
Re: zxid 0.53 metadata parsing issues



Sampo,

1.  Running zxcot I get:
/opt/saml/var/zxid/cot/0D5XlTNF5XoaggdNLUd8nKON-XY
https://idp.testshib.org/idp/shibboleth            TestShib Two
/opt/saml/var/zxid/cot/OKCy5mMaXMJUnKQ1wVJCcT00AA8
http://auth-int.orange.fr                         -
/opt/saml/var/zxid/cot/s36Te-rgbzReSjVc8vDDGy89tT8
http://idp.ssocircle.com                          -
/opt/saml/var/zxid/cot/yFx-OsV0bEOOcHmPlxAuInI63zk
https://sp.testshib.org/shibboleth-sp              TestShib Two
/opt/saml/var/zxid/cot/rQalJ8S4WSBIb3HWgs1cDSuHhrQ
https://tstfapcn100                                -


2.  Regarding zxid_load_cot_cache, I'm trying to build a complete CoT
lookup table in Perl.  Is there a better way, given the possibility of
multiple descriptors in one file?  I don't mind manually splitting them (and
it seems to work OK when I do), if necessary.


3.  rQalJ8S4WSBIb3HWgs1cDSuHhrQ metadata is at the end of my response.

Thanks,
Eric

$ cat /opt/saml/var/zxid/cot/rQalJ8S4WSBIb3HWgs1cDSuHhrQ
<md:EntityDescriptor entityID="https://tstfapcn100" cacheDuration="PT1440M" ID="zcNOtgLT_Dadr-2JUaFI21cMn6F" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#zcNOtgLT_Dadr-2JUaFI21cMn6F">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Pm1M8iysm5j0ZOvJuaTdyGhNqz0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OnBJZi4Pd48TwI7bWVY3OiW7Mbcst8/PwcGu/uMLFQq02l+CMupLFF4AGVEU2m++tubvzdmA94mm
LXVehCVCtXj4E2fvVU82hH/oc8pEiu2X7QU3CaVrrvzyd5yrdADo1E3P674cmr1X7c86H2olmwPv
zU/WMQk6rocW60yhJiA=
</ds:SignatureValue>

<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
jehh16jXa5zHLXih8rNLKO2uvQUoCWIWwTXWfFFwY+UsPR0CVn8YInnJiKXp8YCeXCkhHEqgSWUb
2KKBtF+nJoMwDM3RnJ1yCX0Z1kZmN+nmulGftkQI6ekP5vBrX8h/5zuY8dNjvLbczxB75ih700zh
YTheCsaT7I1YaAT3AGM=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIB7zCCAVigAwIBAgIGARbqepeOMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYTAlVTMRgwFgY
DVQQKEw9RdWljayBTdGFydCBBcHAxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0wNzEyMTcyMzQwMTFa
Fw0xMjEyMTUyMzQwMTFaMDsxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9RdWljayBTdGFydCBBcHAxE
jAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjehh16jXa5zHLX
ih8rNLKO2uvQUoCWIWwTXWfFFwY+UsPR0CVn8YInnJiKXp8YCeXCkhHEqgSWUb2KKBtF+nJoMwDM3
RnJ1yCX0Z1kZmN+nmulGftkQI6ekP5vBrX8h/5zuY8dNjvLbczxB75ih700zhYTheCsaT7I1YaAT3
AGMCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBrS9kMTTwA5T3EJmjB2GuDIgEIu4Q7wvrZoJxmXDMRn
Hi0LhpKleTXb/VRzw+QcGHqRsJ1+PtJEHKw4g5MtfkEW3rbrmXusvchmzZIB1jOlEtEuZzOqge4gr
nxZAG76036bfPfj6iZK8YNMbsLAyw5ghho9+dQB8ekhGDNHlfJ9A==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Location="https://tstfapcn100:9031/idp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="https://tstfapcn100:9031/idp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleSignOnService Location="https://tstfapcn100:9031/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleSignOnService Location="https://tstfapcn100:9031/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email Address" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Member Status" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last Name" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First Name" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIB7zCCAVigAwIBAgIGARbqepeOMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYTAlVTMRgwFgY
DVQQKEw9RdWljayBTdGFydCBBcHAxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0wNzEyMTcyMzQwMTFa
Fw0xMjEyMTUyMzQwMTFaMDsxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9RdWljayBTdGFydCBBcHAxE
jAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjehh16jXa5zHLX
ih8rNLKO2uvQUoCWIWwTXWfFFwY+UsPR0CVn8YInnJiKXp8YCeXCkhHEqgSWUb2KKBtF+nJoMwDM3
RnJ1yCX0Z1kZmN+nmulGftkQI6ekP5vBrX8h/5zuY8dNjvLbczxB75ih700zhYTheCsaT7I1YaAT3
AGMCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBrS9kMTTwA5T3EJmjB2GuDIgEIu4Q7wvrZoJxmXDMRn
Hi0LhpKleTXb/VRzw+QcGHqRsJ1+PtJEHKw4g5MtfkEW3rbrmXusvchmzZIB1jOlEtEuZzOqge4gr
nxZAG76036bfPfj6iZK8YNMbsLAyw5ghho9+dQB8ekhGDNHlfJ9A==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Location="https://tstfapcn100:9031/sp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="https://tstfapcn100:9031/sp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tstfapcn100:9031/sp/ACS.saml2" index="0"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">AttributeContract</md:ServiceName>
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email Address"/>
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Member Status"/>
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last Name"/>
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First Name"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>


On Wed, Apr 21, 2010 at 1:55 PM, <sampo@xxxxxxxxxxx> wrote:

> Sorry for slow reply. I was travelling and got stuck by the ash problem.
>
> Eric Rybski wrote:
> > Hi,
> >
> >    I'm currently evaluating a zxid 0.53 upgrade.  I've been using 0.32.
> > I'm
> > using the Net::SAML library.
> >
> > I'm getting new metadata parsing issues with 0.53:
> > 1. Bad metadata errors, like: "EntityDescriptor could not be found or was
> > corrupt. MD(
> > ) 0 chars parsed."
> > I don't see what's wrong with the affected metadata files.  Perhaps
> > there's
> > a new metadata parsing issue in 0.53?
>
> Possible, since I messed with it. 0 chars parsed could be due to
> input reading problem or it could indicate that the file has some
> garbage, probably near beginning. Perhaps a BOM or unwarranted XML
> processing instructions?
>
> To triangulate better, can you run
>
> zxcot /opt/saml/var/zxid/cot/
>
> That should parse every metadata file there and list some info
> about them. This is a good test for my metadata parsing code.
> If that reproduces your problems, then the bug is likely to be
> in my parser. Otherwise the bug is likely to be in I/O.
>
> > 2. Shibboleth 2 IdP metadata now works (never parsed in 0.32), but
> > contains
> > two EntityDescriptor wrapped in an EntityDescriptors parent tag.  zxid
> > uses
> > the last one when identifying list of available IdPs by sha1 hash
> > (Net::SAML::load_cot_cache).  I need the first one.  Do I need to
> > manually separate these descriptors into separate files for zxid?
>
> When ZXID processes the EntitiesDescriptor, it writes a file for
> each EntityDescriptor found. Your confusion may come from the fact
> that although zxid_load_cot_cache() processes all descriptors, it returns
> the last one processed. Instead of relying on return value of
> zxid_load_cot_cache(), you probably should be calling zxid_get_ent().
>
> > My COT looks like:
> > [www@localhost cot]$ ls -al /opt/saml/var/zxid/cot
> > total 40
> > -rw-r--r--    1 www      www         17924 Feb 22 11:47
> > 0D5XlTNF5XoaggdNLUd8nKON-XY
> > -rw-r--r--    1 www      www          2166 Apr 20 03:46
> > OKCy5mMaXMJUnKQ1wVJCcT00AA8
> > -rw-r--r--    1 www      www          6264 Aug 22  2009
> > rQalJ8S4WSBIb3HWgs1cDSuHhrQ
> > -rw-rw-r--    1 www      www          5329 Sep 13  2009
> > s36Te-rgbzReSjVc8vDDGy89tT8
> >
> > I've attached the four metadata files for reference.
> >    1. OK:  0D5XlTNF5XoaggdNLUd8nKON-XY is for TestShib 2 (
> > https://idp.testshib.org/idp/shibboleth).
> >    2. ERR: OKCy5mMaXMJUnKQ1wVJCcT00AA8 is a demo SP that was included in
> > the
> > 0.32 distribution (http://auth-int.orange.fr).
>
> I tried that file and had success.
>
> >    3. ERR: rQalJ8S4WSBIb3HWgs1cDSuHhrQ is a local test instance of
> > PingFederate 6.0 (https://tstfapcn100).
>
> I see you had attempted to attach some files that got stripped for
> some reason. Please include contents of rQalJ8S4WSBIb3HWgs1cDSuHhrQ
> inline in the mail so I can analyze it.
>
> >    4. OK: s36Te-rgbzReSjVc8vDDGy89tT8 is for SSOCircle (
> > http://idp.ssocircle.com)
> >
> >
> > Here is my test script:
> > #!/usr/bin/perl
> > use Net::SAML;
> > use Data::Dumper;
> > my $qs = 'o=E';
> > my $cf_url = 'PATH=/opt/saml/var/zxid/&URL=http://localhost/saml.pl&AFTER_SLOP=3660&AUTO_CERT=0&BARE_URL_ENTITYID=0&BEFORE_SLOP=86400&CDC_URL=&DI_ALLOW_CREATE=0&DUP_A7N_FATAL=0&DUP_MSG_FATAL=0&MD_FETCH=0&MD_POPULATE_CACHE=0&NAMEID_ENC=0&NOSIG_FATAL=0&REDIR_TO_CONTENT=0&SES_ARCH_DIR=/opt/saml/var/zxid/oldses/&SES_COOKIE_NAME=ssid&SES_COOKIE_UNIQ=1&SHOW_CONF=0&SIG_FATAL=0&TIMEOUT_FATAL=0&USER_LOCAL=0
> > ';
> > my $cf = Net::SAML::new_conf_to_cf($cf_url);
> > Net::SAML::set_opt($cf, 1, 1); #enable debugging info
> > my $simple_cf_flags = $Net::SAML::AUTO_SOAPH | $Net::SAML::AUTO_METAH |
> >     $Net::SAML::AUTO_LOGINC | $Net::SAML::AUTO_MGMTC | $Net::SAML::AUTO_FORMT;
> > my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, $simple_cf_flags);
>
> I presume the call to zxid_simple_cf() is irrelevant for the metadata
> debugging exercise.
>
> > print Dumper(get_cot_eid_sha1($cf));
> > sub get_cot_eid_sha1 {
> >     my $cf = shift;
> >     my %cot;
> >     if (my $idp = Net::SAML::load_cot_cache($cf)) {
> >         while ($idp) {
> >             my $eid = $idp->swig_eid_get();
> >             # record the entry only when it has an eid, but always advance
> >             # to the next descriptor; a bare "next unless $eid" would loop
> >             # forever on a descriptor without one
> >             if ($eid) {
> >                 $cot{$eid} = $idp->swig_sha1_name_get();
> >             }
> >             $idp = $idp->swig_n_get();
> >         }
> >     }
> >     return \%cot;
> > }
> >
> > Output:
> > t zxidsimp.c:1466 zxid_simple_cf_ses zx d QUERY_STRING(o=E) 0.53
> > t  zxidecp.c:137 zxid_lecp_check   zx d Neither ECP nor LECP request 0
> > t zxidsimp.c:1262 zxid_simple_no_ses_cf zx d LECP check: ss(?)
> > t zxidsimp.c:1273 zxid_simple_no_ses_cf zx d NOT CDC 0
> > t zxidsimp.c:748 zxid_simple_show_idp_sel zx d cf=0x829fc10 cgi=0xbffff700
> > t zxidmeta.c:837 zxid_my_entity_id zx d my_entity_id url(
> > http://localhost/saml.pl)
>
>
> > t zxidsimp.c:460 zxid_idp_select_zxstr_cf_cgi zx d HERE 0x812dc80 e() m()
> > d()
> > t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> > sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8) eid(http://auth-int.orange.fr)
> > t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor
> > could
> > not be found or was corrupt. MD(
> > ) 0 chars parsed.
>
> Seems I/O problem to me.
>
> > t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.174
> > 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
> > t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed
> > for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8)
> > t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.175
> > 19700101-000000.501 -:- - - - - zx N B NOMD -
> > sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8))
>
>
> > t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> > sha1_name(s36Te-rgbzReSjVc8vDDGy89tT8) eid(http://idp.ssocircle.com)
> > t zxidmeta.c:86  zxid_process_keys zx d KeyDescriptor is missing use
> > attribute. Assume this certificate can be used for both signing and
> > encryption. 0
>
> > t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> > sha1_name(yFx-OsV0bEOOcHmPlxAuInI63zk) eid(
> > https://sp.testshib.org/shibboleth-sp)
>
> > t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> > sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ) eid(https://tstfapcn100)
> > t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor
> > could
> > not be found or was corrupt. MD(
> > ) 0 chars parsed.
> > t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.177
> > 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
> > t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed
> > for sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ)
> > t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178
> > 19700101-000000.501 -:- - - - - zx N B NOMD -
> > sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ))
>
>
> > t zxidsimp.c:359 zxid_idp_list_cf_cgi zx d Starting IdP processing...
> > 0x81aead0
> > t zxidsimp.c:419 zxid_idp_list_cf_cgi zx d IdP list(<select name=d>
> > <option value="https://tstfapcn100">  (https://tstfapcn100)
> > <option value="http://idp.ssocircle.com">  (http://idp.ssocircle.com)
> > <option value="http://auth-int.orange.fr">  (http://auth-int.orange.fr)
> > </select><input type=submit name="l0" value=" Login "><br>
> > )
> > t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178
> > 19700101-000000.501 -:- - - - - zx N W IDPSEL - -)
> > t zxidsimp.c:697 zxid_simple_show_page zx d No headers 968
> > $VAR1 = {
> >           'https://tstfapcn100' => 'rQalJ8S4WSBIb3HWgs1cDSuHhrQ',
> >           'http://idp.ssocircle.com' => 's36Te-rgbzReSjVc8vDDGy89tT8',
> >           'https://sp.testshib.org/shibboleth-sp' =>
> > 'yFx-OsV0bEOOcHmPlxAuInI63zk',
> >           'http://auth-int.orange.fr' => 'OKCy5mMaXMJUnKQ1wVJCcT00AA8'
> >         };
>
> The dump of $VAR1 seems good to me.
>
> Cheers,
> --Sampo
>
> > Thanks,
> > Eric
> >
> > [demime 1.01d removed an attachment of type application/octet-stream
> > which had a name of 0D5XlTNF5XoaggdNLUd8nKON-XY]
>
> Perhaps the attachments should have MIME type text/xml? Or just text/plain?
>
> > [demime 1.01d removed an attachment of type application/octet-stream
> > which had a name of OKCy5mMaXMJUnKQ1wVJCcT00AA8]
> >
> > [demime 1.01d removed an attachment of type application/octet-stream
> > which had a name of rQalJ8S4WSBIb3HWgs1cDSuHhrQ]
> >
> > [demime 1.01d removed an attachment of type application/octet-stream
> > which had a name of s36Te-rgbzReSjVc8vDDGy89tT8]
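As an added example, not part of this thread and not zxid or Net::SAML code, here is a Python pre-check for the two things the thread turns on: Sampo's "garbage near the beginning, BOM or XML processing instruction" explanation for "0 chars parsed", and Eric's need to split an EntitiesDescriptor into one EntityDescriptor per file before handing it to zxid. The sample metadata and its entity IDs are constructed; the namespace URIs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
UTF8_BOM = b"\xef\xbb\xbf"

# keep the conventional prefixes when re-serialising fragments
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def inspect_leading_bytes(raw):
    """Report what sits in front of the first '<': a BOM, stray bytes, or an
    XML declaration. A loader that gives up with '0 chars parsed' is usually
    tripping over exactly this prefix rather than over the metadata itself."""
    has_bom = raw.startswith(UTF8_BOM)
    body = raw[len(UTF8_BOM):] if has_bom else raw
    first_lt = body.find(b"<")
    garbage = body[:first_lt] if first_lt >= 0 else body
    has_pi = body.lstrip().startswith(b"<?xml")
    return {
        "bom": has_bom,
        "xml_pi": has_pi,
        "leading_garbage": garbage,
        "clean": not has_bom and not has_pi and garbage.strip() == b"",
    }


def split_entity_descriptors(raw):
    """Return [(entityID, xml_bytes)] for every md:EntityDescriptor, whether it
    is the document root or a child of md:EntitiesDescriptor.
    Caveat: a ds:Signature over the enclosing EntitiesDescriptor is not carried
    into the fragments, so trust in them must come from how the aggregate was
    fetched and verified, not from the re-serialised XML."""
    root = ET.fromstring(raw)  # raises ET.ParseError on corrupt input
    ed_tag = "{%s}EntityDescriptor" % MD_NS
    if root.tag == ed_tag:
        descs = [root]
    elif root.tag == "{%s}EntitiesDescriptor" % MD_NS:
        descs = root.findall(ed_tag)
    else:
        raise ValueError("unexpected root element %s" % root.tag)
    return [(d.get("entityID"), ET.tostring(d)) for d in descs]


# constructed two-entity aggregate, like the Shibboleth file in the thread
SAMPLE = (
    b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
    b'<md:EntityDescriptor entityID="https://idp.example.test/idp"/>'
    b'<md:EntityDescriptor entityID="https://sp.example.test/sp"/>'
    b"</md:EntitiesDescriptor>"
)
```

Run `inspect_leading_bytes` on the raw bytes of a cot file before blaming the parser; if it reports clean and `split_entity_descriptors` still parses, the failure is in the loader's I/O path, which is the distinction Sampo draws above.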