#StackBounty: #openssl #saml Signature verification for InCommon SAML metadata using xmlsec1 fails

Bounty: 100

InCommon Federation provides IdP and SP metadata. Their refresh policy recommends frequent checking of the metadata aggregate to use the most recent version. They strongly recommend InCommon SPs refresh and verify metadata at least daily.

Following the instructions provided on the Metadata Consumption page, I download an aggregate and obtain an authentic copy of the Metadata Signing Certificate.

Then, I’m to “Verify the XML signature on downloaded metadata.” This is where I’m having issues. I’m able to verify the downloaded metadata with the embedded x509 certificate, but cannot verify using the separately downloaded Metadata Signing Certificate.

I have the two files downloaded from InCommon:

  • xml: InCommon-metadata-idp-only.xml
  • private signing key: inc-md-cert.pem

I thought I should be able to run the command:

# xmlsec1 --verify \
     --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
     --privkey-pem ./inc-md-cert.pem \
     ./InCommon-metadata-idp-only.xml

That fails saying “Failed to load private key from ./inc-md-cert.pem”. I can verify it contains a valid key using openssl x509 -text -in ./inc-md-cert.pem (and it’s readable, and that’s the correct path). It fails the same way whether I reference it with --privkey-pem or --pubkey-pem.

Now, if I use --pubkey-cert-pem ./inc-md-cert.pem instead, it runs without error, indicating OK SignedInfo References (ok/all): 1/1.

But no, it’s clearly ignoring my private signing key, and simply doing verification based on the key embedded in the metadata.xml file. (I can remove the --pubkey-cert-pem argument completely, and the verify still works, using the embedded x509 certificate.)

Fundamental error on my part, I assume, as this can’t be so difficult: How do I use an external key (provided by InCommon) to verify the signature of the metadata file (provided by InCommon)?
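A defender's cross-check for the situation described above (the signature verifies against the certificate embedded in the aggregate, but nothing yet ties that certificate to the authentic inc-md-cert.pem): pull the certificate out of the aggregate's top-level ds:Signature and compare it byte-for-byte with the downloaded one, so that "verified with the embedded cert" becomes "verified with the pinned, authentic cert". This is an added example, not part of the original post or of InCommon's tooling; the certificate blobs and the metadata document below are constructed stand-ins, and the element paths assume the standard SAML metadata and XML-DSig namespaces.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour (as in inc-md-cert.pem) and return the DER bytes."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

def embedded_signing_cert_der(metadata_xml: str) -> bytes:
    """DER of the certificate carried by the top-level ds:Signature.

    Only the Signature that is a direct child of md:EntitiesDescriptor counts;
    the KeyDescriptor certificates of the listed IdPs/SPs are deliberately ignored,
    since any of them could be chosen by a search for "any X509Certificate".
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    sig = root.find(DS + "Signature")
    if sig is None:
        raise ValueError("aggregate carries no top-level ds:Signature")
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("top-level ds:Signature carries no ds:X509Certificate")
    return base64.b64decode("".join(cert.text.split()))  # base64 is often line-wrapped

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def embedded_cert_matches(metadata_xml: str, authentic_pem: str) -> bool:
    """True only if the embedded signing cert is byte-for-byte the authentic one."""
    return fingerprint(embedded_signing_cert_der(metadata_xml)) == fingerprint(pem_to_der(authentic_pem))

# Constructed stand-ins (not real certificates): one fake DER blob plays the
# metadata signing cert, a different one plays an IdP's KeyDescriptor cert.
SIGNING_DER = b"CONSTRUCTED-NOT-A-REAL-CERT-inc-md-cert"
IDP_DER = b"CONSTRUCTED-NOT-A-REAL-CERT-some-idp"
AUTHENTIC_PEM = der_to_pem(SIGNING_DER)
_b64 = base64.b64encode(SIGNING_DER).decode()
METADATA_XML = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="constructed">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {_b64[:20]}
    {_b64[20:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(IDP_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print("embedded cert matches inc-md-cert.pem:", embedded_cert_matches(METADATA_XML, AUTHENTIC_PEM))
```

Run the xmlsec1 verification first; a successful signature check plus a matching fingerprint is what ties the aggregate to the authentic certificate, and a mismatch means the aggregate must be rejected even though its signature "verified".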
