shibboleth-dev - Re: origin build
  • From: "RL 'Bob' Morgan"
  • To: Shibboleth Design Team
  • Subject: Re: origin build
  • Date: Thu, 29 May 2003 21:46:02 -0700 (PDT)


> > so, the problem would seem to be with cert chain validation on the
> > target side.....
>
> The error line from shar.log (new_session validate getX509Store: error
> code: 185057381 in x509_lu.c, line 336) points to something in openssl's
> X509_STORE_add_cert(), which is called from shib's XMLTrust.cpp. So
> something going wrong in adding certs to the certstore ...

Steven and I were both trying bossie-signed certs for our HSs, which chain
through an intermediate to its root, where the failure above I think
indicates failure to load the cert chain.

I did a test with a HS server cert issued directly by a root CA (our UW
CA, https://www.washington.edu/computing/ca/), and (after putting the CA
into trust.xml along with all the other CAs verifying the incommon:pilot
group) got a different failure:

SHIRE failure at (https://perq.cac.washington.edu/shibboleth/SHIRE)

Exception: cryptographic check failed: SAMLSignedObject::verify() caught
an XMLSec crypto exception

From shar.log:

2003-05-29 21:44:00 ERROR SAML.PN4saml10SAMLObjectE [1] new_session verify: caught an XMLSec crypto exception: OpenSSL:RSA::verify() - Error decrypting signature

which I think means it's getting past the loading step it got stuck on in
the bossie case, but now trips while doing the verify itself.

I used jarsigner to verify that the UW-CA-signed certs/keys in the
keystore work OK (signed a jar on one box with the HS keystore, verified
on a different box with a different keystore with just the CA in it). So
I think the problem is with the verification code.

So, one step forward ... 8^\

- RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
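Editor's note with an added example; the script below is not from the thread and not Shibboleth or OpenSSL project code. Bob's message separates two different failures: a chain that the target cannot build (the bossie-signed HS cert chains through an intermediate that is not loaded on the SHAR side) and, once a directly root-issued cert gets past loading, an RSA signature that does not verify. The script rebuilds both with a constructed root -> intermediate -> leaf chain and the `openssl` command-line tool: `openssl verify` with only the root fails until the intermediate is supplied, and a signature made with the wrong private key is rejected against the leaf's public key. It also splits a packed OpenSSL error code into its fields using the classic (pre-3.0) ERR_PACK layout, which is the layout the 2003 log used; with the 0.9.x header values, 185057381 (0x0B07C065) comes out as library 11 (X509), function 124 (X509_STORE_add_cert, matching the x509_lu.c reference in the quoted log) and reason 101 (cert already in hash table), i.e. the same certificate being added to the store a second time. Assumptions: a POSIX shell and an `openssl` binary on PATH; every name, key and message is constructed throwaway material.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from Shibboleth/OpenSSL).
# Reproduces the two failures Bob separates: a chain that cannot be built
# because the intermediate is not loaded, versus an RSA signature that does
# not verify against the certificate's public key. Assumes a POSIX shell and
# an `openssl` CLI on PATH; every key, name and message here is constructed.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# CA extensions: without basicConstraints an intermediate is not accepted as a CA.
printf '[ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"

# Build root -> int -> leaf, the same shape as a bossie-signed HS cert.
make_chain() {
  for name in root int leaf; do
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
      -subj "/CN=Constructed $name" -out "$WORK/$name.csr" 2>/dev/null
  done
  # Self-signed root CA.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -set_serial 1 \
    -extfile "$WORK/ca.ext" -extensions ca -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA issued by the root.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -days 1 \
    -set_serial 2 -extfile "$WORK/ca.ext" -extensions ca -out "$WORK/int.pem" 2>/dev/null
  # End-entity (HS-style) certificate issued by the intermediate.
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -days 1 \
    -set_serial 3 -out "$WORK/leaf.pem" 2>/dev/null
}

# Chain check with only the root trusted: the leaf's issuer is unknown, so
# verification fails ("unable to get local issuer certificate").
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust anchor, intermediate supplied as an untrusted chain cert: succeeds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Sign a constructed message with key $1 and verify against the leaf cert's
# public key. Only leaf.key matches; any other key gives "Verification Failure",
# the CLI face of the RSA::verify() error in the shar.log excerpt.
sign_and_verify() {
  printf 'constructed assertion payload\n' > "$WORK/msg"
  openssl dgst -sha256 -sign "$1" -out "$WORK/msg.sig" "$WORK/msg" 2>/dev/null
  openssl x509 -in "$WORK/leaf.pem" -pubkey -noout > "$WORK/leaf.pub" 2>/dev/null
  openssl dgst -sha256 -verify "$WORK/leaf.pub" -signature "$WORK/msg.sig" "$WORK/msg" >/dev/null 2>&1
}

# Split a packed OpenSSL error code (classic ERR_PACK layout: 8-bit library,
# 12-bit function, 12-bit reason) into "lib func reason" so a number from a
# log line like the one quoted in the message can be matched against the
# X509_F_* / X509_R_* values in the OpenSSL headers of that era.
decode_err() {
  echo "$(( $1 >> 24 )) $(( ($1 >> 12) & 4095 )) $(( $1 & 4095 ))"
}

make_chain
verify_root_only         && echo "root only:           OK" || echo "root only:           FAILS (intermediate not loaded)"
verify_with_intermediate && echo "root + intermediate: OK" || echo "root + intermediate: FAILS"
sign_and_verify "$WORK/leaf.key" && echo "sig, matching key:   verified" || echo "sig, matching key:   rejected"
sign_and_verify "$WORK/int.key"  && echo "sig, mismatched key: verified" || echo "sig, mismatched key: rejected"
echo "185057381 splits into lib/func/reason: $(decode_err 185057381)"
```

Run it with `sh chain-demo.sh`. The practical takeaway for a target operator is that the trust store needs every certificate between the HS cert and the anchor, not just the anchor, and that a signature failure after the chain loads points at a key/certificate mismatch rather than at the trust store.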

Archive powered by MHonArc 2.6.16.