
shibboleth-dev - Re: origin build

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Design Team <>
  • Subject: Re: origin build
  • Date: Fri, 30 May 2003 09:46:02 -0700 (PDT)


On Thu, 29 May 2003, RL 'Bob' Morgan wrote:

> I did a test with a HS server cert issued directly by a root CA (our UW
> CA, https://www.washington.edu/computing/ca/), and (after putting the CA
> into trust.xml along with all the other CAs verifying the incommon:pilot
> group) got a different failure:
>
> SHIRE failure at (https://perq.cac.washington.edu/shibboleth/SHIRE)
>
> Exception: cryptographic check failed: SAMLSignedObject::verify() caught
> an XMLSec crypto exception

I'm guessing now that this is because the xmlsec package requires
precisely md5WithRSAEncryption for signature algorithm. For some reason
the UW CA seems to issue certs with sha1WithRSAEncryption signatures.
This seems to work in general but not here. The tipoff line from shar.log
on the above failure is:

2003-05-29 21:44:00 INFO shibtarget.rpc-server [1] new_session: FAILED:
<Status xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><StatusCode
Value="Responder"></StatusCode><StatusMessage>SAMLSignedObject::verify()
caught an XMLSec crypto
exception</StatusMessage><StatusDetail><ExceptionClass
xmlns="http://www.opensaml.org">org.opensaml.InvalidCryptoException</ExceptionClass></StatusDetail></Status>

The shib2.internet2.edu cert uses md5, as do the bossie certs ...

- RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
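
To check which signature algorithm each certificate in a chain carries (the md5WithRSAEncryption versus sha1WithRSAEncryption difference observed in the message above), here is an added example that is not part of the original message or of the Shibboleth/OpenSAML code. It reads the outer signatureAlgorithm OID from a PEM or DER certificate; `SAMPLE_DER` is a constructed skeleton rather than a real certificate, and all function names are this example's own.

```python
import base64

# The two signature algorithms named in the message, keyed by OID.
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
# Constructed input, not a real certificate: empty tbsCertificate, dummy signature.
SAMPLE_DER = bytes.fromhex("3015" "3000" "300d06092a864886f70d0101050500" "03020000")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (base-128 sub-identifiers) to dotted form."""
    subs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(value)
            value = 0
    if not subs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def cert_signature_algorithm(data):
    """Name (or dotted OID) of the outer signatureAlgorithm of a PEM or DER cert."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        b64 = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        data = base64.b64decode(b64)
    t1, pos, _ = read_tlv(data, 0)         # Certificate SEQUENCE: step inside
    t2, _, pos = read_tlv(data, pos)       # tbsCertificate: skip over it
    t3, pos, _ = read_tlv(data, pos)       # signatureAlgorithm: step inside
    t4, start, end = read_tlv(data, pos)   # algorithm OBJECT IDENTIFIER
    if (t1, t2, t3, t4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(data[start:end])
    return SIG_ALGS.get(oid, oid)
```

Calling `cert_signature_algorithm(open(path, "rb").read())` on each certificate in the chain shows at a glance which ones differ in signature algorithm.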



