shibboleth-dev - Re: testing the one-hop validation scenario
- From: Derek Atkins <>
- To: "RL 'Bob' Morgan" <>
- Cc: Shibboleth Design Team <>
- Subject: Re: testing the one-hop validation scenario
- Date: 05 Jun 2003 21:37:54 -0400
"RL 'Bob' Morgan" <> writes:
> I will leave the UW origin HS on shib.cac.washington.edu set up to use a
> server cert issued by the UW CA. To test with it, a target would add the
> UW site metadata to sites.xml, then add the UW CA to trust.xml in the
> KeyAuthority section corresponding to the incommon pilot, ie with all the
> other CA certs. Data below, also at
Now I'm a bit confused. It all just worked! The change I made:
failing to parse an X509 key out of the trust file (or failing to
insert it into a key store) is no longer a fatal operation. For some
reason it doesn't like the cert that calls itself /C=US/O=RSA Data
Security, Inc./OU=Secure Server Certification Authority.
Anyways, with this simple patch to current CVS shibboleth (see
attached) I was able to proceed as a valid-user and access my shib
site.
-derek
Index: shib/XMLTrust.cpp =================================================================== RCS file: /home/cvs/shibboleth/shibboleth/c/shib/XMLTrust.cpp,v retrieving revision 1.2 diff -u -r1.2 XMLTrust.cpp --- shib/XMLTrust.cpp 19 May 2003 15:51:10 -0000 1.2 +++ shib/XMLTrust.cpp 6 Jun 2003 01:29:50 -0000 @@ -121,21 +121,28 @@ X509_STORE_set_verify_cb_func(m_store,verify_callback); + Category& log=Category::getInstance(SHIB_LOGCAT".XMLTrustImpl"); + for (vector<XSECCryptoX509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) { X509* x509=B64_to_X509((*i)->getDEREncodingSB().rawCharBuffer()); if (!x509) { - X509_STORE_free(m_store); - return m_store=NULL; + //X509_STORE_free(m_store); + //return m_store=NULL; + log.warn("failed to parse X509 buffer: %s", + (*i)->getDEREncodingSB().rawCharBuffer()); + continue; } if (!X509_STORE_add_cert(m_store,x509)) { log_openssl(); + log.warn("failed to add cert: %s", x509->name); X509_free(x509); - X509_STORE_free(m_store); - return m_store=NULL; + //X509_STORE_free(m_store); + //return m_store=NULL; + continue; } }
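Review bot: with both early returns replaced by `continue`, XMLTrustImpl now hands back a non-NULL m_store even when every certificate in trust.xml failed to parse or to be added, so the caller can no longer tell a fully loaded store from an empty one; count the certificates actually added and keep the old `X509_STORE_free(m_store); return m_store=NULL;` path (or at least log at error rather than warn level) when that count is zero, so a mis-encoded trust file cannot quietly leave the target trusting fewer CAs than the operator configured. In the same hunk, the parse-failure branch logs the raw buffer but never calls log_openssl(), so the reason OpenSSL rejected that one "Secure Server Certification Authority" entry is lost, while the add-failure branch does call it; calling log_openssl() before the warning in both branches would show why the cert is refused instead of only that it is. One benign cause of the add failure is a certificate already present in the store (OpenSSL reports X509_R_CERT_ALREADY_IN_HASH_TABLE), which the error queue output from log_openssl() already distinguishes, so a duplicate should probably not even warn. Smaller points: the commented-out `//X509_STORE_free(m_store);` / `//return m_store=NULL;` pairs should be deleted rather than left in, and `x509->name` reaches into the X509 struct directly; X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0) gives the same subject string through the public API.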
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
PGP key available