Shibboleth Developers

[Alistair Young <>]

hmm.. I sorted the problem completely by adding the cert in a top level  
<ds:KeyInfo>

I think this was frowned upon? Why would it need to go in the top level  
<ds:KeyInfo>?

thanks,

Alistair

On 28 Apr 2005, at 12:11, Alistair Young wrote:

> I changed it to ALGO_ID_SIGNATURE_RSA and it's better now but I get  
> the error:
>
> new_session validate: verified with key inside token, entering  
> validation stage
> new_session validate: certificate subject: CN=guanxi.uhi.ac.uk;  
> OU=WWW; O=UHI Millennium Institute; L=Isle of Skye; ST=Scotland; C=GB
> new_session validate: matched subject CN to a key name  
> (guanxi.uhi.ac.uk)
> new_session validate: KeyAuthority match on guanxi.uhi.ac.uk
> new_session validate: failed to validate certificate chain, token  
> signature untrusted
>
> I got "token signature untrusted" once before when a cert's valid from  
> and to dates were wrong but this is a brand new Thawte cert.
>
> should I add more stuff to IQ-trust.xml?
>
> thanks,
>
> Alistair
>
>
> On 28 Apr 2005, at 11:45, Alistair Young wrote:
>
> > Is there a way to find out what this refers to?
> >
> > Exception: XML object is malformed: XML::Parser detected an error  
> > during parsing: Datatype error: Type:InvalidDatatypeValueException,  
> > Message:Value '' is not encoded in Base64
> > ERROR shibtarget.rpc-server init shar_svc_run [0] new_session: caught  
> > SAML exception: XML::Parser detected an error during parsing:  
> > Datatype error: Type:InvalidDatatypeValueException, Message:Value ''  
> > is not encoded in Base64
> >
> > it's when an AuthenticationStatement is coming back from an IdP. It's  
> > worked fine with self-signed certs. Now I'm using a Thawte cert and I  
> > get this error.
> >
> > I've checked and the SAMLResponse in the form is indeed base 64  
> > encoded, as is the X509 in the response.
> >
> > below is the decoded SAMLResponse field from the form. Is there stuff  
> > in there that maybe shibb doesn't like?
> >
> > thanks,
> >
> > Alistair
> >
> >
> > <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:CanonicalizationMethod  
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > <ds:SignatureMethod  
> > Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1";  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > <ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:Transform  
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>code ds kind rw saml  
> > samlp typens #default</ds:Transform>
> > </ds:Transforms>
> > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > </ds:Reference>
> > </ds:SignedInfo>
> > <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > MIIDcjCCAtugAwIBAgIDIQ36MA0GCSqGSIb3DQEBBAUAMIHOMQswCQYDVQQGEwJaQTEVMB 
> > MGA1UE
> > CBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoTFFRoYXd0ZS 
> > BDb25z
> > dWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMS 
> > EwHwYD
> > VQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIgQ0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW 
> > 0tc2Vy
> > dmVyQHRoYXd0ZS5jb20wHhcNMDUwNDEyMTMwODQ5WhcNMDYwNDEyMTMwODQ5WjCBgzELMA 
> > kGA1UE
> > BhMCR0IxETAPBgNVBAgTCFNjb3RsYW5kMRUwEwYDVQQHEwxJc2xlIG9mIFNreWUxITAfBg 
> > NVBAoT
> > GFVISSBNaWxsZW5uaXVtIEluc3RpdHV0ZTEMMAoGA1UECxMDV1dXMRkwFwYDVQQDExBndW 
> > FueGku
> > dWhpLmFjLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIr4/ 
> > 29FuZwQIqP7VOPEBy/L2H
> > e9FdrJyaXSW6HpeXVhJ//kasQHzeri5pT6NPFeU027/ 
> > M1WJkcNeYCvjATZBFFMefx74trv+Gztal
> > yVjf5QmOHFkml8RKTbyoTYbqr3igqtAbciuuGhx7r5uonw27HGTyJ1Fs96OMNtO7zBntuw 
> > IDAQAB
> > o4GmMIGjMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBABgNVHR8EOTA3MDWgM6 
> > Axhi9o
> > dHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAyBggrBg 
> > EFBQcB
> > AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wDAYDVR0TAQH/ 
> > BAIwADAN
> > BgkqhkiG9w0BAQQFAAOBgQCQCFtxPME3dhwFLK/pkUY84Hcul7tk/ 
> > 6DPZBiVUPdQjOpfk7OW8pK9
> > 4bOGviXuKBE/ 
> > 0e+QVSuGwCDQetJYVz368HYAHorFLwik3BdKl3NlmlWQTipsOV97OboDqbDeuLhv
> > L5ek1CWI8Fgid3bI0SILno8V/ZBoXyuHSx7Tv5WxKA==
> > </ds:X509Certificate>
> > </ds:X509Data>
> > <ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > <ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> > yK+P9vRbmcECKj+1TjxAcvy9h3vRXaycml0luh6Xl1YSf/5GrEB83q4uaU+jTxXlNNu/ 
> > zNViZHDX
> > mAr4wE2QRRTHn8e+La7/ 
> > hs7WpclY3+UJjhxZJpfESk28qE2G6q94oKrQG3Irrhoce6+bqJ8Nuxxk
> > 8idRbPejjDbTu8wZ7bs=
> > </ds:Modulus>
> > <ds:Exponent  
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>AQAB</ds:Exponent>
> > </ds:RSAKeyValue>
> > </ds:KeyValue>
> > </ds:KeyInfo>
> > </ds:Signature>