shibboleth-dev - Re: More Java/XML bugs
- From: Valery Tschopp <>
- To:
- Subject: Re: More Java/XML bugs
- Date: Tue, 27 Sep 2005 17:38:27 +0200
- Organization: SWITCH - Swiss Education & Research Network
Hi Scott,
What exactly is the IdP 1.3b status regarding the OpenSAML 1.1b library?
We have X509 certificates in our SWITCHaai metadata, see:
https://aai-rr.switch.ch/gen_metadata.php/metadata.switchaai.xml
With the metadatatool included in the IdP 1.3b tarball it is possible to sign it, but the signed metadata becomes unusable (base64 blocks are broken).
Is it normal that opensaml 1.1b is not included in IdP 1.3b?
Best regards,
Valery Tschopp - SWITCH
Scott Cantor wrote:
Another overlooked consequence of switching to Xerces is that the Java
version still contains a bug that causes signing of base64 content to fail
unless a particular parser feature specific to Xerces is turned off.
The immediate consequence of this bug, aside from people using OpenSAML, is
that metadatatool can't verify signed metadata that contains certificates. A
later, less critical consequence would be the Java SP validating signed
responses if they included signed assertions, not something we need right
now.
To fix this, we have to release a patched opensaml-1.1.jar and replace the
version included with Shibboleth. I suspect we can get away with just
posting a new opensaml-1.1b package and documenting that you need to copy
that version into IDP_HOME/lib if you want metadatatool to work.
This feature appears to be off by default in Sun's version, which is why it
appeared to work before. Unfortunately, setting this Xerces feature causes a
spurious exception when using some other parser, but for now this is the
best I can think to do. A spurious warning is better than broken, and Shib
at this point requires Xerces anyway.
We can discuss on the call tomorrow.
-- Scott
--
Valery Tschopp Software Engineer
SWITCH The Swiss Education and Research Network
NetServices AAI Neumuehlequai 6, 8001 Zurich
phone:+41 1 268 1544
email: