author François Kooman <fkooman@tuxed.net> 2017-02-24 15:36:00 +0100
committer François Kooman <fkooman@tuxed.net> 2017-02-24 15:36:00 +0100
commit 1888650285e2c99f943c78577c573a74c816afd1
tree e47c003e6b33ebc36dc12d8d7465bae5c2812c81 /posts/validate_edugain_metadata.md
parent 1057339b21753426146e90228f103b7f1a13e8f8
add edugain post
Diffstat (limited to 'posts/validate_edugain_metadata.md')
1 files changed, 50 insertions, 0 deletions
diff --git a/posts/validate_edugain_metadata.md b/posts/validate_edugain_metadata.md
new file mode 100644
index 0000000..e8ad111
--- /dev/null
+++ b/posts/validate_edugain_metadata.md
@@ -0,0 +1,50 @@
+title: Validating eduGAIN metadata
+published: 2017-02-24
+This is a mostly a "note to self", as it was surprisingly hard to find how to
+do this. And now I am not even sure if it is completely, because XML
+Get the metadata:
+ $ curl -L -o md.xml http://mds.edugain.org/
+Download the certificate:
+ $ curl -L -O https://technical.edugain.org/mds-2014.cer
+For now, we just assume the published fingerprint on the
+[site](https://technical.edugain.org/metadata) is correct, but of course this
+should be verified at any of the participating federations.
+Verify it ourselves:
+ $ openssl x509 -in mds-2014.cer -outform DER | sha256sum
+ 128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0 -
+Now for the tricky part, or at least the part where I am not sure if this
+is correct or not. I got some information
+[here](https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness#MetadataCorrectness-xmlsec1), so maybe it is correct.
+To verify:
+ $ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --trusted-pem mds-2014.cer md.xml
+ OK
+ SignedInfo References (ok/all): 1/1
+ Manifests References (ok/all): 0/0
+The manpage (`xmlsec1 --help-verify`) is totally reassuring in any case:
+ --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
+ adds attributes <attr-name> (default value "id") from all nodes
+ with<node-name> and namespace <node-namespace-uri> to the list of
+ known ID attributes; this is a hack and if you can use DTD or schema
+ to declare ID attributes instead (see "--dtd-file" option),
+ I don't know what else might be broken in your application when
+ you use this hack
+I tested it by just modifying certain fields in the metadata to see if the
+metadata still validates. I was unable to find a modification that made it
+still verify. So far so good.
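Review bot: the `xmlsec1 --verify` step only proves that the signature over the element named by the signature's Reference URI validates under mds-2014.cer; it does not check that this element is the document's root `EntitiesDescriptor`, nor does a generic XML-DSig tool look at a SAML `validUntil` attribute, so the closing test ("unable to find a modification that made it still verify") is weaker than it reads. Suggest adding, after the xmlsec1 call, a comparison of the `Reference URI="#..."` value in the `Signature` element with the `ID` attribute of the root `EntitiesDescriptor` (a change to an entity outside the signed subtree would otherwise still report OK), and a check that the aggregate has not passed its `validUntil` before it is consumed. The `--id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor` registration itself is correct: without a DTD or schema xmlsec1 cannot know that `ID` is an ID-typed attribute and would be unable to resolve the same-document `#...` reference at all, which is what the quoted manpage text calls a hack; it does not weaken the signature check. Minor: the sentence "And now I am not even sure if it is completely, because XML" is cut off and should be finished.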