---
title: Validating eduGAIN metadata
published: 2017-02-24
---

This is both a blast from the past, and mostly a "note to self", as it was 
surprisingly hard to find how to do this. And now I am not even sure if it is 
complete, because XML signatures :(

Get the metadata:

    $ curl -L -o md.xml http://mds.edugain.org/

Download the certificate:

    $ curl -L -O https://technical.edugain.org/mds-2014.cer

For now we simply assume the fingerprint published on the
[site](https://technical.edugain.org/metadata) is correct; of course it
should be cross-checked with any of the participating federations.

Verify the certificate fingerprint ourselves:

    $ openssl x509 -in mds-2014.cer -outform DER | sha256sum
    128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0  -

Now for the tricky part, or at least the part where I am not sure if this 
is correct or not. I got some information 
[here](https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness#MetadataCorrectness-xmlsec1), so maybe it is correct.

To verify:

    $ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --trusted-pem mds-2014.cer md.xml
    OK
    SignedInfo References (ok/all): 1/1
    Manifests References (ok/all): 0/0

The manpage (`xmlsec1 --help-verify`) is totally reassuring in any case:

    --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
        adds attributes <attr-name> (default value "id") from all nodes
        with<node-name> and namespace <node-namespace-uri> to the list of
        known ID attributes; this is a hack and if you can use DTD or schema
        to declare ID attributes instead (see "--dtd-file" option),
        I don't know what else might be broken in your application when
        you use this hack

I tested it by just modifying certain fields in the metadata to see if the 
metadata still validates. I was unable to find a modification that made it 
still verify. Of course that doesn't mean it is safe, but so far so good.
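What `xmlsec1 --verify` establishes is that the element named by the `ds:Reference` URI is signed by the trusted key; whether that element is the document root, whether the signature sits directly under it, and whether `validUntil` has passed are separate checks. The script below is an added example (not code from the post or from eduGAIN) that makes those checks with the standard library; the sample documents and the `agg1`/`outer` IDs are constructed.

```python
"""Added example: structural checks that complement xmlsec1 --verify."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_structure(xml_bytes, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_bytes)
    root_id = root.get("ID")
    if root.tag != "{%s}EntitiesDescriptor" % MD or not root_id:
        problems.append("root is not an md:EntitiesDescriptor with an ID")
    # xmlsec1 proves the element named by the Reference URI is signed; insist
    # that element is the root and the Signature is its direct child.
    sigs = root.findall("{%s}Signature" % DS)
    uris = [r.get("URI") for s in sigs
            for r in s.findall("{%s}SignedInfo/{%s}Reference" % (DS, DS))]
    if len(sigs) != 1 or uris != ["#%s" % root_id]:
        problems.append("signature does not cover the root: %d signatures, refs %r"
                        % (len(sigs), uris))
    # A stale aggregate still carries a valid signature; reject it anyway.
    # Assumes the YYYY-MM-DDTHH:MM:SSZ form of validUntil.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("root has no validUntil")
    elif datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc) <= now:
        problems.append("metadata expired at %s" % valid_until)
    # Duplicate IDs would make the --id-attr lookup ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID attributes in document")
    return problems

# Constructed sample: Signature directly under the root, referencing its ID.
GOOD = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="agg1" validUntil="2030-01-01T00:00:00Z">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#agg1"/></ds:SignedInfo></ds:Signature>
 <md:EntityDescriptor entityID="https://idp.example.org/idp"/>
</md:EntitiesDescriptor>"""
# Constructed sample: an unsigned outer root wrapping the signed aggregate.
WRAPPED = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="outer" validUntil="2030-01-01T00:00:00Z">
 <md:EntitiesDescriptor ID="agg1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#agg1"/>
 </ds:SignedInfo></ds:Signature></md:EntitiesDescriptor></md:EntitiesDescriptor>"""
EXPIRED = GOOD.replace(b'validUntil="2030', b'validUntil="2017')
```

Run `check_structure(open("md.xml", "rb").read())` on the downloaded aggregate before trusting the `OK` from xmlsec1; the cryptographic verification and these structural checks should both pass.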