François' Blog

Validating eduGAIN metadata

Published on 2017-02-24

This is both a blast from the past, and mostly a "note to self", as it was surprisingly hard to find how to do this. And now I am not even sure if it is complete, because XML signatures :(

Get the metadata:

$ curl -L -o md.xml

Download the certificate:

$ curl -L -O

For now, we just assume the published fingerprint on the site is correct, but of course this should be verified at any of the participating federations.

Verify it ourselves:

$ openssl x509 -in mds-2014.cer -outform DER | sha256sum
128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0  -

Now for the tricky part, or at least the part where I am not sure if this is correct or not. I got some information here, so maybe it is correct.

To verify:

$ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --trusted-pem mds-2014.cer md.xml 
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

The manpage (xmlsec1 --help-verify) is totally reassuring in any case:

--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
    adds attributes <attr-name> (default value "id") from all nodes
    with<node-name> and namespace <node-namespace-uri> to the list of
    known ID attributes; this is a hack and if you can use DTD or schema
    to declare ID attributes instead (see "--dtd-file" option),
    I don't know what else might be broken in your application when
    you use this hack

I tested it by just modifying certain fields in the metadata to see if the metadata still validates. I was unable to find a modification that made it still verify. Of course that doesn't mean it is safe, but so far so good.