François' Blog

Validating eduGAIN metadata

Published on 2017-02-24

This is both a blast from the past, and mostly a "note to self", as it was surprisingly hard to find how to do this. And now I am not even sure if it is complete, because XML signatures :(

Get the metadata:

$ curl -L -o md.xml http://mds.edugain.org/

Download the certificate:

$ curl -L -O https://technical.edugain.org/mds-2014.cer

For now, we just assume the published fingerprint on the site is correct, but of course this should be verified out of band with any of the participating federations.

Verify it ourselves:

$ openssl x509 -in mds-2014.cer -outform DER | sha256sum
128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0  -

Now for the tricky part, or at least the part where I am not sure if this is correct or not. I got some information here, so maybe it is correct.

To verify:

$ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --trusted-pem mds-2014.cer md.xml 
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
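The same steps as one repeatable script, added here as an example and not part of the original post or of eduGAIN's or xmlsec's own tooling. It pins the fingerprint quoted above and refuses to run xmlsec1 if the downloaded certificate does not match it. The `--id-attr` hack is needed because the signature's Reference URI is a `#...` pointer to the `ID` attribute of `EntitiesDescriptor`, and without a DTD or schema xmlsec1 has no way of knowing that attribute is an XML ID; `--enabled-reference-uris same-doc` additionally rejects references that point anywhere outside the file. The URLs and the expected fingerprint are taken from the post; the cross-check against a federation is still the operator's job.

```shell
#!/bin/sh
# Added example: a repeatable version of the steps in the post. Not eduGAIN's or
# xmlsec's own tooling. The pinned fingerprint is the one quoted in the post and
# should be cross-checked with a participating federation before it is trusted.
set -eu

MD_URL="http://mds.edugain.org/"
CERT_URL="https://technical.edugain.org/mds-2014.cer"
# Pinned SHA-256 of the DER-encoded signing certificate, as shown in the post.
EXPECTED_FP="128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0"

# Reduce any fingerprint spelling to 64 lowercase hex characters:
# sha256sum prints "<hex>  -", openssl prints "SHA256 Fingerprint=AA:BB:...".
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
}

# Succeeds only when both spellings denote the same full-length digest.
fingerprint_matches() {
    fp_expected=$(normalize_fp "$1")
    fp_actual=$(normalize_fp "$2")
    [ "${#fp_expected}" -eq 64 ] && [ "$fp_expected" = "$fp_actual" ]
}

# SHA-256 over the DER form of a PEM certificate file, computed by openssl.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Verify the enveloped signature. --id-attr declares the ID attribute of
# EntitiesDescriptor as an XML ID so the Reference URI "#..." resolves;
# --enabled-reference-uris same-doc rejects references outside the document.
verify_metadata() {
    xmlsec1 --verify \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
        --enabled-reference-uris same-doc \
        --trusted-pem "$1" "$2"
}

# Download, pin-check the certificate, then verify the aggregate.
run_pipeline() {
    curl -sSL -o md.xml "$MD_URL"
    curl -sSL -o mds-2014.cer "$CERT_URL"
    if ! fingerprint_matches "$EXPECTED_FP" "$(cert_fingerprint mds-2014.cer)"; then
        echo "certificate fingerprint mismatch, refusing to verify" >&2
        return 1
    fi
    verify_metadata mds-2014.cer md.xml
}

# Network and tool access only when explicitly asked for:
#   sh verify-edugain.sh run
if [ "${1:-}" = "run" ]; then
    run_pipeline
fi
```

xmlsec1 exits non-zero when the signature does not verify, so the script's exit status is usable directly from a cron job or a metadata refresh hook; a fingerprint mismatch fails before xmlsec1 is ever run.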

The manpage (xmlsec1 --help-verify) is totally reassuring in any case:

--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
    adds attributes <attr-name> (default value "id") from all nodes
    with<node-name> and namespace <node-namespace-uri> to the list of
    known ID attributes; this is a hack and if you can use DTD or schema
    to declare ID attributes instead (see "--dtd-file" option),
    I don't know what else might be broken in your application when
    you use this hack

I tested it by just modifying certain fields in the metadata to see if the metadata still validates. I was unable to find a modification that made it still verify. Of course that doesn't mean it is safe, but so far so good.
