François' Blog

Validating eduGAIN metadata

Published on 2017-02-24

This is both a blast from the past, and mostly a "note to self", as it was surprisingly hard to find how to do this. And now I am not even sure if it is complete, because XML signatures :(

Get the metadata:

$ curl -L -o md.xml http://mds.edugain.org/

Download the certificate:

$ curl -L -O https://technical.edugain.org/mds-2014.cer

For now, we just assume the published fingerprint on the site is correct, but of course this should be verified at any of the participating federations.

Verify it ourselves:

$ openssl x509 -in mds-2014.cer -outform DER | sha256sum
128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0  -

Now for the tricky part, or at least the part where I am not sure if this is correct or not. I got some information here, so maybe it is correct.

To verify:

$ xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --trusted-pem mds-2014.cer md.xml 
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

The manpage (xmlsec1 --help-verify) is totally reassuring in any case:

--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
    adds attributes <attr-name> (default value "id") from all nodes
    with<node-name> and namespace <node-namespace-uri> to the list of
    known ID attributes; this is a hack and if you can use DTD or schema
    to declare ID attributes instead (see "--dtd-file" option),
    I don't know what else might be broken in your application when
    you use this hack

I tested it by just modifying certain fields in the metadata to see if the metadata still validates. I was unable to find a modification that made it still verify. Of course that doesn't mean it is safe, but so far so good.
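As an added example (not the post's own code), here is a small Python script that pins the certificate to the fingerprint quoted above and wraps the xmlsec1 call, checking its exit status and reference count rather than trusting the OK line alone. It assumes md.xml and mds-2014.cer sit in the current directory, as fetched by the curl commands, and that xmlsec1 is on PATH.

```python
import base64
import hashlib
import hmac
import re
import subprocess

# Fingerprint of mds-2014.cer as published on the eduGAIN site (quoted in the post).
PINNED_SHA256 = "128f40346ad0bed0d2928e07118990a746043022d03d55222e62607cc3d540c0"
# Element whose ID attribute the enveloped signature's Reference URI="#..." points at.
ENTITIES_DESCRIPTOR = "urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor"

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint_matches(pem_text, expected_hex=PINNED_SHA256):
    """Same digest as `openssl x509 -outform DER | sha256sum`; compared in
    constant time so a near-miss is not distinguishable from a total mismatch."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())

def xmlsec_verify_cmd(cert_path, metadata_path):
    """argv for the xmlsec1 call from the post, with the --id-attr hack that
    registers EntitiesDescriptor/@ID so the signature's Reference can be resolved."""
    return ["xmlsec1", "--verify", "--id-attr:ID", ENTITIES_DESCRIPTOR,
            "--trusted-pem", cert_path, metadata_path]

def signature_ok(returncode, output):
    """Accept only exit status 0, an explicit OK line, and a reference count
    where every reference verified and at least one was actually checked."""
    if returncode != 0 or not re.search(r"^OK\s*$", output, re.M):
        return False
    m = re.search(r"SignedInfo References \(ok/all\): (\d+)/(\d+)", output)
    return bool(m) and m.group(1) == m.group(2) and int(m.group(2)) >= 1

if __name__ == "__main__":
    # Both files come from the curl commands in the post.
    with open("mds-2014.cer") as f:
        if not fingerprint_matches(f.read()):
            raise SystemExit("mds-2014.cer does not match the pinned fingerprint")
    proc = subprocess.run(xmlsec_verify_cmd("mds-2014.cer", "md.xml"),
                          capture_output=True, text=True)
    print("verified" if signature_ok(proc.returncode, proc.stdout + proc.stderr)
          else "NOT verified")
```

xmlsec1 writes the OK status and the reference counts to different streams, which is why stdout and stderr are concatenated before parsing.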