OpenAM / OPENAM-14336

Unable to use Signed Metadata to Re-Import


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: 5.5.2, 6.0.1, 6.5.1, 7.0.0
    • Component/s: None
    • Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description.


      Bug description

      Importing signed remote SP metadata and then exporting it results in signed metadata that does not match the signature format.

      How to reproduce the issue

      1. Import the certificate from the metadata:
        A. Take the X509Certificate value from the metadata's Signature block and surround it with:
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        B. Save this file as .pem.
        C. Use openssl to convert this to a DER-encoded file:
        openssl x509 -in cert.pem -outform der -out cert.der
        D. Import the certificate with keytool:
        keytool -importcert -keystore keystore.jceks -storetype jceks -storepass $(cat .storepass) -file cert.der -alias cert
      2. Import the signed metadata into AM. You will not get any warning if the cert is installed.
      3. Export a signed copy of the metadata using ssoadm:
        ./ssoadm export-entity -u amadmin -f /root/openam/bin/pwd.txt -e / -y externalsp -c saml2 -m /root/openam/bin/export.xml -g
      4. Remove the original SP entity, and try to re-import the signed metadata.
      Expected behaviour
      You should be able to import this same metadata without an issue.
      Current behaviour
      The Metadata will fail to import with the error:
      Unable to verify signature under element "EntityDescriptor".

      The exported signature area contains line breaks, inserted to make the signature more readable.

      Workaround

      Edit the XML to make it match the original.

      I tried with JAVA_OPTS='-Dorg.apache.xml.security.ignoreLineBreaks=true' and this didn't change the behavior either.
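Added example (Python, standard library only; this is not OpenAM's code) covering both the certificate-extraction steps 1A-1D and the re-import failure described above. It builds constructed signed SP metadata, pulls the X509Certificate out into a PEM file with the five-dash armor that openssl and keytool actually accept, and then separates the two kinds of inserted line break: breaks inside base64 text (SignatureValue, X509Certificate) decode to the same bytes, whereas breaks inserted between the elements of ds:SignedInfo survive canonicalization and change the bytes a verifier hashes. The metadata, certificate and signature bytes are constructed and not real, the exporter in pretty_print_signature is a stand-in rather than OpenAM's, and the page does not say which whitespace OpenAM's export inserts, so this illustrates the mechanism rather than asserting the root cause.

```python
"""Added example, not OpenAM code: PEM extraction from SAML metadata, and why
line breaks inside base64 are harmless while line breaks between signed
elements break XML-DSig verification. All data below is constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)

# Constructed stand-ins for the certificate and signature bytes (not real).
FAKE_CERT_DER = b"constructed-not-a-real-certificate-" * 4
FAKE_SIG = b"constructed-not-a-real-signature-" * 3


def b64_wrapped(data: bytes, width: int = 64) -> str:
    """Base64 broken into `width`-column lines, as PEM writers and many
    XML-DSig implementations emit it."""
    s = base64.b64encode(data).decode("ascii")
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


# Constructed signed SP metadata shaped like a SAML 2.0 EntityDescriptor with
# an enveloped ds:Signature, written with no whitespace between elements.
# DigestValue is a placeholder; nothing here is a real signature.
METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="externalsp" '
    'entityID="https://sp.example.com/saml">'
    '<ds:Signature><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '<ds:Reference URI="#externalsp">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    f'<ds:SignatureValue>{b64_wrapped(FAKE_SIG)}</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{b64_wrapped(FAKE_CERT_DER)}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://sp.example.com/saml/acs" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)


def _find(metadata_xml: str, local_name: str) -> ET.Element:
    node = ET.fromstring(metadata_xml).find(f".//{{{DS}}}{local_name}")
    if node is None:
        raise ValueError(f"no ds:{local_name} in metadata")
    return node


def cert_der(metadata_xml: str) -> bytes:
    """DER bytes of ds:X509Certificate. Whitespace inside the base64 text
    (line breaks from wrapping) is stripped before strict decoding."""
    text = re.sub(r"\s+", "", _find(metadata_xml, "X509Certificate").text or "")
    return base64.b64decode(text, validate=True)


def cert_to_pem(metadata_xml: str) -> str:
    """PEM that openssl/keytool accept: five-dash markers, 64-column lines
    (four-dash markers, as typed in the report, are not valid PEM armor)."""
    return ("-----BEGIN CERTIFICATE-----\n" + b64_wrapped(cert_der(metadata_xml))
            + "\n-----END CERTIFICATE-----\n")


def signature_value(metadata_xml: str) -> bytes:
    """Decoded ds:SignatureValue; like the cert, whitespace-insensitive."""
    text = re.sub(r"\s+", "", _find(metadata_xml, "SignatureValue").text or "")
    return base64.b64decode(text, validate=True)


def signed_info_digest(metadata_xml: str) -> str:
    """SHA-256 over the canonicalized ds:SignedInfo, i.e. over the bytes an
    XML-DSig verifier checks the signature against. The stdlib offers C14N 2.0
    rather than the exclusive C14N 1.0 named in the metadata; both preserve
    whitespace-only text nodes, which is the behaviour shown here."""
    si = ET.tostring(_find(metadata_xml, "SignedInfo"), encoding="unicode")
    return hashlib.sha256(ET.canonicalize(si).encode()).hexdigest()


def pretty_print_signature(metadata_xml: str) -> str:
    """Stand-in for an exporter that indents the ds:Signature subtree for
    readability. Constructed illustration, not OpenAM's export code."""
    root = ET.fromstring(metadata_xml)
    ET.indent(root.find(f".//{{{DS}}}Signature"), space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    exported = pretty_print_signature(METADATA)
    print(cert_to_pem(METADATA))
    print("SignatureValue unchanged by re-formatting:",
          signature_value(METADATA) == signature_value(exported))
    print("SignedInfo digest unchanged by re-formatting:",
          signed_info_digest(METADATA) == signed_info_digest(exported))
```

The practical check this gives you when triaging a "Unable to verify signature" re-import: diff the canonicalized SignedInfo of the exported file against the original rather than the raw files; if only the base64 text wrapped differently, the signature itself is still intact and the decoder will cope, but any whitespace that appeared between signed elements is enough to invalidate the signature.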

      Code analysis





            • Assignee: Lawrence Yarham, William Hepler
            • QA Assignee: Filip Kubáň