metadata-support - Re: [Metadata-Support] significant slowdown in XML Signature validation
Subject: InCommon metadata support
- From: Tom Scavo <>
- To: "" <>
- Subject: Re: [Metadata-Support] significant slowdown in XML Signature validation
- Date: Fri, 19 Feb 2016 15:08:16 -0500
On Thu, Feb 18, 2016 at 7:06 PM, Jeffrey Eaton <> wrote:
>
>> On Feb 18, 2016, at 12:52 PM, Tom Scavo <> wrote:
>>
>> Jeffrey, can you add this filter and see if it makes a difference?
>>
>> <!-- Consume all IdP metadata in the aggregate -->
>> <MetadataFilter type="EntityRoleWhiteList">
>> <RetainedRole>md:IDPSSODescriptor</RetainedRole>
>> <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
>> </MetadataFilter>
>>
>> See: https://spaces.internet2.edu/x/XAQjAQ
>
> If I put them in this order:
> <MetadataProvider type="XML" file="incommon.xml" reloadInterval="7200">
> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
> <!-- Consume all IdP metadata in the aggregate -->
> <MetadataFilter type="EntityRoleWhiteList">
> <RetainedRole>md:IDPSSODescriptor</RetainedRole>
> <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
> </MetadataFilter>
> <MetadataFilter type="Signature" certificate="incommon.pem"/>
> </MetadataProvider>
>
> it fails with:
>
> 2016-02-18 18:43:33 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/incommon.pem)
> 2016-02-18 18:43:33 INFO XMLTooling.CredentialResolver.File : no private key resolved, usable for verification/trust only
> 2016-02-18 18:43:33 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
> 2016-02-18 18:43:33 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
> 2016-02-18 18:43:33 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/incommon.xml)
> 2016-02-18 18:43:35 INFO OpenSAML.Metadata : applying metadata filter (RequireValidUntil)
> 2016-02-18 18:43:35 INFO OpenSAML.Metadata : applying metadata filter (EntityRoleWhiteList)
> 2016-02-18 18:43:36 INFO OpenSAML.Metadata : applying metadata filter (Signature)
> 2016-02-18 18:43:36 WARN OpenSAML.MetadataFilter.Signature : filtering out group at root of instance after failed signature check: Invalid signature profile for SAML object.
> 2016-02-18 18:43:36 CRIT Shibboleth.Application : error initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.
>
> If I put them in this order:
>
> <MetadataProvider type="XML" file="incommon.xml" reloadInterval="7200">
> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
> <!-- Consume all IdP metadata in the aggregate -->
> <MetadataFilter type="EntityRoleWhiteList">
> <RetainedRole>md:IDPSSODescriptor</RetainedRole>
> <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
> </MetadataFilter>
> <MetadataFilter type="Signature" certificate="incommon.pem"/>
> </MetadataProvider>
>
> The signature check passes (just as slowly as without the
> EntityRoleWhiteList filter), and the filtering completes but doesn’t seem
> to have much effect on the in-memory resident size (still taking ~250MB).
I must be missing something since those two MetadataProviders look
exactly the same. Jeffrey, can you double-check what you wrote?
Tom
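The failure Jeffrey quotes above, where EntityRoleWhiteList runs before the Signature filter, comes down to filter order: a filter that removes entities changes the document, and the signature over the root EntitiesDescriptor can only verify against the document exactly as published. The following is an added toy model of that filter chain in Python; it is not code from this thread or from the Shibboleth project. A SHA-256 digest over the serialized root element stands in for the real XML-DSig verification, the sample aggregate is constructed, and the names `run_filter_chain`, `compare_orders`, `publisher_digest` and `MetadataFilterError` are assumptions made for this example.

```python
# Added example: a toy model of the Shibboleth SP metadata filter chain.
# Not code from the thread or from the Shibboleth project. A SHA-256 digest
# over the serialized root element stands in for the real XML-DSig check;
# the function and class names below are assumptions made for this example.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)


def md(local_name):
    """Clark-notation tag for an element in the SAML metadata namespace."""
    return "{%s}%s" % (MD_NS, local_name)


# Constructed sample aggregate (one IdP, one SP); not real InCommon metadata.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:toy-aggregate" validUntil="2016-03-10T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataFilterError(Exception):
    """Raised by a filter to abort loading, as the SP does on a failed check."""


def serialize(root):
    """Deterministic serialization; stands in for XML-DSig canonicalization."""
    return ET.tostring(root, encoding="utf-8")


def publisher_digest(xml_text):
    """What the federation 'signs' in this model: a digest over the whole root element."""
    return hashlib.sha256(serialize(ET.fromstring(xml_text))).hexdigest()


def require_valid_until(root, now, max_validity_interval):
    """RequireValidUntil: the root must carry validUntil no further out than the limit."""
    value = root.get("validUntil")
    if value is None:
        raise MetadataFilterError("RequireValidUntil: no validUntil on root")
    valid_until = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if valid_until - now > timedelta(seconds=max_validity_interval):
        raise MetadataFilterError("RequireValidUntil: validity interval too long")
    return root


def entity_role_whitelist(root, retained_roles):
    """EntityRoleWhiteList: drop every EntityDescriptor that has none of the retained roles."""
    wanted = [md(role.split(":")[-1]) for role in retained_roles]
    for entity in list(root.findall(md("EntityDescriptor"))):
        if all(entity.find(tag) is None for tag in wanted):
            # This mutates the document, so any signature check run afterwards sees the change.
            root.remove(entity)
    return root


def signature_filter(root, expected_digest):
    """Signature: the digest must cover the document exactly as it is at this point in the chain."""
    if hashlib.sha256(serialize(root)).hexdigest() != expected_digest:
        raise MetadataFilterError("Signature: failed signature check at root of metadata instance")
    return root


def run_filter_chain(xml_text, order, expected_digest, now):
    """Apply the named filters in the configured order.

    Returns ('ok', [entityIDs kept]) or ('failed', reason)."""
    filters = {
        "RequireValidUntil": lambda r: require_valid_until(r, now, 2419200),
        "EntityRoleWhiteList": lambda r: entity_role_whitelist(
            r, ["md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor"]),
        "Signature": lambda r: signature_filter(r, expected_digest),
    }
    root = ET.fromstring(xml_text)
    try:
        for name in order:
            root = filters[name](root)
    except MetadataFilterError as err:
        return ("failed", str(err))
    return ("ok", [e.get("entityID") for e in root.findall(md("EntityDescriptor"))])


def compare_orders():
    """Run the order quoted in the thread (whitelist before Signature) next to the corrected order."""
    digest = publisher_digest(SAMPLE_AGGREGATE)
    now = datetime(2016, 2, 19, tzinfo=timezone.utc)  # fixed clock so the run is repeatable
    return {
        "whitelist_then_signature": run_filter_chain(
            SAMPLE_AGGREGATE, ["RequireValidUntil", "EntityRoleWhiteList", "Signature"], digest, now),
        "signature_then_whitelist": run_filter_chain(
            SAMPLE_AGGREGATE, ["RequireValidUntil", "Signature", "EntityRoleWhiteList"], digest, now),
    }


if __name__ == "__main__":
    for order, outcome in compare_orders().items():
        print(order, outcome)
```

With the whitelist ahead of the Signature filter, the SP entity is removed before the digest is checked, so the check fails and the chain aborts, which is the toy analogue of the CRIT line in the log above. With the Signature filter first, the untouched document verifies, and only then is the aggregate reduced to the IdP entity. The general rule this illustrates is that every filter that modifies the document must sit after the filter that verifies it.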