...
The certificate must be obtained securely, since all subsequent operations depend on it. You can check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to fetch the certificate and print its SHA-1 fingerprint, then compare that fingerprint with the expected value shown below:
```shell
$ /usr/bin/curl --silent --remote-name https://wayf.incommonfederation.org/bridge/certs/incommon.pem
...
$ /usr/bin/openssl x509 -sha1 -in incommon.pem -noout -fingerprint
...
SHA1 Fingerprint=96:0F:3B:32:87:D5:C3:A4:9F:50:B6:B7:84:33:48:7C:C2:C3:0D:C2
```
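The fingerprint comparison above is the step that turns a downloaded file into a trusted certificate, so it is worth doing in a way that fails closed and does not depend on eyeballing forty hex digits. The following script is an added example, not code from this page or from InCommon: it extracts the DER bytes from a PEM file, computes the same SHA-1 fingerprint that `openssl x509 -sha1 -noout -fingerprint` prints, and compares it in constant time against a pinned value. It accepts the fingerprint in either the colon-separated `openssl` form or as a bare hex string. The embedded `SAMPLE_PEM` is a constructed stand-in whose body is just the bytes `abc` (not a real X.509 certificate) so that the example runs offline and its expected fingerprint is a known SHA-1 test vector; `EXPECTED_INCOMMON_SHA1` is the value shown on this page.

```python
import base64
import hashlib
import hmac
import re

# Expected SHA-1 fingerprint of incommon.pem, as printed on this page.
EXPECTED_INCOMMON_SHA1 = "96:0F:3B:32:87:D5:C3:A4:9F:50:B6:B7:84:33:48:7C:C2:C3:0D:C2"

# Constructed sample: NOT a real X.509 certificate. The PEM body is the
# base64 of b"abc" ("YWJj"), so its SHA-1 is the well-known test vector
# a9993e36..., which lets this example run offline and be checked exactly.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
SAMPLE_SHA1 = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the FIRST CERTIFICATE block in a PEM file.

    Only the first block is used, so extra data appended after it cannot
    change which certificate gets fingerprinted. Raises ValueError on a
    file with no block or with invalid base64.
    """
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 over the DER encoding; this is the
    value `openssl x509 -sha1 -noout -fingerprint` prints."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Reduce '96:0F:...', '960f...' or 'SHA1 Fingerprint=96:0F:...' to
    40 upper-case hex digits so the two forms compare equal."""
    fp = fp.split("=", 1)[-1]
    fp = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(fp) != 40:
        raise ValueError("SHA-1 fingerprint must be 40 hex digits")
    return fp


def fingerprint_matches(pem_text, expected_fp):
    """True only if the certificate's SHA-1 fingerprint equals the pinned
    value. A malformed pinned value is a configuration error and raises;
    a malformed PEM is treated as a mismatch, never as success."""
    expected = normalize_fingerprint(expected_fp)
    try:
        actual = normalize_fingerprint(sha1_fingerprint(pem_to_der(pem_text)))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys
    # Usage: python check_fingerprint.py incommon.pem
    # Non-zero exit on mismatch so a calling script stops before the
    # certificate is used to verify any metadata.
    path = sys.argv[1] if len(sys.argv) > 1 else "incommon.pem"
    with open(path, encoding="ascii") as f:
        ok = fingerprint_matches(f.read(), EXPECTED_INCOMMON_SHA1)
    print("fingerprint OK" if ok
          else "FINGERPRINT MISMATCH: do not use this certificate")
    sys.exit(0 if ok else 1)
```

Run it against the real `incommon.pem` after the `curl` step; the remaining steps on this page should only proceed when it exits 0.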
Once the certificate file is installed locally, you can use it to verify the signature on the metadata file. For example, you could use XmlSecTool (or a similar third-party tool) to verify the signature; `--signatureRequired` makes the check fail if the file carries no signature at all:
```shell
$ /usr/bin/curl --silent --remote-name http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
$ ./xmlsectool.sh --verifySignature --signatureRequired \
    --certificate incommon.pem --inFile InCommon-metadata.xml
```
You may also want to schema-validate the metadata:

```shell
$ ./xmlsectool.sh --validateSchema \
    --schemaDirectory schema-files --inFile InCommon-metadata.xml
```
...