...
The certificate must be obtained securely since all subsequent operations depend on it. You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to check the integrity of the certificate as follows:
```
# get the metadata signing certificate on wayf.incommonfederation.org via HTTPS
# and display the HTTP response header
$ CERT_PATH=~/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent --dump-header /dev/tty https://wayf.incommonfederation.org/bridge/certs/incommon.pem > $CERT_PATH
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2013 22:31:11 GMT
Server: Apache
Last-Modified: Mon, 16 Dec 2013 21:15:44 GMT
ETag: "6077f-4fd-4edad50966000"
Accept-Ranges: bytes
Content-Length: 1277
Connection: close
Content-Type: text/plain; charset=UTF-8

# compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /usr/bin/openssl x509 -sha1 -in $CERT_PATH -noout -fingerprint
SHA1 Fingerprint=967D:0FB4:3BBB:3228:87D3:D5:C3:A4:9F:50:B6:B7:84:33:48:7C:C2:C3:0D:C2:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /usr/bin/openssl x509 -sha256 -in $CERT_PATH -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
```
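The fingerprint check above is the step that actually anchors trust: the TLS download only proves you talked to the web server, while comparing the fingerprint against a value obtained out of band proves you hold the expected signing certificate. The following Python script is an added example (not code from the InCommon page or project) that automates that comparison: it converts the PEM file to DER, hashes it exactly as `openssl x509 -fingerprint` does, and compares the result to a pinned fingerprint in constant time, accepting the pin in openssl's `SHA256 Fingerprint=AB:CD:...` form, with or without colons, in either case. `SAMPLE_PEM` is a constructed placeholder whose body is not a real certificate; only the hashing and comparison logic is meant to be reused.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Constructed sample: the base64 body is a placeholder blob, not a real
# certificate. Fingerprinting only needs the DER bytes, so the logic is the
# same for a genuine PEM file downloaded from the federation.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"placeholder DER bytes for the fingerprint demo").decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Digest of the DER encoding in openssl's colon-separated upper-case form."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(pin: str) -> str:
    """Reduce 'SHA256 Fingerprint=ab:cd', 'AB:CD' or 'abcd' to 'ABCD'.

    Raises ValueError when the remaining text is not hexadecimal, so a
    mis-pasted pin fails loudly instead of silently never matching.
    """
    body = pin.split("=", 1)[-1].strip()
    hexonly = body.replace(":", "").replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexonly):
        raise ValueError("fingerprint is not hexadecimal: %r" % pin)
    return hexonly.upper()


def pin_matches(pem: str, expected_pin: str, algorithm: str = "sha256") -> bool:
    """True only if the certificate's fingerprint equals the out-of-band pin.

    hmac.compare_digest avoids leaking where the first differing byte sits;
    a pin of the wrong length (e.g. a SHA-1 pin checked as SHA-256) is False.
    """
    got = normalize(fingerprint(pem, algorithm))
    want = normalize(expected_pin)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        return False
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Usage (assumed, not from the page): python verify_cert.py <https-url> <pinned-sha256>
    import sys
    import urllib.request

    url, pin = sys.argv[1], sys.argv[2]
    # create_default_context() verifies the server chain and hostname, which is
    # what makes the download "secure"; the pin check is what makes it trusted.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx) as resp:
        pem_text = resp.read().decode("ascii")
    print("SHA256 Fingerprint=" + fingerprint(pem_text))
    sys.exit(0 if pin_matches(pem_text, pin) else 1)
```

The pinned value should come from a channel independent of the download (the federation's published fingerprint, a colleague's verified copy, a previously validated file), otherwise the check only confirms that the file hashes to itself. Once the fingerprint matches, the file is safe to hand to a signature-verification tool such as XmlSecTool.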
Once the certificate file is locally installed, you can use it to verify the signature on the metadata file. For example, you could use the XmlSecTool (or some similar 3rd-party tool) to verify the signature:
```
$ /usr/bin/curl --silent --remote-name http://md.incommon.org/InCommon/InCommon-metadata.xml
$ ./xmlsectool.sh --verifySignature --signatureRequired \
    --certificate $CERT_PATH --inFile InCommon-metadata.xml
```
...