
Significant rework of the fr_renater channel to handle the RENATER fe…
…deration's participation in eduGAIN.
iay committed May 29, 2013
1 parent 8088e1d commit 3c22b2e
Showing 7 changed files with 312 additions and 13 deletions.
3 changes: 2 additions & 1 deletion build.xml
Expand Up @@ -894,7 +894,6 @@
<CHANNEL.import channel="at_aconet"/>
<CHANNEL.import channel="au_aaf"/>
<CHANNEL.import channel="eu_clarin"/>
<CHANNEL.import channel="fr_renater"/>
<CHANNEL.import channel="ie_edugate"/>
<CHANNEL.do channel="ie_edugate" verb="importAll"/>
<CHANNEL.import channel="int_edugain"/>
Expand Down Expand Up @@ -924,6 +923,7 @@
<CHANNEL.do verb="importProduction" channel="dk_wayf"/>
<CHANNEL.do verb="importProduction" channel="es_sir"/>
<CHANNEL.do verb="importProduction" channel="fi_haka"/>
<CHANNEL.do verb="importProduction" channel="fr_renater"/>
<CHANNEL.do verb="importProduction" channel="gr_grnet"/>
<CHANNEL.do verb="importProduction" channel="hu_eduid"/>
<CHANNEL.do verb="importProduction" channel="in_infed"/>
Expand All @@ -950,6 +950,7 @@
<CHANNEL.do verb="importEdugain" channel="dk_wayf"/>
<CHANNEL.do verb="importEdugain" channel="es_sir"/>
<CHANNEL.do verb="importEdugain" channel="fi_haka"/>
<CHANNEL.do verb="importEdugain" channel="fr_renater"/>
<CHANNEL.do verb="importEdugain" channel="gr_grnet"/>
<CHANNEL.do verb="importEdugain" channel="hr_eduhr"/>
<CHANNEL.do verb="importEdugain" channel="hu_eduid"/>
138 changes: 132 additions & 6 deletions mdx/fr_renater/beans.xml
Expand Up @@ -12,6 +12,19 @@
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

<!--
Location of various resources.
-->
<bean id="fr_renater_productionAggregate_url" class="java.lang.String">
<constructor-arg value="https://services-federation.renater.fr/metadata/renater-metadata.xml"/>
</bean>
<bean id="fr_renater_edugainAggregate_url" class="java.lang.String">
<constructor-arg value="https://fedregistry.renater.fr/edugain/edugain-metadata.xml"/>
</bean>
<bean id="fr_renater_testAggregate_url" class="java.lang.String">
<constructor-arg value="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"/>
</bean>

<!--
Fetch the production aggregate.
-->
Expand All @@ -20,7 +33,20 @@
<property name="domResource">
<bean class="net.shibboleth.utilities.java.support.httpclient.HttpResource">
<constructor-arg name="client" ref="httpClient"/>
<constructor-arg name="url" value="https://services-federation.renater.fr/metadata/renater-metadata.xml"/>
<constructor-arg name="url" ref="fr_renater_productionAggregate_url"/>
</bean>
</property>
</bean>

<!--
Fetch the eduGAIN export aggregate.
-->
<bean id="fr_renater_edugainAggregate" parent="domResourceStage_parent"
p:id="fr_renater_edugainAggregate">
<property name="domResource">
<bean class="net.shibboleth.utilities.java.support.httpclient.HttpResource">
<constructor-arg name="client" ref="httpClient"/>
<constructor-arg name="url" ref="fr_renater_edugainAggregate_url"/>
</bean>
</property>
</bean>
Expand All @@ -33,7 +59,7 @@
<property name="domResource">
<bean class="net.shibboleth.utilities.java.support.httpclient.HttpResource">
<constructor-arg name="client" ref="httpClient"/>
<constructor-arg name="url" value="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"/>
<constructor-arg name="url" ref="fr_renater_testAggregate_url"/>
</bean>
</property>
</bean>
Expand All @@ -59,10 +85,69 @@
</bean>

<!--
Fetch and process the exported entities as a collection.
eduGAIN signing certificate.
-->
<bean id="fr_renater_edugainSigningCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
<property name="certificateFile">
<bean class="java.io.File">
<constructor-arg value="#{ systemProperties['basedir'] }/mdx/fr_renater/renater-federation-metadata.crt"/>
</bean>
</property>
</bean>

<!--
Check eduGAIN signing signature.
-->
<bean id="fr_renater_edugainCheckSignature" parent="stage_parent"
class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
p:id="fr_renater_edugainCheckSignature">
<property name="verificationCertificate" ref="fr_renater_edugainSigningCertificate"/>
</bean>

<!--
fr_renater_registrar
Unique ID for the registrar associated with this channel.
-->
<bean id="fr_renater_registrar" class="java.lang.String">
<constructor-arg value="https://federation.renater.fr/gestion"/>
</bean>

<!--
fr_renater_check_regauth
Any registrationAuthority already present on an entity in this
channel must match the known registration authority value.
-->
<bean id="fr_renater_check_regauth" parent="check_regauth_parent"
p:id="fr_renater_check_regauth">
<property name="transformParameters">
<map>
<entry key="expectedAuthority" value-ref="fr_renater_registrar"/>
</map>
</property>
</bean>

<!--
fr_renater_default_regauth
Provide a default registrationAuthority appropriate to
this channel.
-->
<bean id="fr_renater_exportedEntities" parent="composite_parent"
p:id="fr_renater_exportedEntities">
<bean id="fr_renater_default_regauth" parent="default_regauth_parent"
p:id="fr_renater_default_regauth">
<property name="transformParameters">
<map>
<entry key="defaultAuthority" value-ref="fr_renater_registrar"/>
</map>
</property>
</bean>

<!--
Fetch and process the production entities as a collection.
-->
<bean id="fr_renater_productionEntities" parent="composite_parent"
p:id="fr_renater_productionEntities">
<property name="composedStages">
<list>
<!-- no export aggregate; use the production one instead -->
Expand All @@ -79,6 +164,9 @@

<ref bean="disassemble"/>

<ref bean="fr_renater_default_regauth"/>
<ref bean="fr_renater_check_regauth"/>

<ref bean="standardImportActions"/>

<!-- Strip all entity attributes from this source. -->
Expand All @@ -87,5 +175,43 @@
</list>
</property>
</bean>


<!--
Fetch and process the eduGAIN export entities as a collection.
-->
<bean id="fr_renater_edugainEntities" parent="composite_parent"
p:id="fr_renater_edugainEntities">
<property name="composedStages">
<list>
<!-- no export aggregate; use the production one instead -->
<ref bean="fr_renater_edugainAggregate"/>

<!--
Check for fatal errors at the aggregate level:
missing or expired validUntil attribute
invalid signature
-->
<ref bean="check_validUntil"/>
<ref bean="fr_renater_edugainCheckSignature"/>
<ref bean="errorTerminatingFilter"/>

<ref bean="disassemble"/>

<ref bean="fr_renater_default_regauth"/>
<ref bean="fr_renater_check_regauth"/>

<ref bean="standardImportActions"/>

<!-- Strip all entity attributes from this source. -->
<ref bean="stripMdattrNamespace"/>

</list>
</property>
</bean>

<!--
Select primary export aggregate.
-->
<alias alias="fr_renater_exportedAggregate" name="fr_renater_edugainAggregate"/>
<alias alias="fr_renater_exportedEntities" name="fr_renater_edugainEntities"/>
</beans>
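Review bot: The comment `<!-- no export aggregate; use the production one instead -->` inside fr_renater_edugainEntities is stale: the ref that follows it is fr_renater_edugainAggregate, so this list consumes the eduGAIN export aggregate, not the production one. Replace it with `<!-- eduGAIN export aggregate; signed with a different certificate from the production aggregate -->`. Separately, fr_renater_edugainCheckSignature verifies against the end-entity certificate loaded from renater-federation-metadata.crt, and no bean in these hunks references the CA certificate added as renater-federation-metadata-ca.crt; a comment on fr_renater_edugainSigningCertificate should state that verification pins the leaf certificate (Not After Mar 13 2023 per the readme) and that the CA file is informational only, so the leaf's expiry has to be tracked rather than assumed to be covered by a chain. The fr_renater_productionEntities hunk at `@@ -79,6 +164,9 @@` starts and ends inside that bean's composedStages list.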
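--- a/mdx/fr_renater/edugain-signer.crt
+++ b/mdx/fr_renater/edugain-signer.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJG
+UjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWdu
+YXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlv
+bi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3WhcNMTkwMzIzMDk1MTM3WjB3MQsw
+CQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNh
+dCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9u
+IEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AJBXcLIguokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VF
+Mpcry04lfPA3mpwDis47hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0
+QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZlcUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3Mtn0jC1dmav6X9fbhhmFL
+1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18tx0vHqkf
+Shcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q=
+-----END CERTIFICATE-----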
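Review bot: The file name does not match its contents: the base64 appears to decode to the self-signed 2009-2019 RENATER certificate with the 1024-bit key and subject `Certificat de signature des meta donnees de la federation Education-Recherche`, which the readme in this commit describes as the production signing certificate held in `metadata-federation-renater.crt`, not as the eduGAIN signer. No bean in the beans.xml hunks references edugain-signer.crt either, while the eduGAIN signature check loads renater-federation-metadata.crt. Either rename this file to the name the readme uses or correct the readme, so that the certificate actually pinned for each aggregate is the one documented.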
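--- a/mdx/fr_renater/readme.md
+++ b/mdx/fr_renater/readme.md
@@ -0,0 +1,27 @@
+# `fr_renater` Channel
+
+France -- RENATER federation
+
+[Federation web site.](https://services.renater.fr/federation/en/index)
+
+eduGAIN participant
+
+## Metadata Signing Practices
+
+The production metadata we are fetching may be an old format; it is signed using the certificate in `metadata-federation-renater.crt`, which is a self-signed certificate with a 1024-bit key, as follows:
+
+Issuer: C=FR, O=RENATER, CN=Certificat de signature des meta donnees de la federation Education-Recherche
+Validity
+Not Before: Mar 25 09:51:37 2009 GMT
+Not After : Mar 23 09:51:37 2019 GMT
+Subject: C=FR, O=RENATER, CN=Certificat de signature des meta donnees de la federation Education-Recherche
+
+The eduGAIN aggregate, which is pulled from a different server, is signed with a different certificate:
+
+Issuer: C=FR, O=GIP RENATER, CN=AC metadata federation education-recherche/emailAddress=support-federation@support.renater.fr
+Validity
+Not Before: Mar 15 14:46:04 2013 GMT
+Not After : Mar 13 14:46:04 2023 GMT
+Subject: C=FR, O=GIP RENATER, CN=metadata federation education-recherche/emailAddress=support-federation@support.renater.fr
+
+This is held in `renater-federation-metadata.crt`, and has a 2048-bit RSA key. Note that this certificate is not self-signed, but is issued by the root CA held in `renater-federation-metadata-ca.crt`.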
24 changes: 24 additions & 0 deletions mdx/fr_renater/renater-federation-metadata-ca.crt
@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
83 changes: 83 additions & 0 deletions mdx/fr_renater/renater-federation-metadata.crt
@@ -0,0 +1,83 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, O=GIP RENATER, CN=AC metadata federation education-recherche/emailAddress=support-federation@support.renater.fr
Validity
Not Before: Mar 15 14:46:04 2013 GMT
Not After : Mar 13 14:46:04 2023 GMT
Subject: C=FR, O=GIP RENATER, CN=metadata federation education-recherche/emailAddress=support-federation@support.renater.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:3d:c2:50:21:85:c7:6a:f6:fc:9f:cc:a6:70:
ac:af:3f:2e:52:14:65:55:17:09:98:fd:2c:4a:bc:
54:a0:e9:b6:83:4d:a5:12:08:d3:04:c1:63:84:37:
e7:43:d6:16:07:a4:83:a9:54:d9:6c:7c:f4:3b:4b:
46:4b:ae:d1:0f:1c:ee:3a:0a:42:d0:7c:bd:de:d6:
f1:83:33:d2:18:27:65:ee:9e:ff:8f:f9:45:ff:5b:
69:4d:c2:1b:27:37:6a:bf:99:43:2d:e7:48:18:a6:
59:57:61:7f:a9:53:f3:94:1b:c6:e1:7b:c8:98:65:
e6:03:ae:26:b9:09:6f:72:8c:c9:ec:e4:8a:41:e8:
2e:1c:77:5a:15:11:bc:16:ed:81:7c:b4:69:86:3f:
7e:eb:78:bf:1a:35:2e:ae:81:98:42:ee:fc:3b:70:
6a:b9:c9:89:83:d0:46:11:5b:b8:d0:e1:7f:77:f9:
b6:2f:83:e7:5d:6f:44:60:48:ca:8a:95:b9:60:7e:
7d:ce:58:d2:e2:e9:70:69:50:0a:91:36:7d:8f:a6:
68:8a:de:ee:23:ef:89:62:8d:0d:20:b1:4b:51:ba:
8b:18:dd:79:45:83:b2:7d:9c:61:f1:3c:9a:c8:67:
a6:e5:6b:69:d6:ec:68:67:a8:0d:11:7c:98:03:1a:
b3:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:7C:2A:13:02:9A:45:2B:3C:BD:D4:70:68:6F:D1:F1:70:B4:24:F0
X509v3 Authority Key Identifier:
keyid:7C:B8:4A:D2:29:A4:DD:D6:5A:71:62:43:AF:63:CD:DD:89:05:C4:33

Signature Algorithm: sha1WithRSAEncryption
60:b4:45:74:42:16:56:11:b2:74:14:39:26:22:eb:bb:bd:84:
bc:81:84:4e:8f:bd:00:dd:29:ca:87:88:ff:29:d7:7e:5a:bd:
d0:cb:20:33:ac:75:7b:01:0b:86:86:0d:91:4a:b9:85:69:09:
a0:55:3a:47:ea:fd:84:d9:3f:3d:0f:ed:c9:9d:a2:13:ea:8f:
7c:80:59:93:c1:4f:88:e7:d5:f3:f0:14:61:fe:ce:29:af:bf:
53:d8:53:5b:a8:49:7d:df:41:52:45:fb:9d:b4:cd:a4:f5:0c:
9e:ac:65:72:85:0e:5f:85:87:ff:c4:d3:65:1b:15:0c:25:9a:
df:72:10:3e:94:59:e8:43:79:2c:60:20:3e:1e:40:7f:24:36:
6f:cd:94:ab:b0:92:37:cd:d3:f3:f9:fb:fa:1c:24:e3:75:62:
b3:f4:34:a1:29:8c:4c:60:ed:59:96:4c:8c:ef:64:a8:3f:4c:
d1:55:ed:cd:c5:e0:45:1d:70:2d:71:77:71:fd:86:ec:e0:9b:
73:1f:f7:f9:96:ab:9a:fd:92:c1:40:c8:e6:d5:df:fe:66:2d:
84:66:aa:78:e5:4f:cd:16:b4:7b:f5:c6:b2:b8:cc:db:4d:7c:
50:a2:35:80:15:5d:46:75:ef:c1:da:c1:c4:00:da:01:9a:ec:
86:37:57:98
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
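Review bot: The PEM block is preceded by the full openssl text dump (from `Certificate:` through the signature bytes); whether X509CertificateFactoryBean, which loads this file via fr_renater_edugainSigningCertificate in beans.xml, tolerates leading non-PEM text is not visible here, so confirm the bean parses it or move the dump into the readme. If the dump stays, it is useful provenance for the pinned leaf: it records the Mar 15 2013 to Mar 13 2023 validity, `CA:FALSE`, and the Authority Key Identifier that ties it to the CA file added alongside it.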
