> (If CrashPlan allows you to retrieve the RSA private key, creating a
> certificate using that should be far more straightforward.)
I tried to do that:
1. Copy the text in "RSA Private Key (base 64 encoded PKCS#8 private key)" to a file key.der.base64, then extract the private key:
openssl enc -base64 -in key.der.base64 -d | openssl pkcs8 -inform DER -nocrypt -out private.key
Then I generated a self-signed certificate with this private key:
openssl req -new -x509 -key private.key -out cert.pem -days 36500
Then I stripped the tabs and headers:
openssl base64 -d -in cert.pem | base64 -w 0
I then added the resulting certificate to the metadata:
'keys' =>
array (
  0 =>
  array (
    'encryption' => false,
    'signing' => true,
    'type' => 'X509Certificate',
    'X509Certificate' =>
    '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',
  ),
  1 =>
  array (
    'encryption' => true,
    'signing' => false,
    'type' => 'X509Certificate',
    'X509Certificate' =>
    'MIIECTCCAvGgAwIBAgIJAM4Jf5h5Hh4pMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYDVQQGEwJOTDELMAkGA1UECAwCTkgxFDASBgNVBAcMC0Ftc3RlcmRhbXp6MQ8wDQYDVQQKDAZURVJFTkExEzARBgNVBAsMCklUIFN1cHBvcnQxHTAbBgNVBAMMFGNyYXNocGxhbi50ZXJlbmEub3JnMSIwIAYJKoZIhvcNAQkBFhNzeXNhZG1pbkB0ZXJlbmEub3JnMCAXDTE0MDEwNjE1NTczNloYDzIxMTMxMjEzMTU1NzM2WjCBmTELMAkGA1UEBhMCTkwxCzAJBgNVBAgMAk5IMRQwEgYDVQQHDAtBbXN0ZXJkYW16ejEPMA0GA1UECgwGVEVSRU5BMRMwEQYDVQQLDApJVCBTdXBwb3J0MR0wGwYDVQQDDBRjcmFzaHBsYW4udGVyZW5hLm9yZzEiMCAGCSqGSIb3DQEJARYTc3lzYWRtaW5AdGVyZW5hLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPrHNFJLMi2Pd7z5jRD3h16f2TaroyPu6MI6CauOcs7FVkywrYVSni4wJm5k9HrXwwZo3IGLW10yNBtC6B74u6EJgihfgISf2VzOZfMHMhTlr5Gkyc3OojS3RPGPwueZ9yDir52SlrI5zP9ptoor9+b8eAQdhpue1lwNbg1eQ2MAhkoi9AbqQ+zePIPtCfK1axPkHtM+GvYxda/lDNxyvzdUxsK3uBgDY6kYSVVkrnV6mSJEq5qKIxUrT0zKyFyOiOJQQtfp7OIf5LqBoxVkywUx4UdHy2ybijlgxTJvLV7kL2rfMBYxFK1paQWImU/eEnZd05mSye7qebdVn2RdlcCAwEAAaNQME4wHQYDVR0OBBYEFIIpGxQ6C/D0r1tGeeUZkqC0Yst1MB8GA1UdIwQYMBaAFIIpGxQ6C/D0r1tGeeUZkqC0Yst1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAHPMIl2kY7RA09n8I2nrFSr2lgY64Vtv24DL+krAvwRwC6s5QTzi6PdwAQHvsV1PI+PLihKZRBcGdV/pLGsb11588849bYAst8dPFbphDfHst7ypRSono7w5dDqiBOygjuSWJgY5uWO5nQ8D82VjYwMGsECq5naw+MvGDSk8Ncm6e9x5p2Pq66abWdYvs84xdtfpTcl0MuQ+o0fM7cHPjx17+Rg3/dDRAWfomPmdw6Z1iHhtCOe5Vddf16OvckFW/qFIAh59cvab+DNYgXHOnATwIT6C2GUReSQWY9gN8RL6VXtP9GNG+dXPfeX8ED7Fz5GMuI7SiDSWxyv9/uNGKaI=',
  ),
),
But now the signature can't be verified:
Jan 06 17:12:04 simplesamlphp INFO [06e111d47e] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] Received message:
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://crashplan.terena.org:4285/api/SsoAuthLoginResponse" Destination="https://login.terena.org/idp/saml2/idp/SSOService.php" ForceAuthn="false" ID="_7d6a6a24-0e18-4d94-9685-32d0e606d641" IsPassive="false" IssueInstant="2014-01-06T16:10:22.500Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://crashplan.terena.org:4285</saml2:Issuer>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <saml2p:NameIDPolicy AllowCreate="true" SPNameQualifier="https://crashplan.terena.org:4285"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <saml2p:RequestedAuthnContext Comparison="exact"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <SignedInfo>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Reference URI="">
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Transforms>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </Transforms>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <DigestValue>5hj2bk+X21QBOLvrKtVORpALGBU=</DigestValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </Reference>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </SignedInfo>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <SignatureValue>R0moeU+WI0KINkD6eSLrzr3XeKWbYvfxBJ6fPL/kTExDFwHq57JXNeFeqKe+wqPwCY02YbvJAYnE
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] 921gV1GecYOgw4pdasHckHZpzoLtrRgXz+bloClWsx16bD6jN4NzJ0qurLak0zvofnU8PrphonCT
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] ems0pSW88CgyYn++DNAcEemi4WNRGSZLCUPaHt7YI1pZXqCtnkJjclI8KsOhVy5E0/29QyCeGKIa
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] H96LabJzb993bXcVAVDlVzkVj8qRFXQa0+dGAdWC4YSLa2Fo5ZsJrW/T65GzdJz6eEqtIep7GoWd
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] 4Ex9mn7LD+JU57+ODn+JYjmBNsXcHzgF1stpYA==</SignatureValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <KeyInfo>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <KeyValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <RSAKeyValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Modulus>q0/dV5P0n5MJ+bvbpzxik8TQ1hHdXxIG7CYb0/XEuxLNNgu+fdZORwV0Jius7zICTlAPIibxRWeE
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] DtaGxW+xriIwOjLU6KRqmuVL8/vZVD3+WtqVyTQv5QpOEaZUNUb0ffCCXKR4nTWFR6YGYcp1LSY9
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] H4QrldQxN7sWZuY6tfcL8kLdJE+035liu/BD8utW4xHP9OnO3h8cncu3v0fFKw0GPZojDD8ikn7Z
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] ZnO35GR0N6pJmmK1IaJOmyt0gtsTE0K7uTrSqayNyCJsynfTbHejHbcrl/reO1njVjRji3o2FhLk
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] c0XXvz4WWV9arbUy0kvzomhTI3bJGtOYDXA0tw==</Modulus>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] <Exponent>AQAB</Exponent>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </RSAKeyValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </KeyValue>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </KeyInfo>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </Signature>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] </saml2p:AuthnRequest>
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] Has 1 candidate keys for validation.
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] Validation with key #0 failed with exception: Unable to validate Signature
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] Backtrace:
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 1 /usr/share/simplesamlphp/idp.r3313/www/_include.php:37 (SimpleSAML_exception_handler)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 0 [builtin] (N/A)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] Caused by: Exception: Unable to validate Signature
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] Backtrace:
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 6 /usr/share/simplesamlphp/idp.r3313/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:158 (SAML2_Utils::validateSignature)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 5 [builtin] (call_user_func)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 4 /usr/share/simplesamlphp/idp.r3313/vendor/simplesamlphp/saml2/src/SAML2/Message.php:212 (SAML2_Message::validate)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 3 /usr/share/simplesamlphp/idp.r3313/modules/saml/lib/Message.php:195 (sspmod_saml_Message::checkSign)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 2 /usr/share/simplesamlphp/idp.r3313/modules/saml/lib/Message.php:252 (sspmod_saml_Message::validateMessage)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 1 /usr/share/simplesamlphp/idp.r3313/modules/saml/lib/IdP/SAML2.php:298 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] 0 /usr/share/simplesamlphp/idp.r3313/www/saml2/idp/SSOService.php:19 (N/A)
Jan 06 17:12:04 simplesamlphp ERROR [06e111d47e] Error report with id 12d9dc1f generated.
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] /idp/saml2/idp/SSOService.php - Template: Could not find template file [error.php] at [/usr/share/simplesamlphp/idp.r3313/modules/terena/themes/theme/default/error.php] - now trying the base template
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] Template: Reading [/usr/share/simplesamlphp/idp.r3313/dictionaries/errors]
Jan 06 17:12:04 simplesamlphp DEBUG [06e111d47e] Template: Reading [/usr/share/simplesamlphp/idp.r3313/modules/terena/dictionaries/header]
I guess I'm now out of options....
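A diagnostic for the failure above, added here and not part of the thread: SimpleSAMLphp validates a signed AuthnRequest only against the signing keys declared in the SP's metadata, never against the key the message carries in its own KeyInfo (trusting that would let any sender pass), so "Unable to validate Signature" on an intact message usually means the SP signs with a key other than the one the metadata declares. The block compares the RSA modulus of a certificate from the metadata (the second entry above, since the first is not reproduced on the page) with the modulus from the request's KeyInfo; the minimal DER walker is my own and assumes an RSA certificate.

```python
import base64

# Inputs copied from the thread above (test data, not a live configuration): the
# X509Certificate value from the metadata and the <Modulus> from the AuthnRequest.
METADATA_CERT_B64 = "MIIECTCCAvGgAwIBAgIJAM4Jf5h5Hh4pMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYDVQQGEwJOTDELMAkGA1UECAwCTkgxFDASBgNVBAcMC0Ftc3RlcmRhbXp6MQ8wDQYDVQQKDAZURVJFTkExEzARBgNVBAsMCklUIFN1cHBvcnQxHTAbBgNVBAMMFGNyYXNocGxhbi50ZXJlbmEub3JnMSIwIAYJKoZIhvcNAQkBFhNzeXNhZG1pbkB0ZXJlbmEub3JnMCAXDTE0MDEwNjE1NTczNloYDzIxMTMxMjEzMTU1NzM2WjCBmTELMAkGA1UEBhMCTkwxCzAJBgNVBAgMAk5IMRQwEgYDVQQHDAtBbXN0ZXJkYW16ejEPMA0GA1UECgwGVEVSRU5BMRMwEQYDVQQLDApJVCBTdXBwb3J0MR0wGwYDVQQDDBRjcmFzaHBsYW4udGVyZW5hLm9yZzEiMCAGCSqGSIb3DQEJARYTc3lzYWRtaW5AdGVyZW5hLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPrHNFJLMi2Pd7z5jRD3h16f2TaroyPu6MI6CauOcs7FVkywrYVSni4wJm5k9HrXwwZo3IGLW10yNBtC6B74u6EJgihfgISf2VzOZfMHMhTlr5Gkyc3OojS3RPGPwueZ9yDir52SlrI5zP9ptoor9+b8eAQdhpue1lwNbg1eQ2MAhkoi9AbqQ+zePIPtCfK1axPkHtM+GvYxda/lDNxyvzdUxsK3uBgDY6kYSVVkrnV6mSJEq5qKIxUrT0zKyFyOiOJQQtfp7OIf5LqBoxVkywUx4UdHy2ybijlgxTJvLV7kL2rfMBYxFK1paQWImU/eEnZd05mSye7qebdVn2RdlcCAwEAAaNQME4wHQYDVR0OBBYEFIIpGxQ6C/D0r1tGeeUZkqC0Yst1MB8GA1UdIwQYMBaAFIIpGxQ6C/D0r1tGeeUZkqC0Yst1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAHPMIl2kY7RA09n8I2nrFSr2lgY64Vtv24DL+krAvwRwC6s5QTzi6PdwAQHvsV1PI+PLihKZRBcGdV/pLGsb11588849bYAst8dPFbphDfHst7ypRSono7w5dDqiBOygjuSWJgY5uWO5nQ8D82VjYwMGsECq5naw+MvGDSk8Ncm6e9x5p2Pq66abWdYvs84xdtfpTcl0MuQ+o0fM7cHPjx17+Rg3/dDRAWfomPmdw6Z1iHhtCOe5Vddf16OvckFW/qFIAh59cvab+DNYgXHOnATwIT6C2GUReSQWY9gN8RL6VXtP9GNG+dXPfeX8ED7Fz5GMuI7SiDSWxyv9/uNGKaI="
AUTHNREQUEST_MODULUS_B64 = (
    "q0/dV5P0n5MJ+bvbpzxik8TQ1hHdXxIG7CYb0/XEuxLNNgu+fdZORwV0Jius7zICTlAPIibxRWeEDtaGxW+xriIwOjLU6KRqmuVL8/vZVD3+WtqVyTQv5QpOEaZUNUb0ffCCXKR4nTWFR6YGYcp1LSY9"
    "H4QrldQxN7sWZuY6tfcL8kLdJE+035liu/BD8utW4xHP9OnO3h8cncu3v0fFKw0GPZojDD8ikn7ZZnO35GR0N6pJmmK1IaJOmyt0gtsTE0K7uTrSqayNyCJsynfTbHejHbcrl/reO1njVjRji3o2FhLk"
    "c0XXvz4WWV9arbUy0kvzomhTI3bJGtOYDXA0tw=="
)

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children

def cert_rsa_modulus(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.modulus (RSA certs only)."""
    _, certificate, _ = der_tlv(cert_der, 0)
    tbs = der_children(der_children(certificate)[0][1])
    spki_index = 6 if tbs[0][0] == 0xA0 else 5        # explicit [0] version precedes serial in v3 certs
    spki = der_children(tbs[spki_index][1])
    bit_string = spki[1][1]                            # first octet = number of unused bits
    rsa_public_key = der_children(bit_string[1:])[0][1]
    modulus = der_children(rsa_public_key)[0][1]       # INTEGER, may carry a leading 0x00
    return int.from_bytes(modulus, "big")

def compare_keys(cert_b64, xml_modulus_b64):
    """Return (cert_bits, request_bits, same_key) for the metadata cert and the ds:CryptoBinary modulus."""
    n_cert = cert_rsa_modulus(base64.b64decode(cert_b64))
    n_request = int.from_bytes(base64.b64decode(xml_modulus_b64), "big")
    return n_cert.bit_length(), n_request.bit_length(), n_cert == n_request

def cert_modulus_as_cryptobinary(cert_b64):
    """Re-encode the certificate's own modulus as ds:CryptoBinary (positive control for compare_keys)."""
    n = cert_rsa_modulus(base64.b64decode(cert_b64))
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
```

For the values in this thread the two 2048-bit moduli differ, so the request's KeyInfo does not describe the key in that metadata entry; the same comparison against the signing entry is what decides whether the IdP can ever succeed.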