
SPID Namirial - error while verifying the signature on the response

Hello,
for the past few days the response signed by Namirial has no longer been validating. The same service, however, has no problem verifying the responses from the other providers.

I get the following error:
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential’s key

Is anyone else having the same problem?
Thanks

Giuseppe

I second this, and from what I can see they are using a certificate different from the one in the metadata that I find among the accredited IdPs https://www.agid.gov.it/it/piattaforme/soggetti-accreditati/namirial-spa-1:

Certificate in the accredited metadata, valid from 2020 to 2026

Certificate used in the response, valid from 2017 to 2037

I'd say that until AgID acknowledges the change I shouldn't trust it, right?

According to the regulations we should not trust it.
I also wonder… do the other SPs validate the signature on the response correctly?

Good evening Eros,
the metadata reachable at the following URL https://idp.namirialtsp.com/idp/metadata contains two certificates: one is used for the signature on the metadata, the second is used for signing the responses.
They should not be compared or swapped in order to validate the signature applied by our responses.

Kind regards,
Simone.

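The distinction described in the reply above, as an added example that is not part of the original thread or of any IdP's or SP's code: it sorts the certificates in a SAML metadata document by role, so that the certificate embedded in a response is compared only against the IdP's signing `KeyDescriptor` and never against the certificate that signed the metadata. The metadata, entityID and certificate values are constructed placeholders, and the code only classifies certificates; it does not verify any signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _b64(label):
    # Constructed stand-in for a DER certificate; not a real X.509 value.
    return base64.b64encode(label).decode()

METADATA_SIGNER = _b64(b"constructed-metadata-signing-cert")
RESPONSE_SIGNER = _b64(b"constructed-response-signing-cert")

# Constructed sample metadata (hypothetical entityID), shaped like an IdP's.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{METADATA_SIGNER}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {RESPONSE_SIGNER}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _fingerprint(cert_b64):
    # Compare on decoded bytes so line wrapping in the XML does not matter.
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()

def classify_certificates(metadata_xml):
    root = ET.fromstring(metadata_xml)
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    roles = {"metadata_signature": set(), "response_signing": set()}
    # Certificate carried by the signature over the metadata document itself.
    for c in root.findall("ds:Signature/" + cert_path, NS):
        roles["metadata_signature"].add(_fingerprint(c.text))
    # Keys the IdP role declares for signing; a missing 'use' covers both uses.
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(cert_path, NS):
                roles["response_signing"].add(_fingerprint(c.text))
    return roles

def response_cert_is_declared(metadata_xml, response_cert_b64):
    roles = classify_certificates(metadata_xml)
    return _fingerprint(response_cert_b64) in roles["response_signing"]
```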

I see, I hadn't noticed the distinction, I'll correct the procedure right away
Thanks!