From 1bf21ea2413c7458bf960627885df7c372a2e817 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Mar 2010 11:18:44 +0000
Subject: [PATCH] Add a checking ruleset for the SAML V2.0 Metadata
 Interoperability Profile.  This isn't a strict check, as we allow
 KeyName-only KeyDescriptors which the IOP does not.

---
 build.xml             |  1 +
 build/check_mdiop.xsl | 53 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 build/check_mdiop.xsl

diff --git a/build.xml b/build.xml
index 0f141118..0bf01a69 100644
--- a/build.xml
+++ b/build.xml
@@ -777,6 +777,7 @@
 				<!-- set of checking stylesheets applied in every case -->
 				<arg value="${build.dir}/check_shibboleth.xsl"/>
                 <arg value="${build.dir}/check_idpdisc.xsl"/>
+				<arg value="${build.dir}/check_mdiop.xsl"/>
                 <arg value="${build.dir}/check_misc.xsl"/>
 				<!-- single context-dependent ruleset -->
 				<arg value="${build.dir}/@{s}"/>
diff --git a/build/check_mdiop.xsl b/build/check_mdiop.xsl
new file mode 100644
index 00000000..4f404b33
--- /dev/null
+++ b/build/check_mdiop.xsl
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_mdiop.xsl
+	
+	Checking ruleset containing rules associated with the SAML V2.0 Metadata
+	Interoperability Profile, see:
+
+		http://wiki.oasis-open.org/security/SAML2MetadataIOP
+
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+		Section 2.5.1: at least one representation must appear.
+		
+		As well as the variations specified in the IOP, we also allow a KeyName to be
+		used, as the UK federation currently allows a pure PKIX setup as an
+		alternative to embedded keys.
+		
+		Strict IOP conformance would require the removal of the KeyInfo/KeyName clause.
+	-->
+	<xsl:template match="md:KeyDescriptor
+		[not(ds:KeyInfo/ds:KeyName)]
+		[not(ds:KeyInfo/ds:KeyValue)]
+		[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
+	-->
+	<xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+</xsl:stylesheet>