Re-add future check for algorithm support consistent with new saml2int

Check is flagged as warning. See ukf/ukf-meta#157
InCommon · Mar 8, 2018 · 1dbd1a0 · 1dbd1a0
1 parent 0c4b489
commit 1dbd1a0
Showing 1 changed file with 69 additions and 0 deletions.
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
@@ -28,4 +28,73 @@
     -->
     <xsl:import href="check_framework.xsl"/>
 
+    <!--
+
+        If an entity has algorithmic agility metadata, check whether it has the algorithms
+        which are listed in the 2018 SAML V2.0 Interoperability Deployment Profile
+
+        See section 3.3 of https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
+        and ukf/ukf-meta#157
+
+    -->
+    <xsl:template match="md:KeyDescriptor[count(md:EncryptionMethod) > 0]">
+
+        <xsl:variable name="gcm"
+            select="md:EncryptionMethod[
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+            @Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm'
+            ]"/>
+
+        <xsl:variable name="keytransport"
+            select="md:EncryptionMethod[
+            @Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep' or
+            @Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
+            ]"/>
+
+        <xsl:if test="count($gcm) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a GCM EncryptionMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <xsl:if test="count($keytransport) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a Key Transport EncryptionMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+    </xsl:template>
+
+    <xsl:template match="md:Extensions
+        [
+        count(alg:DigestMethod) > 0 or
+        count(alg:SigningMethod) > 0
+        ]">
+
+        <xsl:variable name="signing"
+            select="alg:SigningMethod[
+            @Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+            @Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
+            ]"/>
+
+        <xsl:variable name="digest"
+            select="alg:DigestMethod[
+            @Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'
+            ]"/>
+
+        <xsl:if test="count($signing) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a SigningMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+        <xsl:if test="count($digest) = 0">
+            <xsl:call-template name="warning">
+                <xsl:with-param name="m">Does not contain a DigestMethod specified in new saml2int</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+
+    </xsl:template>
+
 </xsl:stylesheet>