Bug 1056 - blacklist MD5 in incoming aggregates

Refactor so that the blacklisting happens in a parent bean.
InCommon · Nov 12, 2013 · 45ff25f · 45ff25f
1 parent a0c8177
commit 45ff25f
Show file tree

Hide file tree

Showing 31 changed files with 56 additions and 68 deletions.
diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
@@ -64,8 +64,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="at_aconet_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="at_aconet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="at_aconet_checkSignature">
         <property name="verificationCertificate" ref="at_aconet_signingCertificate"/>
     </bean>

diff --git a/mdx/au_aaf/beans.xml b/mdx/au_aaf/beans.xml
@@ -39,8 +39,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="au_aaf_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="au_aaf_checkSignature" parent="XMLSignatureValidationStage"
         p:id="au_aaf_checkSignature">
         <property name="verificationCertificate" ref="au_aaf_signingCertificate"/>
     </bean>

diff --git a/mdx/be_belnet/beans.xml b/mdx/be_belnet/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="be_belnet_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="be_belnet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="be_belnet_checkSignature">
         <property name="verificationCertificate" ref="be_belnet_signingCertificate"/>
     </bean>

diff --git a/mdx/br_cafe/beans.xml b/mdx/br_cafe/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="br_cafe_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="br_cafe_checkSignature" parent="XMLSignatureValidationStage"
         p:id="br_cafe_checkSignature">
         <property name="verificationCertificate" ref="br_cafe_signingCertificate"/>
     </bean>

diff --git a/mdx/ca_caf/beans.xml b/mdx/ca_caf/beans.xml
@@ -64,8 +64,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="ca_caf_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="ca_caf_checkSignature" parent="XMLSignatureValidationStage"
         p:id="ca_caf_checkSignature">
         <property name="verificationCertificate" ref="ca_caf_signingCertificate"/>
     </bean>
@@ -86,8 +85,7 @@
     <!--
         Check "cafshib" signing signature.
     -->
-    <bean id="ca_caf_cafShibCheckSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="ca_caf_cafShibCheckSignature" parent="XMLSignatureValidationStage"
         p:id="ca_caf_checkSignature">
         <property name="verificationCertificate" ref="ca_caf_cafShibSigningCertificate"/>
     </bean>

diff --git a/mdx/ch_switchaai/beans.xml b/mdx/ch_switchaai/beans.xml
@@ -73,17 +73,15 @@
     <!--
         Check against federation signature.
     -->
-    <bean id="ch_switchaai_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="ch_switchaai_checkSignature" parent="XMLSignatureValidationStage"
         p:id="ch_switchaai_checkSignature">
         <property name="verificationCertificate" ref="ch_switchaai_signingCertificate"/>
     </bean>
 
     <!--
         Check against federation signature.
     -->
-    <bean id="ch_switchaai_checkInterfedSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="ch_switchaai_checkInterfedSignature" parent="XMLSignatureValidationStage"
         p:id="ch_switchaai_checkInterfedSignature">
         <property name="verificationCertificate" ref="ch_switchaai_interfedSigningCertificate"/>
     </bean>

diff --git a/mdx/cl_cofre/beans.xml b/mdx/cl_cofre/beans.xml
@@ -47,8 +47,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="cl_cofre_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="cl_cofre_checkSignature" parent="XMLSignatureValidationStage"
         p:id="cl_cofre_checkSignature">
         <property name="verificationCertificate" ref="cl_cofre_signingCertificate"/>
     </bean>

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -73,6 +73,28 @@
     <bean id="CompositeStage" abstract="true" parent="stage_parent"
         class="net.shibboleth.metadata.pipeline.CompositeStage"/>
 
+    <!--
+        XMLSignatureValidationStage
+        
+        Parent for XML Signature validation stages.
+        
+        Applies global algorithm blacklists. For values, see:
+            http://www.w3.org/TR/xmlsec-algorithms/
+    -->
+    <bean id="XMLSignatureValidationStage" abstract="true" parent="stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
+        <property name="blacklistedDigests">
+            <list>
+                <value>http://www.w3.org/2001/04/xmldsig-more#md5</value>
+            </list>
+        </property>
+        <property name="blacklistedSignatureMethods">
+            <list>
+                <value>http://www.w3.org/2001/04/xmldsig-more#rsa-md5</value>
+            </list>
+        </property>
+    </bean>
+
     <!--
         XSLTransformationStage
         

diff --git a/mdx/cz_eduid/beans.xml b/mdx/cz_eduid/beans.xml
@@ -72,8 +72,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="cz_eduid_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="cz_eduid_checkSignature" parent="XMLSignatureValidationStage"
         p:id="cz_eduid_checkSignature">
         <property name="verificationCertificate" ref="cz_eduid_signingCertificate"/>
     </bean>

diff --git a/mdx/de_dfnaai/beans.xml b/mdx/de_dfnaai/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="de_dfnaai_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="de_dfnaai_checkSignature" parent="XMLSignatureValidationStage"
         p:id="de_dfnaai_checkSignature">
         <property name="verificationCertificate" ref="de_dfnaai_signingCertificate"/>
     </bean>

diff --git a/mdx/dk_wayf/beans.xml b/mdx/dk_wayf/beans.xml
@@ -122,8 +122,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="dk_wayf_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="dk_wayf_checkSignature" parent="XMLSignatureValidationStage"
         p:id="dk_wayf_checkSignature">
         <property name="verificationCertificate" ref="dk_wayf_signingCertificate"/>
     </bean>

diff --git a/mdx/es_sir/beans.xml b/mdx/es_sir/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="es_sir_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="es_sir_checkSignature" parent="XMLSignatureValidationStage"
         p:id="es_sir_checkSignature">
         <property name="verificationCertificate" ref="es_sir_signingCertificate"/>
     </bean>

diff --git a/mdx/fi_haka/beans.xml b/mdx/fi_haka/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check federation signature.
     -->
-    <bean id="fi_haka_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="fi_haka_checkSignature" parent="XMLSignatureValidationStage"
         p:id="fi_haka_checkSignature">
         <property name="verificationCertificate" ref="fi_haka_signingCertificate"/>
     </bean>
@@ -82,8 +81,7 @@
     <!--
         Check eduGAIN signature.
     -->
-    <bean id="fi_haka_checkEdugainSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="fi_haka_checkEdugainSignature" parent="XMLSignatureValidationStage"
         p:id="fi_haka_checkEdugainSignature">
         <property name="verificationCertificate" ref="fi_haka_edugainSigningCertificate"/>
     </bean>

diff --git a/mdx/fr_renater/beans.xml b/mdx/fr_renater/beans.xml
@@ -78,8 +78,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="fr_renater_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="fr_renater_checkSignature" parent="XMLSignatureValidationStage"
         p:id="fr_renater_checkSignature">
         <property name="verificationCertificate" ref="fr_renater_signingCertificate"/>
     </bean>
@@ -98,8 +97,7 @@
     <!--
         Check eduGAIN signing signature.
     -->
-    <bean id="fr_renater_edugainCheckSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="fr_renater_edugainCheckSignature" parent="XMLSignatureValidationStage"
         p:id="fr_renater_edugainCheckSignature">
         <property name="verificationCertificate" ref="fr_renater_edugainSigningCertificate"/>
     </bean>

diff --git a/mdx/gr_grnet/beans.xml b/mdx/gr_grnet/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="gr_grnet_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="gr_grnet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="gr_grnet_checkSignature">
         <property name="verificationCertificate" ref="gr_grnet_signingCertificate"/>
     </bean>

diff --git a/mdx/hr_eduhr/beans.xml b/mdx/hr_eduhr/beans.xml
@@ -46,8 +46,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="hr_eduhr_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="hr_eduhr_checkSignature" parent="XMLSignatureValidationStage"
         p:id="hr_eduhr_checkSignature">
         <property name="verificationCertificate" ref="hr_eduhr_signingCertificate"/>
     </bean>

diff --git a/mdx/hu_eduid/beans.xml b/mdx/hu_eduid/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="hu_eduid_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="hu_eduid_checkSignature" parent="XMLSignatureValidationStage"
         p:id="hu_eduid_checkSignature">
         <property name="verificationCertificate" ref="hu_eduid_signingCertificate"/>
     </bean>

diff --git a/mdx/ie_edugate/beans.xml b/mdx/ie_edugate/beans.xml
@@ -52,8 +52,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="ie_edugate_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="ie_edugate_checkSignature" parent="XMLSignatureValidationStage"
         p:id="ie_edugate_checkSignature">
         <property name="verificationCertificate" ref="ie_edugate_signingCertificate"/>
     </bean>

diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
@@ -70,8 +70,7 @@
     <!--
         Check a signature against the eduGAIN signing certificate.
     -->
-    <bean id="int_edugain_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="int_edugain_checkSignature" parent="XMLSignatureValidationStage"
         p:id="int_edugain_checkSignature">
         <property name="verificationCertificate" ref="int_edugain_signingCertificate"/>
     </bean>

diff --git a/mdx/it_idem/beans.xml b/mdx/it_idem/beans.xml
@@ -62,8 +62,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="it_idem_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="it_idem_checkSignature" parent="XMLSignatureValidationStage"
         p:id="it_idem_checkSignature">
         <property name="verificationCertificate" ref="it_idem_signingCertificate"/>
     </bean>

diff --git a/mdx/jp_gakunin/beans.xml b/mdx/jp_gakunin/beans.xml
@@ -39,8 +39,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="jp_gakunin_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="jp_gakunin_checkSignature" parent="XMLSignatureValidationStage"
         p:id="jp_gakunin_checkSignature">
         <property name="verificationCertificate" ref="jp_gakunin_signingCertificate"/>
     </bean>

diff --git a/mdx/lv_laife/beans.xml b/mdx/lv_laife/beans.xml
@@ -65,8 +65,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="lv_laife_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="lv_laife_checkSignature" parent="XMLSignatureValidationStage"
         p:id="lv_laife_checkSignature">
         <property name="verificationCertificate" ref="lv_laife_signingCertificate"/>
     </bean>

diff --git a/mdx/nl_surfconext/beans.xml b/mdx/nl_surfconext/beans.xml
@@ -34,8 +34,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="nl_surfconext_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="nl_surfconext_checkSignature" parent="XMLSignatureValidationStage"
         p:id="nl_surfnet_checkSignature">
         <property name="verificationCertificate" ref="nl_surfconext_signingCertificate"/>
     </bean>

diff --git a/mdx/nl_surfnet/beans.xml b/mdx/nl_surfnet/beans.xml
@@ -46,8 +46,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="nl_surfnet_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="nl_surfnet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="nl_surfnet_checkSignature">
         <property name="verificationCertificate" ref="nl_surfnet_signingCertificate"/>
     </bean>

diff --git a/mdx/no_feide/beans.xml b/mdx/no_feide/beans.xml
@@ -76,8 +76,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="no_feide_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="no_feide_checkSignature" parent="XMLSignatureValidationStage"
         p:id="no_feide_checkSignature">
         <property name="verificationCertificate" ref="no_feide_signingCertificate"/>
     </bean>

diff --git a/mdx/nz_tuakiri/beans.xml b/mdx/nz_tuakiri/beans.xml
@@ -39,8 +39,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="nz_tuakiri_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="nz_tuakiri_checkSignature" parent="XMLSignatureValidationStage"
         p:id="nz_tuakiri_checkSignature">
         <property name="verificationCertificate" ref="nz_tuakiri_signingCertificate"/>
     </bean>

diff --git a/mdx/se_swamid/beans.xml b/mdx/se_swamid/beans.xml
@@ -68,8 +68,7 @@
     <!--
         Check signing signature.
     -->
-    <bean id="se_swamid_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="se_swamid_checkSignature" parent="XMLSignatureValidationStage"
         p:id="se_swamid_checkSignature">
         <property name="verificationCertificate" ref="se_swamid_signingCertificate"/>
     </bean>

diff --git a/mdx/si_arnes/beans.xml b/mdx/si_arnes/beans.xml
@@ -39,8 +39,7 @@
     <!--
         Check ARNES signing signature.
     -->
-    <bean id="si_arnes_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="si_arnes_checkSignature" parent="XMLSignatureValidationStage"
         p:id="si_arnes_checkSignature">
         <property name="verificationCertificate" ref="si_arnes_signingCertificate"/>
     </bean>

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
@@ -83,8 +83,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="uk_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="uk_checkSignature" parent="XMLSignatureValidationStage"
         p:id="uk_checkSignature">
         <property name="verificationCertificate" ref="uk_signingCertificate"/>
     </bean>

diff --git a/mdx/uk_eduserv/beans.xml b/mdx/uk_eduserv/beans.xml
@@ -39,8 +39,7 @@
     <!--
         Check the signature on a document.
     -->
-    <bean id="uk_eduserv_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="uk_eduserv_checkSignature" parent="XMLSignatureValidationStage"
         p:id="uk_eduserv_checkSignature">
         <property name="verificationCertificate" ref="uk_eduserv_signingCertificate"/>
     </bean>

diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
@@ -46,8 +46,7 @@
     <!--
         Check InCommon signing signature.
     -->
-    <bean id="us_incommon_checkSignature" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+    <bean id="us_incommon_checkSignature" parent="XMLSignatureValidationStage"
         p:id="us_incommon_checkSignature">
         <property name="verificationCertificate" ref="us_incommon_signingCertificate"/>
     </bean>