From 47d6766bd4184a14b52ddd69ef6006d2f2808ae5 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 24 Mar 2022 17:24:33 +0000
Subject: [PATCH] Migrate to new (2022-08-03) eduGAIN signing key

See ukf/ukf-meta#343.
---
 mdx/int_edugain/README.md    | 22 +++++++---------------
 mdx/int_edugain/beans.xml    |  4 ++--
 mdx/int_edugain/mds-2014.cer | 18 ------------------
 mdx/int_edugain/mds-v1.cer   | 18 ------------------
 mdx/int_edugain/mds-v2.cer   | 31 +++++++++++++++++++++++++++++++
 5 files changed, 40 insertions(+), 53 deletions(-)
 delete mode 100644 mdx/int_edugain/mds-2014.cer
 delete mode 100644 mdx/int_edugain/mds-v1.cer
 create mode 100644 mdx/int_edugain/mds-v2.cer

diff --git a/mdx/int_edugain/README.md b/mdx/int_edugain/README.md
index 7521027f..c47f1e4c 100644
--- a/mdx/int_edugain/README.md
+++ b/mdx/int_edugain/README.md
@@ -4,20 +4,12 @@ Resources associated with the eduGAIN interfederation.
 
 Certificates:
 
-* `mds-v1-1.cer` is the certificate used for signing the eduGAIN
-  metadata aggregate from early 2021 and intended to be used until the
-  end of 2022.
+* `mds-v2.cer` is the certificate used to sign the eduGAIN
+  metadata aggregate at `https://mds.edugain.org/edugain-v2.xml`
+  from mid-2022.
 
-* `mds-v1.cer` is the certificate used for signing the eduGAIN metadata
-  aggregate at `https://mds.edugain.org/edugain-v1.xml` from early 2019 to
-  early 2021.
+* `mds-v1-1.cer` is the certificate used to sign the eduGAIN
+  metadata aggregate at `https://mds.edugain.org/edugain-v1.xml`
+  from early 2021 until mid-2022.
 
-* `mds-2014.cer` is the certificate used for signing eduGAIN metadata at
-  `https://mds.edugain.org` and `https://mds.edugain.org/feed-256.xml` until
-  mid-2019, at which point those locations switched to the `mds-v1.cer`
-  certificate for compatibility.
-
-  See the [eduGAIN certificate change
-  roadmap](https://technical.edugain.org/certificate_change) for further details.
-
-Note that all three certificates wrap the same 2048-bit public key.
+See <https://technical.edugain.org/metadata> for details.
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 719bb83a..78a0412f 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -23,7 +23,7 @@
     -->
     <!-- production aggregate -->
     <bean id="int_edugain_productionAggregate_url" parent="String">
-        <constructor-arg value="http://mds.edugain.org/edugain-v1.xml"/>
+        <constructor-arg value="https://mds.edugain.org/edugain-v2.xml"/>
     </bean>
     <!-- beta (test) aggregate -->
     <bean id="int_edugain_betaAggregate_url" parent="String">
@@ -58,7 +58,7 @@
         eduGAIN signing certificate.
     -->
     <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean"
-        p:resource="classpath:int_edugain/mds-v1-1.cer"/>
+        p:resource="classpath:int_edugain/mds-v2.cer"/>
 
     <!--
         Check a signature against the eduGAIN signing certificate.
diff --git a/mdx/int_edugain/mds-2014.cer b/mdx/int_edugain/mds-2014.cer
deleted file mode 100644
index 868e6c45..00000000
--- a/mdx/int_edugain/mds-2014.cer
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC1DCCAbwCCQDDDZyGtn6K8TANBgkqhkiG9w0BAQUFADAsMQ4wDAYDVQQKEwVH
-RUFOVDEaMBgGA1UEAxMRZWR1R0FJTiBTaWduZXIgQ0EwHhcNMTQwNzAyMTQzNDQ5
-WhcNMTkwNzAxMTQzNDQ5WjAsMQ4wDAYDVQQKEwVHRUFOVDEaMBgGA1UEAxMRZWR1
-R0FJTiBTaWduZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR
-fl1zhkaFveJvJtS03bRIO3k77q2s5m+c6sQ83j71rIad+vGCO29S4JHBXHI/U57y
-NbNLgoKzl0MI4WQrs4KT/y+LPMFB9M0lNrALQd/op6PNc7CWKMN1yV8V/L74/vap
-Rlb90gPVJABHmoAfQmjyMXLW38KLwzK1qEpKUIxPBfQMBawmh0gC2T5ndZndcMPp
-gsMXyG2AZ4QGSOt4tgpspjTSRY++X+gi9WUuWzsEHHdFhCR9UYQ6+1glMVheJjVm
-oD0b9V/KQ0BF/1zry2jfWlchFeILlWbWgiWsIBA4BPNHqFW42qGgUr9DI3FzRLHX
-qF2N2f592tzcTeDZ11ejAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBACq0ER17moQB
-/39SstbsWdpGQMIsrHZ+ERF7jYdjnE/63xBfMIVFQo2G1PW0cZ1ckpLIQMyKyTAv
-9RAVxv3WVnQ9IGh715jP/QHH7ycTM7oE5XdpNzNMRDMevrtTa1T/GX6G6+cc73JG
-VoJ9JQNXbLv5bspyG9kkIu9VQqUqlrUWTjzBBysAYj4kR1gorrUmI7l2GBrrcGej
-Q57VXdUxaCKzQita0aSSzbHQ+2BxcvYV1r4QWm6Jv8HTn3c4B1d6QbaSEgGHSCkp
-CxwOq82gt1OM/hOz7wzkIQohaYEo3koNlGsat5Hc24VffcosRmNFYmGU+dCnwHDO
-YuxCFwLHAcg=
------END CERTIFICATE-----
diff --git a/mdx/int_edugain/mds-v1.cer b/mdx/int_edugain/mds-v1.cer
deleted file mode 100644
index 47ee676b..00000000
--- a/mdx/int_edugain/mds-v1.cer
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC1zCCAb+gAwIBAgIDVWNTMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNVBAoTBUdF
-QU5UMRowGAYDVQQDExFlZHVHQUlOIFNpZ25lciBDQTAiGA8yMDE0MDcwMjE0MzQ0
-OVoYDzIwMjEwMzMxMjM1OTU5WjAsMQ4wDAYDVQQKEwVHRUFOVDEaMBgGA1UEAxMR
-ZWR1R0FJTiBTaWduZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCRfl1zhkaFveJvJtS03bRIO3k77q2s5m+c6sQ83j71rIad+vGCO29S4JHBXHI/
-U57yNbNLgoKzl0MI4WQrs4KT/y+LPMFB9M0lNrALQd/op6PNc7CWKMN1yV8V/L74
-/vapRlb90gPVJABHmoAfQmjyMXLW38KLwzK1qEpKUIxPBfQMBawmh0gC2T5ndZnd
-cMPpgsMXyG2AZ4QGSOt4tgpspjTSRY++X+gi9WUuWzsEHHdFhCR9UYQ6+1glMVhe
-JjVmoD0b9V/KQ0BF/1zry2jfWlchFeILlWbWgiWsIBA4BPNHqFW42qGgUr9DI3Fz
-RLHXqF2N2f592tzcTeDZ11ejAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAATS7E/J
-tww0rf9VROqVqEoAcyO2fhEt4iLj2PJaAftiKTQEbsEzjOx9C/QdB88NBPxv3+hT
-d3eXUQfrfo1a/CMXfh4v/7wgFAFGWXMCIfXbMn7YS7FnoIhf24Dly0aY7skn9MNe
-57L+WP++kmiO/r7aPq1TO6+HtzdPYBovi8iBBf9Dh1y+qG6u2pH+r9nQNaPEC4nY
-b3cFjwCOkWeteAvZx9Jmj6rpF+r8DbQQveDruXmJXb4/yiF9vmRTRhK6KawTfPB+
-p9oNpPhRuUSONQDRo7Spg7sHAnAKMyP/txPLEve3MgITYv9SIMqpE2ljrs+wHxrw
-OegS1EztHA0//Cw=
------END CERTIFICATE-----
diff --git a/mdx/int_edugain/mds-v2.cer b/mdx/int_edugain/mds-v2.cer
new file mode 100644
index 00000000..a21110b0
--- /dev/null
+++ b/mdx/int_edugain/mds-v2.cer
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSzCCAzOgAwIBAgIUY99qGOKOxV+iz/+tWfwixuh0CpowDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECgwFR0VBTlQxIzAhBgNVBAMMGmVkdUdBSU4gUlNBIFNpZ25l
+ciBDQSAyMDIyMB4XDTIyMDMwODA5MjIzMloXDTQyMDMwODA5MjIzMlowNTEOMAwG
+A1UECgwFR0VBTlQxIzAhBgNVBAMMGmVkdUdBSU4gUlNBIFNpZ25lciBDQSAyMDIy
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1H2PdoPu4QLKqfcg7uC9
+rzPA04tdUAdbdnByPddLFEeOfYUxkzbbmrEkUbvL65YAibbxJwEioIQTgSwrtoHL
+nT/puQnux7T7en5qYRDLpX7qR2ssNN4TiXS8Z8qDmI+LQw9YnNpI35qHguHKBr2J
+kbM7qdq6+8KQD0aK+7FyPcGsYDnOoLlJ8cfmIxY7mumfEbiAni/z/pP4Mo2g4rf4
+GY8nhHudJea6qSvxIGLRy7GlL0VOY/PCnxl+EPYSRZYEJEc9jNXsepIzpSU5AM6r
+kwO6Ue+5crYtJMey07b0IEaFNHc/Omt5KY+UO0ewYnjcdnKa5MWgTntxs+AzDiMp
+dIXGemo2SKfcqmAPUW8bLNFABdwxq/Bhcsqb1K+e4C61dPyI2rDWpaM+NIRLvpLD
+jDZsaMnhZK6/ezxKV4h94YKSF1fTunZsyEtaot53ztXjUgvALMFb/XqAes3V+o7D
+WSQ1JYvifkk2agzjel+A9m+e7UgaBuuqfwpkClgMExrB8CJI1xBuAHI/yldoaITL
+auPKWYb+bXpkPg8BznYhGIA9TSqTPNwd0WmH1SZ1lmINuN8ElKRmi+DKkKe9NRXf
+/jS3PKg9NnrFS9fnhTeaI8ikVSh8qPDfsUYtuDF1SL7B+27yT3+7WKCD6gqu/J4P
+8iYELM++C29VgApxlHnLdO8CAwEAAaNTMFEwHQYDVR0OBBYEFEgBijs8UaPzEW81
+hco9oyNH27b3MB8GA1UdIwQYMBaAFEgBijs8UaPzEW81hco9oyNH27b3MA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAMTQKHe5mybVO4hlTHeha1xo
+/OYREQsa0We4nR5Rbga6xDMHCjnDYdfZg6VqbgGUA97kOAymhlIFO0pNKGowlOdR
+o9AjEhW2mq2itD7e4T4bDWqJ+6YAVc94DIVAjaY8BSJiet5BccXB8oles+W9nQ8k
+k24X2uCa3lWTbUaNGootbN+DVKVvX85zt5p707++yRQJZH4AWSAgpglnnIxo/y2Z
+rVUl8LvbwU4SuSQnyorfaiA0Q4NCnJPoZh1sEyfqvcVkH915RwP+0Vl7oXYgYKx0
+52U+G6I3w5qm/PafUQ4K2hn2KIHYDCz4P8DV6pbUqzoZ15BvLPu/3eenzqvdtoGj
+hD8/3VxowicLrV69gEWJZ89VMjjPTHp7XyrEvKq4n7uquLArS3dW3+mNrmeFRA99
+Y59RFgtroEbIyk5Z/AQA0vuTfEATIMdn/jbeLC2juz57AAnuu6mE72KBdZY3OK2u
+F1sQCop/lWfN/khleo5EBWucQ+a7nZnByd6J0sp70AxjSOBTP5I0TBcdZgaDXJpH
+b4pOwX4EQeXUwlYTh2eYoZRP2thTdH0QrXKEEicynmBfvECz/4nAPwLPYk+yK9/a
+bYYSBn/KbBhBie7chsknzJ+XXb4C9ROubuuAl26yPQxX5uI03lYkVExpj5SdHzts
+/ULLKN5t9Us3gc9SQ3+6
+-----END CERTIFICATE-----