Bugzilla 959: check for SAML 2.0 SPs with KeyName-only KeyDescriptors

InCommon · Sep 7, 2012 · 5268ae4 · 5268ae4
1 parent faba1f8
commit 5268ae4
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/mdx/check_future_1.xsl b/mdx/check_future_1.xsl
@@ -29,4 +29,15 @@
 	-->
 	<xsl:import href="../build/check_framework.xsl"/>
 
+	<!--
+		Check for SAML 2.0 SPs with KeyName-only KeyDescriptors.
+	-->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 </xsl:stylesheet>