Check that DiscoveryResponse elements have index attributes, and that…

… they all have distinct ones.

build/check_idpdisc.xsl

@@ -13,18 +13,41 @@
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns:set="http://exslt.org/sets"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
+	<!--
+		"index" attributes on DiscoveryResponse elements should all be different
+		for any given entity.
+	-->
+
+	<xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
+		<xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
+		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+		<xsl:if test="count($indices) != count($distinct.indices)">
+			<xsl:call-template name="fatal">
+				<xsl:with-param name="m">DiscoveryResponse index values not all different</xsl:with-param>
+			</xsl:call-template>
+		</xsl:if>
+		<!-- check individual DiscoveryResponse elements for correctness as well -->
+		<xsl:apply-templates/>
+	</xsl:template>
 
 	<!--
 		Checks on the DiscoveryResponse extension.
 	-->
 
+	<xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
 		<xsl:call-template name="fatal">
 			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>