Require all KeyDescriptor elements in registered entities to have emb…

…edded key material. This means no more KeyName-only KeyDescriptors.
InCommon · Dec 17, 2013 · 55ae268 · 55ae268
1 parent d5601d9
commit 55ae268
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 17 deletions.
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
@@ -30,21 +30,4 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Check for entities which have both PKIX-only KeyDescriptors (i.e.,
-		ones with a KeyName but no embedded X.509 certificate) and also
-		non-PKIX KeyDescriptors (i.e., ones with no KeyName).
-		
-		This combination seems unlikely to be intentional, and most
-		likely the result of an incomplete transition to embedded key
-		material.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[descendant::md:KeyDescriptor[not(descendant::ds:X509Data)]]
-		[descendant::md:KeyDescriptor[not(descendant::ds:KeyName)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">has both PKIX-only and no-PKIX KeyDescriptors</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
@@ -265,6 +265,19 @@
     </bean>
 
 
+    <!--
+        check_uk_keydesc_key
+    -->
+    <bean id="check_uk_keydesc_key" parent="XSLValidationStage"
+        p:id="check_uk_keydesc_key">
+        <property name="XSLResource">
+            <bean parent="FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/mdx/uk/check_uk_keydesc_key.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
+
     <!--
         check_uk_mdrps
     -->
@@ -414,6 +427,7 @@
                 <ref bean="CHECK_std"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_uk_expkeyname"/>
+                <ref bean="check_uk_keydesc_key"/>
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
                 <ref bean="mdui_dn_en_present"/>

diff --git a/mdx/uk/check_uk_keydesc_key.xsl b/mdx/uk/check_uk_keydesc_key.xsl
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_uk_keydesc_key.xsl
+	
+    UKf-specific check that all KeyDescriptor elements contain a key.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="../_rules/check_framework.xsl"/>
+
+
+	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Data)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>KeyDescriptor lacks key material</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>