Move everything related to UKf trust roots into mdx/uk.

build.xml

@@ -707,19 +707,6 @@
         </sequential>
     </macrodef>
 
-	<!--
-		Macro to run the Xalan XSLT engine, taking files from pre-defined
-		locations.
-	-->
-	<macrodef name="XALAN.xmldir">
-		<attribute name="i"/>
-		<attribute name="o"/>
-		<attribute name="x"/>
-		<sequential>
-			<XALAN i="${xml.dir}/@{i}" o="${xml.dir}/@{o}" x="${build.dir}/@{x}"/>
-		</sequential>
-	</macrodef>
-
 	<!--
 		*******************************************
 		***                                     ***
@@ -1191,20 +1178,20 @@
 	-->
 	<target name="extract.authorities">
 		<echo>Extracting key authorities</echo>
-		<XALAN.xmldir
-			i="master.xml"
-			o="authorities.pem"
-			x="extract_authorities.xsl"/>
+		<XALAN
+			i="${mdx.dir}/uk/trust-roots.xml"
+			o="${mdx.dir}/uk/authorities.pem"
+			x="${mdx.dir}/uk/extract_authorities.xsl"/>
 	</target>
 
 	<!--
 		Check authorities
 	-->
 	<target name="check.authorities">
 		<echo>Checking authority certificates</echo>
-		<exec executable="perl" dir="${xml.dir}"
-			input="${xml.dir}/authorities.pem">
-			<arg value="${build.dir}/check_authorities.pl"/>
+		<exec executable="perl" dir="${mdx.dir}/uk"
+			input="${mdx.dir}/uk/authorities.pem">
+			<arg value="${mdx.dir}/uk/check_authorities.pl"/>
 		</exec>
 	</target>
 

build/check_embedded.pl

@@ -41,7 +41,7 @@
 #
 my %issuerMark;
 
-# From master.xml
+# From the UK federation trust roots document.
 $issuerMark{'AddTrust External CA Root'} = 'R';
 $issuerMark{'UTN-USERFirst-Hardware'} = 'i';
 $issuerMark{'TERENA SSL CA'} = 'i';

mdx/uk/beans.xml

@@ -307,13 +307,13 @@
     <!--
         uk_trustRootsDocument
         
-        This bean contains the contents of the master.xml file as a DOM Document.
+        This bean contains the contents of the trust roots file as a DOM Document.
     -->
     <bean id="uk_trustRootsDocument" class="net.shibboleth.ext.spring.factory.DomDocumentFactoryBean">
         <property name="parserPool" ref="parserPool"/>
         <property name="documentResource">
             <bean parent="FilesystemResource">
-                <constructor-arg value="#{ systemProperties['basedir'] }/xml/master.xml"/>
+                <constructor-arg value="#{ systemProperties['basedir'] }/mdx/uk/trust-roots.xml"/>
             </bean>
         </property>
     </bean>    

build/check_authorities.pl → mdx/uk/check_authorities.pl

@@ -18,24 +18,6 @@ sub comment {
 	print '   (' . $s . ')' . "\n";
 }
 
-#
-# Load RSA key blacklists.
-#
-print "Loading key blacklists...\n";
-open KEYS, '../build/blacklist.RSA-1024' || die "can't open RSA 1024 blacklist";
-while (<KEYS>) {
-	chomp;
-	$rsa1024{$_} = 1;
-}
-close KEYS;
-open KEYS, '../build/blacklist.RSA-2048' || die "can't open RSA 2048 blacklist";
-while (<KEYS>) {
-	chomp;
-	$rsa2048{$_} = 1;
-}
-close KEYS;
-print "Blacklists loaded.\n";
-
 while (<>) {
 
 	#
@@ -166,24 +148,6 @@ sub comment {
 			print "   expires in $days days at $notAfter\n";
 		}
 
-		#
-		# Check for weak (Debian) keys
-		#
-		# Weak key fingerprints loaded from files are hex SHA-1 digests of the
-		# line you get from "openssl x509 -modulus", including the "Modulus=".
-		#
-		$fpr = sha1_hex($modulus);
-		# print "   fpr: $fpr\n";
-		if ($pubSize == 1024) {
-			if (defined($rsa1024{$fpr})) {
-				print "   *** WEAK DEBIAN KEY ***\n";
-			}
-		} elsif ($pubSize == 2048) {
-			if (defined($rsa2048{$fpr})) {
-				print "   *** WEAK DEBIAN KEY ***\n";
-			}
-		}
-
 		#
 		# Look for reasonable public exponent values.
 		#