Remove UKf PKIX trust root handling.

build.xml

@@ -1261,17 +1261,6 @@
         </exec>
     </target>
 
-    <!--
-        Extract authorities
-    -->
-    <target name="extract.authorities">
-        <echo>Extracting key authorities</echo>
-        <XALAN
-            i="${mdx.dir}/uk/trust-roots.xml"
-            o="${mdx.dir}/uk/authorities.pem"
-            x="${mdx.dir}/uk/extract_authorities.xsl"/>
-    </target>
-
     <!--
         Utility to fold overlong embedded certificates.
     -->

build/check_embedded.pl

@@ -41,12 +41,10 @@
 #
 my %issuerMark;
 
-# From the UK federation trust roots document.
-$issuerMark{'AddTrust External CA Root'} = 'R';
-$issuerMark{'UTN-USERFirst-Hardware'} = 'i';
-$issuerMark{'TERENA SSL CA'} = 'i';
-
 # ex-roots
+$issuerMark{'AddTrust External CA Root'} = 'X';
+$issuerMark{'UTN-USERFirst-Hardware'} = 'x';
+$issuerMark{'TERENA SSL CA'} = 'x';
 $issuerMark{'GlobalSign Root CA'} = 'X';
 $issuerMark{'GlobalSign Organization Validation CA'} = 'x';
 $issuerMark{'GlobalSign Primary Secure Server CA'} = 'x';
@@ -366,74 +364,6 @@ sub comment {
 		}
 
 
-		#
-		# Use openssl to ask whether this matches our trust fabric or not.
-		#
-		my $error = '';
-		$serverOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslserver $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 2";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$serverOK = 0;
-			}
-		}
-		close SSL;
-		$clientOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslclient $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 3";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$clientOK = 0;
-			}
-		}
-		close SSL;
-
-		#
-		# Irrespective of what went wrong, client and server results should match.
-		#
-		if ($clientOK != $serverOK) {
-			error("client/server purpose result mismatch: $clientOK != $serverOK");
-		}
-
-		#
-		# Reduce error if possible.
-		#
-		if ($error =~ m/^error \d+ at \d+ depth lookup:\s*(.*)$/) {
-			$error = $1;
-		}
-
-		#
-		# Now, adjust for our expectations.
-		#
-		if (!$hasKeyName) {
-			#
-			# Pretty much any certificate is fine if we don't have a KeyName.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = '';
-				comment("self signed certificate");
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = '';
-				comment("unknown issuer: $issuerCN");
-			} elsif ($clientOK) {
-				# $error = "certificate matches trust fabric; add KeyName?";
-			}
-		}
-
-		if ($error eq 'certificate has expired' && $days < 0) {
-			# an equivalent message has already been issued
-			$error = '';
-		}
-
-		if ($error ne '') {
-			error($error);
-		}
-
 		#
 		# Handle public key size.
 		#
@@ -446,14 +376,6 @@ sub comment {
 		#
 		close $fh;
 
-		#if ($issuer eq $subject) {
-		#	# self-signed
-		#} elsif ($issuerCN eq 'TERENA SSL CA') {
-		#	# this one we know about
-		#} else {
-		#	warning("issuer is '$issuerCN'");
-		#}
-
 		#
 		# Add a warning for certain issuers.
 		#

mdx/uk/beans.xml

@@ -286,76 +286,6 @@
     </bean>
 
 
-    <!--
-        uk_trustRootsDocument
-        
-        This bean contains the contents of the trust roots file as a DOM Document.
-    -->
-    <bean id="uk_trustRootsDocument" parent="DOMDocumentFactoryBean">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="documentResource">
-            <bean parent="FileSystemResource">
-                <constructor-arg value="${basedir}/mdx/uk/trust-roots.xml"/>
-            </bean>
-        </property>
-    </bean>    
-
-
-    <!--
-        uk_addTrustRoots
-        
-        This stage adds the UK federation trust roots to an EntitiesDescriptor.
-    -->
-    <bean id="uk_addTrustRoots" parent="XSLTransformationStage"
-        p:id="uk_addTrustRoots">
-        <property name="XSLResource">
-            <bean parent="ClassPathResource">
-                <constructor-arg value="uk/trust-roots.xsl"/>
-            </bean>
-        </property>
-        <property name="transformParameters">
-            <map>
-                <entry key="trustRootsDocument" value-ref="uk_trustRootsDocument"/>
-            </map>
-        </property>
-    </bean>
-
-
-    <!--
-        uk_dummyTrustRootsDocument
-        
-        This bean contains the contents of the dummy trust roots file as a DOM Document.
-    -->
-    <bean id="uk_dummyTrustRootsDocument" parent="DOMDocumentFactoryBean">
-        <property name="parserPool" ref="parserPool"/>
-        <property name="documentResource">
-            <bean parent="FileSystemResource">
-                <constructor-arg value="${basedir}/mdx/uk/trust-dummy.xml"/>
-            </bean>
-        </property>
-    </bean>    
-
-
-    <!--
-        uk_addDummyTrustRoots
-        
-        This stage adds the dummy UK federation trust roots to an EntitiesDescriptor.
-    -->
-    <bean id="uk_addDummyTrustRoots" parent="XSLTransformationStage"
-        p:id="uk_addDummyTrustRoots">
-        <property name="XSLResource">
-            <bean parent="ClassPathResource">
-                <constructor-arg value="uk/trust-roots.xsl"/>
-            </bean>
-        </property>
-        <property name="transformParameters">
-            <map>
-                <entry key="trustRootsDocument" value-ref="uk_dummyTrustRootsDocument"/>
-            </map>
-        </property>
-    </bean>
-
-
     <!--
         uk_processFragment
         

mdx/uk/collect.xml

@@ -37,7 +37,6 @@
             <list>
                 <ref bean="uk_registeredEntities"/>
                 <ref bean="uk_assemble"/>
-                <ref bean="uk_addTrustRoots"/>
                 <ref bean="normaliseNamespaces"/>
                 <ref bean="errorTerminatingFilter"/>
                 <ref bean="serializeCollected"/>