Add EncryptionMethod elements with AES128-CBC algorithm where appropr…

…iate

Add AES128-CBC to SPs that have no block encryption algorithms.

Initially apply only to test and export preview pipelines.

See ukf-meta#243

mdx/uk/README.md

@@ -28,11 +28,14 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2020-07-21):
+Status (2020-09-10):
 
 * The `export-preview` aggregate declares the `alg` namespace on the document element,
   rather than on each `<DigestMethod>` or `<SigningMethod>` element.
 
+* The `export-preview` aggregate adds `<EncryptionMethod>` elements with AES128-CBC
+  to SPs that have no block encryption methods listed
+
 ## Production Maturity Pipeline
 
 The production maturity pipeline consists of:
@@ -60,7 +63,7 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2020-07-21):
+Status (2020-09-10):
 
 * The `test` aggregate does not include the `<UKFederationMember>` label (`ukf-meta#34`).
 
@@ -70,6 +73,8 @@ Status (2020-07-21):
 * The `test` aggregate declares the `alg` namespace on the document element,
   rather than on each `<DigestMethod>` or `<SigningMethod>` element.
 
+* The `test` aggregate adds `<EncryptionMethod>` elements with AES128-CBC
+  to SPs that have no block encryption methods listed
 
 ### `cds-all` Aggregate vs. Production Aggregate
 

mdx/uk/add_cbc_encryption.xsl

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <xsl:output method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="//md:KeyDescriptor
+		[parent::md:SPSSODescriptor]
+		[not(@use='signing')]
+                [not(
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#aes192-cbc'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'] or
+			md:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc']
+	)]">
+
+
+
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+            <xsl:text>    </xsl:text>
+            <xsl:element name="EncryptionMethod"><xsl:attribute name="Algorithm">http://www.w3.org/2001/04/xmlenc#aes128-cbc</xsl:attribute></xsl:element>
+            <xsl:text>&#10;        </xsl:text>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="node()|@*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>

mdx/uk/beans.xml

@@ -591,4 +591,18 @@
         </property>
     </bean>
 
+    <!--
+        #############################################################
+        ###                                                       ###
+        ###   A D D   E N C R Y P T I O N   A L G O R I T H M S   ###
+        ###                                                       ###
+        #############################################################
+    -->
+
+    <!--
+        Add CBC EncryptionMethod where there is no other block algorithm
+    -->
+    <bean id="uk_add_cbc_encryption" parent="mda.XSLTransformationStage"
+        p:XSLResource="classpath:uk/add_cbc_encryption.xsl"/>
+
 </beans>

mdx/uk/generate.xml

@@ -642,6 +642,9 @@
                 <bean parent="mda.SetCacheDurationStage"
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
                 <ref bean="stripEntityScopes"/>
+
+                <ref bean="uk_add_cbc_encryption"/>
+
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
 
@@ -867,6 +870,9 @@
                     p:cacheDuration="${cacheDuration.aggregate.duration}"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
+
+                <ref bean="uk_add_cbc_encryption"/>
+
                 <ref bean="uk_finaliseExport"/>
 
                 <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"

tests/manual/ukf-meta-243/3-certs-has-encryptionmethod.xml

@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://243.ukf-meta.ukfederation.org.uk/009">
+    <SPSSODescriptor>
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+        </KeyDescriptor>
+    </SPSSODescriptor>
+</EntityDescriptor>

tests/manual/ukf-meta-243/3-certs-has-encryptionmethod.xml.out

@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://243.ukf-meta.ukfederation.org.uk/009">
+    <SPSSODescriptor>
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+                        MIIC3DCCAcSgAwIBAgIJAN+91XVXF36VMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
+                        BAMTB3Rlc3Qtc3AwHhcNMTYwNTExMTI0MTA3WhcNMjYwNTA5MTI0MTA3WjASMRAw
+                        DgYDVQQDEwd0ZXN0LXNwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+                        zSnEqqkjqprYaIIiO3NOMHHMtvu3T4OP3lRFRp3arNgQTu6J54dj4Ljh2R6w2oFf
+                        NW/SXKYmHQSv9L/wo57PH47QDvHpt/fSrcG5vr5E0GJFBsKLH21ejK2IaRh58m4k
+                        xTpncRbdLDVntHs0ZOOAzXTyM9kzwNmLHnhkl6MH0q7qiHRsOXUFMJMM8VdEFZ3p
+                        zGrOjZ36sFysjxwBH+2YYixgJCsmDJJI8/0XCFg9KvgHgtUudru4cO2PgU4MFj9V
+                        mV+j3vPhZP3GPMNqLBlAqDTKKw6lRIHF2hHGE1zhqU6A3QGRxhkAonPEyGMvYfFT
+                        tSW5MW2f58B+0+A5nMKqTwIDAQABozUwMzASBgNVHREECzAJggd0ZXN0LXNwMB0G
+                        A1UdDgQWBBQob//Wa5StNlZteESM3e54WsDovzANBgkqhkiG9w0BAQUFAAOCAQEA
+                        iaLcK3+i8w7AzYuaDiu0I4kclZoxz1zKHyI4o7s+iTTR5xJrX+d5WRZT4f72RkDS
+                        gEH4L/f64XUufso8ilt7vCxJOIUAAcZSxHFD/4TvBhNBha9HjzlL11kOr8VNs3OJ
+                        FQwsV8Or5xr2T1wpcT+JN5sDNbAxx7oz/vthnAdvo98vGMMx1VJcNz7B5irg3B5M
+                        gegI3kOm1UfZLWxjfae/uX19d8N0r8AFD3Uuw4UX/07LVZmrtvjI5LB+ju/kv8kP
+                        ENCjwhjjXq7NUW8hgSiqqdMkFA1iH+KMAYtn2xvll1TojluWAwpYjaCjOLyJSBuV
+                        sIV9aK2TFEhoJD6KkXUNqg==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+        </KeyDescriptor>
+    </SPSSODescriptor>
+</EntityDescriptor>