From 9cf7382616092dcdb57e4f0c192914ff6f5e0bb8 Mon Sep 17 00:00:00 2001
From: Phil Smart <philip.smart@jisc.ac.uk>
Date: Tue, 4 Jun 2024 15:35:27 +0100
Subject: [PATCH] Fix multi predicate negation in check_saml2

From (part-of) commit hash ukf/ukf-testbed/4d362d9f9b289ecf9bd96f09b7bd5368ac2ad7b6

See ukf/ukf-meta#432
---
 mdx/_rules/check_saml2.xsl | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mdx/_rules/check_saml2.xsl b/mdx/_rules/check_saml2.xsl
index 8ab0d9f..b97520b 100644
--- a/mdx/_rules/check_saml2.xsl
+++ b/mdx/_rules/check_saml2.xsl
@@ -60,8 +60,7 @@
     -->
     <xsl:template match="md:SPSSODescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data and @use='encryption']) or ((md:KeyDescriptor[descendant::ds:X509Data and not(@use)])))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
         </xsl:call-template>