Guarantee that ds:X509SerialNumber will not appear in published metad…

…ata:

* strip it from fragment files when building the master file (old and new style)
* strip it from import channels
* verify this explicitly before publication
This is slightly too severe, as it would be best to strip it only from the publication channels, but this is easier to do for now until we retire the old production system.

build.xml

@@ -424,7 +424,7 @@
         export flows, for which we desire the closest possible correspondence to
         the registered metadata.
         
-        At the moment, this is a single test which is no longer being performed elsewhere
+        At the moment, this consists of a few tests which are no longer being performed elsewhere
         but should pass by construction.  In the longer term it may make sense to
         expand this to the fullest battery possible, with the exception of those
         tests which are registrar-specific.
@@ -436,6 +436,7 @@
         <attribute name="i"/>
         <sequential>
             <CHECK.base i="@{i}">
+            	<arg value="${build.dir}/check_filtered.xsl"/>
                 <arg value="${build.dir}/check_fixups.xsl"/>
             </CHECK.base>
         </sequential>

build/check_filtered.xsl

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_filtered.xsl
+
+	This checking ruleset verifies that certain constructs have been removed from the
+	metadata before it is published.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<xsl:template match="ds:X509SerialNumber">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+</xsl:stylesheet>

build/master_ukfederation.xsl

@@ -201,7 +201,25 @@
     </xsl:template>
 
 
-    <!--
+	<!--
+		***********************************
+		***                             ***
+		***   D S   N A M E S P A C E   ***
+		***                             ***
+		***********************************
+	-->
+
+
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+
+
+	<!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***

mdx/clean-import.xsl

@@ -54,6 +54,14 @@
 		</xsl:element>
 	</xsl:template>
 
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>

mdx/uk/fragment.xsl

@@ -8,7 +8,8 @@
 	
 -->
 <xsl:stylesheet version="1.0"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -25,7 +26,16 @@
 	<xsl:template match="@xsi:schemaLocation"/>
 
 
-    <!--
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+
+
+	<!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***

mdx/validation-beans.xml

@@ -22,6 +22,19 @@
         </property>
     </bean>
 
+    <!--
+        check_filtered
+    -->
+    <bean id="check_filtered" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="check_filtered"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_filtered.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         check_fixups
     -->
@@ -240,4 +253,18 @@
         </property>
     </bean>
 
+    <!--
+        CHECK_publishable
+    -->
+    <bean id="CHECK_publishable" class="net.shibboleth.metadata.pipeline.CompositeStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="CHECK_publishable"/>
+        <property name="composedStages">
+            <list>
+                <ref bean="check_filtered"/>
+                <ref bean="check_fixups"/>
+            </list>
+        </property>
+    </bean>
+
 </beans>