From 9f1110537251f2156628ec9e950fe6d6f763a78d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 23 Jun 2011 14:27:09 +0000
Subject: [PATCH] Guarantee that ds:X509SerialNumber will not appear in
 published metadata: * strip it from fragment files when building the master
 file (old and new style) * strip it from import channels * verify this
 explicitly before publication This is slightly too severe, as it would be
 best to strip it only from the publication channels, but this is easier to do
 for now until we retire the old production system.

---
 build.xml                     |  3 ++-
 build/check_filtered.xsl      | 35 +++++++++++++++++++++++++++++++++++
 build/master_ukfederation.xsl | 20 +++++++++++++++++++-
 mdx/clean-import.xsl          |  8 ++++++++
 mdx/uk/fragment.xsl           | 14 ++++++++++++--
 mdx/validation-beans.xml      | 27 +++++++++++++++++++++++++++
 6 files changed, 103 insertions(+), 4 deletions(-)
 create mode 100644 build/check_filtered.xsl

diff --git a/build.xml b/build.xml
index 084bea5b..ed2f6bf1 100644
--- a/build.xml
+++ b/build.xml
@@ -424,7 +424,7 @@
         export flows, for which we desire the closest possible correspondence to
         the registered metadata.
         
-        At the moment, this is a single test which is no longer being performed elsewhere
+        At the moment, this consists of a few tests which are no longer being performed elsewhere
         but should pass by construction.  In the longer term it may make sense to
         expand this to the fullest battery possible, with the exception of those
         tests which are registrar-specific.
@@ -436,6 +436,7 @@
         <attribute name="i"/>
         <sequential>
             <CHECK.base i="@{i}">
+            	<arg value="${build.dir}/check_filtered.xsl"/>
                 <arg value="${build.dir}/check_fixups.xsl"/>
             </CHECK.base>
         </sequential>
diff --git a/build/check_filtered.xsl b/build/check_filtered.xsl
new file mode 100644
index 00000000..fdb40a1f
--- /dev/null
+++ b/build/check_filtered.xsl
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_filtered.xsl
+
+	This checking ruleset verifies that certain constructs have been removed from the
+	metadata before it is published.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<xsl:template match="ds:X509SerialNumber">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+</xsl:stylesheet>
diff --git a/build/master_ukfederation.xsl b/build/master_ukfederation.xsl
index 65b65b87..d827698c 100644
--- a/build/master_ukfederation.xsl
+++ b/build/master_ukfederation.xsl
@@ -201,7 +201,25 @@
     </xsl:template>
 
 
-    <!--
+	<!--
+		***********************************
+		***                             ***
+		***   D S   N A M E S P A C E   ***
+		***                             ***
+		***********************************
+	-->
+	
+	
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+	
+		
+	<!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***
diff --git a/mdx/clean-import.xsl b/mdx/clean-import.xsl
index 8aac9ff6..bdf37d61 100644
--- a/mdx/clean-import.xsl
+++ b/mdx/clean-import.xsl
@@ -54,6 +54,14 @@
 		</xsl:element>
 	</xsl:template>
 	
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+	
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
diff --git a/mdx/uk/fragment.xsl b/mdx/uk/fragment.xsl
index 43dbca43..b0c281f1 100644
--- a/mdx/uk/fragment.xsl
+++ b/mdx/uk/fragment.xsl
@@ -8,7 +8,8 @@
 	
 -->
 <xsl:stylesheet version="1.0"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -25,7 +26,16 @@
 	<xsl:template match="@xsi:schemaLocation"/>
 
 
-    <!--
+	<!--
+		Discard various ds:X509 elements.  Several of these are known to
+		cause problems with software systems, and they don't affect trust
+		establishment so are safe to remove.
+	-->
+	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+	
+
+	<!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 1f8d102c..97f50a28 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -22,6 +22,19 @@
         </property>
     </bean>
     
+    <!--
+        check_filtered
+    -->
+    <bean id="check_filtered" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="check_filtered"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_filtered.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
     <!--
         check_fixups
     -->
@@ -240,4 +253,18 @@
         </property>
     </bean>
     
+    <!--
+        CHECK_publishable
+    -->
+    <bean id="CHECK_publishable" class="net.shibboleth.metadata.pipeline.CompositeStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="CHECK_publishable"/>
+        <property name="composedStages">
+            <list>
+                <ref bean="check_filtered"/>
+                <ref bean="check_fixups"/>
+            </list>
+        </property>
+    </bean>
+    
 </beans>