From b0187a4655a068f0b5f6a9124466b2dab2fb93fb Mon Sep 17 00:00:00 2001
From: Phil Smart <philip.smart@jisc.ac.uk>
Date: Tue, 16 Apr 2024 15:28:57 +0100
Subject: [PATCH] Fix multi-predicate support in check_saml2int ruleset

From commit hash ukf/ukf-testbed/3a2ac084ffed84ef2de3ba7a08b6c4012b86cc96

See ukf/ukf-meta#416 for details
---
 mdx/_rules/check_saml2int.xsl | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 37b4444..596c2fa 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -126,16 +126,14 @@
     -->
     <xsl:template match="md:IDPSSODescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data][@use='signing']) or (md:KeyDescriptor[descendant::ds:X509Data][not(@use)]))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
     <xsl:template match="md:AttributeAuthorityDescriptor
         [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        [not((md:KeyDescriptor[descendant::ds:X509Data][@use='signing']) or (md:KeyDescriptor[descendant::ds:X509Data][not(@use)]))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
         </xsl:call-template>