SURFnet now has a proper IdP aggregate, with signature and validUntil…

…. Combine this with the SP singleton for our purposes.
InCommon · Sep 27, 2011 · b2173dc · b2173dc
1 parent d718f4c
commit b2173dc
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 3 deletions.
diff --git a/mdx/nl_surfnet/beans.xml b/mdx/nl_surfnet/beans.xml
@@ -5,15 +5,35 @@
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> 
 
-
+    <!--
+        Metadata signing certificate.
+    -->
+    <bean id="nl_surfnet_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
+        lazy-init="true">
+        <property name="certificateFile">
+            <bean class="java.io.File">
+                <constructor-arg value="#{ systemProperties['basedir'] }/mdx/nl_surfnet/metadata-signer.crt"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        Check the signature on a document.
+    -->
+    <bean id="nl_surfnet_checkSignature" class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="nl_surfnet_checkSignature"/>
+        <property name="verificationCertificate" ref="nl_surfnet_signingCertificate"/>
+    </bean>
+
     <!--
         Fetch the IdP aggregate.
     -->
     <bean id="nl_surfnet_idpAggregate" class="net.shibboleth.metadata.dom.DomHttpSourceStage"
         init-method="initialize" lazy-init="true">
         <property name="id" value="nl_surfnet_idpAggregate"/>
         <property name="parserPool" ref="parserPool"/>
-        <property name="sourceUrl" value="http://federatie.surfnet.nl/metadata-sfs-idp-saml20-signed.xml"/>        
+        <property name="sourceUrl" value="https://wayf.surfnet.nl/federate/metadata"/>        
     </bean>
 
     <!--
@@ -36,8 +56,20 @@
             <list>
                 <!-- no export aggregate; use the production ones instead -->
                 <ref bean="nl_surfnet_idpAggregate"/>
+
+                <!--
+                    Check for fatal errors at the aggregate level:
+                        missing or expired validUntil attribute
+                        invalid signature
+                -->
+                <ref bean="check_validUntil"/>
+                <ref bean="nl_surfnet_checkSignature"/>
+                <ref bean="errorTerminatingFilter"/>
+
+                <!-- SP singleton -->
                 <ref bean="nl_surfnet_spAggregate"/>
-                <ref bean="cleanImport"/>
+                <ref bean="disassemble"/>
+                <ref bean="standardImportActions"/>
             </list>
         </property>
     </bean>

diff --git a/mdx/nl_surfnet/metadata-signer.crt b/mdx/nl_surfnet/metadata-signer.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVDCCAzygAwIBAgIJANm7yUGYaeG1MA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
+BAYTAk5MMRAwDgYDVQQKEwdTVVJGbmV0MREwDwYDVQQLEwhTZXJ2aWNlczEZMBcG
+A1UEAxMQRmVkZXJhdGllIEJlaGVlcjEqMCgGCSqGSIb3DQEJARYbZmVkZXJhdGll
+LWJlaGVlckBzdXJmbmV0Lm5sMB4XDTA4MDYwNTE1MDgyMVoXDTIzMDYwMjE1MDgy
+MVoweTELMAkGA1UEBhMCTkwxEDAOBgNVBAoTB1NVUkZuZXQxETAPBgNVBAsTCFNl
+cnZpY2VzMRkwFwYDVQQDExBGZWRlcmF0aWUgQmVoZWVyMSowKAYJKoZIhvcNAQkB
+FhtmZWRlcmF0aWUtYmVoZWVyQHN1cmZuZXQubmwwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC/x+YuMaHyS3xeogfBB6hWrL4Frp+KzOuu4IixfhMHz3xI
+G5l7p2aNV8UrEXevOwMWCgMNxjfSLdZBgNhR14GBh2cVGCx9f/wUtB86scmkP3Pr
+RLoZWu/EIY6MEbgET3D3tkdGuVejQwwhJTlK2xxWHtEdEL5abjYLveDg6Lb6z9od
+ljFevylBMZO+5LwTjpa3+B+07oMZr2sV1yjsG2BEBwTFz4XZzJAabeK9UO836qhN
+ptktjffoCNen33tNCjzqci4wzgQef3CNA/Ef0tMKGotdldKC6FtHvXixmVY5RKUK
+Iutm8sRwne8XYqrD54BAgXZQ0ZovxFbvGhA77YXxAgMBAAGjgd4wgdswHQYDVR0O
+BBYEFJNoYjIYUrDN/h1+9BZYOTk7jQBNMIGrBgNVHSMEgaMwgaCAFJNoYjIYUrDN
+/h1+9BZYOTk7jQBNoX2kezB5MQswCQYDVQQGEwJOTDEQMA4GA1UEChMHU1VSRm5l
+dDERMA8GA1UECxMIU2VydmljZXMxGTAXBgNVBAMTEEZlZGVyYXRpZSBCZWhlZXIx
+KjAoBgkqhkiG9w0BCQEWG2ZlZGVyYXRpZS1iZWhlZXJAc3VyZm5ldC5ubIIJANm7
+yUGYaeG1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAI4IxrYPwwjJ
+D9gO1Vzt8ByeQaRe+V0Mv5Ox9RlcXV33WX8Ny8hqUS4/kjs9v7JOuOw7TRop/4QJ
+IAv/LEXH9B+hQ96zdLGMCcHI2crWF8l0yZ/DtgkpdlcyS7dNbjLtedtmgrOMSQub
+LE02tqoSUR491mQbRuXD49+kJsHXZH8I1YZqOShzPZ7+ksvnBd64txhef8OBlCzE
+elT60nOC3Jm8k3i0HwPcCYfDrh6+MJfC2dvfgktAcyu8rm1Q/ZelxaaXok17wUKg
+D8nDrVCOfTND1RCGcqJ3YVjYDhBrMdK+5NSuC5KOJUpVZbKgTOilnOM7B/Os8HJC
+fxLkDyGV/oQ=
+-----END CERTIFICATE-----
diff --git a/mdx/nl_surfnet/verbs.xml b/mdx/nl_surfnet/verbs.xml
@@ -51,6 +51,7 @@
             <list>
                 <ref bean="nl_surfnet_idpAggregate"/>
                 <ref bean="nl_surfnet_spAggregate"/>
+                <ref bean="disassemble"/>
                 <ref bean="assemble"/>
                 <ref bean="serializeImported"/>
             </list>