From ded9fd41a4e6516be9c10f11e91ea5bf82f8b42f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 9 Feb 2010 17:20:45 +0000
Subject: [PATCH] Add an ID attribute to the test aggregate's document element,
 and arrange for xmltool to sign with reference to that rather than using the
 implicit parent form of signature.  This complies with SAML 2.0 metadata
 specification section 3.1.2.

The identifier value used is "uk" followed by the aggregation instant in compact form.
---
 build.xml                |  2 ++
 build/uk_master_test.xsl | 19 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 34363abe..5c7a8cb8 100644
--- a/build.xml
+++ b/build.xml
@@ -531,6 +531,8 @@
 					<arg value="${keystore.pass}"/>
 					<arg value="--outFile"/>
 					<arg value="${xml.dir}/@{o}"/>
+					<arg value="--referenceIdAttributeName"/>
+					<arg value="ID"/>
 					<!--
 					<arg value="- -quiet"/>
 					-->
diff --git a/build/uk_master_test.xsl b/build/uk_master_test.xsl
index b230dd45..b179195c 100644
--- a/build/uk_master_test.xsl
+++ b/build/uk_master_test.xsl
@@ -42,7 +42,21 @@
 	
 	<xsl:variable name="now" select="date:date-time()"/>
 	<xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
-	
+	
+	<!--
+		documentID
+		
+		This value is generated from a normalised version of the aggregation instant,
+		transformed so that it can be used as an XML ID value.
+		
+		Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
+		that the signature explicitly references an identifier attribute in the element
+		being signed, in this case the document element.
+	-->
+	<xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
+	<xsl:variable name="documentID"
+		select="concat('uk', translate($normalisedNow, ':-', ''))"/>
+
 	<!--
 		Document root.
 	-->
@@ -58,6 +72,9 @@
 		<xsl:copy>
 			<xsl:attribute name="validUntil">
 				<xsl:value-of select="$validUntil"/>
+			</xsl:attribute>
+			<xsl:attribute name="ID">
+				<xsl:value-of select="$documentID"/>
 			</xsl:attribute>
 			<xsl:apply-templates select="@*"/>
 			<xsl:call-template name="document.comment"/>