Check for locally derived known compromised RSA keys

See ukf/ukf-meta#223.

mdx/uk/beans.xml

@@ -233,6 +233,31 @@
     <bean id="check_owner" parent="ukf.EntityOwnerCheckingStage"
         p:members-ref="uk_members"/>
 
+    <!--
+        compromised.ukf
+
+        Check against UKf-specific list of compromised RSA keys.
+    -->
+    <bean id="compromised.ukf" parent="mda.X509RSAOpenSSLBlacklistValidator"
+        p:id="compromised.ukf">
+        <property name="blacklistResource">
+            <bean parent="FileSystemResource" c:_="${blocklists.dir}/compromised-keys.txt"/>
+        </property>
+    </bean>
+
+    <!--
+        check_ukf_compromised
+
+        Validation bean which just checks against the UKf-specific list of compromised RSA keys.
+    -->
+    <bean id="check_ukf_compromised" parent="mda.X509ValidationStage">
+        <property name="validators">
+            <list>
+                <ref bean="compromised.ukf"/>
+            </list>
+        </property>
+    </bean>
+
     <!--
         check_uk_keydesc_key
     -->
@@ -425,6 +450,11 @@
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
+
+                            <!--
+                                Check against UKf-specific list of compromised RSA keys.
+                            -->
+                            <ref bean="compromised.ukf"/>
                         </list>
                     </property>
                 </bean>

mdx/uk/edugain-policy.xml

@@ -150,6 +150,11 @@
                 -->
                 <ref bean="check_hasreginfo"/>
 
+                <!--
+                    Checks against the UKf-specific list of compromised RSA keys.
+                -->
+                <ref bean="check_ukf_compromised"/>
+
             </list>
         </property>
     </bean>