Add support for verifying SAML MD signed with the new MDQ signing key

InCommon · Nov 24, 2016 · e6bdfcb · e6bdfcb
1 parent f39c4a0
commit e6bdfcb
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 4 deletions.
diff --git a/build.xml b/build.xml
@@ -1164,7 +1164,7 @@
     -->
 
     <!--
-        Verify a metadata file held on the master distribution site.
+        Verify a metadata file held on the master distribution site, using the ukfederation-2014.pem key
     -->
     <macrodef name="VFY.remote">
         <attribute name="i"/>
@@ -1184,6 +1184,28 @@
             <delete file="${temp.xml}" quiet="true" verbose="false"/>
         </sequential>
     </macrodef>
+
+    <!--
+        Verify a metadata file held on the master distribution site, using the ukfederation-mdq.pem key
+    -->
+    <macrodef name="VFY.MDQ.remote">
+        <attribute name="i"/>
+        <sequential>
+            <echo>Verifying @{i}...</echo>
+            <delete file="${temp.xml}" quiet="true" verbose="false"/>
+            <get src="@{i}" dest="${temp.xml}"/>
+
+            <!--
+                Verify using xmlsectool.
+            -->
+            <XMLSECTOOL.VFY.MDQ.uk i="${temp.xml}"/>
+
+            <!--
+                Delete the temporary file.
+            -->
+            <delete file="${temp.xml}" quiet="true" verbose="false"/>
+        </sequential>
+    </macrodef>
 
     <!--
         Verify a metadata file held on the master distribution site.
@@ -1301,9 +1323,9 @@
     -->
     <target name="samlmd.mdq.verify.remote">
         <echo>Verifying MDQ held at ${mdq.dist.name}</echo>
-        <VFY.remote i="http://${mdq.dist.name}/entities"/>
-        <VFY.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth"/>
-        <VFY.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest.ukfederation.org.uk%2Fentity"/>
+        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities"/>
+        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth"/>
+        <VFY.MDQ.remote i="http://${mdq.dist.name}/entities/https%3A%2F%2Ftest.ukfederation.org.uk%2Fentity"/>
     </target>
 
 
@@ -1665,6 +1687,22 @@
             </XMLSECTOOL>
         </sequential>
     </macrodef>
+
+    <macrodef name="XMLSECTOOL.VFY.MDQ.uk">
+        <attribute name="i"/><!-- input file -->
+        <sequential>
+            <XMLSECTOOL i="@{i}">
+                <args>
+                    <arg value="--verifySignature"/>
+                    <arg value="--certificate"/>
+                    <arg value="${mdx.dir}/uk/ukfederation-mdq.pem"/>
+                    <!--
+                    <arg value="- -quiet"/>
+                    -->
+                </args>
+            </XMLSECTOOL>
+        </sequential>
+    </macrodef>
 
     <!--
         *******************************

diff --git a/mdx/uk/ukfederation-mdq.pem b/mdx/uk/ukfederation-mdq.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFTTCCAzWgAwIBAgIEXGA32DANBgkqhkiG9w0BAQsFADBQMSEwHwYDVQQDExhV
+SyBmZWRlcmF0aW9uIE1EUSBTaWduZXIxHjAcBgNVBAoTFUppc2MgU2VydmljZXMg
+TGltaXRlZDELMAkGA1UEBhMCR0IwHhcNMTYxMTIzMTgxNjU2WhcNMzcxMjMxMTgx
+NjU2WjBQMSEwHwYDVQQDExhVSyBmZWRlcmF0aW9uIE1EUSBTaWduZXIxHjAcBgNV
+BAoTFUppc2MgU2VydmljZXMgTGltaXRlZDELMAkGA1UEBhMCR0IwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQCI5H5i6x+PJrKQyfI8ALGEisMiHwQLUbzs
+h2Sx8ssRkldAohR5CHp5qeMMpBDb1Pv9bBGppe+10oh2URYcPE+gBuajZT1dL8pg
+jE7F3UUOJa+MXh9jBeDmoiCmXO8V8T4DWtQAA2ObbYPKynCZ6FaGsGV8N7GYUsMK
+SXT3dfkbAzk6J7l4Top4gg4yZd6ELQwarLG5M5h0xnIIaoNSIspxTLTkIMDgJRo8
+4VObLUriJwiLPzfHXAJxJdq+0AzHzhlDrg1hTtB82dOMGGyXZd4R6E6Aar8OrKa6
+uz8OYWj8oeLzHGmzdw7dr+7WesO+4ofNksPh3lyGoRlvhWTKgBIyzXTiPRWRl2k7
+b2EWEFBoBk4+GgVhi8hjA5yriTEe99RcigFq2Y1SemKYtz3ur2wmrBag+NsWm2rm
+OHBehrYEDjlkHqzhvgqygoj2JFogP7L0ZvLh1VdU4waLAkLBLi5EJmlNjfN0b124
+UrJHXN7z/zFAl2r+Or1KZbZnWKBRD5IKZBAo/iRT4ULGqxImF+/yURXpuI12wz4P
+JQXXmU9NNzJrWLaDH5mesCeVLWg64/RoqbIVIbMCd9FTxhJTH6rr/hLkldGtHjiy
+EuvUE7lZ+2Xu2QAnW68tKmsSqk0/C3gt9l/3xhnUBaguhUo8OWrnZ1pxr+GSdnJ6
+NRm+f46RAQIDAQABoy8wLTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSbDGYuV4tc
+bEWVEpPE3MjgF0c+UjANBgkqhkiG9w0BAQsFAAOCAgEAeBgy2CgA31Sriyw1tBnY
+kzb6Vlemnv/UwZjivoOftqdp1TS8AeMs9qGgTBBeZkCV/6G8abq5gYBU8BETifR5
+FWxuIicU1oCNO4JwYoCpUNxwZfTbvuTKRcLia5o2OYvJo5friL5a8fWdhUy43tSh
+ubOTRqeIPSDOYQif9D0Kq6A8+oURHEBA+wwDthkhRanvJYdHp6Z6YKiwTUXp1MCH
+qe0q+LnoQ2ZRXRmSZ0y2t9ghPCFY9pD4OKnyyAxjQZdn1qFyMtYlkY9acT/ZdLDq
+3LcmaGAJEqgH0dAbl3xRkwqotP//JJ/4ffTaJHF+D3yN9y2hJ1xYukfd8caRTB+W
+O6yiQwcR7707irmF5HdW5hxIQlGgR1w/akz188KuGRP3MSWVIGEdwjCVz41XxI7V
+0MC7tZs/gujXpb58BcWIog5fceTY2dux9g4MzYKifVAPORgVWXDyXtiyddWbVorI
+He6vvbpRs5UaTyiLbUJkEs8ApJYHApZwJ2Ewz4Uea02qqP0nCVgcr+fnyugyVx4T
+KWBrvb9T2A2Z2HuQlTWksTAdapluRUj3pvvzZ+tCTXYbW0YdYSMKKH+QEwzEe90+
+gy4dJqx8m9bQ3hOu60GqyYHT7ng+dx3SxZ8zA97iXEqJnqJksaIRhzLB/kku2obf
+YC3UXJnkRumoAW1o2AjWQGg=
+-----END CERTIFICATE-----