Implement reproducible signatures for per-entity metadata

See ukf/ukf-meta#347.

build.xml

@@ -116,6 +116,12 @@
     <!-- Same value, as an ISO 8601 duration. -->
     <property name="validUntil.aggregate.duration" value="P${validUntil.aggregate.days}D"/>
 
+    <!--
+        The following properties establish a validity interval for per-entity
+        metadata. Note, however, that the current UK federation configuration (see
+        mdx/uk/mdq-multisign.xml) does not make use of these, instead inheriting
+        the validUntil instant from the aggregate metadata.
+    -->
     <!-- Specific validUntil duration for per-entity metadata, in days. -->
     <property name="validUntil.perEntity.days" value="${validUntil.default.days}"/>
     <!-- Same value, as an ISO 8601 duration. -->

mdx/uk/mdq-multisign.xml

@@ -60,20 +60,26 @@
                 -->
                 <ref bean="stripXsiNamespace"/>
 
+                <!--
+                    Propagate the validUntil attribute from the aggregate
+                    down to the individual entity descriptors.
+                -->
+                <bean parent="mda.XSLTransformationStage"
+                    p:XSLResource="classpath:uk/mdq_validity.xsl"/>
+
                 <!-- Break down into individual entities. -->
                 <ref bean="disassemble"/>
 
                 <!-- Populate ItemId with the entityID. -->
                 <ref bean="populateItemIds"/>
 
-                <!-- Set ID, cacheDuration and validUntil attributes. -->
+                <!-- Set ID and cacheDuration attributes. -->
                 <bean parent="mda.GenerateIdStage">
                     <constructor-arg>
                         <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
                     </constructor-arg>
                 </bean>
                 <bean parent="mda.SetCacheDurationStage" p:cacheDuration="${cacheDuration.perEntity.duration}"/>
-                <bean parent="mda.SetValidUntilStage" p:validityDuration="${validUntil.perEntity.duration}"/>
 
                 <!-- Identity transform fixes signing issues. -->
                 <bean parent="mda.XSLTransformationStage"

mdx/uk/mdq_validity.xsl

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    mdq_validity.xsl
+
+    Operates on an aggregate, propagating the validUntil attribute from the
+    EntitiesDescriptor down to each EntityDescriptor.
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!--
+        Copy validUntil down from the aggregate.
+
+        Has no effect if the aggregate is not present.
+    -->
+    <xsl:template match="md:EntitiesDescriptor/md:EntityDescriptor">
+        <xsl:copy>
+            <xsl:attribute name="validUntil">
+                <xsl:value-of select="../@validUntil"/>
+            </xsl:attribute>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>