Merge remote-tracking branch 'upstream/master'

build.xml

@@ -609,7 +609,7 @@
         <attribute name="i"/>
         <sequential>
             <MDT i="@{i}" o="${null.device}"
-                keystore="${mdx.dir}/uk/ukfederation-2012.jks"
+                keystore="${mdx.dir}/uk/ukfederation-2014.jks"
                 alias="${keystore.uk.vfy.alias}"/>
         </sequential>
     </macrodef>
@@ -702,7 +702,7 @@
                 <args>
                     <arg value="--verifySignature"/>
                     <arg value="--certificate"/>
-                    <arg value="${mdx.dir}/uk/ukfederation-2012.pem"/>
+                    <arg value="${mdx.dir}/uk/ukfederation-2014.pem"/>
                     <!--
                     <arg value="- -quiet"/>
                     -->
@@ -1261,28 +1261,6 @@
         </exec>
     </target>
 
-    <!--
-        Extract authorities
-    -->
-    <target name="extract.authorities">
-        <echo>Extracting key authorities</echo>
-        <XALAN
-            i="${mdx.dir}/uk/trust-roots.xml"
-            o="${mdx.dir}/uk/authorities.pem"
-            x="${mdx.dir}/uk/extract_authorities.xsl"/>
-    </target>
-
-    <!--
-        Check authorities
-    -->
-    <target name="check.authorities">
-        <echo>Checking authority certificates</echo>
-        <exec executable="perl" dir="${mdx.dir}/uk"
-            input="${mdx.dir}/uk/authorities.pem">
-            <arg value="${mdx.dir}/uk/check_authorities.pl"/>
-        </exec>
-    </target>
-
     <!--
         Utility to fold overlong embedded certificates.
     -->

build/check_embedded.pl

@@ -41,12 +41,10 @@
 #
 my %issuerMark;
 
-# From the UK federation trust roots document.
-$issuerMark{'AddTrust External CA Root'} = 'R';
-$issuerMark{'UTN-USERFirst-Hardware'} = 'i';
-$issuerMark{'TERENA SSL CA'} = 'i';
-
 # ex-roots
+$issuerMark{'AddTrust External CA Root'} = 'X';
+$issuerMark{'UTN-USERFirst-Hardware'} = 'x';
+$issuerMark{'TERENA SSL CA'} = 'x';
 $issuerMark{'GlobalSign Root CA'} = 'X';
 $issuerMark{'GlobalSign Organization Validation CA'} = 'x';
 $issuerMark{'GlobalSign Primary Secure Server CA'} = 'x';
@@ -143,18 +141,23 @@ sub comment {
 		@args = split;
 		$entity = $args[1];
 		$keyname = $args[3];
+
+		#
+		# Tidy entity ID if it includes a UK ID as well.
+		#
+		if ($entity =~ /^\[(.+)\](.+)$/) {
+			$entity = $2 . ' (' . $1 . ')';
+		}
 
 		#
 		# Output header line.
 		#
-		$oline = "Entity $entity ";
+		$oline = "Entity $entity";
 		$hasKeyName = !($keyname eq '(none)');
+		push(@olines, $oline);
 		if ($hasKeyName) {
-			$oline .= "has KeyName $keyname";
-		} else {
-			$oline .= "has no KeyName";
+			error("descriptor has unexpected KeyName $keyname");
 		}
-		push(@olines, $oline);
 
 		#
 		# Start building a new blob.
@@ -280,7 +283,6 @@ sub comment {
 				#
 				if ($notAfter =~ /(\d\d\d\d)/) {
 					my $year = $1;
-					$expiryYear = $year;
 					if ($year > $maxYear) {
 						$maxYear = $year;
 					}
@@ -362,101 +364,6 @@ sub comment {
 		}
 
 
-		#
-		# Check KeyName if one has been supplied.
-		#
-		if ($hasKeyName && !defined($names{lc $keyname})) {
-			my $nameList = join ", ", sort keys %names;
-			error("KeyName mismatch: $keyname not in {$nameList}");
-		}
-
-		#
-		# Use openssl to ask whether this matches our trust fabric or not.
-		#
-		my $error = '';
-		$serverOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslserver $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 2";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$serverOK = 0;
-			}
-		}
-		close SSL;
-		$clientOK = 1;
-		$cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslclient $filename |";
-		open(SSL, $cmd) || die "could not open openssl subcommand 3";
-		while (<SSL>) {
-			chomp;
-			if (/error/) {
-				$error = $_;
-				$clientOK = 0;
-			}
-		}
-		close SSL;
-
-		#
-		# Irrespective of what went wrong, client and server results should match.
-		#
-		if ($clientOK != $serverOK) {
-			error("client/server purpose result mismatch: $clientOK != $serverOK");
-		}
-
-		#
-		# Reduce error if possible.
-		#
-		if ($error =~ m/^error \d+ at \d+ depth lookup:\s*(.*)$/) {
-			$error = $1;
-		}
-
-		#
-		# Now, adjust for our expectations.
-		#
-		if (!$hasKeyName) {
-			#
-			# Pretty much any certificate is fine if we don't have a KeyName.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = '';
-				comment("self signed certificate");
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = '';
-				comment("unknown issuer: $issuerCN");
-			} elsif ($clientOK) {
-				# $error = "certificate matches trust fabric; add KeyName?";
-			}
-		} else {
-			#
-			# If a KeyName is present, we must match the trust fabric.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = 'self signed certificate: remove KeyName?';
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = "non trust fabric issuer: $issuerCN: remove KeyName?";
-			}
-
-			#
-			# KeyName with an expired certificate indicates some kind of misconfiguration.
-			# Either the KeyDescriptor isn't working, or the expired certificate is still
-			# in use (in which case the KeyName is superfluous) or a different certificate
-			# is in use via PKIX (which means we have the wrong one).
-			#
-			if ($days < 0) {
-				error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName");
-			}
-		}
-
-		if ($error eq 'certificate has expired' && $days < 0) {
-			# an equivalent message has already been issued
-			$error = '';
-		}
-
-		if ($error ne '') {
-			error($error);
-		}
-
 		#
 		# Handle public key size.
 		#
@@ -478,13 +385,6 @@ sub comment {
 				warning("issuer '$issuerCN' suspect; verify");
 			}
 		}
-		if ($hasKeyName && ($issuerCN =~ /(Global|Veri)Sign/)) {
-			warning("issuer \"$issuerCN\" to be retired; certificate expires $notAfter; remove KeyName?");
-			$issuerMark{$issuerCN} = '*';
-		}
-		if ($hasKeyName && ($expiryYear > 2014)) {
-			warning("expires $notAfter, which is later than 2014");
-		}
 
 		#
 		# Count issuers.
@@ -497,9 +397,6 @@ sub comment {
 			} else {
 				$issuers{$issuerCN}++;
 			}
-			if ($hasKeyName) {
-				$knIssuers{$issuerCN}++;
-			}
 		}
 
 		#
@@ -544,14 +441,6 @@ sub comment {
 	}
 	print "\n";
 
-	print "KeyName certificate issuers:\n";
-	foreach $issuer (sort keys %knIssuers) {
-		my $count = $knIssuers{$issuer};
-		my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
-		print " $mark $issuer: $count\n";
-	}
-	print "\n";
-
 	my $first = 1;
 	foreach $fingerprint (sort keys %expiry_whitelist) {
 		if ($expiry_whitelist{$fingerprint} eq 'unused') {

build/normalise_fragment

@@ -11,7 +11,7 @@ file:
 
    * arranges for all appropriate namespaces to appear on the EntityDescriptor
 
-   * arranges for an appropriate collection on schemaLocation values
+   * arranges for an appropriate collection of schemaLocation values
 
    * puts any ID and entityID attributes in the right place
 
@@ -66,6 +66,7 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
         urn:oasis:names:tc:SAML:2.0:assertion ../xml/saml-schema-assertion-2.0.xsd
         urn:mace:shibboleth:metadata:1.0 ../xml/shibboleth-metadata-1.0.xsd
         http://ukfederation.org.uk/2006/11/label ../xml/uk-fed-label.xsd
+        http://sdss.ac.uk/2006/06/WAYF ../xml/uk-wayf.xsd
         http://www.w3.org/2001/04/xmlenc# ../xml/xenc-schema.xsd
         http://www.w3.org/2009/xmlenc11# ../xml/xenc-schema-11.xsd
         http://www.w3.org/2000/09/xmldsig# ../xml/xmldsig-core-schema.xsd"

build/query-entities.pl

@@ -14,7 +14,7 @@
 sub help {
 	print<<'EOF';
 
-usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg <registrationAuthority>] [--notreg <registrationAuthority>] <file>
+usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg <registrationAuthority>] [--notreg <registrationAuthority>] [--org <OrganizationName>] <file>
 
 Outputs the entityID, display name(s) and other information about entities in the given SAML metadata aggregate file.
 
@@ -32,6 +32,8 @@ sub help {
 --notreg <registrationAuthority>	- outputs those entities NOT registered by registrationAuthority
 	(By default the script outputs all entities; can only have one of --reg or --notreg)
 	
+--org <OrganizationName>    - outputs entities with this OrganizationName (xml:lang="en" only in this version))
+	
 Example 1:
 To output all SPs in the UK federation metadata which have been imported (i.e. are not registered by the UKAMF registrationAuthority http://ukfederation.org.uk), and to include a header on the CSV file:
 
@@ -42,6 +44,11 @@ sub help {
 
 query-entities.pl --head --idp -reg http://ukfederation.org.uk ukfederation-export.xml
 
+Example 3:
+To output all entities with OrganizationName 'University of Edinburgh'
+
+query-entities.pl --org 'University of Edinburgh' ukfederation-metadata.xml
+
 EOF
 }
 
@@ -52,6 +59,7 @@ sub help {
 my $help;
 my $head;
 my $idonly;
+my $org;
 
 my $result = GetOptions(
 		"idp" => \$idp,
@@ -60,7 +68,8 @@ sub help {
 		"notreg=s" => \$notreg,
 		"help" => \$help,
 		"head" => \$head,
-		"idonly" => \$idonly
+		"idonly" => \$idonly,
+		"org=s" => \$org
 		);
 
 if ($help) {
@@ -111,6 +120,7 @@ sub help {
 	if ($sp) { print "sp: $sp\n"; }
 	if ($reg) { print "reg: $reg\n"; }
 	if ($notreg) { print "notreg: $notreg\n"; }
+	if ($org) { print "org: $org\n"; }
 }
 
 #
@@ -129,7 +139,7 @@ sub help {
 #
 # print header
 #
-if ($head) { print "# type, entityID, registrationAuthority, OrganizationDisplayName, OrganizationURL\n"; }
+if ($head) { print "# type, entityID, registrationAuthority, OrganizationName, OrganizationDisplayName, OrganizationURL\n"; }
 
 #
 # Workhorse
@@ -145,11 +155,12 @@ sub help {
 
 sub is_entity () {
 	my ($t, $section)= @_;
-	my ($entityID, $ODN, $URL, $registrationAuthority, $type, $temp);
+	my ($entityID, $OrganizationName, $ODN, $URL, $registrationAuthority, $type, $temp);
 
 	$entityID = "No entityID found";
 	$entityID = $section->{'att'}->{'entityID'};
 
+    $OrganizationName = "No OrganizationName found";
 	$ODN = "No OrganizationDisplayName found";
 	$URL = "No URL found";	
 	# Turns out the Organization element is optional
@@ -159,12 +170,18 @@ ()
 				$ODN = $temp;
 			}
 		}
+		if ( $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]') ) {
+			if ( $temp = $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]')->text) {
+				$OrganizationName = $temp;
+			}
+		}
 		if ( $section->first_child('Organization')->first_child('OrganizationURL') ) {
 			if ( $temp = $section->first_child('Organization')->first_child('OrganizationURL')->text) {
 				$URL = $temp;
 			}
 		}	
 	}
+	if ( $org && $org ne $OrganizationName ) { return; }
 
 	$registrationAuthority = "No registrationAuthority found";
 	# Even though eduGAIN Metadata profile says entities MUST have MDRPI, turns out the eduGAIN aggregate does not enforce this rule. However, the eduGAIN site allows people to validate federations' incoming aggregates. See http://www.edugain.org/technical/status.php and go to countries' entry 'validate this metadata set'
@@ -176,8 +193,7 @@ ()
 				}
 			}
 		}
-	}
-
+	}	
 	if ( $notreg && $notreg eq $registrationAuthority ) { return; }
 	if ( $reg && $reg ne $registrationAuthority ) { return; }
 
@@ -189,7 +205,7 @@ ()
 		if ($idonly) {
 			print "$entityID\n";
 		} else {	
-			print "$type, $entityID, $registrationAuthority, \"$ODN\", $URL\n"
+			print "$type, $entityID, $registrationAuthority, \"$OrganizationName\", \"$ODN\", $URL\n"
 		}
 	}
 }