From 45a838fa328461b38a497ba72e464bf62b862909 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 5 May 2014 12:04:33 +0000
Subject: [PATCH 1/6] Bugzilla 1098: remove another known-fixed Heartbleed
 entity from the blacklist.

---
 mdx/uk/blacklist.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mdx/uk/blacklist.xml b/mdx/uk/blacklist.xml
index 3c1b4220..67f09f4b 100644
--- a/mdx/uk/blacklist.xml
+++ b/mdx/uk/blacklist.xml
@@ -42,7 +42,6 @@
             Remove eduGAIN entities that are still known to be vulnerable.
         -->
         <value>https://butare.ifrn.edu.br/idp/shibboleth</value>
-        <value>https://dourado.ufs.br/idp/shibboleth</value>
         <value>https://shibboleth-idp.dti.ufv.br/idp/shibboleth</value>
         
     </util:set>

From 979ed3058b4ac4e3abcf90e6bcba5966b4e4222d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 5 May 2014 12:27:13 +0000
Subject: [PATCH 2/6] Bugzilla 1039: no longer need to blacklist one entity
 because the one it clashed with no longer appears in eduGAIN metadata. It's
 still in the *verification* blacklist because it has a 1024-bit key.

---
 mdx/uk/blacklist.xml | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/mdx/uk/blacklist.xml b/mdx/uk/blacklist.xml
index 67f09f4b..a07f3c75 100644
--- a/mdx/uk/blacklist.xml
+++ b/mdx/uk/blacklist.xml
@@ -25,17 +25,6 @@
     -->
     <util:set id="importEntityBlacklist">
         
-        <!--
-            Problems in int_edugain metadata updated 2013-09-10.
-        -->
-        <!--
-            Duplicate IdP display names.
-            
-            If we left this to normal processing, both entities would be rejected.
-            By blacklisting one, we allow the other to be processed normally.
-        -->
-        <value>https://lu-idp.lu.lv</value>
-        
         <!--
             Temporary mitigation of Heartbleed vulnerability 2014-04-16 (Bugzilla 1098).
             

From 6fb1ba2cffc68d61e6d648a5d9093bfd8153de5c Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 5 May 2014 13:47:12 +0000
Subject: [PATCH 3/6] Bugzilla 1082, 1096: resolve by blacklisting one IdP in
 each clashing pair. Entity selected for blacklisting in each case selected in
 consultation with the originating registrar.

---
 mdx/int_edugain/beans.xml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index c7d03228..044ecb99 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -12,6 +12,11 @@
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
     
+    <!--
+        Import additional channel-local beans.
+    -->
+    <import resource="classpath:int_edugain/entity-blacklist.xml"/>
+    
     <!--
         Import eduGAIN participant beans for namespace stripping stages.
     -->
@@ -74,7 +79,15 @@
         p:id="int_edugain_checkSignature">
         <property name="verificationCertificate" ref="int_edugain_signingCertificate"/>
     </bean>
-    
+
+    <!--
+        Remove blacklisted entities.
+    -->
+    <bean id="int_edugain_removeBlacklistedEntities" parent="EntityFilterStage"
+        p:id="int_edugain_removeBlacklistedEntities"
+        p:whitelistingEntities="false"
+        p:designatedEntities-ref="int_edugain_entity_blacklist"/>
+
     <!--
         Fetch the production entities as a collection.
     -->
@@ -95,6 +108,8 @@
                 
                 <ref bean="disassemble"/>
                 
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+
                 <!--
                     Strip participant-specific namespaces.
                 -->
@@ -130,6 +145,8 @@
                 
                 <ref bean="disassemble"/>
 
+                <ref bean="int_edugain_removeBlacklistedEntities"/>
+                
                 <!--
                     Strip participant-specific namespaces.
                 -->

From bd18700ff7b387d9d2ba167f6fd9347ab4942262 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 5 May 2014 14:11:27 +0000
Subject: [PATCH 4/6] Move Heartbleed mitigation into int_edugain blacklist
 from generic one.

---
 mdx/uk/blacklist.xml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/mdx/uk/blacklist.xml b/mdx/uk/blacklist.xml
index a07f3c75..193b9f41 100644
--- a/mdx/uk/blacklist.xml
+++ b/mdx/uk/blacklist.xml
@@ -25,14 +25,6 @@
     -->
     <util:set id="importEntityBlacklist">
         
-        <!--
-            Temporary mitigation of Heartbleed vulnerability 2014-04-16 (Bugzilla 1098).
-            
-            Remove eduGAIN entities that are still known to be vulnerable.
-        -->
-        <value>https://butare.ifrn.edu.br/idp/shibboleth</value>
-        <value>https://shibboleth-idp.dti.ufv.br/idp/shibboleth</value>
-        
     </util:set>
     
 </beans>

From 20fec28ce1f40ff840323c3b2da0241491ef2a63 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 6 May 2014 15:42:54 +0000
Subject: [PATCH 5/6] Make sure saml and mdattr prefixes are defined in new
 fragment files.

---
 mdx/uk/ns_norm_fragment.xsl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdx/uk/ns_norm_fragment.xsl b/mdx/uk/ns_norm_fragment.xsl
index 0cb99232..8d47e8a7 100644
--- a/mdx/uk/ns_norm_fragment.xsl
+++ b/mdx/uk/ns_norm_fragment.xsl
@@ -27,7 +27,7 @@
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="md mdattr saml"
+	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From a282b36173e36d31fc0be1cd6dd8107c389a8f54 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 8 May 2014 12:43:40 +0000
Subject: [PATCH 6/6] Make the hr_eduhr_registrar bean common, so that it can
 be updated in one place.

---
 mdx/common-beans.xml   | 7 ++++++-
 mdx/hr_eduhr/beans.xml | 9 ---------
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index ce4f9a67..bfbbf897 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -404,6 +404,11 @@
     -->
     <import resource="classpath:validation-beans.xml"/>
     
+    <!--
+        Federation registrationAuthority URIs.
+    -->
+    <bean id="hr_eduhr_registrar" parent="String" c:_0="http://www.srce.hr"/>
+    
     <!--
         identificationStrategy
         
@@ -429,7 +434,7 @@
                 <entry key="http://cafe.rnp.br"               value="BR"/>
                 <entry key="http://www.canarie.ca"            value="CA"/>
                 <entry key="http://cofre.reuna.cl"            value="CL"/>
-                <entry key="http://www.srce.hr"               value="HR"/>
+                <entry key-ref="hr_eduhr_registrar"           value="HR"/>
                 <entry key="http://www.eduid.cz/"             value="CZ"/>
                 <entry key="https://www.wayf.dk"              value="DK"/>
                 <entry key="http://www.csc.fi/haka"           value="FI"/>
diff --git a/mdx/hr_eduhr/beans.xml b/mdx/hr_eduhr/beans.xml
index e653791c..ef923582 100644
--- a/mdx/hr_eduhr/beans.xml
+++ b/mdx/hr_eduhr/beans.xml
@@ -51,15 +51,6 @@
         <property name="verificationCertificate" ref="hr_eduhr_signingCertificate"/>
     </bean>
 
-    <!--
-        hr_eduhr_registrar
-        
-        Unique ID for the registrar associated with this channel.
-    -->
-    <bean id="hr_eduhr_registrar" class="java.lang.String">
-        <constructor-arg value="http://www.aaiedu.hr"/>
-    </bean>
-    
     <!--
         hr_eduhr_check_regauth