Merge remote-tracking branch 'upstream/master'

Port UKf changes from the last couple of months.

.gitignore

@@ -100,6 +100,9 @@
 # /mdx/nz_tuakiri/
 /mdx/nz_tuakiri/imported.xml
 
+# /mdx/pl_pionier/
+/mdx/pl_pionier/imported.xml
+
 # /mdx/se_swamid/
 /mdx/se_swamid/imported.xml
 

build.xml

@@ -286,18 +286,17 @@
 
 	<!--
 		Verify a metadata file held on the master distribution site.
+		
+		Verification is performed using only xmlsectool. This should be
+		used when compatibility with the Shibboleth 1.3 IdP is not a
+		concern.
 	-->
 	<macrodef name="VFY.remote">
 		<attribute name="i"/>
 		<sequential>
 			<echo>Verifying @{i}...</echo>
 			<delete file="${xml.dir}/temp.xml" quiet="true" verbose="false"/>
 			<get src="${remote.url}/@{i}" dest="${xml.dir}/temp.xml"/>
-
-			<!--
-				Verify using metadatatool.
-			-->
-			<MDT.VFY.uk i="temp.xml"/>
 
 			<!--
 				Verify using xmlsectool.
@@ -311,16 +310,47 @@
 		</sequential>
 	</macrodef>
 
+    <!--
+        Verify a metadata file held on the master distribution site.
+        
+        Verification is performed using both metadatatool and xmlsectool.
+        This should be used when the file being verified must be compatible
+        with the Shibboleth 1.3 IdP.
+    -->
+    <macrodef name="VFY.remote.both">
+        <attribute name="i"/>
+        <sequential>
+            <echo>Verifying @{i}...</echo>
+            <delete file="${xml.dir}/temp.xml" quiet="true" verbose="false"/>
+            <get src="${remote.url}/@{i}" dest="${xml.dir}/temp.xml"/>
+
+            <!--
+                Verify using metadatatool.
+            -->
+            <MDT.VFY.uk i="temp.xml"/>
+
+            <!--
+                Verify using xmlsectool.
+            -->
+            <XMLSECTOOL.VFY.uk i="temp.xml"/>
+
+            <!--
+                Delete the temporary file.
+            -->
+            <delete file="${xml.dir}/temp.xml" quiet="true" verbose="false"/>
+        </sequential>
+    </macrodef>
+
 	<!--
 		Verify metadata files held on the master distribution site.
 	-->
 	<target name="verify.remote.metadata" depends="select.remote.host">
 		<echo>Verifying metadata held at ${remote.url}</echo>
-		<VFY.remote i="${md.prod.signed}"/>
-		<VFY.remote i="${md.wayf.signed}"/>
-		<VFY.remote i="${md.cdsall.signed}"/>
+		<VFY.remote.both i="${md.prod.signed}"/>
+		<VFY.remote.both i="${md.wayf.signed}"/>
+		<VFY.remote.both i="${md.cdsall.signed}"/>
 		<VFY.remote i="${md.test.signed}"/>
-		<VFY.remote i="${md.back.signed}"/>
+		<VFY.remote.both i="${md.back.signed}"/>
 		<VFY.remote i="${md.export.signed}"/>
 		<echo>Verification completed.</echo>
 	</target>
@@ -398,7 +428,7 @@
         <MDNORM i="${xml.dir}/${md.test.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.export.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.back.unsigned}"/>
-        <fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf"/>
+        <fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf" encoding="UTF-8"/>
 
         <echo>Generated UK unsigned metadata.</echo>
 	</target>
@@ -628,7 +658,7 @@
 			</XMLSECTOOL>
 
 			<!-- Force the output file to use Unix line endings -->
-			<fixcrlf file="${xml.dir}/@{o}" eol="lf"/>
+			<fixcrlf file="${xml.dir}/@{o}" eol="lf" encoding="UTF-8"/>
 
 		</sequential>
 	</macrodef>
@@ -762,9 +792,12 @@
 	</target>
 
 	<!--
-		Select the tool to verify UK federation metadata with.
+		Verify UK federation metadata with both verification tools.
+		
+		This should be used when the metadata needs to be compatible
+		with the Shibboleth 1.3 IdP.
 	-->
-	<macrodef name="VFY.uk">
+	<macrodef name="VFY.uk.both">
 		<attribute name="i"/>
 		<sequential>
 			<!--
@@ -785,22 +818,22 @@
 	-->
 	<target name="verify">
 		<echo>Verifying signed UK metadata.</echo>
-		<VFY.uk i="${md.prod.signed}"/>
+		<VFY.uk.both i="${md.prod.signed}"/>
 
 		<echo>Verifying signed UK WAYF metadata.</echo>
-		<VFY.uk i="${md.wayf.signed}"/>
+		<VFY.uk.both i="${md.wayf.signed}"/>
 
         <echo>Verifying signed UK CDS full metadata.</echo>
-        <VFY.uk i="${md.cdsall.signed}"/>
+        <VFY.uk.both i="${md.cdsall.signed}"/>
 
 		<echo>Verifying signed UK test metadata.</echo>
-		<VFY.uk i="${md.test.signed}"/>
+		<XMLSECTOOL.VFY.uk i="${md.test.signed}"/>
 
 		<echo>Verifying signed UK export metadata.</echo>
-		<VFY.uk i="${md.export.signed}"/>
+		<XMLSECTOOL.VFY.uk i="${md.export.signed}"/>
 
 		<echo>Verifying signed UK fallback metadata.</echo>
-		<VFY.uk i="${md.back.signed}"/>
+		<VFY.uk.both i="${md.back.signed}"/>
 
 		<echo>Verification completed.</echo>
 	</target>
@@ -818,7 +851,7 @@
         <delete file="${entities.dir}/imported.xml" quiet="true" verbose="false"/>
 		<CHANNEL.do channel="uk" verb="import.metadata"/>
 		<echo>Imported metadata to ${entities.dir}/imported.xml</echo>
-        <fixcrlf file="${entities.dir}/imported.xml"/>
+        <fixcrlf file="${entities.dir}/imported.xml" encoding="UTF-8"/>
 	</target>
 
     <!--
@@ -950,6 +983,7 @@
     	-->
     	<CHANNEL.do verb="importProduction" channel="no_feide"/>
     	<CHANNEL.do verb="importProduction" channel="nz_tuakiri"/>
+        <CHANNEL.do verb="importProduction" channel="pl_pionier"/>
     	<CHANNEL.do verb="importProduction" channel="se_swamid"/>
     	<CHANNEL.do verb="importProduction" channel="si_arnes"/>
         <CHANNEL.do verb="importProduction" channel="us_incommon"/>
@@ -980,6 +1014,7 @@
     	<CHANNEL.do verb="importEdugain" channel="lv_laife"/>
     	<CHANNEL.do verb="importEdugain" channel="nl_surfnet"/>
     	<CHANNEL.do verb="importEdugain" channel="no_feide"/>
+    	<CHANNEL.do verb="importEdugain" channel="pl_pionier"/>
     	<CHANNEL.do verb="importEdugain" channel="se_swamid"/>
     </target>
 
@@ -1008,6 +1043,7 @@
     	<CHANNEL.do verb="importEdugainRaw" channel="lv_laife"/>
         <CHANNEL.do verb="importEdugainRaw" channel="nl_surfnet"/>
         <CHANNEL.do verb="importEdugainRaw" channel="no_feide"/>
+    	<CHANNEL.do verb="importEdugainRaw" channel="pl_pionier"/>
         <CHANNEL.do verb="importEdugainRaw" channel="se_swamid"/>
     </target>
 
@@ -1043,6 +1079,7 @@
     <target name="flow.verifyEdugain.inputs">
         <CHANNEL.do verb="verifyEdugain" channel="at_aconet"/>
     	<CHANNEL.do verb="verifyEdugain" channel="cl_cofre"/>
+    	<CHANNEL.do verb="verifyEdugain" channel="pl_pionier"/>
         <CHANNEL.do verb="verifyEdugain" channel="se_swamid"/>
     </target>
 
@@ -1094,6 +1131,7 @@
         <CHANNEL.do verb="importRaw" channel="nl_surfnet"/>
         <CHANNEL.do verb="importRaw" channel="no_feide"/>
         <CHANNEL.do verb="importRaw" channel="nz_tuakiri"/>
+		<CHANNEL.do verb="importRaw" channel="pl_pionier"/>
         <CHANNEL.do verb="importRaw" channel="se_swamid"/>
         <CHANNEL.do verb="importRaw" channel="si_arnes"/>
 		<CHANNEL.do verb="collect"   channel="uk"/>
@@ -1161,7 +1199,7 @@
 	-->
 	<target name="stats">
 		<CHANNEL.do channel="uk" verb="statistics"/>
-		<fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf"/>
+		<fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf" encoding="UTF-8"/>
 	</target>
 
 	<!--
@@ -1339,4 +1377,13 @@
     	<echo>Check complete.</echo>
     </target>
 
+    <!--
+        echoproperties
+        
+        List all the properties ant is using.
+    -->
+    <target name="echoproperties">
+        <echoproperties/>
+    </target>
+
 </project>

charting/fetch.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env perl -w
 
 #
 # fetch.pl

charting/saml2.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env perl -w
 
 #
 # saml2.pl

charting/scopes.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env perl -w
 
 #
 # scopes.pl

charting/sizes.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env perl -w
 
 #
 # sizes.pl

charting/trust.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env perl -w
 
 #
 # trust.pl

mdx/_rules/check_future_0.xsl

@@ -30,10 +30,4 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="md:SPSSODescriptor[descendant::ds:KeyName]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">service provider with KeyName element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>

mdx/_rules/check_mdiop.xsl

@@ -25,15 +25,8 @@
 
 	<!--
 		Section 2.5.1: at least one representation must appear.
-		
-		As well as the variations specified in the IOP, we also allow a KeyName to be
-		used, as the UK federation currently allows a pure PKIX setup as an
-		alternative to embedded keys.
-		
-		Strict IOP conformance would require the removal of the KeyInfo/KeyName clause.
 	-->
 	<xsl:template match="md:KeyDescriptor
-		[not(ds:KeyInfo/ds:KeyName)]
 		[not(ds:KeyInfo/ds:KeyValue)]
 		[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
 		<xsl:call-template name="error">

mdx/_rules/check_reqattr.xsl

@@ -233,14 +233,15 @@
 				">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+						<xsl:text>RequestedAttribute</xsl:text>
 						<xsl:if test="@FriendlyName">
 							<xsl:text> (</xsl:text>
 							<xsl:value-of select="@FriendlyName"/>
 							<xsl:text>)</xsl:text>
 						</xsl:if>
+						<xsl:text> uses OID name </xsl:text>
+						<xsl:value-of select="@Name"/>
+						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
@@ -289,14 +290,15 @@
 				">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+						<xsl:text>RequestedAttribute</xsl:text>
 						<xsl:if test="@FriendlyName">
 							<xsl:text> (</xsl:text>
 							<xsl:value-of select="@FriendlyName"/>
 							<xsl:text>)</xsl:text>
 						</xsl:if>
+						<xsl:text> uses OID name </xsl:text>
+						<xsl:value-of select="@Name"/>
+						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>

mdx/_rules/check_uk_trust.xsl

@@ -104,4 +104,15 @@
 		</xsl:call-template>
 	</xsl:template>
 
+	<!--
+		FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
+		
+		<ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
+	-->
+	<xsl:template match="ds:KeyName">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 </xsl:stylesheet>

mdx/at_aconet/beans.xml

@@ -53,7 +53,7 @@
     <!--
         Signing certificate.
     -->
-    <bean id="at_aconet_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="at_aconet_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/at_aconet/aconet-aai-metadata-signing.crt"/>

mdx/au_aaf/beans.xml

@@ -28,7 +28,7 @@
     <!--
         Signing certificate.
     -->
-    <bean id="au_aaf_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="au_aaf_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/au_aaf/aaf-metadata-cert.pem"/>

mdx/be_belnet/beans.xml

@@ -51,7 +51,7 @@
     <!--
         Signing certificate.
     -->
-    <bean id="be_belnet_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="be_belnet_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/be_belnet/certificate.federation.belnet.be.pem"/>

mdx/br_cafe/beans.xml

@@ -51,7 +51,7 @@
     <!--
         Signing certificate.
     -->
-    <bean id="br_cafe_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="br_cafe_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/br_cafe/metadata.crt"/>

mdx/ca_caf/beans.xml

@@ -53,7 +53,7 @@
         
         This one is used to sign the eduGAIN aggregate.
     -->
-    <bean id="ca_caf_signingCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="ca_caf_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/ca_caf/metadata-signer.crt"/>
@@ -74,7 +74,7 @@
         
         This one is used to sign the production aggregate.
     -->
-    <bean id="ca_caf_cafShibSigningCertificate" class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
+    <bean id="ca_caf_cafShibSigningCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
                 <constructor-arg value="#{ systemProperties['basedir'] }/mdx/ca_caf/cafshib_metadata_verify.crt"/>