From 755127a4e2a8a144a564070f7f38b771597f5604 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 17 Sep 2012 13:52:25 +0000
Subject: [PATCH] Promote a check for SAML 2.0 IdPs whose metadata includes
 pure PKIX KeyDescriptor elements to production. This is problematic for some
 OpenAthens SP software, and superfluous for anyone else.

---
 build/check_misc.xsl   | 21 +++++++++++++++++++++
 mdx/check_future_0.xsl | 18 ------------------
 2 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/build/check_misc.xsl b/build/check_misc.xsl
index 46e43662..89ce16db 100644
--- a/build/check_misc.xsl
+++ b/build/check_misc.xsl
@@ -11,6 +11,7 @@
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -140,4 +141,24 @@
 		</xsl:call-template>
 	</xsl:template>
 
+	<!--
+        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
+        
+        This causes problems for some OpenAthens SP products.
+    -->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
 </xsl:stylesheet>
diff --git a/mdx/check_future_0.xsl b/mdx/check_future_0.xsl
index 4b1b613e..807ebacb 100644
--- a/mdx/check_future_0.xsl
+++ b/mdx/check_future_0.xsl
@@ -29,22 +29,4 @@
 	-->
 	<xsl:import href="../build/check_framework.xsl"/>
 
-	<!--
-		Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>