author | Björn Mattsson <bjorn@sunet.se> | 2023-01-13 09:05:55 +0100 |
---|---|---|
committer | Björn Mattsson <bjorn@sunet.se> | 2023-01-13 09:05:55 +0100 |
commit | ed34f4b59dce226700bf849098b367103065cc69 (patch) | |
tree | 6143fea83f1fcf2bced1f00f5013ac7487ca67c1 | |
parent | ac54b1751300577d55afaf8f77a3292899efa10a (diff) |
Added checks for invalid algorithms that UK complains about
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | xslt/check_framework.xsl | 128 | ||||
-rw-r--r-- | xslt/check_uk_algorithms.xsl | 195 |
3 files changed, 328 insertions, 1 deletions
@@ -173,11 +173,15 @@ checkInvalidChars: fi;\ done | grep . && exit 1 || exit 0 +checkUKalgorithms: + @echo "Check for invalid algorithms in swamid-edugain" + @xsltproc --xinclude xslt/check_uk_algorithms.xsl swamid-edugain-1.0.mxml 2>&1 | sed 's/.*/[1;31m&[0m/' | grep . && exit 1 || exit 0 + createMXMLfiles: @echo Recreating MXML files @scripts/create_mxml.sh | sed 's/.*/[1;31m&[0m/' | grep . && exit 1 || exit 0 -signtest: syntaxtest testMDUI testALlevel testEduGAINchecks testRefedsRnS testBadStrings testIdPinSP testRegistrationAuthority checkInvalidChars +signtest: syntaxtest testMDUI testALlevel testEduGAINchecks testRefedsRnS testBadStrings testIdPinSP testRegistrationAuthority checkInvalidChars checkUKalgorithms test: createMXMLfiles signtest test2: $(EDUGAINXML) $(SWAMID20XML) $(TESTINGXML) test diff --git a/xslt/check_framework.xsl b/xslt/check_framework.xsl new file mode 100644 index 00000000..f4e8d017 --- /dev/null +++ b/xslt/check_framework.xsl 
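Review bot: The new checkUKalgorithms recipe runs xsltproc with `--xinclude` but without `--nonet`, so any XInclude href or external entity reachable from swamid-edugain-1.0.mxml would be fetched over the network while the test runs; `@xsltproc --nonet --xinclude xslt/check_uk_algorithms.xsl swamid-edugain-1.0.mxml 2>&1 | sed 's/.*/[1;31m&[0m/' | grep . && exit 1 || exit 0` keeps the check local and deterministic, assuming no target in the rest of the Makefile depends on remote includes. Because `2>&1 | ... | grep . && exit 1 || exit 0` fails the target on any stderr line, the `[WARN]` and `[INFO]` messages the imported check_framework.xsl can emit would be treated exactly like `[ERROR]`; the ruleset added in this commit only calls `error`, so this is worth recording in a comment above the target rather than changing now.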
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ check_framework.xsl
+
+ XSL stylesheet providing a framework for use by rule checking files.
+
+ Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ The stylesheet output will be a text file, which will probably be thrown
+ away in any case. The real output from the check is sent using the
+ xsl:message element.
+ -->
+ <xsl:output method="text"/>
+
+
+ <!--
+ Common template to call to report an error on some element within an entity.
+ -->
+ <xsl:template name="error">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[ERROR] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!--
+ Common template to call to report a warning on some element within an entity.
+ -->
+ <xsl:template name="warning">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[WARN] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!--
+ Common template to call to report an informational message on some element within an entity.
+ -->
+ <xsl:template name="info">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[INFO] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!-- Recurse down through all elements by default. -->
+ <xsl:template match="*">
+ <xsl:apply-templates select="node()|@*"/>
+ </xsl:template>
+
+
+ <!-- Discard text blocks, comments and attributes by default. -->
+ <xsl:template match="text()|comment()|@*">
+ <!-- do nothing -->
+ </xsl:template>
+
+</xsl:stylesheet>
diff --git a/xslt/check_uk_algorithms.xsl b/xslt/check_uk_algorithms.xsl
new file mode 100644
index 00000000..0a4c024f
--- /dev/null
+++ b/xslt/check_uk_algorithms.xsl
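Review bot: The `error`, `warning` and `info` templates repeat the same entity-identification block (variable, `xsl:if` on the aggregate, `xsl:choose` on `@ID`/`@entityID`) and differ only in the level prefix, so any change to how an entity is named has to be made three times. A single named `report` template taking a `level` parameter, with the three public templates delegating to it, removes the duplication without changing the emitted text; `xsl:call-template` does not change the context node, so the `ancestor-or-self::` lookups still evaluate from the caller's position. The `xmlns:xsi` declaration on the root is not used anywhere in this file and can be dropped, and since the author line indicates the file is vendored, a header line recording where it was copied from would make it easier to pick up upstream fixes.
```xml
<!-- Shared reporter: error/warning/info differ only in the level prefix. -->
<xsl:template name="report">
    <xsl:param name="level"/>
    <xsl:param name="m"/>
    <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
    <xsl:message terminate='no'>
        <xsl:text>[</xsl:text>
        <xsl:value-of select="$level"/>
        <xsl:text>] </xsl:text>
        <!-- … unchanged: aggregate check and @ID/@entityID selection … -->
        <xsl:value-of select="$m"/>
    </xsl:message>
</xsl:template>

<xsl:template name="error">
    <xsl:param name="m"/>
    <xsl:call-template name="report">
        <xsl:with-param name="level" select="'ERROR'"/>
        <xsl:with-param name="m" select="$m"/>
    </xsl:call-template>
</xsl:template>
<!-- … warning and info analogous, passing 'WARN' and 'INFO' … -->
```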
@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ check_uk_algorithms.xsl
+
+ Checking ruleset for cryptographic algorithms. This is named as a UK
+ ruleset because the division between acceptable and unacceptable algorithms
+ is sometimes a judgement call; however, it should be generally
+ applicable.
+
+ The best reference for *all* URIs used as algorithm identifiers is the
+ XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
+ Algorithm lists here are in the same order as in that document.
+
+ Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+ <!--
+ Common support functions.
+ -->
+ <xsl:import href="check_framework.xsl"/>
+
+ <!--
+ *************************************
+ *** ***
+ *** S I G N I N G M E T H O D ***
+ *** ***
+ *************************************
+ -->
+
+ <!--
+ Check for known BAD SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod[
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ ***********************************
+ *** ***
+ *** D I G E S T M E T H O D ***
+ *** ***
+ ***********************************
+ -->
+
+ <!--
+ Check for known BAD DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod[
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ *******************************************
+ *** ***
+ *** E N C R Y P T I O N M E T H O D ***
+ *** ***
+ *******************************************
+ -->
+
+ <!--
+ Check for known BAD EncryptionMethod algorithms.
+
+ This list is of symmetric key encryption algorithms *and*
+ key transport algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD EncryptionMethod algorithms.
+
+ This list is of symmetric key encryption algorithms *and*
+ key transport algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known EncryptionMethod algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+</xsl:stylesheet>
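Review bot: The GOOD lists accept the SHA-1 based signing algorithms (`dsa-sha1`, `rsa-sha1`, `ecdsa-sha1`), the `sha1` digest and `tripledes-cbc` with no message at all, while the header only says the acceptable/unacceptable split is a judgement call, so a reader will take "GOOD" as an endorsement. The imported framework has a `warning` template, but the Makefile target in this commit fails on any stderr line, so demoting these entries to warnings would break the build; the fix that fits now is documentation, e.g. extending the header with `The GOOD lists mirror what the UK federation accepts and are not a recommendation; the SHA-1 family and tripledes-cbc are legacy entries that are candidates for the BAD lists.` Separately, the default namespace `xmlns="urn:oasis:names:tc:SAML:2.0:metadata"` has no effect on the match patterns (unprefixed names in XSLT 1.0 patterns are in no namespace) and there are no literal result elements in this file, so it and the unused `xmlns:xsi` declaration can be removed to avoid suggesting that an unprefixed `EncryptionMethod` pattern would match.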