author | Leif Johansson <leifj@sunet.se> | 2011-11-30 15:28:00 +0100 |
---|---|---|
committer | Leif Johansson <leifj@sunet.se> | 2011-11-30 15:28:00 +0100 |
commit | 26c3a515249dfc4582d40559326bca2bd9292442 (patch) | |
tree | 9640673e5d4f9013283bc740f56446a5eb5cb561 | |
parent | 2ab3baafd6b953234ec5c4d57175b2c134d61e4e (diff) |
implement metadata signatures locally, transforms of metadata
-rw-r--r-- | Makefile | 37 | ||||
-rw-r--r-- | organization/nordu.net.xml | 6 | ||||
-rw-r--r-- | organization/sunet.se.xml | 6 | ||||
-rw-r--r-- | organization/swamid.se.xml | 6 | ||||
-rw-r--r-- | xslt/swamid-sign.xsl | 123 |
5 files changed, 166 insertions, 12 deletions
@@ -3,9 +3,14 @@ KEY=/opt/swamid-credentials/swamid-signer.key CERT=/opt/swamid-credentials/swamid-signer.crt PASS=$(shell cat /opt/swamid-credentials/swamid-signer-pass.txt) DEST=/opt/published-metadata -DAYS=1 -all: update clean sign +DAYS:=1 +DATE=$(shell perl scripts/expiration_date.pl $(DAYS)) +RPI=false +CONTACTS=false +XSLTDEFS := --stringparam rpi $(RPI) --stringparam defaultContact $(CONTACTS) --stringparam date $(DATE) + +all: update clean sign clean update: # @svn up -q @@ -14,7 +19,23 @@ keys: $(KEY) $(CERT) MXML=$(shell echo *.mxml) -sign: keys swamid nya nya-testing swamid-testing swamid-testing-idp swamid-kalmar swamid-kalmar-testing swamid-edugain-testing swamid-edugain swamid-ki-sll swamid-fiv-test +sign: keys swamid nya nya-testing swamid-testing swamid-testing-idp upstream swamid-ki-sll swamid-fiv-test + +%.sig: %.mxml + xsltproc $(XSLTDEFS) --xinclude xslt/swamid-sign.xsl $< > $*.tbs + xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $*.tbs + xmlsec1 --sign --privkey-pem $(KEY),$(CERT) --pwd $(PASS) --output $@ $*.tbs + rm -f $*.tbs + +%.pub: %.sig + @test -s $< && xmllint --format --nsclean $< $(DEST)/$*.xml + +upstream: edugain kalmar + +kalmar: swamid-kalmar swamid-kalmar-testing + +edugain: + $(MAKE) RPI=true CONTACTS=true swamid-edugain-testing-1.0.pub swamid-edugain-1.0.pub swamid-externals: swamid-externals1 swamid-externals2 
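Review bot: The trailing `clean` in the new `all: update clean sign clean` never runs, because Make remakes a target at most once per invocation, so whatever post-sign cleanup it was presumably meant to do (the `*.tbs` files, judging by the `clean` hunk further down) does not happen from `all`; the leading `clean` also only precedes `sign` under serial make, since prerequisite order is not a dependency under `-j`. If that ordering matters, declare it, e.g. `sign: clean` on the signing rule, rather than relying on list position. Separately, `DATE=$(shell perl scripts/expiration_date.pl $(DAYS))` is recursively assigned, so any expansion of `$(DATE)` outside the simply-expanded `XSLTDEFS` re-runs perl and may yield a different timestamp within one build; `DATE := $(shell perl scripts/expiration_date.pl $(DAYS))` evaluates it once.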
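Review bot: The `%.pub` recipe `@test -s $< && xmllint --format --nsclean $< $(DEST)/$*.xml` has no output redirection, so xmllint treats `$(DEST)/$*.xml` as a second input file and prints both to stdout; nothing is published and `$@` is never created, so the target is always out of date. The intended form looks like `xmllint --format --nsclean $< > $(DEST)/$*.xml`, but re-indenting a document that `%.sig` has already signed with an enveloped exc-c14n signature over the whole document (`URI=""`) changes the digested bytes, so the published copy will likely no longer verify; format before signing, or publish `$<` unchanged. In the `%.sig` recipe the xmlsec1 line is not `@`-silenced, so Make echoes the expanded `--pwd $(PASS)` into the build output and any CI/cron log (the removed `saml-md-tool` lines were silenced), and the passphrase is in any case visible in the process list for the duration of the call; at minimum prefix the line with `@`.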
@@ -91,14 +112,6 @@ swamid-testing-idp:
 @saml-md-tool swamid-testing-idp-1.0 update --key=$(KEY) --cert=$(CERT) --pwd=$(PASS)
 @test -s swamid-testing-idp-1.0.xml && cp swamid-testing-idp-1.0.xml $(DEST)
 
-swamid-edugain-testing:
- @saml-md-tool swamid-edugain-testing-1.0 update --key=$(KEY) --cert=$(CERT) --pwd=$(PASS)
- @test -s swamid-edugain-testing-1.0.xml && cp swamid-edugain-testing-1.0.xml $(DEST)
-
-swamid-edugain:
- @saml-md-tool swamid-edugain-1.0 update --key=$(KEY) --cert=$(CERT) --pwd=$(PASS)
- @test -s swamid-edugain-1.0.xml && cp swamid-edugain-1.0.xml $(DEST)
-
 swamid-kalmar:
 @saml-md-tool swamid-kalmar-1.0 update --days=2 --key=$(KEY) --cert=$(CERT) --pwd=$(PASS)
 @test -s swamid-kalmar-1.0.xml && cp swamid-kalmar-1.0.xml $(DEST)
@@ -119,4 +132,4 @@ test: swamid2-deps
 @for x in $(MXML); do xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $$x; done
 
 clean:
- @rm -f *.xml
+ @rm -f *.xml *.tbs
diff --git a/organization/nordu.net.xml b/organization/nordu.net.xml
new file mode 100644
index 00000000..90eee399
--- /dev/null
+++ b/organization/nordu.net.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<md:Organization xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
+ <md:OrganizationName xml:lang="en">NORDUnet</md:OrganizationName>
+ <md:OrganizationDisplayName xml:lang="en">NORDUnet A/S</md:OrganizationDisplayName>
+ <md:OrganizationURL xml:lang="en">http://www.nordu.net</md:OrganizationURL>
+</md:Organization>
diff --git a/organization/sunet.se.xml b/organization/sunet.se.xml
new file mode 100644
index 00000000..8a58408a
--- /dev/null
+++ b/organization/sunet.se.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<md:Organization xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
+ <md:OrganizationName xml:lang="en">SUNET</md:OrganizationName>
+ <md:OrganizationDisplayName xml:lang="en">Swedish University Network (SUNET)</md:OrganizationDisplayName>
+ <md:OrganizationURL xml:lang="en">http://www.sunet.se</md:OrganizationURL>
+</md:Organization>
diff --git a/organization/swamid.se.xml b/organization/swamid.se.xml
new file mode 100644
index 00000000..25ad55cd
--- /dev/null
+++ b/organization/swamid.se.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<md:Organization xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
+ <md:OrganizationName xml:lang="en">SWAMID</md:OrganizationName>
+ <md:OrganizationDisplayName xml:lang="en">Swedish Academic Identity Federation (SWAMID)</md:OrganizationDisplayName>
+ <md:OrganizationURL xml:lang="en">http://www.swamid.se</md:OrganizationURL>
+</md:Organization>
diff --git a/xslt/swamid-sign.xsl b/xslt/swamid-sign.xsl
new file mode 100644
index 00000000..94e38477
--- /dev/null
+++ b/xslt/swamid-sign.xsl
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:exsl="http://exslt.org/common"
+ xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+ extension-element-prefixes="exsl"
+ xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
+
+ <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
+
+ <xsl:template match="/md:EntitiesDescriptor">
+ <xsl:comment>
+
+ IMPORTANT NOTICE: READ CAREFULLY
+
+You are reading this because You wish to use the technical information (the “Metadata”)
+published on behalf of the Registrars. These Terms of Access and Use (these “Terms”) govern
+the use of the Metadata. By accessing or using the Metadata You accept that the access and
+use will be on and subject to these Terms. These Terms will be binding and enforceable on
+You as contractual obligations.
+
+The Terms is available at
+
+- http://md.swamid.se/md/swamid-tou-sv.txt Swedish version - Legally Binding!
+- http://md.swamid.se/md/swamid-tou-en.txt English version - Non-normative translation
+
+If You do not accept these Terms, then You must not continue to use this Metadata.
+
+ </xsl:comment>
+ <md:EntitiesDescriptor>
+ <xsl:attribute name="Name"><xsl:value-of select="@Name"/></xsl:attribute>
+ <xsl:if test="@cacheDuration">
+ <xsl:attribute name="cacheDuration"><xsl:value-of select="@cacheDuration"/></xsl:attribute>
+ </xsl:if>
+ <xsl:if test="@validUntil">
+ <xsl:attribute name="validUntil"><xsl:value-of select="$date"/></xsl:attribute>
+ </xsl:if>
+ <ds:Signature>
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+ <ds:Reference URI="">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+ <ds:DigestValue></ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue/>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+ <xsl:apply-templates/>
+ </md:EntitiesDescriptor>
+ </xsl:template>
+
+ <xsl:template match="md:EntityDescriptor">
+ <xsl:variable name="path"><xsl:value-of select="substring-after(@entityID,'://')"/></xsl:variable>
+ <xsl:variable name="host">
+ <xsl:if test="contains($path,'/')">
+ <xsl:value-of select="substring-before($path,'/')"/>
+ </xsl:if>
+ <xsl:if test="not(contains($path,'/'))">
+ <xsl:value-of select="$path"/>
+ </xsl:if>
+ </xsl:variable>
+ <xsl:variable name="domain">
+ <xsl:value-of select="substring-after($host,'.')"/>
+ </xsl:variable>
+ <xsl:variable name="orginfo">
+ <xsl:value-of select="concat('../organization','/',$domain,'.xml')"/>
+ </xsl:variable>
+ <md:EntityDescriptor>
+ <xsl:apply-templates select="@*"/>
+ <xsl:if test="$rpi='true' and not(md:Extensions)">
+ <md:Extensions><xsl:call-template name="add-swamid-rpi"/></md:Extensions>
+ </xsl:if>
+ <xsl:apply-templates select="text()|comment()|md:Extensions|md:RoleDescriptor|md:IDPSSODescriptor|md:SPSSODescriptor|md:AuthnAuthorityDescriptor|md:AttributeAuthorityDescriptor|md:PDPDescriptor|md:AffiliationDescriptor"/>
+ <xsl:if test="not(md:Organization)">
+ <xsl:apply-templates select="document($orginfo)"/>
+ </xsl:if>
+ <xsl:if test="$defaultContact='true' and not(md:ContactPerson)">
+ <md:ContactPerson contactType="technical"><md:EmailAddress>operations@swamid.se</md:EmailAddress></md:ContactPerson>
+ </xsl:if>
+ <xsl:apply-templates select="md:Organization|md:ContactPerson|md:AdditionalMetadataLocation"/>
+ </md:EntityDescriptor>
+ </xsl:template>
+
+ <xsl:template match="md:EntityDescriptor/md:Extensions">
+ <md:Extensions>
+ <xsl:call-template name="add-swamid-rpi"/>
+ <xsl:apply-templates select="text()|comment()|node()"/>
+ </md:Extensions>
+ </xsl:template>
+
+ <xsl:template name="add-swamid-rpi">
+ <xsl:if test="$rpi='true' and not(mdrpi:RegistrationInfo[@registrationAuthority='http://swamid.se/'])">
+ <mdrpi:RegistrationInfo registrationAuthority="http://www.swamid.se/">
+ <mdrpi:RegistrationPolicy xml:lang="en">http://www.swamid.se/download/18.248ad5af12aa8136533800012293/SWAMID+Metadata+Registration+Practice+Statement-20110714.pdf</mdrpi:RegistrationPolicy>
+ </mdrpi:RegistrationInfo>
+ </xsl:if>
+ </xsl:template>
+
+ <xsl:template match="@xml:base|@ID"/>
+
+ <xsl:template match="text()|comment()|@*">
+ <xsl:copy/>
+ </xsl:template>
+
+ <xsl:template match="*">
+ <xsl:copy>
+ <xsl:apply-templates select="node()|@*"/>
+ </xsl:copy>
+ </xsl:template>
+
+</xsl:stylesheet>
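Review bot: `add-swamid-rpi` guards on an existing `mdrpi:RegistrationInfo[@registrationAuthority='http://swamid.se/']` but emits `registrationAuthority="http://www.swamid.se/"`, so the guard never matches what the template itself writes; an entity whose Extensions already carry the www form, or a document run through the transform twice, ends up with two RegistrationInfo elements. Use one value in both places, e.g. `not(mdrpi:RegistrationInfo[@registrationAuthority='http://www.swamid.se/'])`. The signature template hard-codes `rsa-sha1` and `sha1` for the federation signature; SHA-1 was already being phased out for signature generation when this was written, and xmlsec1 can produce `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` with `http://www.w3.org/2001/04/xmlenc#sha256`, so the algorithm identifiers deserve a short comment stating why they were chosen or, preferably, an upgrade. The stylesheet also references `$rpi`, `$defaultContact` and `$date` without top-level `<xsl:param>` declarations; XSLT 1.0 requires them, and `<xsl:param name="rpi" select="'false'"/>` (likewise `defaultContact`, plus `<xsl:param name="date"/>`) both satisfies that and documents the defaults the Makefile's `RPI=false CONTACTS=false` relies on.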