author | Leif Johansson <leifj@sunet.se> | 2016-11-16 10:13:55 +0100 |
committer | Leif Johansson <leifj@sunet.se> | 2016-11-16 10:13:55 +0100 |
commit | 47170551ffe3b1662e39e60199dfd6b0567dc8e3 (patch) | |
tree | 042fd100cf793c8bb58476750b57be0a4b9a83fa | |
parent | 504d41eb76856c20834625ed86e081e3eed6a76c (diff) |
use a separate sign xslt for the pyXMLSecurity-based stuff
-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | swamid2007.mk | 1 | ||||
-rw-r--r-- | swamid2016.mk | 1 | ||||
-rw-r--r-- | xslt/sign-new.xsl | 48 |
4 files changed, 52 insertions, 1 deletions
@@ -17,6 +17,7 @@ ID=$(shell perl scripts/unique_id.pl)
 XSLTDEFS := --stringparam org $(ORG) --stringparam ID $(ID) --stringparam tou $(TOU) --stringparam rpi $(RPI) --stringparam defaultContact $(CONTACTS) --stringparam date $(DATE) --stringparam now $(NOW)
 SIGNER := xmlsec1 --sign --privkey-pem $(KEY),$(CERT) --pwd $(PASS) --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor
 BASEURL := http://md.swamid.se/md
+SIGN := xslt/sign.xsl
 -include $(SWAMID_MK_CONFIG)
@@ -28,7 +29,7 @@ sign: swamid upstream projects
 %.sig: %.mxml
 xsltproc $(XSLTDEFS) --stringparam target "$(BASEURL)/$*.xml" --xinclude $(TRANSFORM) $< > $*.n
- xsltproc $(XSLTDEFS) --xinclude xslt/sign.xsl $*.n > $*.tbs
+ xsltproc $(XSLTDEFS) --xinclude $(SIGN) $*.n > $*.tbs
 $(SIGNER) --output $@ $*.tbs
 xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $@
 rm -f $*.tbs $*.n
diff --git a/swamid2007.mk b/swamid2007.mk
index 21bd58c1..b291cbe7 100644
--- a/swamid2007.mk
+++ b/swamid2007.mk
@@ -1,3 +1,4 @@
 SIGNER := xmlsign -k http://swamid-hsmproxy.docker:8000/swamid/swamid -c /opt/swamid-credentials/swamid-signer.crt
 DEST := /opt/published-metadata/md.swamid.se
 BASEURL:= http://md.swamid.se/md
+SIGN := xslt/sign-luna.xslt
diff --git a/swamid2016.mk b/swamid2016.mk
index c74427a4..c585c429 100644
--- a/swamid2016.mk
+++ b/swamid2016.mk
@@ -1,3 +1,4 @@
 SIGNER := xmlsign -k http://swamid-hsmproxy.docker:8000/swamid/swamid -c /opt/swamid-credentials/swamid-signer.crt
 DEST := /opt/published-metadata/mds.swamid.se
 BASEURL:= http://mds.swamid.se/md
+SIGN := xslt/sign-luna.xslt
diff --git a/xslt/sign-new.xsl b/xslt/sign-new.xsl
new file mode 100644
index 00000000..48364512
--- /dev/null
+++ b/xslt/sign-new.xsl
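Review bot: The stylesheet named by `$(SIGN)` is not a prerequisite of the `%.sig` rule, so editing the template that builds the to-be-signed document leaves already-built `.sig` targets looking up to date and they will not be re-signed until the `.mxml` changes. The hard-coded `xslt/sign.xsl` it replaces had the same gap, but now that the path is selected per deployment through `$(SWAMID_MK_CONFIG)` it is easier to hit. Listing it after the source keeps `$<` pointing at the `.mxml`: `%.sig: %.mxml $(SIGN)`. `$(TRANSFORM)` on the first recipe line has the same omission if it is a file path; that cannot be confirmed from this hunk.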
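Review bot: Both config files set `SIGN := xslt/sign-luna.xslt`, but the only stylesheet this commit adds is `xslt/sign-new.xsl` (note also `.xsl` versus `.xslt`), and the diffstat lists no `sign-luna.xslt`; unless that file already exists in the tree, the `xsltproc $(XSLTDEFS) --xinclude $(SIGN)` step of the `%.sig` rule will fail for the swamid2007 and swamid2016 builds. Either point `SIGN` at `xslt/sign-new.xsl` or add the missing stylesheet in the same change, so the commit message and the configured path agree. The same line is added in swamid2016.mk.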
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:exsl="http://exslt.org/common"
+ xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+ extension-element-prefixes="exsl"
+ xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
+
+ <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
+
+ <xsl:template match="/md:EntitiesDescriptor">
+ <md:EntitiesDescriptor>
+ <xsl:apply-templates select="@*|text()|comment()"/>
+ <ds:Signature>
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+ <ds:Reference>
+ <xsl:attribute name="URI"><xsl:text>#</xsl:text><xsl:value-of select="@ID"/></xsl:attribute>
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+ <ds:DigestValue></ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue/>
+ </ds:Signature>
+ <xsl:apply-templates/>
+ </md:EntitiesDescriptor>
+ </xsl:template>
+
+ <xsl:template match="text()|comment()|@*">
+ <xsl:copy/>
+ </xsl:template>
+
+ <xsl:template match="*">
+ <xsl:copy>
+ <xsl:apply-templates select="node()|@*"/>
+ </xsl:copy>
+ </xsl:template>
+
+</xsl:stylesheet>
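Review bot: The SignedInfo this template emits pins the algorithms to `rsa-sha1` in `ds:SignatureMethod` and `sha1` in `ds:DigestMethod`; SHA-1 is deprecated for XML signatures and relying parties are increasingly configured to reject it on SAML metadata, so unless the HSM-backed signer cannot do better, prefer `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` and `http://www.w3.org/2001/04/xmlenc#sha256`. Separately, the root template applies templates to `@*|text()|comment()` before the signature and then calls the bare `<xsl:apply-templates/>` after it, which selects every child node including those same text and comment nodes, so any comment (and whitespace) directly under `md:EntitiesDescriptor` is copied twice; `<xsl:apply-templates select="*"/>` on the second pass emits each element child once. Whether the signer honours the algorithm URIs declared here or rewrites them is not visible from this commit.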