diff options
Diffstat (limited to 'xslt')
-rw-r--r-- | xslt/check_framework.xsl | 128 | ||||
-rw-r--r-- | xslt/check_uk_algorithms.xsl | 195 |
2 files changed, 323 insertions, 0 deletions
diff --git a/xslt/check_framework.xsl b/xslt/check_framework.xsl new file mode 100644 index 00000000..f4e8d017 --- /dev/null +++ b/xslt/check_framework.xsl @@ -0,0 +1,128 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + + check_framework.xsl + + XSL stylesheet providing a framework for use by rule checking files. + + Author: Ian A. Young <ian@iay.org.uk> + +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + + <!-- + The stylesheet output will be a text file, which will probably be thrown + away in any case. The real output from the check is sent using the + xsl:message element. + --> + <xsl:output method="text"/> + + + <!-- + Common template to call to report an error on some element within an entity. + --> + <xsl:template name="error"> + <xsl:param name="m"/> + <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/> + <xsl:message terminate='no'> + <xsl:text>[ERROR] </xsl:text> + <!-- + If we're processing an aggregate, we need to indicate which + individual entity we're dealing with. + --> + <xsl:if test="ancestor-or-self::md:EntitiesDescriptor"> + <!-- + Use an ID if available, otherwise the entityID. + --> + <xsl:choose> + <xsl:when test="$entity/@ID"> + <xsl:value-of select="$entity/@ID"/> + </xsl:when> + <xsl:otherwise> + <xsl:value-of select="$entity/@entityID"/> + </xsl:otherwise> + </xsl:choose> + <xsl:text>: </xsl:text> + </xsl:if> + <xsl:value-of select="$m"/> + </xsl:message> + </xsl:template> + + + <!-- + Common template to call to report a warning on some element within an entity. + --> + <xsl:template name="warning"> + <xsl:param name="m"/> + <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/> + <xsl:message terminate='no'> + <xsl:text>[WARN] </xsl:text> + <!-- + If we're processing an aggregate, we need to indicate which + individual entity we're dealing with. + --> + <xsl:if test="ancestor-or-self::md:EntitiesDescriptor"> + <!-- + Use an ID if available, otherwise the entityID. + --> + <xsl:choose> + <xsl:when test="$entity/@ID"> + <xsl:value-of select="$entity/@ID"/> + </xsl:when> + <xsl:otherwise> + <xsl:value-of select="$entity/@entityID"/> + </xsl:otherwise> + </xsl:choose> + <xsl:text>: </xsl:text> + </xsl:if> + <xsl:value-of select="$m"/> + </xsl:message> + </xsl:template> + + + <!-- + Common template to call to report an informational message on some element within an entity. + --> + <xsl:template name="info"> + <xsl:param name="m"/> + <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/> + <xsl:message terminate='no'> + <xsl:text>[INFO] </xsl:text> + <!-- + If we're processing an aggregate, we need to indicate which + individual entity we're dealing with. + --> + <xsl:if test="ancestor-or-self::md:EntitiesDescriptor"> + <!-- + Use an ID if available, otherwise the entityID. + --> + <xsl:choose> + <xsl:when test="$entity/@ID"> + <xsl:value-of select="$entity/@ID"/> + </xsl:when> + <xsl:otherwise> + <xsl:value-of select="$entity/@entityID"/> + </xsl:otherwise> + </xsl:choose> + <xsl:text>: </xsl:text> + </xsl:if> + <xsl:value-of select="$m"/> + </xsl:message> + </xsl:template> + + + <!-- Recurse down through all elements by default. --> + <xsl:template match="*"> + <xsl:apply-templates select="node()|@*"/> + </xsl:template> + + + <!-- Discard text blocks, comments and attributes by default. --> + <xsl:template match="text()|comment()|@*"> + <!-- do nothing --> + </xsl:template> + +</xsl:stylesheet> diff --git a/xslt/check_uk_algorithms.xsl b/xslt/check_uk_algorithms.xsl new file mode 100644 index 00000000..0a4c024f --- /dev/null +++ b/xslt/check_uk_algorithms.xsl @@ -0,0 +1,195 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + + check_uk_algorithms.xsl + + Checking ruleset for cryptographic algorithms. This is named as a UK + ruleset because the division between acceptable and unacceptable algorithms + is sometimes a judgement call; however, it should be generally + applicable. + + The best reference for *all* URIs used as algorithm identifiers is the + XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/ + Algorithm lists here are in the same order as in that document. + + Author: Ian A. Young <ian@iay.org.uk> +--> +<xsl:stylesheet version="1.0" + xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> + + <!-- + Common support functions. + --> + <xsl:import href="check_framework.xsl"/> + + <!-- + ************************************* + *** *** + *** S I G N I N G M E T H O D *** + *** *** + ************************************* + --> + + <!-- + Check for known BAD SigningMethod algorithms. + --> + <xsl:template match="alg:SigningMethod[ + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5' + ]"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>insecure algorithm in SigningMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + + <!-- + Check for known GOOD SigningMethod algorithms. + --> + <xsl:template match="alg:SigningMethod[ + @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or + @Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or + @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512' + ]"> + <!-- do nothing --> + </xsl:template> + + <!-- + Misspelled or otherwise not known SigningMethod algorithms. + --> + <xsl:template match="alg:SigningMethod"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>unknown algorithm in SigningMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + + <!-- + *********************************** + *** *** + *** D I G E S T M E T H O D *** + *** *** + *********************************** + --> + + <!-- + Check for known BAD DigestMethod algorithms. + --> + <xsl:template match="alg:DigestMethod[ + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5' + ]"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>insecure algorithm in DigestMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + + <!-- + Check for known GOOD DigestMethod algorithms. + --> + <xsl:template match="alg:DigestMethod[ + @Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or + @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160' + ]"> + <!-- do nothing --> + </xsl:template> + + <!-- + Misspelled or otherwise not known DigestMethod algorithms. + --> + <xsl:template match="alg:DigestMethod"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>unknown algorithm in DigestMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + + <!-- + ******************************************* + *** *** + *** E N C R Y P T I O N M E T H O D *** + *** *** + ******************************************* + --> + + <!-- + Check for known BAD EncryptionMethod algorithms. + + This list is of symmetric key encryption algorithms *and* + key transport algorithms. + --> + <xsl:template match="md:EncryptionMethod[ + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' + ]"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + + <!-- + Check for known GOOD EncryptionMethod algorithms. + + This list is of symmetric key encryption algorithms *and* + key transport algorithms. + --> + <xsl:template match="md:EncryptionMethod[ + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or + @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or + @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or + @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or + @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or + @Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep' + ]"> + <!-- do nothing --> + </xsl:template> + + <!-- + Misspelled or otherwise not known EncryptionMethod algorithms. + --> + <xsl:template match="md:EncryptionMethod"> + <xsl:call-template name="error"> + <xsl:with-param name="m"> + <xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text> + <xsl:value-of select="@Algorithm"/> + <xsl:text>'</xsl:text> + </xsl:with-param> + </xsl:call-template> + </xsl:template> + +</xsl:stylesheet> |