Diffstat (limited to 'xslt')
-rw-r--r--xslt/check_framework.xsl128
-rw-r--r--xslt/check_uk_algorithms.xsl195
2 files changed, 323 insertions, 0 deletions
diff --git a/xslt/check_framework.xsl b/xslt/check_framework.xsl
new file mode 100644
index 00000000..f4e8d017
--- /dev/null
+++ b/xslt/check_framework.xsl
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ check_framework.xsl
+
+ XSL stylesheet providing a framework for use by rule checking files.
+
+ Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ The stylesheet output will be a text file, which will probably be thrown
+ away in any case. The real output from the check is sent using the
+ xsl:message element.
+ -->
+ <xsl:output method="text"/>
+
+
+ <!--
+ Common template to call to report an error on some element within an entity.
+ -->
+ <xsl:template name="error">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[ERROR] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!--
+ Common template to call to report a warning on some element within an entity.
+ -->
+ <xsl:template name="warning">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[WARN] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!--
+ Common template to call to report an informational message on some element within an entity.
+ -->
+ <xsl:template name="info">
+ <xsl:param name="m"/>
+ <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+ <xsl:message terminate='no'>
+ <xsl:text>[INFO] </xsl:text>
+ <!--
+ If we're processing an aggregate, we need to indicate which
+ individual entity we're dealing with.
+ -->
+ <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+ <!--
+ Use an ID if available, otherwise the entityID.
+ -->
+ <xsl:choose>
+ <xsl:when test="$entity/@ID">
+ <xsl:value-of select="$entity/@ID"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:value-of select="$entity/@entityID"/>
+ </xsl:otherwise>
+ </xsl:choose>
+ <xsl:text>: </xsl:text>
+ </xsl:if>
+ <xsl:value-of select="$m"/>
+ </xsl:message>
+ </xsl:template>
+
+
+ <!-- Recurse down through all elements by default. -->
+ <xsl:template match="*">
+ <xsl:apply-templates select="node()|@*"/>
+ </xsl:template>
+
+
+ <!-- Discard text blocks, comments and attributes by default. -->
+ <xsl:template match="text()|comment()|@*">
+ <!-- do nothing -->
+ </xsl:template>
+
+</xsl:stylesheet>
diff --git a/xslt/check_uk_algorithms.xsl b/xslt/check_uk_algorithms.xsl
new file mode 100644
index 00000000..0a4c024f
--- /dev/null
+++ b/xslt/check_uk_algorithms.xsl
@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ check_uk_algorithms.xsl
+
+ Checking ruleset for cryptographic algorithms. This is named as a UK
+ ruleset because the division between acceptable and unacceptable algorithms
+ is sometimes a judgement call; however, it should be generally
+ applicable.
+
+ The best reference for *all* URIs used as algorithm identifiers is the
+ XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
+ Algorithm lists here are in the same order as in that document.
+
+ Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+ <!--
+ Common support functions.
+ -->
+ <xsl:import href="check_framework.xsl"/>
+
+ <!--
+ *************************************
+ *** ***
+ *** S I G N I N G M E T H O D ***
+ *** ***
+ *************************************
+ -->
+
+ <!--
+ Check for known BAD SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod[
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known SigningMethod algorithms.
+ -->
+ <xsl:template match="alg:SigningMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ ***********************************
+ *** ***
+ *** D I G E S T M E T H O D ***
+ *** ***
+ ***********************************
+ -->
+
+ <!--
+ Check for known BAD DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod[
+ @Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known DigestMethod algorithms.
+ -->
+ <xsl:template match="alg:DigestMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ *******************************************
+ *** ***
+ *** E N C R Y P T I O N M E T H O D ***
+ *** ***
+ *******************************************
+ -->
+
+ <!--
+ Check for known BAD EncryptionMethod algorithms.
+
+ This list is of symmetric key encryption algorithms *and*
+ key transport algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+ ]">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+ <!--
+ Check for known GOOD EncryptionMethod algorithms.
+
+ This list is of symmetric key encryption algorithms *and*
+ key transport algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod[
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
+ @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
+ @Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
+ ]">
+ <!-- do nothing -->
+ </xsl:template>
+
+ <!--
+ Misspelled or otherwise not known EncryptionMethod algorithms.
+ -->
+ <xsl:template match="md:EncryptionMethod">
+ <xsl:call-template name="error">
+ <xsl:with-param name="m">
+ <xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
+ <xsl:value-of select="@Algorithm"/>
+ <xsl:text>'</xsl:text>
+ </xsl:with-param>
+ </xsl:call-template>
+ </xsl:template>
+
+</xsl:stylesheet>
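Review bot: The "known GOOD" templates accept SHA-1-based signing (`dsa-sha1`, `rsa-sha1`, `ecdsa-sha1`), the `sha1` digest and `tripledes-cbc` silently, while the framework's `warning` template is never used by this ruleset, so there is no middle tier between "error" and "accepted" for algorithms that are still interoperable but no longer recommended. Given the header's own remark that the acceptable/unacceptable division is a judgement call, a separate "deprecated" template per element type that calls `warning` would make that judgement visible in the output without breaking existing deployments; the CBC modes are also worth a comment noting that the `aes*-gcm` identifiers are the preferred replacements, since CBC in XML Encryption is known to be weak against padding-oracle attacks. Note that any identifier listed in both a predicated "bad"/"deprecated" template and the "good" template would have equal default priority and become an ambiguous-match error, so each URI must appear in exactly one list.

```xml
<!--
    SigningMethod algorithms that are accepted for interoperability but
    should be phased out; these are reported as warnings, not errors.
-->
<xsl:template match="alg:SigningMethod[
    @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
    @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
    @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1'
    ]">
    <xsl:call-template name="warning">
        <xsl:with-param name="m">
            <xsl:text>deprecated algorithm in SigningMethod: '</xsl:text>
            <xsl:value-of select="@Algorithm"/>
            <xsl:text>'</xsl:text>
        </xsl:with-param>
    </xsl:call-template>
</xsl:template>
<!-- … unchanged: "good" SigningMethod template, minus the three URIs moved above … -->
<!-- … same pattern for DigestMethod (xmldsig#sha1) and EncryptionMethod (xmlenc#tripledes-cbc) … -->
```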