From 04b5af6de931fa31fdc3aa329de00b7c08c58651 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 14 Sep 2011 09:22:57 +0000
Subject: [PATCH] Remove the caFile option from SAML 2.0.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2899 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-reference-idp-remote.txt | 6 ++---
 modules/saml/lib/Message.php | 25 +++------------------
 2 files changed, 6 insertions(+), 25 deletions(-)
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index 71478f112..d39812cce 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -27,9 +27,6 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
 `base64attributes`
 : Whether attributes received from this IdP should be base64 decoded. The default is `FALSE`.
-`caFile`
-: Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that simpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response. Support for PKIX in SimpleSAMLphp is experimental, and we encourage users to not rely on PKIX for validation of signatures; for background information review [the SAML 2.0 Metadata Interoperability Profile](http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf).
-
 `certData`
 : The base64 encoded certificate for this IdP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
@@ -186,6 +183,9 @@ These options overrides the options set in `saml20-sp-hosted`.
 Shibboleth 1.3 options
 ----------------------
+`caFile`
+: Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that simpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response. Support for PKIX in SimpleSAMLphp is experimental, and we encourage users to not rely on PKIX for validation of signatures; for background information review [the SAML 2.0 Metadata Interoperability Profile](http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf).
+
 `saml1.useartifact`
 : Request that the IdP returns the result to the artifact binding. The default is to use the POST binding, set this option to TRUE to use the artifact binding instead.
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 9dd11c65f..65ebff37f 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -160,28 +160,9 @@ class sspmod_saml_Message {
 $pemCert = self::findCertificate($certFingerprint, $certificates);
 $pemKeys = array($pemCert);
 } else {
- /* Attempt CA validation. */
- $caFile = $srcMetadata->getString('caFile', NULL);
- if ($caFile === NULL) {
- throw new SimpleSAML_Error_Exception(
- 'Missing certificate in metadata for ' .
- var_export($srcMetadata->getString('entityid'), TRUE));
- }
- $caFile = SimpleSAML_Utilities::resolveCert($caFile);
- if (count($certificates) === 0) {
- /* We need the full certificate in order to check it against the CA file. */
- SimpleSAML_Logger::debug('No certificate in message when validating with CA.');
- return FALSE;
- }
- /* We assume that it is the first certificate that was used to sign the message. */
- $pemCert = "-----BEGIN CERTIFICATE-----\n" .
- chunk_split($certificates[0], 64) .
- "-----END CERTIFICATE-----\n";
- SimpleSAML_Utilities::validateCA($pemCert, $caFile);
- $pemKeys = array($pemCert);
+ throw new SimpleSAML_Error_Exception(
+ 'Missing certificate in metadata for ' .
+ var_export($srcMetadata->getString('entityid'), TRUE));
 }
 SimpleSAML_Logger::debug('Has ' . count($pemKeys) . ' candidate keys for validation.');
--
GitLab
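Review bot: The new `else` branch now fails every SAML 2.0 IdP that was configured with only `caFile`, but the exception text ("Missing certificate in metadata for …") gives the operator no hint that the option they set has been dropped, so a deployment that silently lost its trust anchor will be diagnosed as a plain misconfiguration. Since the removed `getString('caFile', NULL)` lookup is still available and cheap, I would keep it just to explain the failure: `if ($srcMetadata->getString('caFile', NULL) !== NULL) { SimpleSAML_Logger::warning('caFile is no longer supported for SAML 2.0; configure certificate or certData for ' . var_export($srcMetadata->getString('entityid'), TRUE)); }` immediately before the `throw`. Failing closed here is the right security outcome — the removed code trusted the first embedded certificate after a root-only PKIX check that, per the docs hunk, could not handle intermediates — so the note is about operability, not about restoring the fallback. The enclosing method begins and ends outside this hunk; if its doc comment above line 160 still describes the CA-file fallback, it needs the same removal.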