From 0556a445946c8e4dd2783abf314215cf98d02bf5 Mon Sep 17 00:00:00 2001
From: Stefan Halen <github@gethere.tk>
Date: Sun, 2 Oct 2016 22:04:28 +0200
Subject: [PATCH] Fix certificate precedence over fingerprint when verifying
 metadata

---
 modules/metarefresh/lib/MetaLoader.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/metarefresh/lib/MetaLoader.php b/modules/metarefresh/lib/MetaLoader.php
index c7871f592..24790fdb3 100644
--- a/modules/metarefresh/lib/MetaLoader.php
+++ b/modules/metarefresh/lib/MetaLoader.php
@@ -116,9 +116,13 @@ class sspmod_metarefresh_MetaLoader {
 			}
 
 			if(array_key_exists('validateFingerprint', $source) && $source['validateFingerprint'] !== NULL) {
-				if(!$entity->validateFingerprint($source['validateFingerprint'])) {
-					SimpleSAML_Logger::info('Skipping "' . $entity->getEntityId() . '" - could not verify signature using fingerprint.' . "\n");
-					continue;
+				if(!array_key_exists('certificates', $source) || $source['certificates'] == NULL) {
+					if(!$entity->validateFingerprint($source['validateFingerprint'])) {
+						SimpleSAML_Logger::info('Skipping "' . $entity->getEntityId() . '" - could not verify signature using fingerprint.' . "\n");
+						continue;
+					}
+				} else {
+					SimpleSAML_Logger::info('Skipping validation with fingerprint since option certificate is set.' . "\n");
 				}
 			}
 
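Review bot: The new `else` branch accepts an entity with no fingerprint check at all, so it is only safe if the certificate check above this hunk actually ran and skipped the entity on failure; that block starts outside the hunk and cannot be confirmed from here. The guard uses a loose `$source['certificates'] == NULL` while the outer test uses strict `!== NULL`, so an empty array or empty string counts as "not set" here. If the certificate block tests the option differently, both places should use the same expression so that at least one of the two checks always runs. The skip message is logged once per entity without naming the entity, and it calls the option `certificate` rather than `certificates`. I would include `$entity->getEntityId()` in that log line and add a comment such as `// certificates take precedence: the signature was already verified against them above`.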
-- 
GitLab