diff --git a/lib/SimpleSAML/Configuration.php b/lib/SimpleSAML/Configuration.php
index aa0a84b8cb5031dadfafd60fcacd21400c5c5244..464af92d91cc6c7c7e566b4f9d25cd0652d277e8 100644
--- a/lib/SimpleSAML/Configuration.php
+++ b/lib/SimpleSAML/Configuration.php
@@ -1356,9 +1356,11 @@ class SimpleSAML_Configuration implements \SimpleSAML\Utils\ClearableState
 'X509Certificate' => $certData,
 ),
 );
+ } elseif ($required === true) {
+ throw new SimpleSAML_Error_Exception($this->location.': Missing certificate in metadata.');
+ } else {
+ return array();
 }
-
- throw new SimpleSAML_Error_Exception($this->location.': Missing certificate in metadata.');
 }
 
 /**
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index 38d15a6f3660e5827a9392a92f7d98fe397a28e4..c21df33a5dbfd1bcfc526cdfa6dab355cd642805 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -755,17 +755,15 @@ class SimpleSAML_Metadata_SAMLBuilder
 private function addCertificate(\SAML2\XML\md\RoleDescriptor $rd, SimpleSAML_Configuration $metadata)
 {
 $keys = $metadata->getPublicKeys();
- if ($keys !== null) {
- foreach ($keys as $key) {
- if ($key['type'] !== 'X509Certificate') {
- continue;
- }
- if (!isset($key['signing']) || $key['signing'] === true) {
- $this->addX509KeyDescriptor($rd, 'signing', $key['X509Certificate']);
- }
- if (!isset($key['encryption']) || $key['encryption'] === true) {
- $this->addX509KeyDescriptor($rd, 'encryption', $key['X509Certificate']);
- }
+ foreach ($keys as $key) {
+ if ($key['type'] !== 'X509Certificate') {
+ continue;
+ }
+ if (!isset($key['signing']) || $key['signing'] === true) {
+ $this->addX509KeyDescriptor($rd, 'signing', $key['X509Certificate']);
+ }
+ if (!isset($key['encryption']) || $key['encryption'] === true) {
+ $this->addX509KeyDescriptor($rd, 'encryption', $key['X509Certificate']);
 }
 }
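Review bot: The `return array();` added after `} elseif ($required === true) {` changes this method's contract from `null` to an empty array when no certificate is configured, so the method's `@return` docblock (outside the hunk) should stop mentioning null; suggested wording: `@return array  Public keys found in the metadata; an empty array when none is configured and $required is false.` Any caller outside this commit that still tests the result with `!== null` will now take its "keys present" path on an empty list, so the remaining call sites deserve a search. `$required === true` also means a truthy non-bool such as `1` falls through to `return array()`; if the parameter carries no `bool` type hint, either `if ($required)` or a docblock line saying that only `true` triggers the exception would avoid that surprise. The enclosing method starts outside the hunk.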
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 7da5bd294a5bd85b2b70ff1f45c28f769a628ef0..749d9d2db082b0e7bdf60f6f5ed12218ea29bfa9 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -269,7 +269,7 @@ class Crypto
 }
 $keys = $metadata->getPublicKeys(null, false, $prefix);
- if ($keys !== null) {
+ if (!empty($keys)) {
 foreach ($keys as $key) {
 if ($key['type'] !== 'X509Certificate') {
 continue;
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 28a9fc14cfe830fb3bdf3803a189b255df33a676..61a8f32bafd9d69a15bb48b42453bb71211c6012 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -102,7 +102,7 @@ class AuthnResponse
 $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');
 $publicKeys = $md->getPublicKeys('signing');
- if ($publicKeys !== null) {
+ if (!empty($publicKeys)) {
 $certFingerprints = array();
 foreach ($publicKeys as $key) {
 if ($key['type'] !== 'X509Certificate') {
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index fbd6ec2f04aa0eeb65541ca8103f69fe7cb04b21..30d95781daa371e5b9b0151b279ab283653b7fb1 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
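Review bot: The new `if (!empty($keys)) {` guard also sends an explicitly empty key list (presumably a `keys` entry present in the metadata but with nothing usable for the requested purpose) down the path after the `if`, which the old `!== null` check did not; that path lies outside the hunk, so confirm it fails closed, i.e. yields no key or rejects the message rather than proceeding without one. The same substitution is made in the AuthnResponse.php hunk below (`!empty($publicKeys)` guarding the `$certFingerprints` list) and in the Message.php hunk (`!empty($keys)` guarding `$pemKeys`), where a permissive fallback would mean weaker signature verification, so those two fallbacks deserve the same check. A one-line comment above each guard, `// an empty key list is treated like a missing 'keys' option`, would record that the new routing is intentional. The enclosing functions start and end outside these hunks.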
@@ -1073,20 +1073,28 @@ class sspmod_saml_IdP_SAML2
 $key->loadKey($sharedKey);
 } else {
 $keys = $spMetadata->getPublicKeys('encryption', true);
- $key = $keys[0];
- switch ($key['type']) {
- case 'X509Certificate':
- $pemKey = "-----BEGIN CERTIFICATE-----\n".
- chunk_split($key['X509Certificate'], 64).
- "-----END CERTIFICATE-----\n";
- break;
- default:
- throw new SimpleSAML_Error_Exception('Unsupported encryption key type: '.$key['type']);
- }
+ if (!empty($keys)) {
+ $key = $keys[0];
+ switch ($key['type']) {
+ case 'X509Certificate':
+ $pemKey = "-----BEGIN CERTIFICATE-----\n".
+ chunk_split($key['X509Certificate'], 64).
+ "-----END CERTIFICATE-----\n";
+ break;
+ default:
+ throw new SimpleSAML_Error_Exception('Unsupported encryption key type: '.$key['type']);
+ }
 
- // extract the public key from the certificate for encryption
- $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
- $key->loadKey($pemKey);
+ // extract the public key from the certificate for encryption
+ $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
+ $key->loadKey($pemKey);
+ } else {
+ throw new SimpleSAML_Error_ConfigurationError(
+ 'Missing encryption key for entity `' . $spMetadata->getString('entityid') . '`',
+ null,
+ $spMetadata->getString('metadata-set') . '.php'
+ );
+ }
 }
 
 $ea = new \SAML2\EncryptedAssertion();
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 3ba905a8bda23faee4abe590c28ee0278c680399..b80391fbcacb69238857f4c75a02c6a17564056a 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -160,7 +160,7 @@ class sspmod_saml_Message
 {
 // find the public key that should verify signatures by this entity
 $keys = $srcMetadata->getPublicKeys('signing');
- if ($keys !== null) {
+ if (!empty($keys)) {
 $pemKeys = array();
 foreach ($keys as $key) {
 switch ($key['type']) {
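Review bot: The missing-key case introduced at the new `} else {` reads better as a guard clause: throwing first when `$keys` is empty keeps the certificate handling and the `XMLSecurityKey` construction at their previous indentation instead of moving the whole block one level deeper, and keeps the diff to the guard itself. Since `getPublicKeys('encryption', true)` is called with `$required` set and the Configuration.php hunk makes that case throw inside the getter, the new branch presumably only covers a configured key list with no usable encryption entry; a short comment such as `// a 'keys' list may be configured yet contain no encryption-capable entry` would stop the next reader from taking it for dead code. The two error paths also use different exception classes (`SimpleSAML_Error_Exception` for an unsupported key type, `SimpleSAML_Error_ConfigurationError` for a missing key); both are metadata problems, so the unsupported-type case could raise the same `ConfigurationError` with the metadata-set file. The enclosing method starts and ends outside the hunk.
```php
$keys = $spMetadata->getPublicKeys('encryption', true);
if (empty($keys)) {
    throw new SimpleSAML_Error_ConfigurationError(
        'Missing encryption key for entity `' . $spMetadata->getString('entityid') . '`',
        null,
        $spMetadata->getString('metadata-set') . '.php'
    );
}
$key = $keys[0];
// … unchanged: switch on $key['type'] building $pemKey, then XMLSecurityKey construction and loadKey, now one level less indented …
```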