Commit 2236a29d authored by Olav Morken's avatar Olav Morken
Change SAML2 & Shib13 AuthResponse to use the new fingerprint-retrieval function in xmlseclibs.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@184 44740490-163a-0410-bde0-09ae8108e29a
parent a3a1587e
...@@ -70,12 +70,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -70,12 +70,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
} }
/* Must check certificate fingerprint now - validateReference removes it */
// TODO FIX"!!!
if ( ! $this->validateCertFingerprint($objDSig) ) {
throw new Exception("Fingerprint Validation Failed");
}
/* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */ /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
$objXMLSecDSig->canonicalizeSignedInfo(); $objXMLSecDSig->canonicalizeSignedInfo();
...@@ -102,6 +96,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -102,6 +96,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
throw new Exception("Error loading key to handle Signature"); throw new Exception("Error loading key to handle Signature");
} }
/* Check certificate fingerprint. */
if ( ! $this->validateCertFingerprint($objKey) ) {
throw new Exception("Fingerprint Validation Failed");
}
if (! $objXMLSecDSig->verify($objKey)) { if (! $objXMLSecDSig->verify($objKey)) {
throw new Exception("Unable to validate Signature"); throw new Exception("Unable to validate Signature");
} }
...@@ -113,20 +112,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -113,20 +112,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
function validateCertFingerprint($dom) { function validateCertFingerprint($objKey) {
// $dom = $this->getDOM();
$fingerprint = ""; /* Get the fingerprint. */
$fingerprint = $objKey->getX509Fingerprint();
if($fingerprint === NULL) {
// Find the certificate in the document. throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
if ($x509certNodes->length > 0) {
$x509cert = $x509certNodes->item(0)->textContent;
$x509data = base64_decode( $x509cert );
$fingerprint = strtolower( sha1( $x509data ) );
}
} }
// Get the issuer of the assertion. // Get the issuer of the assertion.
$issuer = $this->getIssuer(); $issuer = $this->getIssuer();
$md = $this->metadata->getMetaData($issuer, 'saml20-idp-remote'); $md = $this->metadata->getMetaData($issuer, 'saml20-idp-remote');
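Review bot: The fingerprint taken from the certificate the message itself carries in KeyInfo (`$fingerprint = $objKey->getX509Fingerprint();`) is now the only thing binding a signer-supplied key to the IdP, and the comparison against the `saml20-idp-remote` metadata that makes that decision lies past the end of the hunk, so I cannot confirm it fails closed. Whatever follows should reject the message when the metadata entry has no fingerprint configured rather than letting a missing value match, and should normalize both sides (lowercase, colons stripped) before a strict `===` comparison, since a loose `!=` against an unset array key would pass. The method also has no docblock: I would add one stating that `$objKey` is the xmlseclibs key loaded from the signature's KeyInfo (presumably an XMLSecurityKey, untyped here), that the return is a bool, and that an Exception is thrown when the key carries no X509 certificate. `validateCertFingerprint`'s body continues outside the hunk.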
...@@ -64,12 +64,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -64,12 +64,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
} }
/* Must check certificate fingerprint now - validateReference removes it */
// TODO FIX"!!!
if ( ! $this->validateCertFingerprint($objDSig) ) {
throw new Exception("Fingerprint Validation Failed");
}
/* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */ /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
$objXMLSecDSig->canonicalizeSignedInfo(); $objXMLSecDSig->canonicalizeSignedInfo();
...@@ -96,6 +90,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -96,6 +90,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
throw new Exception("Error loading key to handle Signature"); throw new Exception("Error loading key to handle Signature");
} }
/* Check certificate fingerprint. */
if ( ! $this->validateCertFingerprint($objKey) ) {
throw new Exception("Fingerprint Validation Failed");
}
if (! $objXMLSecDSig->verify($objKey)) { if (! $objXMLSecDSig->verify($objKey)) {
throw new Exception("Unable to validate Signature"); throw new Exception("Unable to validate Signature");
} }
...@@ -107,18 +107,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { ...@@ -107,18 +107,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
function validateCertFingerprint($dom) { function validateCertFingerprint($objKey) {
// $dom = $this->getDOM();
$fingerprint = ""; /* Get the fingerprint. */
$fingerprint = $objKey->getX509Fingerprint();
if($fingerprint === NULL) {
// Find the certificate in the document. throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
if ($x509certNodes->length > 0) {
$x509cert = $x509certNodes->item(0)->textContent;
$x509data = base64_decode( $x509cert );
$fingerprint = strtolower( sha1( $x509data ) );
}
} }
// Get the issuer of the assertion. // Get the issuer of the assertion.
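Review bot: The new `validateCertFingerprint` body in the Shib13 class is, as far as the hunk shows, a line-for-line copy of the SAML20 one (`$fingerprint = $objKey->getX509Fingerprint();`, the `=== NULL` guard, the same exception text), and both classes extend `SimpleSAML_XML_AuthnResponse` per the hunk headers. I would move the check into that base class with the metadata set name as a parameter (`protected function validateCertFingerprint($objKey, $metadataSet)`), so the trust decision cannot drift between the two protocols the next time one of them is touched. The part of the body that selects the metadata set is past the end of the hunk, so I am inferring that it is the only difference; the method's body continues outside the hunk.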