diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 072cf9442dc997a349f273b01a61a4f8b6f695a6..56984d9b7cf3fd9126118cce216aff0d183bf017 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -70,12 +70,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 }
- /* Must check certificate fingerprint now - validateReference removes it */
- // TODO FIX"!!!
- if ( ! $this->validateCertFingerprint($objDSig) ) {
- throw new Exception("Fingerprint Validation Failed");
- }
-
 /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 $objXMLSecDSig->canonicalizeSignedInfo();
@@ -102,6 +96,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 throw new Exception("Error loading key to handle Signature");
 }
+ /* Check certificate fingerprint. */
+ if ( ! $this->validateCertFingerprint($objKey) ) {
+ throw new Exception("Fingerprint Validation Failed");
+ }
+
 if (! $objXMLSecDSig->verify($objKey)) {
 throw new Exception("Unable to validate Signature");
 }
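Review bot: The new fingerprint check runs on the same `$objKey` that `verify()` consumes, which is the correct binding, but the lines that produce `$objKey` (and the start of the enclosing method) are outside the hunk, so I cannot confirm its origin; if, as the old "validateReference removes it" comment suggests, the key is taken from the message's own KeyInfo, then the fingerprint match against IdP metadata is the only thing that makes that key trustworthy and this check must stay ahead of `verify()`. The bare `/* Check certificate fingerprint. */` should record that invariant, e.g. `/* $objKey is presumably taken from the message itself; only the fingerprint match against the IdP metadata makes it trusted, so this must run before verify(). */`. The same block is added identically in the Shib13 file (hunk at -96); since both classes extend `SimpleSAML_XML_AuthnResponse`, the call and the method behind it are candidates for the shared parent rather than two copies.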
@@ -113,20 +112,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
- function validateCertFingerprint($dom) {
-// $dom = $this->getDOM();
- $fingerprint = "";
-
-
- // Find the certificate in the document.
- if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509data = base64_decode( $x509cert );
- $fingerprint = strtolower( sha1( $x509data ) );
- }
+ function validateCertFingerprint($objKey) {
+
+ /* Get the fingerprint. */
+ $fingerprint = $objKey->getX509Fingerprint();
+ if($fingerprint === NULL) {
+ throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 }
-
+
 // Get the issuer of the assertion.
 $issuer = $this->getIssuer();
 $md = $this->metadata->getMetaData($issuer, 'saml20-idp-remote');
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 231c5b0e66b4be56a6413efa515d19e83f9d0354..9318360900aabc22e75c3bf2a0a626eafc4cc571 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -64,12 +64,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 }
- /* Must check certificate fingerprint now - validateReference removes it */
- // TODO FIX"!!!
- if ( ! $this->validateCertFingerprint($objDSig) ) {
- throw new Exception("Fingerprint Validation Failed");
- }
-
 /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 $objXMLSecDSig->canonicalizeSignedInfo();
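Review bot: The rewritten `validateCertFingerprint` has no docblock and an untyped parameter, and its behaviour for a key without a certificate changed from returning false (via `$fingerprint = ""`) to throwing, which bypasses the caller's own "Fingerprint Validation Failed" path; add a docblock stating that the method compares the fingerprint of the X509 certificate carried by `$objKey` with the issuer's saml20-idp-remote metadata, documenting `$objKey` as an object exposing `getX509Fingerprint()`, the bool return, and the Exception thrown when no certificate is present. The actual comparison lies beyond the end of the hunk (the method continues after `$md = ...`): the old code normalised to `strtolower(sha1(...))` while the new code uses `getX509Fingerprint()` as-is, so confirm that the metadata value is normalised the same way (case, colon separators) and compared with `===`, or valid IdPs will be rejected and a loose comparison could accept the wrong key. Minor style on the new lines: `if($fingerprint === NULL)` should read `if ($fingerprint === null)` to match the surrounding code. The Shib13 file receives what appears to be the same method body (hunk at -107), so the duplicate belongs in the shared parent `SimpleSAML_XML_AuthnResponse`.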
@@ -96,6 +90,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 throw new Exception("Error loading key to handle Signature");
 }
+
+ /* Check certificate fingerprint. */
+ if ( ! $this->validateCertFingerprint($objKey) ) {
+ throw new Exception("Fingerprint Validation Failed");
+ }
+
 if (! $objXMLSecDSig->verify($objKey)) {
 throw new Exception("Unable to validate Signature");
 }
@@ -107,18 +107,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
- function validateCertFingerprint($dom) {
-// $dom = $this->getDOM();
- $fingerprint = "";
-
-
- // Find the certificate in the document.
- if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509data = base64_decode( $x509cert );
- $fingerprint = strtolower( sha1( $x509data ) );
- }
+ function validateCertFingerprint($objKey) {
+
+ /* Get the fingerprint. */
+ $fingerprint = $objKey->getX509Fingerprint();
+ if($fingerprint === NULL) {
+ throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 }
 // Get the issuer of the assertion.