From 2236a29da6e86cc7b8ce2ae27dffb83d0965155a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 22 Jan 2008 13:47:47 +0000
Subject: [PATCH] Change SAML2 & Shib13 AuthResponse to use the new
 fingerprint-retrieval-function in xmlseclibs.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@184 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 31 ++++++++-------------
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 30 ++++++++------------
 2 files changed, 24 insertions(+), 37 deletions(-)

diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 072cf9442..56984d9b7 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -70,12 +70,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		}
 		
 		
-		/* Must check certificate fingerprint now - validateReference removes it */        
-		// TODO FIX"!!!
-		if ( ! $this->validateCertFingerprint($objDSig) ) {
-			throw new Exception("Fingerprint Validation Failed");
-		}
-
 		/* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 		$objXMLSecDSig->canonicalizeSignedInfo();
 		
@@ -102,6 +96,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			throw new Exception("Error loading key to handle Signature");
 		}
 
+		/* Check certificate fingerprint. */
+		if ( ! $this->validateCertFingerprint($objKey) ) {
+			throw new Exception("Fingerprint Validation Failed");
+		}
+
 		if (! $objXMLSecDSig->verify($objKey)) {
 			throw new Exception("Unable to validate Signature");
 		}
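Review bot: The added check only makes `verify()` use a trusted key if `$objKey` is the key loaded from the message's own KeyInfo, which the context line `Error loading key to handle Signature` suggests but the hunk does not show; that dependency should be stated where the check sits, because anyone moving it after `verify()` silently reintroduces the problem the commit fixes. I would add `/* $objKey came from the message itself; it is only trusted once its fingerprint matches the issuer's metadata, so this check must stay before verify(). */` above the `if`. Note also that `validateCertFingerprint()` now throws on a non-X509 key (third hunk of this file), so the `Fingerprint Validation Failed` wrapper only covers a `false` return and one trust failure now surfaces under two different messages. The same applies to the Shib13 hunk at `@@ -96,6 +90,12 @@`, which additionally introduces a stray second blank line before the comment. The enclosing method starts and ends outside the hunk.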
@@ -113,20 +112,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	
 	
 	
-	function validateCertFingerprint($dom) {
-//		$dom = $this->getDOM();
-		$fingerprint = "";
-		
-		
-		// Find the certificate in the document.
-		if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
-			if ($x509certNodes->length > 0) {
-				$x509cert = $x509certNodes->item(0)->textContent;
-				$x509data = base64_decode( $x509cert );
-				$fingerprint = strtolower( sha1( $x509data ) );
-			}
+	function validateCertFingerprint($objKey) {
+
+		/* Get the fingerprint. */
+		$fingerprint = $objKey->getX509Fingerprint();
+		if($fingerprint === NULL) {
+			throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 		}
-	
+
 		// Get the issuer of the assertion.
 		$issuer = $this->getIssuer();
 		$md = $this->metadata->getMetaData($issuer, 'saml20-idp-remote');
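Review bot: `validateCertFingerprint()` has no docblock although its contract changed in two ways: the parameter is now the loaded key object rather than a DOM, and it throws when the key carries no certificate while still returning `false` for a fingerprint mismatch. I would add a docblock stating that it checks the certificate `$objKey` was loaded from against the fingerprints configured for the issuer in `saml20-idp-remote` metadata, with `@param` for the key, `@return bool` for the match result, and `@throws Exception` when the key is not an X509 certificate. Whether the value returned by `getX509Fingerprint()` is normalised the way the removed code did (`strtolower(sha1(...))`) before it is compared with the metadata value cannot be confirmed here, since the comparison lies past the end of the hunk; if it is not, a case difference in a configured fingerprint would reject valid responses. Since `$objKey` presumably comes from the signature's own KeyInfo, the metadata comparison is the only thing that makes it trusted, which the docblock should say explicitly. The same applies to the Shib13 hunk at `@@ -107,18 +107,12 @@`; the method body continues outside the hunk.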
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 231c5b0e6..931836090 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -64,12 +64,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		}
 		
 		
-		/* Must check certificate fingerprint now - validateReference removes it */        
-		// TODO FIX"!!!
-		if ( ! $this->validateCertFingerprint($objDSig) ) {
-			throw new Exception("Fingerprint Validation Failed");
-		}
-
 		/* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 		$objXMLSecDSig->canonicalizeSignedInfo();
 		
@@ -96,6 +90,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			throw new Exception("Error loading key to handle Signature");
 		}
 
+
+		/* Check certificate fingerprint. */
+		if ( ! $this->validateCertFingerprint($objKey) ) {
+			throw new Exception("Fingerprint Validation Failed");
+		}
+
 		if (! $objXMLSecDSig->verify($objKey)) {
 			throw new Exception("Unable to validate Signature");
 		}
@@ -107,18 +107,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	
 	
 	
-	function validateCertFingerprint($dom) {
-//		$dom = $this->getDOM();
-		$fingerprint = "";
-		
-		
-		// Find the certificate in the document.
-		if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
-			if ($x509certNodes->length > 0) {
-				$x509cert = $x509certNodes->item(0)->textContent;
-				$x509data = base64_decode( $x509cert );
-				$fingerprint = strtolower( sha1( $x509data ) );
-			}
+	function validateCertFingerprint($objKey) {
+
+		/* Get the fingerprint. */
+		$fingerprint = $objKey->getX509Fingerprint();
+		if($fingerprint === NULL) {
+			throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 		}
 	
 		// Get the issuer of the assertion.
-- 
GitLab