From 2236a29da6e86cc7b8ce2ae27dffb83d0965155a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 22 Jan 2008 13:47:47 +0000
Subject: [PATCH] Change SAML2 & Shib13 AuthResponse to use the new fingerprint-retrival-function in xmlseclibs.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@184 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 31 ++++++++-------------
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 30 ++++++++------------
 2 files changed, 24 insertions(+), 37 deletions(-)
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 072cf9442..56984d9b7 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -70,12 +70,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 }
- /* Must check certificate fingerprint now - validateReference removes it */
- // TODO FIX"!!!
- if ( ! $this->validateCertFingerprint($objDSig) ) {
- throw new Exception("Fingerprint Validation Failed");
- }
-
 /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 $objXMLSecDSig->canonicalizeSignedInfo();
@@ -102,6 +96,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 throw new Exception("Error loading key to handle Signature");
 }
+ /* Check certificate fingerprint. */
+ if ( ! $this->validateCertFingerprint($objKey) ) {
+ throw new Exception("Fingerprint Validation Failed");
+ }
+
 if (! $objXMLSecDSig->verify($objKey)) {
 throw new Exception("Unable to validate Signature");
 }
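Review bot: The added `/* Check certificate fingerprint. */` before `if ( ! $this->validateCertFingerprint($objKey) )` drops the ordering rationale the removed block carried (`validateReference removes it`) without replacing it, although the placement is now load-bearing in a different way: the fingerprint is read from the loaded key object rather than from the document, so the check must come after the key is loaded and before `verify()` is run with that same key. Suggest `/* Check certificate fingerprint. The fingerprint is taken from the loaded key, not the DOM, so this must run after the key is loaded and before verify() uses that key. */`. The enclosing method starts and ends outside the hunk, so where `$objKey` is loaded from is not visible here. The identical hunk in lib/SimpleSAML/XML/Shib13/AuthnResponse.php (`@@ -96,6 +90,12 @@`) needs the same comment.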
@@ -113,20 +112,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
- function validateCertFingerprint($dom) {
-// $dom = $this->getDOM();
- $fingerprint = "";
-
-
- // Find the certificate in the document.
- if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509data = base64_decode( $x509cert );
- $fingerprint = strtolower( sha1( $x509data ) );
- }
+ function validateCertFingerprint($objKey) {
+
+ /* Get the fingerprint. */
+ $fingerprint = $objKey->getX509Fingerprint();
+ if($fingerprint === NULL) {
+ throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 }
-
+
 // Get the issuer of the assertion.
 $issuer = $this->getIssuer();
 $md = $this->metadata->getMetaData($issuer, 'saml20-idp-remote');
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 231c5b0e6..931836090 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -64,12 +64,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 }
- /* Must check certificate fingerprint now - validateReference removes it */
- // TODO FIX"!!!
- if ( ! $this->validateCertFingerprint($objDSig) ) {
- throw new Exception("Fingerprint Validation Failed");
- }
-
 /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */
 $objXMLSecDSig->canonicalizeSignedInfo();
@@ -96,6 +90,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 throw new Exception("Error loading key to handle Signature");
 }
+
+ /* Check certificate fingerprint. */
+ if ( ! $this->validateCertFingerprint($objKey) ) {
+ throw new Exception("Fingerprint Validation Failed");
+ }
+
 if (! $objXMLSecDSig->verify($objKey)) {
 throw new Exception("Unable to validate Signature");
 }
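Review bot: `validateCertFingerprint()` now passes `$objKey->getX509Fingerprint()` through unchanged, while the removed code normalised its value with `strtolower( sha1( ... ) )`; the comparison against the `saml20-idp-remote` metadata is further down, outside the hunk, so if it is a plain string compare, a case or format mismatch between the library's output and the configured fingerprint makes every response fail closed, and if it uses `==`, hex strings of the form `0e…` compare as numbers and weaken the check. Normalise right after the NULL guard, `$fingerprint = strtolower($fingerprint);`, and make sure the compare below is `===` against an equally lower-cased metadata value. The method also has no docblock; add one stating that `$objKey` is the key the signature was loaded with, that it throws when the key carries no X509 certificate, and that its boolean result is what the caller's `if ( ! ... )` consumes. The identical rewrite in lib/SimpleSAML/XML/Shib13/AuthnResponse.php (`@@ -107,18 +107,12 @@`) has the same gap.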
@@ -107,18 +107,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
- function validateCertFingerprint($dom) {
-// $dom = $this->getDOM();
- $fingerprint = "";
-
-
- // Find the certificate in the document.
- if ($x509certNodes = $dom->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509data = base64_decode( $x509cert );
- $fingerprint = strtolower( sha1( $x509data ) );
- }
+ function validateCertFingerprint($objKey) {
+
+ /* Get the fingerprint. */
+ $fingerprint = $objKey->getX509Fingerprint();
+ if($fingerprint === NULL) {
+ throw new Exception('Key used to sign the message wasn\'t an X509 certificate.');
 }
 // Get the issuer of the assertion.
-- GitLab