From 355861e6aca082adbc17652dfeba7c3f613b9a71 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 24 Jun 2008 09:11:34 +0000
Subject: [PATCH] Move fingerprint calculation out from xmlseclibs.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@704 44740490-163a-0410-bde0-09ae8108e29a
---
lib/SimpleSAML/XML/Validator.php | 56 +++++++++++++++++++++++++-------
lib/xmlseclibs.php | 55 -------------------------------
2 files changed, 44 insertions(+), 67 deletions(-)
diff --git a/lib/SimpleSAML/XML/Validator.php b/lib/SimpleSAML/XML/Validator.php
index 88e61ceaf..103212cb5 100644
--- a/lib/SimpleSAML/XML/Validator.php
+++ b/lib/SimpleSAML/XML/Validator.php
@@ -9,12 +9,6 @@
*/
class SimpleSAML_XML_Validator {
- /**
- * This variable contains the fingerprint of the certificate the XML document
- * was signed with.
- */
- private $x509Fingerprint;
-
/**
* This variable contains the X509 certificate the XML document
* was signed with, or NULL if it wasn't signed with an X509 certificate.
@@ -80,9 +74,6 @@ class SimpleSAML_XML_Validator {
throw new Exception("Unable to validate Signature");
}
- /* Extract the certificate fingerprint. */
- $this->x509Fingerprint = $objKey->getX509Fingerprint();
-
/* Extract the certificate. */
$this->x509Certificate = $objKey->getX509Certificate();
@@ -104,6 +95,46 @@ class SimpleSAML_XML_Validator {
}
+ /**
+ * Calculates the fingerprint of an X509 certificate.
+ *
+ * @param $x509cert The certificate as a base64-encoded string. The string may optionally
+ * be framed with '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'.
+ * @return The fingerprint as a 40-character lowercase hexadecimal number. NULL is returned if the
+ * argument isn't an X509 certificate.
+ */
+ private static function calculateX509Fingerprint($x509cert) {
+ assert('is_string($x509cert)');
+
+ $lines = explode("\n", $x509cert);
+
+ $data = '';
+
+ foreach($lines as $line) {
+ /* Remove '\r' from end of line if present. */
+ $line = rtrim($line);
+ if($line === '-----BEGIN CERTIFICATE-----') {
+ /* Delete junk from before the certificate. */
+ $data = '';
+ } elseif($line === '-----END CERTIFICATE-----') {
+ /* Ignore data after the certificate. */
+ break;
+ } elseif($line === '-----BEGIN PUBLIC KEY-----') {
+ /* This isn't an X509 certificate. */
+ return NULL;
+ } else {
+ /* Append the current line to the certificate data. */
+ $data .= $line;
+ }
+ }
+
+ /* $data now contains the certificate as a base64-encoded string. The fingerprint
+ * of the certificate is the sha1-hash of the certificate.
+ */
+ return strtolower(sha1(base64_decode($data)));
+ }
+
+
/**
* Validate the fingerprint of the certificate which was used to sign this document.
*
@@ -117,9 +148,10 @@ class SimpleSAML_XML_Validator {
public function validateFingerprint($fingerprints) {
assert('is_string($fingerprints) || is_array($fingerprints)');
- if($this->x509Fingerprint === NULL) {
+ if($this->x509Certificate === NULL) {
throw new Exception('Key used to sign the message was not an X509 certificate.');
}
+ $certFingerprint = self::calculateX509Fingerprint($this->x509Certificate);
if(!is_array($fingerprints)) {
$fingerprints = array($fingerprints);
@@ -131,7 +163,7 @@ class SimpleSAML_XML_Validator {
/* Make sure that the fingerprint is in the correct format. */
$fp = strtolower(str_replace(":", "", $fp));
- if($fp === $this->x509Fingerprint) {
+ if($fp === $certFingerprint) {
/* The fingerprints matched. */
return;
}
@@ -140,7 +172,7 @@ class SimpleSAML_XML_Validator {
/* None of the fingerprints matched. Throw an exception describing the error. */
throw new Exception('Invalid fingerprint of certificate. Expected one of [' .
- implode('], [', $fingerprints) . '], but got [' . $this->x509Fingerprint . ']');
+ implode('], [', $fingerprints) . '], but got [' . $certFingerprint . ']');
}
diff --git a/lib/xmlseclibs.php b/lib/xmlseclibs.php
index c4fbe284e..6cb79d1f1 100644
--- a/lib/xmlseclibs.php
+++ b/lib/xmlseclibs.php
@@ -299,47 +299,6 @@ class XMLSecurityKey {
return $key;
}
- /* This function calculates the fingerprint of an X509 certificate.
- *
- * Parameters:
- * $x509cert The certificate as a base64-encoded string. The string may optionally
- * be framed with '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'.
- *
- * Returns:
- * The fingerprint as a 40-character lowercase hexadecimal number.
- * NULL is returned if the argument isn't an X509 certificate.
- */
- private static function calculateX509Fingerprint($x509cert) {
- assert('is_string($x509cert)');
-
- $lines = explode("\n", $x509cert);
-
- $data = '';
-
- foreach($lines as $line) {
- /* Remove '\r' from end of line if present. */
- $line = rtrim($line);
- if($line === '-----BEGIN CERTIFICATE-----') {
- /* Delete junk from before the certificate. */
- $data = '';
- } elseif($line === '-----END CERTIFICATE-----') {
- /* Ignore data after the certificate. */
- break;
- } elseif($line === '-----BEGIN PUBLIC KEY-----') {
- /* This isn't an X509 certificate. */
- return NULL;
- } else {
- /* Append the current line to the certificate data. */
- $data .= $line;
- }
- }
-
- /* $data now contains the certificate as a base64-encoded string. The fingerprint
- * of the certificate is the sha1-hash of the certificate.
- */
- return strtolower(sha1(base64_decode($data)));
- }
-
public function loadKey($key, $isFile=FALSE, $isCert = FALSE) {
if ($isFile) {
$this->key = file_get_contents($key);
@@ -556,20 +515,6 @@ class XMLSecurityKey {
public function getX509Certificate() {
return $this->X509Certificate;
}
-
-
- /* Get the fingerprint of this X509 certificate.
- *
- * Returns:
- * The fingerprint as a lowercase 40-character hexadecimal number, or NULL
- * if this isn't a X509 certificate.
- */
- public function getX509Fingerprint() {
- if($this->X509Certificate === NULL) {
- return NULL;
- }
- return self::calculateX509Fingerprint($this->X509Certificate);
- }
}
class XMLSecurityDSig {
--
GitLab