From 417353b344d5461ae5b48066171e3f1df9e4686f Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 22 Jan 2008 14:56:52 +0000
Subject: [PATCH] Shib13:AuthResponse: Change to use the new node validation
 method.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@186 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 39 +++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 931836090..c4558f930 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -30,7 +30,8 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	private $relayState = null;
 	
 	private $validIDs = null;
-	
+	private $validNodes = null;
+
 	const PROTOCOL = 'urn:oasis:names:tc:SAML:2.0';
 	const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol';
 	const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion';
@@ -101,6 +102,9 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		}
 		
 		$this->validIDs = $refids;
+
+		$this->validNodes = $objXMLSecDSig->getValidatedNodes();
+
 		return true;
 	}
 	
@@ -143,6 +147,34 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	
 		return ($fingerprint == $issuerFingerprint);
 	}
+
+
+	/* Checks if the given node is validated by the signatore on this response.
+	 *
+	 * Returns:
+	 *  TRUE if the node is validated or FALSE if not.
+	 */
+	private function isNodeValidated($node) {
+
+		if($this->validNodes === NULL) {
+			return FALSE;
+		}
+
+		/* Convert the node to a DOM node if it is an element from SimpleXML. */
+		if($node instanceof SimpleXMLElement) {
+			$node = dom_import_simplexml($node);
+		}
+
+		assert('$node instanceof DOMNode');
+
+		while($node !== NULL) {
+			if(in_array($node, $this->validNodes)) {
+				return TRUE;
+			}
+
+			$node = $node->parentNode;
+		}
+	}
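Review bot: `in_array($node, $this->validNodes)` at L61 uses loose comparison, and PHP's `==` on two objects of the same class compares their property tables; the DOM classes expose nodeName, parentNode and friends through internal handlers rather than stored properties, so two distinct DOMElement instances can compare equal, in which case every assertion looks validated as soon as validNodes holds any element and the check is a no-op. Compare node identity instead, via `isSameNode()` (or `in_array(..., TRUE)` if the wrapper objects are known to be the same), and return an explicit `FALSE` after the loop instead of falling off the end with NULL. Either form only matches if `$sxml` was imported from the same DOMDocument the signature was verified against; if it is a separate parse of the same text, no node will ever match and every assertion is rejected, which is worth confirming in the caller. The doc comment also says `signatore` for `signature`.
```php
		while($node !== NULL) {
			foreach($this->validNodes as $validNode) {
				if($node->isSameNode($validNode)) {
					return TRUE;
				}
			}

			$node = $node->parentNode;
		}

		return FALSE;
```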
 	
 	
 	public function createSession() {
@@ -219,9 +251,12 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			
 
 			
-			$assertions = $sxml->xpath('/samlp:Response[@ResponseID="' . $this->validIDs[0] . '"]/saml:Assertion');
+			$assertions = $sxml->xpath('/samlp:Response/saml:Assertion');
 
 			foreach ($assertions AS $assertion) {				
+				if(!$this->isNodeValidated($assertion)) {
+					throw new Exception('Shib13 AuthResponse contained an unsigned assertion.');
+				}
 
 				if ($assertion->Conditions) {
 
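Review bot: An empty `$assertions` result (or the FALSE that `xpath()` returns on error) skips the loop at L78 entirely, so a Response that carries no Assertion raises nothing here; whether that case is rejected depends on code after the hunk, since createSession() continues outside it. If it is not, add `if(empty($assertions)) { throw new Exception('Shib13 AuthResponse contained no assertions.'); }` before the loop so a missing signed assertion fails as loudly as an unsigned one. Dropping the ResponseID filter from the XPath is fine given the ancestor walk in isNodeValidated(), which accepts an assertion covered by a signature on either the Assertion itself or the enclosing Response.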
-- 