From 43f60f732f084793e1f891345826f97b7300c761 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 10 Aug 2010 11:27:15 +0000
Subject: [PATCH] Shib13: Add support for multiple certificates in metadata.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2514 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 27 ++++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index ce9ae7a71..bb9ca85bc 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -88,19 +88,28 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 
 		/* Get the metadata of the issuer. */
 		$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-		$md = $metadata->getMetaData($issuer, 'shib13-idp-remote');
-
-		if(array_key_exists('certFingerprint', $md)) {
-			/* Get fingerprint for the certificate of the issuer. */
-			$issuerFingerprint = $md['certFingerprint'];
+		$md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');
+
+		$publicKeys = $md->getPublicKeys('signing');
+		if ($publicKeys !== NULL) {
+			$certFingerprints = array();
+			foreach ($publicKeys as $key) {
+				if ($key['type'] !== 'X509Certificate') {
+					continue;
+				}
+				$certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
+			}
+			$this->validator->validateFingerprint($certFingerprints);
+		} elseif ($md->hasValue('certFingerprint')) {
+			$certFingerprints = $md->getArrayizeString('certFingerprint');
 
 			/* Validate the fingerprint. */
-			$this->validator->validateFingerprint($issuerFingerprint);
-		} elseif(array_key_exists('caFile', $md)) {
+			$this->validator->validateFingerprint($certFingerprints);
+		} elseif ($md->hasValue('caFile')) {
 			/* Validate against CA. */
-			$this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md['caFile']));
+			$this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md->getString('caFile')));
 		} else {
-			throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
+			throw new SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
 		}
 
 		return true;
-- 
GitLab