From 44c393c9842f65020944bbbb485165cddfa1a3be Mon Sep 17 00:00:00 2001
From: Mads Freek Petersen <freek@wayf.dk>
Date: Tue, 22 Apr 2008 13:39:59 +0000
Subject: [PATCH] git-svn-id:
 https://simplesamlphp.googlecode.com/svn/trunk@505
 44740490-163a-0410-bde0-09ae8108e29a

---
 docs/source/simplesamlphp-sp.xml            | 11 +++++++++
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 25 ++++++++++++++-------
 lib/SimpleSAML/XML/Validator.php            | 11 +++++----
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml
index ad536ca1e..111abb1ac 100644
--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -436,6 +436,17 @@
               Features</emphasis> document.</para>
             </glossdef>
           </glossentry>
+
+          <glossentry>
+            <glossterm>certificate</glossterm>
+
+            <glossdef>
+              <para>Name of certificate file in PEM format, in the
+              <filename>certs</filename> directory. Used for decrypting
+              assertions and as an alternative to certFingerprint for
+              validating signatures. </para>
+            </glossdef>
+          </glossentry>
         </glosslist>
       </section>
 
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 03ca344b2..d97ee857b 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -175,17 +175,26 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	
 		$dom = $this->getDOM();
 
-		/* Validate the signature. */
-		$this->validator = new SimpleSAML_XML_Validator($dom, 'ID');
-
 		/* Get the metadata of the issuer. */
 		$md = $this->metadata->getMetaData($this->issuer, 'saml20-idp-remote');
 
-		/* Get fingerprint for the certificate of the issuer. */
-		$issuerFingerprint = $md['certFingerprint'];
-
-		/* Validate the fingerprint. */
-		$this->validator->validateFingerprint($issuerFingerprint);
+		$publickey = FALSE;
+		if (isset($md['certificate'])) {
+			$publickey = file_get_contents($this->configuration->getPathValue('certdir') . $md['certificate']);
+			if (!$publickey) {
+				throw new Exception("Optional saml20-idp-remote metadata 'certificate' set, but no certificate found");			
+			}
+		}
+		/* Validate the signature. */
+		$this->validator = new SimpleSAML_XML_Validator($dom, 'ID', $publickey);
+		
+		if (!$publickey) {
+			/* Get fingerprint for the certificate of the issuer. */
+			$issuerFingerprint = $md['certFingerprint'];
+	
+			/* Validate the fingerprint. */
+			$this->validator->validateFingerprint($issuerFingerprint);
+		}
 	}
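Review bot: The certificate path on the `file_get_contents` line is `getPathValue('certdir')` concatenated with the raw metadata value, so a `certificate` entry that carries directory components is read from wherever it points rather than from the certs directory the new glossary entry describes; restricting it to a file name, `$certfile = $this->configuration->getPathValue('certdir') . basename($md['certificate']);`, keeps the lookup where it is documented. The read result is then tested with `!$publickey`, which is adequate for catching a failed or empty read but would also reject a file whose whole content is `0`; `if ($publickey === FALSE || $publickey === '')` states the intent without that corner. In the fallback branch `$md['certFingerprint']` is still read without a presence check, so metadata with neither key configured reaches `validateFingerprint()` with NULL and an undefined-index notice instead of a clear error; an `isset` guard that throws an Exception naming the missing option would mirror the one added for `certificate`. The enclosing method begins before this hunk.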
 
 
diff --git a/lib/SimpleSAML/XML/Validator.php b/lib/SimpleSAML/XML/Validator.php
index 277011b17..8551cf99f 100644
--- a/lib/SimpleSAML/XML/Validator.php
+++ b/lib/SimpleSAML/XML/Validator.php
@@ -33,7 +33,7 @@ class SimpleSAML_XML_Validator {
 	 * @param $idAttribute  The ID attribute which is used in node references. If this attribute is
 	 *                      NULL (the default), then we will use whatever is the default ID.
 	 */
-	public function __construct($xmlDocument, $idAttribute = NULL) {
+	public function __construct($xmlDocument, $idAttribute = NULL, $publickey = FALSE) {
 		assert('$xmlDocument instanceof DOMDocument');
 
 		$this->xmlDocument = $xmlDocument;
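Review bot: The new `$publickey` parameter on the constructor signature is not described in the docblock that ends just above it, although the `@param` list there documents the other two arguments and the FALSE default gives no hint whether a PEM string, a path or a key object is expected. Adding `@param $publickey  PEM-encoded public key or certificate used to verify the signature. If FALSE (the default), the key is taken from the signature's own KeyInfo and should then be checked with validateFingerprint().` alongside the existing entries would document the two trust modes the class now has. The constructor body continues past the end of this hunk.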
@@ -69,10 +69,13 @@ class SimpleSAML_XML_Validator {
 		}
 
 		/* Load the key data. */
-		if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
-			throw new Exception('Error finding key data for XML signature validation.');
+		if ($publickey) {
+			$objKey->loadKey($publickey);
+		} else {
+			if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
+				throw new Exception('Error finding key data for XML signature validation.');
+			}
 		}
-
 		/* Check the signature. */
 		if (! $objXMLSecDSig->verify($objKey)) {
 			throw new Exception("Unable to validate Signature");
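Review bot: `if ($publickey)` chooses the trusted-key path by truthiness, so a caller that passes a non-FALSE but falsy string silently falls back to the key embedded in the message's KeyInfo, which is exactly the caller-supplied path the explicit key was meant to bypass; `if ($publickey !== FALSE)` matches the constructor default and leaves rejection of unusable key material to `loadKey()`. If that xmlseclibs call does not itself throw on input it cannot parse (worth confirming against the bundled version), an explicit check of `$objKey->key` with an Exception is needed here, since a silently unloaded key would otherwise surface only as a generic verify failure. A short comment on the branch, `/* A configured key overrides any KeyInfo carried in the message; no fingerprint check is needed in this mode. */`, would record why the fallback is skipped. This hunk sits inside the constructor, presumably, whose start and end are outside the hunk.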
-- 
GitLab