git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@505 44740490-163a-0410-bde0-09ae8108e29a

44c393c9 · Mads Freek Petersen · b0c12082 · 44c393c9 · 44c393c9 · 44c393c9
Commit 44c393c9 authored 17 years ago by Mads Freek Petersen
--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -436,6 +436,17 @@
              Features</emphasis> document.</para>
            </glossdef>
          </glossentry>
+          <glossentry>
+            <glossterm>certificate</glossterm>
+            <glossdef>
+              <para>Name of certificate file in PEM format, in the
+              <filename>certs</filename> directory. Used for decrypting
+              assertions and as an alternative to certFingerprint for
+              validating signatures. </para>
+            </glossdef>
+          </glossentry>
        </glosslist>
      </section>

--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -175,17 +175,26 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		$dom = $this->getDOM();
-		/* Validate the signature. */
-		$this->validator = new SimpleSAML_XML_Validator($dom, 'ID');
 		/* Get the metadata of the issuer. */
 		$md = $this->metadata->getMetaData($this->issuer, 'saml20-idp-remote');
-		/* Get fingerprint for the certificate of the issuer. */
+		$publickey = FALSE;
-		$issuerFingerprint = $md['certFingerprint'];
+		if (isset($md['certificate'])) {
+			$publickey = file_get_contents($this->configuration->getPathValue('certdir') . $md['certificate']);
-		/* Validate the fingerprint. */
+			if (!$publickey) {
-		$this->validator->validateFingerprint($issuerFingerprint);
+				throw new Exception("Optional saml20-idp-remote metadata 'certificate' set, but no certificate found");			
+			}
+		}
+		/* Validate the signature. */
+		$this->validator = new SimpleSAML_XML_Validator($dom, 'ID', $publickey);
+		if (!$publickey) {
+			/* Get fingerprint for the certificate of the issuer. */
+			$issuerFingerprint = $md['certFingerprint'];
+			/* Validate the fingerprint. */
+			$this->validator->validateFingerprint($issuerFingerprint);
+		}
 	}

--- a/lib/SimpleSAML/XML/Validator.php
+++ b/lib/SimpleSAML/XML/Validator.php
@@ -33,7 +33,7 @@ class SimpleSAML_XML_Validator {
 	 * @param $idAttribute  The ID attribute which is used in node references. If this attribute is
 	 *                      NULL (the default), then we will use whatever is the default ID.
 	 */
-	public function __construct($xmlDocument, $idAttribute = NULL) {
+	public function __construct($xmlDocument, $idAttribute = NULL, $publickey = FALSE) {
 		assert('$xmlDocument instanceof DOMDocument');
 		$this->xmlDocument = $xmlDocument;
@@ -69,10 +69,13 @@ class SimpleSAML_XML_Validator {
 		}
 		/* Load the key data. */
-		if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
+		if ($publickey) {
-			throw new Exception('Error finding key data for XML signature validation.');
+			$objKey->loadKey($publickey);
+		} else {
+			if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
+				throw new Exception('Error finding key data for XML signature validation.');
+			}
 		}
 		/* Check the signature. */
 		if (! $objXMLSecDSig->verify($objKey)) {
 			throw new Exception("Unable to validate Signature");