From 4c5bf5676d651db68b1ba47efedfaa74fa939bfd Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 23 Jun 2008 08:22:35 +0000
Subject: [PATCH] XML_Validator: Added support for multiple valid fingerprints.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@688 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/Validator.php | 38 ++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/lib/SimpleSAML/XML/Validator.php b/lib/SimpleSAML/XML/Validator.php
index 9cc839c4d..88e61ceaf 100644
--- a/lib/SimpleSAML/XML/Validator.php
+++ b/lib/SimpleSAML/XML/Validator.php
@@ -105,28 +105,42 @@ class SimpleSAML_XML_Validator {
 
 
 	/**
-	 * This function validates that the fingerprint of the certificate which was used to
-	 * sign this document matches the given fingerprint. An exception will be thrown if
-	 * the fingerprints doesn't match.
+	 * Validate the fingerprint of the certificate which was used to sign this document.
 	 *
-	 * @param $fingerprint  The fingerprint which should match.
+	 * This function accepts either a string, or an array of strings as a parameter. If this
+	 * is an array, then any string (certificate) in the array can match. If this is a string,
+	 * then that string must match,
+	 *
+	 * @param $fingerprints  The fingerprints which should match. This can be a single string,
+	 *                       or an array of fingerprints.
 	 */
-	public function validateFingerprint($fingerprint) {
-		assert('is_string($fingerprint)');
+	public function validateFingerprint($fingerprints) {
+		assert('is_string($fingerprints) || is_array($fingerprints)');
 
 		if($this->x509Fingerprint === NULL) {
 			throw new Exception('Key used to sign the message was not an X509 certificate.');
 		}
 
-		/* Make sure that the fingerprint is in the correct format. */
-		$fingerprint = strtolower(str_replace(":", "", $fingerprint));
+		if(!is_array($fingerprints)) {
+			$fingerprints = array($fingerprints);
+		}
+
+		foreach($fingerprints as $fp) {
+			assert('is_string($fp)');
+
+			/* Make sure that the fingerprint is in the correct format. */
+			$fp = strtolower(str_replace(":", "", $fp));
+
+			if($fp === $this->x509Fingerprint) {
+				/* The fingerprints matched. */
+				return;
+			}
 
-		/* Compare the fingerprints. Throw an exception if they didn't match. */
-		if ($fingerprint !== $this->x509Fingerprint) {
-			throw new Exception('Expecting certificate fingerprint [' . $fingerprint . '] but got [' . $this->x509Fingerprint . ']');
 		}
 
-		/* The fingerprints matched. */
+		/* None of the fingerprints matched. Throw an exception describing the error. */
+		throw new Exception('Invalid fingerprint of certificate. Expected one of [' .
+			implode('], [', $fingerprints) . '], but got [' . $this->x509Fingerprint . ']');
 	}
 
 
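Review bot: The exception at the end of the hunk interpolates the raw caller-supplied `$fingerprints`, while the loop compared the normalised form (colons stripped, lowercased) in the local `$fp`, so a mismatch report shows a spelling that differs from what was actually compared against `$this->x509Fingerprint`; collecting each normalised `$fp` into a separate array and imploding that instead would make the message match the check. The string-form `assert('is_string($fp)')` is the only per-element type check and is typically disabled in production, so a non-string element reaches `str_replace()` and merely fails to match — that is fail-closed, but an explicit `if (!is_string($fp)) { throw new Exception('Fingerprint must be a string.'); }` would surface the misconfiguration rather than report it as a certificate mismatch. An empty array passes the assert and rejects every certificate, which is the safe outcome and worth stating in the new docblock: `If the array is empty, no certificate will be accepted.` The new docblock sentence `then that string must match,` also ends in a comma where a period is meant.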
-- 
GitLab