diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php index 8ba625a0a9e37e7a4e4846281e972524314d6a5e..d928030fb7ba1631a968497041ef86a4d5942c21 100644 --- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php +++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php @@ -5,6 +5,7 @@ require_once('SimpleSAML/Session.php'); require_once('SimpleSAML/Utilities.php'); require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php'); require_once('SimpleSAML/XML/AuthnResponse.php'); +require_once('SimpleSAML/XML/Validator.php'); require_once('xmlseclibs.php'); @@ -25,8 +26,11 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { private $dom; private $relayState = null; - private $validIDs = null; - private $validNodes = null; + /** + * This variable contains an XML validator for this message. + */ + private $validator = null; + const PROTOCOL = 'urn:oasis:names:tc:SAML:2.0'; const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'; @@ -46,103 +50,24 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { public function validate() { $dom = $this->getDOM(); - - /* Create an XML security object, and register ID as the id attribute for sig references. */ - $objXMLSecDSig = new XMLSecurityDSig(); - $objXMLSecDSig->idKeys[] = 'ResponseID'; - - /* Locate the signature element to be used. */ - $objDSig = $objXMLSecDSig->locateSignature($dom); - - /* If no signature element was found, throw an error */ - if (!$objDSig) { - throw new Exception("Could not locate XML Signature element in Authentication Response"); - } - - - /* Get information about canoncalization in to the xmlsec library. Read from the siginfo part. */ - $objXMLSecDSig->canonicalizeSignedInfo(); - - $refids = $objXMLSecDSig->getRefIDs(); - - - - /* Validate refrences */ - $retVal = $objXMLSecDSig->validateReference(); - if (! $retVal) { - throw new Exception("XMLsec: digest validation failed"); - } - - $key = NULL; - $objKey = $objXMLSecDSig->locateKey(); - - if ($objKey) { - if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) { - /* Handle any additional key processing such as encrypted keys here */ - } - } - - if (empty($objKey)) { - throw new Exception("Error loading key to handle Signature"); - } + /* Validate the signature. */ + $this->validator = new SimpleSAML_XML_Validator($dom, 'ResponseID'); + // Get the issuer of the response. + $issuer = $this->getIssuer(); - /* Check certificate fingerprint. */ - if ( ! $this->validateCertFingerprint($objKey) ) { - throw new Exception("Fingerprint Validation Failed"); - } + /* Get the metadata of the issuer. */ + $md = $this->metadata->getMetaData($issuer, 'shib13-idp-remote'); - if (! $objXMLSecDSig->verify($objKey)) { - throw new Exception("Unable to validate Signature"); - } - - $this->validIDs = $refids; + /* Get fingerprint for the certificate of the issuer. */ + $issuerFingerprint = $md['certFingerprint']; - $this->validNodes = $objXMLSecDSig->getValidatedNodes(); + /* Validate the fingerprint. */ + $this->validator->validateFingerprint($issuerFingerprint); return true; } - - - - - function validateCertFingerprint($objKey) { - - /* Get the fingerprint. */ - $fingerprint = $objKey->getX509Fingerprint(); - if($fingerprint === NULL) { - throw new Exception('Key used to sign the message wasn\'t an X509 certificate.'); - } - - // Get the issuer of the assertion. - $issuer = $this->getIssuer(); - - //echo 'found issuer: ' . $this->getIssuer(); - $md = $this->metadata->getMetaData($issuer, 'shib13-idp-remote'); - - /* - * Get fingerprint from saml20-idp-remote metadata... - * - * Accept fingerprints with or without colons, case insensitive - */ - $issuerFingerprint = strtolower( str_replace(":", "", $md['certFingerprint']) ); - - //echo 'issuer fingerprint: ' . $issuerFingerprint; - - if (empty($issuerFingerprint)) { - throw new Exception("Certificate finger print for entity ID [" . $issuer . "] in metadata was empty."); - } - if (empty($fingerprint)) { - throw new Exception("Certificate finger print in message was empty."); - } - - if ($fingerprint != $issuerFingerprint) { - throw new Exception("Expecting certificate fingerprint [$issuerFingerprint] but got [$fingerprint]"); - } - - return ($fingerprint == $issuerFingerprint); - } /* Checks if the given node is validated by the signatore on this response. @@ -152,7 +77,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { */ private function isNodeValidated($node) { - if($this->validNodes === NULL) { + if($this->validator === NULL) { return FALSE; } @@ -163,18 +88,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse { assert('$node instanceof DOMNode'); - while($node !== NULL) { - if(in_array($node, $this->validNodes)) { - return TRUE; - } - - $node = $node->parentNode; - } - - /* Neither this node nor any of the parent nodes could be found in the list of - * signed nodes. - */ - return FALSE; + return $this->validator->isNodeValidated($node); }