Commit 6d9d1a7b authored by Olav Morken

bin/parseMetadata.php: Added support for requiring the metadata to be signed...

bin/parseMetadata.php: Added support for requiring the metadata to be signed by a certificate with the specified fingerprint.


git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@592 44740490-163a-0410-bde0-09ae8108e29a
parent ceb64123
...@@ -29,6 +29,11 @@ $outputDir = $baseDir . '/metadata-generated'; ...@@ -29,6 +29,11 @@ $outputDir = $baseDir . '/metadata-generated';
*/ */
$toStdOut = FALSE; $toStdOut = FALSE;
/* $validateFingerprint contains the fingerprint of the certificate which should have been used
* to sign the EntityDescriptor in the metadata, or NULL if fingerprint validation shouldn't be
* done.
*/
$validateFingerprint = NULL;
/* This variable contains the files we will parse. */ /* This variable contains the files we will parse. */
...@@ -68,6 +73,14 @@ foreach($argv as $a) { ...@@ -68,6 +73,14 @@ foreach($argv as $a) {
} }
switch($a) { switch($a) {
case '--validate-fingerprint':
if($v === NULL || strlen($v) === 0) {
echo('The --validate-fingerprint option requires an parameter.' . "\n");
echo('Please run `' . $progName . ' --help` for usage information.' . "\n");
exit(1);
}
$validateFingerprint = $v;
break;
case '--help': case '--help':
printHelp(); printHelp();
exit(0); exit(0);
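Review bot: The value given to `--validate-fingerprint` is stored verbatim in `$validateFingerprint` and neither the help text nor the comment on the variable says what form is expected (digest algorithm, hex case, with or without `:` separators), so whether `AB:CD:…` and `abcd…` are treated as the same fingerprint depends entirely on the entity's `validateFingerprint()`, which is outside this diff. I would state the accepted format in the comment block introduced in the first hunk and in the `--validate-fingerprint=<FINGERPRINT>` help lines, and, if the entity-side comparison does not already normalise, do it once here with `$validateFingerprint = strtolower(str_replace(':', '', $v));` so an operator-typed fingerprint does not silently fail to match and skip every entity. The error message on the empty-value path also reads `requires an parameter`; it should be `'The --validate-fingerprint option requires a parameter.'`. The enclosing `switch($a)` and the `foreach($argv as $a)` loop begin and end outside this hunk.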
...@@ -127,6 +140,10 @@ function printHelp() { ...@@ -127,6 +140,10 @@ function printHelp() {
echo('be added to the metadata files in metadata/.' . "\n"); echo('be added to the metadata files in metadata/.' . "\n");
echo("\n"); echo("\n");
echo('Options:' . "\n"); echo('Options:' . "\n");
echo(' --validate-fingerprint=<FINGERPRINT>' . "\n");
echo(' Check the signature of the metadata,' . "\n");
echo(' and check the fingerprint of the' . "\n");
echo(' certificate against <FINGERPRINT>.' . "\n");
echo(' -h, --help Print this help.' . "\n"); echo(' -h, --help Print this help.' . "\n");
echo(' -o=<DIR>, --out-dir=<DIR> Write the output to this directory. The' . "\n"); echo(' -o=<DIR>, --out-dir=<DIR> Write the output to this directory. The' . "\n");
echo(' default directory is metadata-generated/' . "\n"); echo(' default directory is metadata-generated/' . "\n");
...@@ -219,7 +236,16 @@ function dumpMetadataStdOut() { ...@@ -219,7 +236,16 @@ function dumpMetadataStdOut() {
function processFile($filename) { function processFile($filename) {
$entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsFile($filename); $entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsFile($filename);
global $validateFingerprint;
foreach($entities as $entity) { foreach($entities as $entity) {
if($validateFingerprint !== NULL) {
if(!$entity->validateFingerprint($validateFingerprint)) {
echo('Skipping "' . $entity->getEntityId() . '" - could not verify signature.' . "\n");
continue;
}
}
addMetadata($filename, $entity->getMetadata1xSP(), 'shib13-sp-remote'); addMetadata($filename, $entity->getMetadata1xSP(), 'shib13-sp-remote');
addMetadata($filename, $entity->getMetadata1xIdP(), 'shib13-idp-remote'); addMetadata($filename, $entity->getMetadata1xIdP(), 'shib13-idp-remote');
addMetadata($filename, $entity->getMetadata20SP(), 'saml20-sp-remote'); addMetadata($filename, $entity->getMetadata20SP(), 'saml20-sp-remote');