From 8ebe7ebc74d56920a6a783c2006a101844062aba Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 4 Jul 2008 12:40:32 +0000
Subject: [PATCH] parseMetadata / SAMLParser: Change to use the new CA
 validation function of XML_Validator.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@770 44740490-163a-0410-bde0-09ae8108e29a
---
 bin/parseMetadata.php                  | 66 ++------------------------
 lib/SimpleSAML/Metadata/SAMLParser.php | 21 ++++++++
 2 files changed, 25 insertions(+), 62 deletions(-)

diff --git a/bin/parseMetadata.php b/bin/parseMetadata.php
index afc604013..30f47dedb 100755
--- a/bin/parseMetadata.php
+++ b/bin/parseMetadata.php
@@ -13,6 +13,9 @@ $baseDir = dirname(dirname(__FILE__));
 /* Add library autoloader. */
 require_once($baseDir . '/lib/_autoload.php');
 
+/* Initialize the configuration. */
+SimpleSAML_Configuration::init($baseDir . '/config');
+
 /* $outputDir contains the directory we will store the generated metadata in. */
 $outputDir = $baseDir . '/metadata-generated';
 
@@ -160,60 +163,6 @@ function printHelp() {
 }
 
 
-/**
- * This function checks the given certificate against the CA root.
- *
- * @param $certificate  The certificate which should be checked, as a string with a PEM-encoded certificate.
- */
-function verifyCertificate($certificate) {
-	static $verifiedCertificates = array();
-	if(array_key_exists($certificate, $verifiedCertificates)) {
-		return $verifiedCertificates[$certificate];
-	}
-
-	$command = array(
-		'openssl', 'verify',
-		'-CAfile', $GLOBALS['ca'],
-		'-purpose', 'any',
-		);
-
-	$cmdline = '';
-	foreach($command as $c) {
-		$cmdline .= escapeshellarg($c) . ' ';
-	}
-
-	$cmdline .= '2>&1';
-	$descSpec = array(
-		0 => array('pipe', 'r'),
-		1 => array('pipe', 'w'),
-		);
-	$process = proc_open($cmdline, $descSpec, $pipes);
-	if(!is_resource($process)) {
-		echo('Failed to execute verification command: ' . $cmdline . "\n");
-		exit(1);
-	}
-
-	if(fwrite($pipes[0], $certificate) === FALSE) {
-		echo('Failed to write certificate for verification.' . "\n");
-		exit(1);
-	}
-	fclose($pipes[0]);
-
-	$out = trim(fgets($pipes[1]));
-	fclose($pipes[1]);
-
-	$status = proc_close($process);
-	if($status !== 0 || $out !== 'stdin: OK') {
-		$ok = FALSE;
-	} else {
-		$ok = TRUE;
-	}
-
-	$verifiedCertificates[$certificate] = $ok;
-	return $ok;
-}
-
-
 /**
  * This function writes the metadata to to separate files in the output directory.
  */
@@ -309,14 +258,7 @@ function processFile($filename) {
 		}
 
 		if($ca !== NULL) {
-			$ok = FALSE;
-			foreach($entity->getX509Certificates() as $cert) {
-				if(verifyCertificate($cert)) {
-					$ok = TRUE;
-					break;
-				}
-			}
-			if(!$ok) {
+			if(!$entity->validateCA($ca)) {
 				echo('Skipping "' . $entity->getEntityId() . '" - could not verify certificate.' . "\n");
 				continue;
 			}
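Review bot: `$ca !== NULL` is the only check before `$entity->validateCA($ca)`, and nothing in this hunk confirms that the path is readable; since the validateCA method added to SAMLParser in this commit turns any exception into FALSE, a mistyped CA path would skip every entity with the same generic "could not verify certificate" message. A one-time guard where `$ca` is set, e.g. `if ($ca !== NULL && !is_readable($ca)) { echo('CA file not readable: ' . $ca . "\n"); exit(1); }`, makes that failure loud instead of silent. processFile begins before this hunk, so where `$ca` is assigned is not visible here.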
diff --git a/lib/SimpleSAML/Metadata/SAMLParser.php b/lib/SimpleSAML/Metadata/SAMLParser.php
index e002e5dfa..60b528591 100644
--- a/lib/SimpleSAML/Metadata/SAMLParser.php
+++ b/lib/SimpleSAML/Metadata/SAMLParser.php
@@ -1149,6 +1149,27 @@ class SimpleSAML_Metadata_SAMLParser {
 		return $ret;
 	}
 
+
+	/**
+	 * Validate the EntityDescriptor against a CA.
+	 *
+	 * @param $caFile  A file with trusted certificates, in PEM format.
+	 * @return  TRUE if this CA can validate the EntityDescriptor, FALSE if not.
+	 */
+	public function validateCA($caFile) {
+
+		foreach($this->validator as $validator) {
+			try {
+				$validator->validateCA($caFile);
+				return TRUE;
+			} catch(Exception $e) {
+				/* Validation with this validator failed. */
+			}
+		}
+
+		return FALSE;
+	}
+
 }
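Review bot: The `catch(Exception $e)` inside the loop discards every failure, so a missing or unreadable CA file is indistinguishable from a certificate that simply does not chain to it — the caller in bin/parseMetadata.php then prints "could not verify certificate" for each entity with no hint of the real cause. Trying the next validator is clearly the intent, so keep the catch, but record the reason before moving on: replace the comment with `/* Validation with this validator failed - try the next one. */` and log `$e->getMessage()` at debug level through the project's logger, or collect the messages and report them on the FALSE path. The docblock should also say that an entity with no validators (presumably the unsigned case) yields FALSE, since that is what the loop does. What `$validator->validateCA()` itself accepts or throws is not visible in this hunk.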
 
 ?>
\ No newline at end of file
-- 
GitLab