From 982df6856335858882b400dcf7a24b1b6505e305 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 4 Jul 2008 12:41:04 +0000
Subject: [PATCH] Shib13 SP: Add support for CA path validation.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@772 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index bec925162..2a990b4ff 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -42,14 +42,18 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		/* Get the metadata of the issuer. */
 		$md = $this->metadata->getMetaData($issuer, 'shib13-idp-remote');
 
-		if (!array_key_exists('certFingerprint', $md))
-			throw new Exception('Required field [certFingerprint] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
-
-		/* Get fingerprint for the certificate of the issuer. */
-		$issuerFingerprint = $md['certFingerprint'];
-
-		/* Validate the fingerprint. */
-		$this->validator->validateFingerprint($issuerFingerprint);
+		if(array_key_exists('certFingerprint', $md)) {
+			/* Get fingerprint for the certificate of the issuer. */
+			$issuerFingerprint = $md['certFingerprint'];
+
+			/* Validate the fingerprint. */
+			$this->validator->validateFingerprint($issuerFingerprint);
+		} elseif(array_key_exists('caFile', $md)) {
+			/* Validate against CA. */
+			$this->validator->validateCA($this->configuration->getPathValue('certdir') . $md['caFile']);
+		} else {
+			throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
+		}
 
 		return true;
 	}
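Review bot: The caFile branch at the elseif hands `getPathValue('certdir') . $md['caFile']` straight to validateCA without confirming the file exists, so a typo in the metadata entry surfaces as a signature-validation failure rather than a configuration error, and whether getPathValue() guarantees a trailing directory separator is not visible in this hunk, so the plain concatenation may also produce a wrong path silently. I would resolve the path once and guard it: `$caFile = $this->configuration->getPathValue('certdir') . $md['caFile'];` then `if (!is_readable($caFile)) { throw new Exception('CA file [' . $caFile . '] for identity provider [' . $issuer . '] is not readable.'); }` before the validateCA call. The precedence when both keys are present (certFingerprint wins and caFile is ignored) deserves a comment such as `/* A fingerprint takes precedence over caFile when both are configured. */`, and the message on the else branch still tells the operator only to "add a fingerprint" although caFile is now an accepted alternative. The enclosing method's signature lies above the hunk.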
-- 
GitLab