From bc16ada550dfd23e7ff704864720b58a8d36fdd4 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 26 Mar 2010 10:14:37 +0000
Subject: [PATCH] Allow absolute paths to certificates.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2237 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Bindings/Shib13/Artifact.php |  3 +--
 lib/SimpleSAML/Metadata/Signer.php          |  4 ++--
 lib/SimpleSAML/Utilities.php                | 21 +++++++++++++++++----
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php |  3 +--
 lib/SimpleSAML/XML/Signer.php               | 16 +++-------------
 modules/adfs/lib/IdP/ADFS.php               |  6 +++---
 modules/saml2/lib/Message.php               |  3 +--
 www/wsfed/sp/prp.php                        |  2 +-
 8 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/lib/SimpleSAML/Bindings/Shib13/Artifact.php b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
index 263335e37..d1693373d 100644
--- a/lib/SimpleSAML/Bindings/Shib13/Artifact.php
+++ b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
@@ -137,8 +137,7 @@ class SimpleSAML_Bindings_Shib13_Artifact {
 			SimpleSAML_Utilities::writeFile($file, $certData);
 		}
 
-		$globalConfig = SimpleSAML_Configuration::getInstance();
-		$spKeyCertFile = $globalConfig->getPathValue('certdir', 'cert/') . $spMetadata->getString('privatekey');
+		$spKeyCertFile = SimpleSAML_Utilities::resolveCert($spMetadata->getString('privatekey'));
 
 		$opts = array(
 			'ssl' => array(
diff --git a/lib/SimpleSAML/Metadata/Signer.php b/lib/SimpleSAML/Metadata/Signer.php
index bd81709f2..d6964690f 100644
--- a/lib/SimpleSAML/Metadata/Signer.php
+++ b/lib/SimpleSAML/Metadata/Signer.php
@@ -143,13 +143,13 @@ class SimpleSAML_Metadata_Signer {
 
 		$keyCertFiles = self::findKeyCert($config, $entityMetadata, $type);
 
-		$keyFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['privatekey'];
+		$keyFile = SimpleSAML_Utilities::resolveCert($keyCertFiles['privatekey']);
 		if (!file_exists($keyFile)) {
 			throw new Exception('Could not find private key file [' . $keyFile . '], which is needed to sign the metadata');
 		}
 		$keyData = file_get_contents($keyFile);
 
-		$certFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['certificate'];
+		$certFile = SimpleSAML_Utilities::resolveCert($keyCertFiles['certificate']);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find certificate file [' . $certFile . '], which is needed to sign the metadata');
 		}
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index dea9998d5..18ff41bc4 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1478,6 +1478,21 @@ class SimpleSAML_Utilities {
 	}
 
 
+	/**
+	 * Resolves a path that may be relative to the cert-directory.
+	 *
+	 * @param string $path  The (possibly relative) path to the file.
+	 * @return string  The file path.
+	 */
+	public static function resolveCert($path) {
+		assert('is_string($path)');
+
+		$globalConfig = SimpleSAML_Configuration::getInstance();
+		$base = $globalConfig->getPathValue('certdir', 'cert/');
+		return SimpleSAML_Utilities::resolvePath($path, $base);
+	}
+
+
 	/**
 	 * Get public key or certificate from metadata.
 	 *
@@ -1525,8 +1540,7 @@ class SimpleSAML_Utilities {
 
 		} elseif (array_key_exists($prefix . 'certificate', $metadata)) {
 			/* Reference to certificate file. */
-			$config = SimpleSAML_Configuration::getInstance();
-			$file = $config->getPathValue('certdir', 'cert/') . $metadata[$prefix . 'certificate'];
+			$file = SimpleSAML_Utilities::resolveCert($metadata[$prefix . 'certificate']);
 			$data = @file_get_contents($file);
 			if ($data === FALSE) {
 				throw new Exception('Unable to load certificate/public key from file "' . $file . '"');
@@ -1612,8 +1626,7 @@ class SimpleSAML_Utilities {
 			}
 		}
 
-		$config = SimpleSAML_Configuration::getInstance();
-		$file = $config->getPathValue('certdir', 'cert/') . $metadata[$prefix . 'privatekey'];
+		$file = SimpleSAML_Utilities::resolveCert($metadata[$prefix . 'privatekey']);
 		$data = @file_get_contents($file);
 		if ($data === FALSE) {
 			throw new Exception('Unable to load private key from file "' . $file . '"');
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 5a3ba1406..56ba0c114 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -98,8 +98,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 			$this->validator->validateFingerprint($issuerFingerprint);
 		} elseif(array_key_exists('caFile', $md)) {
 			/* Validate against CA. */
-			$globalConfig = SimpleSAML_Configuration::getInstance();
-			$this->validator->validateCA($globalConfig->getPathValue('certdir', 'cert/') . $md['caFile']);
+			$this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md['caFile']));
 		} else {
 			throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
 		}
diff --git a/lib/SimpleSAML/XML/Signer.php b/lib/SimpleSAML/XML/Signer.php
index f07f48b02..7072e27c6 100644
--- a/lib/SimpleSAML/XML/Signer.php
+++ b/lib/SimpleSAML/XML/Signer.php
@@ -12,11 +12,6 @@
 class SimpleSAML_XML_Signer {
 
 
-	/**
-	 * The path to the simpleSAMLphp cert dir.
-	 */
-	private static $certDir = FALSE;
-
 	/**
 	 * The name of the ID attribute.
 	 */
@@ -58,11 +53,6 @@ class SimpleSAML_XML_Signer {
 	public function __construct($options = array()) {
 		assert('is_array($options)');
 
-		if(self::$certDir === FALSE) {
-			$config = SimpleSAML_Configuration::getInstance();
-			self::$certDir = $config->getPathValue('certdir', 'cert/');
-		}
-
 		$this->idAttrName = FALSE;
 		$this->privateKey = FALSE;
 		$this->certificate = FALSE;
@@ -128,7 +118,7 @@ class SimpleSAML_XML_Signer {
 		assert('is_string($file)');
 		assert('is_string($pass) || is_null($pass)');
 
-		$keyFile = self::$certDir . $file;
+		$keyFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($keyFile)) {
 			throw new Exception('Could not find private key file "' . $keyFile . '".');
 		}
@@ -178,7 +168,7 @@ class SimpleSAML_XML_Signer {
 	public function loadCertificate($file) {
 		assert('is_string($file)');
 
-		$certFile = self::$certDir . $file;
+		$certFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find certificate file "' . $certFile . '".');
 		}
@@ -213,7 +203,7 @@ class SimpleSAML_XML_Signer {
 	public function addCertificate($file) {
 		assert('is_string($file)');
 
-		$certFile = self::$certDir . $file;
+		$certFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find extra certificate file "' . $certFile . '".');
 		}
diff --git a/modules/adfs/lib/IdP/ADFS.php b/modules/adfs/lib/IdP/ADFS.php
index da55aa28a..144a7a2a1 100644
--- a/modules/adfs/lib/IdP/ADFS.php
+++ b/modules/adfs/lib/IdP/ADFS.php
@@ -156,9 +156,9 @@ class sspmod_adfs_IdP_ADFS {
 		
 		$response = sspmod_adfs_IdP_ADFS::ADFS_GenerateResponse($idpEntityId, $spEntityId, $nameid, $attributes);
 
-		$config = SimpleSAML_Configuration::getInstance();
-		$certdir = $config->getPathValue('certdir', 'cert/');		
-		$wresult = sspmod_adfs_IdP_ADFS::ADFS_SignResponse($response, $certdir . $idpMetadata->getString('privatekey'), $certdir . $idpMetadata->getString('certificate'));
+		$privateKeyFile = SimpleSAML_Utilities::resolveCert($idpMetadata->getString('privatekey'));
+		$certificateFile = SimpleSAML_Utilities::resolveCert($idpMetadata->getString('certificate'));
+		$wresult = sspmod_adfs_IdP_ADFS::ADFS_SignResponse($response, $privateKeyFile, $certificateFile);
 
 		$wctx = $state['adfs:wctx'];
 		sspmod_adfs_IdP_ADFS::ADFS_PostResponse($spMetadata->getValue('prp'), $wresult, $wctx);
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index 10e41a4dc..6a5b54418 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -164,8 +164,7 @@ class sspmod_saml2_Message {
 					'Missing certificate in metadata for ' .
 					var_export($srcMetadata->getString('entityid'), TRUE));
 			}
-			$globalConfig = SimpleSAML_Configuration::getInstance();
-			$caFile = $globalConfig->getPathValue('certdir', 'cert/') . $caFile;
+			$caFile = SimpleSAML_Utilities::resolveCert($caFile);
 
 			if (count($certificates) === 0) {
 				/* We need the full certificate in order to check it against the CA file. */
diff --git a/www/wsfed/sp/prp.php b/www/wsfed/sp/prp.php
index d5c3becc7..be7f77280 100644
--- a/www/wsfed/sp/prp.php
+++ b/www/wsfed/sp/prp.php
@@ -78,7 +78,7 @@ try {
 
 	/* Find the certificate used by the IdP. */
 	if(array_key_exists('certificate', $idpMetadata)) {
-		$certFile = $config->getPathvalue('certdir', 'cert/') . $idpMetadata['certificate'];
+		SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);
 	} else {
 		throw new Exception('Missing \'certificate\' metadata option in the \'wsfed-idp-remote\' metadata' .
 			' for the IdP \'' .  $idpEntityId . '\'.');
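Review bot: The replacement line in prp.php drops the `$certFile =` assignment, so the resolved path is discarded and `$certFile` is no longer set in the `certificate` branch; the line should read `$certFile = SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);`. Any later use of `$certFile` in this block would now see an undefined variable, which presumably breaks validation of the IdP certificate rather than merely changing the path. The enclosing try block starts and ends outside the hunk, so the downstream use is not visible here but the comment on the preceding context line ("Find the certificate used by the IdP") indicates the value is meant to be kept.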
-- 
GitLab