From d6d38a3b506cde9fa35dfa57c48bd90b19f92fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Wed, 27 Aug 2008 12:43:28 +0000
Subject: [PATCH] Adding support for signing Assertions in shib13 protocol.
 Request from eduGAIN folks

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@840 44740490-163a-0410-bde0-09ae8108e29a
---
 config-templates/config.php                 |  2 +
 lib/SimpleSAML/Bindings/Shib13/HTTPPost.php | 44 ++++++++++++++++++---
 2 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index 8546299ec..cd7276d18 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -212,6 +212,8 @@ $config = array (
 	 * same name to the metadata of the SP.
 	 */
 	'saml20.signresponse' => FALSE,
+	'shib13.signresponse' => TRUE,
+
 
 	/*
 	 * Configuration of Consent storage used for attribute consent.
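Review bot: The new `'shib13.signresponse' => TRUE` entry is added without the explanatory comment that its `'saml20.signresponse'` neighbour gets, so a reader of the template cannot tell what TRUE means here. Based on how the option is read in HTTPPost.php in this same commit, a comment such as `/* Whether the Shib 1.3 IdP signs the Response element (TRUE) or only the Assertion (FALSE). An SP can override this with a 'signresponse' option in its metadata. */` above the line would close that gap. The added empty line directly precedes an already-blank line; one of the two is enough.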
diff --git a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
index 2026e658b..e6073b6b6 100644
--- a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
@@ -112,13 +112,47 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
 		$responsedom->loadXML(str_replace ("\r", "", $response));
 		
 		$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
+		
+		$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
+		
+		
+		
+		/* Determine what we should sign - either the Response element or the Assertion. The default
+		 * is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
+		 * SP metadata or 'saml20.signresponse' in the global configuration.
+		 */
+		$signResponse = FALSE;
+		if(array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
+			$signResponse = $spmd['signresponse'];
+			if(!is_bool($signResponse)) {
+				throw new Exception('Expected the \'signresponse\' option in the metadata of the' .
+					' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
+			}
+		} else {
+			$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
+		}
+		
+		/* Check if we have an assertion to sign. Force to sign the response if not. */
+		if($firstassertionroot === NULL) {
+			$signResponse = TRUE;
+		}
+		
+		
+		
+		if(!$signResponse) {
+			$signer->sign($firstassertionroot, $firstassertionroot);
+		}
+		
+		if($signResponse) {
+			/* Sign the response - this must be done after encrypting the assertion. */
 
-		/* We insert the signature before the saml1p:Status element. */
-		$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
-		assert('count($statusElements) === 1');
-
-		$signer->sign($responseroot, $responseroot, $statusElements[0]);
+			/* We insert the signature before the saml2p:Status element. */
+			$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
+			assert('count($statusElements) === 1');
 
+			$signer->sign($responseroot, $responseroot, $statusElements[0]);
+		}
+		
 		$response = $responsedom->saveXML();
 		
 		
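Review bot: The block comment above `$signResponse = FALSE;` names the wrong option and the wrong default: the code falls back to `getBoolean('shib13.signresponse', TRUE)`, so the default is to sign the Response, not the Assertion, and the global option is `'shib13.signresponse'`, not `'saml20.signresponse'`; it should read `/* Determine what we should sign - either the Response element or the Assertion. The default is to sign the Response, but that can be overridden by the 'signresponse' option in the SP metadata or 'shib13.signresponse' in the global configuration. */`. Similarly the comment before the Status lookup says `saml2p:Status` while the lookup uses `'@saml1p'`; it should be `/* We insert the signature before the saml1p:Status element. */`. The consecutive `if(!$signResponse)` and `if($signResponse)` blocks are an if/else and read more clearly written as one. `getElementsByTagName('Assertion')` matches any namespace, so it is worth confirming the first hit is the SAML 1 Assertion being issued rather than some other element of that name; the enclosing method starts and ends outside the hunk.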
-- 
GitLab