From d85f62b671ba9a854c84f3a0d081a19e846307d9 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 4 Jul 2008 12:40:49 +0000
Subject: [PATCH] SAML2 SP: Add support for CA path validation.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@771 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index d3f99895f..855908a6a 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -260,11 +260,24 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		$this->validator = new SimpleSAML_XML_Validator($node, 'ID', $publickey);
 		
 		if (!$publickey) {
-			/* Get fingerprint for the certificate of the issuer. */
-			$issuerFingerprint = $md['certFingerprint'];
+			if(array_key_exists('certFingerprint', $md)) {
+
+				/* Get fingerprint for the certificate of the issuer. */
+				$issuerFingerprint = $md['certFingerprint'];
 	
-			/* Validate the fingerprint. */
-			$this->validator->validateFingerprint($issuerFingerprint);
+				/* Validate the fingerprint. */
+				$this->validator->validateFingerprint($issuerFingerprint);
+
+			} elseif(array_key_exists('caFile', $md)) {
+
+				/* Validation against a CA file. */
+				$this->validator->validateCA($this->configuration->getPathValue('certdir') . $md['caFile']);
+			} else {
+
+				/* Misconfigured - neither publickey, certFingerprint or caFile given. */
+				throw new Exception('Misconfigured saml20-idp-remote ' . $this->issuer . ':' .
+					' Neither publickey, certFingerprint or caFile given.');
+			}
 		}
 	}
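Review bot: The new `caFile` branch widens the trust boundary compared with the fingerprint branch: a fingerprint pins one specific certificate, whereas chain validation against a CA file will, as far as this hunk shows, accept any certificate issued by that CA as the signing key for this IdP unless `validateCA()` (not visible here) also binds the certificate's subject to `$this->issuer`. If it does not, a second entity holding a certificate from the same CA could sign responses that are accepted as coming from this IdP, so the metadata entry deserves a comment making that explicit, e.g. `/* NOTE: with caFile, any certificate chaining to this CA is accepted as the IdP signing key; use a CA scoped to this federation or prefer certFingerprint/publickey. */`. The path is also built by plain concatenation, `getPathValue('certdir') . $md['caFile']`, so the result depends on `certdir` carrying a trailing separator, and a `caFile` value containing `..` or a directory prefix resolves outside the cert directory; the value comes from administrator-maintained metadata rather than from the peer, so this is a robustness rather than an injection concern, but `basename()` or a separator check would make the intent clear. Note too that when both `certFingerprint` and `caFile` are configured the CA file is silently ignored, which is worth a line in the metadata documentation. The enclosing method begins before the hunk, so its signature and the origin of `$publickey` and `$md` are not visible here.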
 
-- 
GitLab