SAML2 SP: Add support for CA path validation.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@771 44740490-163a-0410-bde0-09ae8108e29a

SAML2 SP: Add support for CA path validation.
d85f62b6 · Olav Morken · 8ebe7ebc · d85f62b6
Commit d85f62b6 authored 16 years ago by Olav Morken
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -260,11 +260,24 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		$this->validator = new SimpleSAML_XML_Validator($node, 'ID', $publickey);
 		if (!$publickey) {
-			/* Get fingerprint for the certificate of the issuer. */
+			if(array_key_exists('certFingerprint', $md)) {
-			$issuerFingerprint = $md['certFingerprint'];
+				/* Get fingerprint for the certificate of the issuer. */
+				$issuerFingerprint = $md['certFingerprint'];
-			/* Validate the fingerprint. */
+				/* Validate the fingerprint. */
-			$this->validator->validateFingerprint($issuerFingerprint);
+				$this->validator->validateFingerprint($issuerFingerprint);
+			} elseif(array_key_exists('caFile', $md)) {
+				/* Validation against a CA file. */
+				$this->validator->validateCA($this->configuration->getPathValue('certdir') . $md['caFile']);
+			} else {
+				/* Misconfigured - neither publickey, certFingerprint or caFile given. */
+				throw new Exception('Misconfigured saml20-idp-remote ' . $this->issuer . ':' .
+					' Neither publickey, certFingerprint or caFile given.');
+			}
 		}
 	}