From e5ca519df787eb06941053a1866c792c9100327a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 4 Aug 2010 05:48:48 +0000
Subject: [PATCH] SAMLParser: Only extract signing certificate.

When faced with two certificates, one marked as use="signing" and
the other as use="encryption", we chose the first one (even though
it may not have supported signature verification).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2474 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Metadata/SAMLParser.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/lib/SimpleSAML/Metadata/SAMLParser.php b/lib/SimpleSAML/Metadata/SAMLParser.php
index 8549ce687..d84d9620a 100644
--- a/lib/SimpleSAML/Metadata/SAMLParser.php
+++ b/lib/SimpleSAML/Metadata/SAMLParser.php
@@ -472,6 +472,10 @@ class SimpleSAML_Metadata_SAMLParser {
 				continue;
 			}
 
+			if ($key['signing'] !== TRUE) {
+				continue;
+			}
+
 			$certData = base64_decode($key['X509Certificate']);
 			if($certData === FALSE) {
 				/* Empty/invalid certificate. */
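Review bot: The added guard `if ($key['signing'] !== TRUE)` depends on every key entry carrying a boolean `signing` element, and the code that builds `$key` lies outside this hunk, as does the rest of the enclosing function. In SAML metadata a KeyDescriptor without a `use` attribute is valid for both signing and encryption, so it is worth confirming that the parser sets `signing` to TRUE in that case; otherwise such metadata would yield no certificate here and leave downstream signature verification with nothing to check against. The identical four-line guard is repeated in the hunks at -535, -624 and -701, so a small private helper, or at least a comment such as `/* Skip keys that are not marked for signing. */` above each copy, would keep them from drifting apart. Separately, the context line `base64_decode($key['X509Certificate'])` decodes in non-strict mode, which silently drops invalid characters, so the `=== FALSE` check is unlikely to fire; passing `TRUE` as the second argument would let malformed certificate data be rejected, after testing against certificates that contain line breaks.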
@@ -535,6 +539,10 @@ class SimpleSAML_Metadata_SAMLParser {
 				continue;
 			}
 
+			if ($key['signing'] !== TRUE) {
+				continue;
+			}
+
 			$certData = base64_decode($key['X509Certificate']);
 			if($certData === FALSE) {
 				/* Empty/invalid certificate. */
@@ -624,6 +632,10 @@ class SimpleSAML_Metadata_SAMLParser {
 				continue;
 			}
 
+			if ($key['signing'] !== TRUE) {
+				continue;
+			}
+
 			$certData = base64_decode($key['X509Certificate']);
 			if($certData === FALSE) {
 				/* Empty/invalid certificate. */
@@ -701,6 +713,10 @@ class SimpleSAML_Metadata_SAMLParser {
 				continue;
 			}
 
+			if ($key['signing'] !== TRUE) {
+				continue;
+			}
+
 			$certData = base64_decode($key['X509Certificate']);
 			if($certData === FALSE) {
 				/* Empty/invalid certificate. */
-- 
GitLab