authorOlav Morken <olav.morken@uninett.no>2010-08-10 11:27:15 +0000
committerOlav Morken <olav.morken@uninett.no>2010-08-10 11:27:15 +0000
commit43f60f732f084793e1f891345826f97b7300c761 (patch)
tree4da6ffcba5a6bb56ec1cb371df7103e712894441
parent7231f2e5d108d4f27839295a7b905421af3548bf (diff)
Shib13: Add support for multiple certificates in metadata.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2514 44740490-163a-0410-bde0-09ae8108e29a
-rw-r--r--lib/SimpleSAML/XML/Shib13/AuthnResponse.php27
1 files changed, 18 insertions, 9 deletions
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index ce9ae7a..bb9ca85 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -88,19 +88,28 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
/* Get the metadata of the issuer. */
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
- $md = $metadata->getMetaData($issuer, 'shib13-idp-remote');
-
- if(array_key_exists('certFingerprint', $md)) {
- /* Get fingerprint for the certificate of the issuer. */
- $issuerFingerprint = $md['certFingerprint'];
+ $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');
+
+ $publicKeys = $md->getPublicKeys('signing');
+ if ($publicKeys !== NULL) {
+ $certFingerprints = array();
+ foreach ($publicKeys as $key) {
+ if ($key['type'] !== 'X509Certificate') {
+ continue;
+ }
+ $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
+ }
+ $this->validator->validateFingerprint($certFingerprints);
+ } elseif ($md->hasValue('certFingerprint')) {
+ $certFingerprints = $md->getArrayizeString('certFingerprint');
/* Validate the fingerprint. */
- $this->validator->validateFingerprint($issuerFingerprint);
- } elseif(array_key_exists('caFile', $md)) {
+ $this->validator->validateFingerprint($certFingerprints);
+ } elseif ($md->hasValue('caFile')) {
/* Validate against CA. */
- $this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md['caFile']));
+ $this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md->getString('caFile')));
} else {
- throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
+ throw new SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
}
return true;