author | Olav Morken <olav.morken@uninett.no> | 2008-07-04 12:40:49 +0000 |
---|---|---|
committer | Olav Morken <olav.morken@uninett.no> | 2008-07-04 12:40:49 +0000 |
commit | d85f62b671ba9a854c84f3a0d081a19e846307d9 (patch) | |
tree | ce41c9b2729362e98e05529df474114a524a0a4d | |
parent | 8ebe7ebc74d56920a6a783c2006a101844062aba (diff) | |
SAML2 SP: Add support for CA path validation.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@771 44740490-163a-0410-bde0-09ae8108e29a
-rw-r--r-- | lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index d3f9989..855908a 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -260,11 +260,24 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $this->validator = new SimpleSAML_XML_Validator($node, 'ID', $publickey);
 if (!$publickey) {
- /* Get fingerprint for the certificate of the issuer. */
- $issuerFingerprint = $md['certFingerprint'];
+ if(array_key_exists('certFingerprint', $md)) {
+
+ /* Get fingerprint for the certificate of the issuer. */
+ $issuerFingerprint = $md['certFingerprint'];
- /* Validate the fingerprint. */
- $this->validator->validateFingerprint($issuerFingerprint);
+ /* Validate the fingerprint. */
+ $this->validator->validateFingerprint($issuerFingerprint);
+
+ } elseif(array_key_exists('caFile', $md)) {
+
+ /* Validation against a CA file. */
+ $this->validator->validateCA($this->configuration->getPathValue('certdir') . $md['caFile']);
+ } else {
+
+ /* Misconfigured - neither publickey, certFingerprint or caFile given. */
+ throw new Exception('Misconfigured saml20-idp-remote ' . $this->issuer . ':' .
+ ' Neither publickey, certFingerprint or caFile given.');
+ }
 }
 } |
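Review bot: The new `caFile` branch accepts a response on chain validation alone: `validateCA()` is handed only the CA file path, and nothing in this hunk ties the signing certificate to `$this->issuer`, so any certificate issued under that CA would appear to be accepted for this IdP. The body of `validateCA()` is outside the hunk, so whether it checks the certificate subject cannot be confirmed here; if it does not, the option is only safe with a CA dedicated to this IdP, and the branch should say so, e.g. `/* Trusts every certificate issued under caFile - use a CA dedicated to this IdP. */`. Separately, `array_key_exists('certFingerprint', $md)` is true for an empty or null value, which is then passed to `validateFingerprint()` and also shadows a configured `caFile`; `if (!empty($md['certFingerprint'])) {` would let such an entry fall through to the CA or misconfiguration branch. The enclosing method starts outside the hunk.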