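 /**
  * Process an Information Card EncryptedData block sent from the client,
  * validate it, and return the claims contained within it on success or an
  * error message on failure.
  *
  * Processing order: extract the signed assertion document from the token,
  * parse it, verify its XML signature, check that the signature references
  * this very assertion, then evaluate the assertion conditions (using the
  * conditions the adapter already holds for this assertion when available).
  * Every failure returns a Zend_InfoCard_Claims carrying an error message and
  * a failure code with NO claims attached, so callers never receive
  * attributes from an assertion that did not fully validate.
  *
  * @param string $strXmlToken The XML token sent to the server from the client
  * @return Zend_InfoCard_Claims The claims on success, or the error which occurred
  * @throws Zend_InfoCard_Exception If the assertion factory returns an object of an unexpected type
  */
 public function process($strXmlToken)
 {
     $retval = new Zend_InfoCard_Claims();

     require_once 'Zend/InfoCard/Exception.php';

     // 1. Extract (decrypt) the signed assertion document from the token.
     try {
         $signedAssertionsXml = $this->_extractSignedToken($strXmlToken);
     } catch (Zend_InfoCard_Exception $e) {
         return $this->_claimsFailure(
             $retval,
             'Failed to extract assertion document',
             Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE
         );
     }

     // 2. Parse the assertion document.
     try {
         $assertions = Zend_InfoCard_Xml_Assertion::getInstance($signedAssertionsXml);
     } catch (Zend_InfoCard_Exception $e) {
         return $this->_claimsFailure(
             $retval,
             'Failure processing assertion document',
             Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE
         );
     }

     if (!$assertions instanceof Zend_InfoCard_Xml_Assertion_Interface) {
         throw new Zend_InfoCard_Exception("Invalid Assertion Object returned");
     }

     // 3. Verify the XML signature. On success this yields the reference URI
     //    of the element the signature covers; anything falsy is a failure.
     $reference_id = Zend_InfoCard_Xml_Security::validateXMLSignature($assertions->asXML());
     if (!$reference_id) {
         return $this->_claimsFailure(
             $retval,
             "Failure Validating the Signature of the assertion document",
             Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE
         );
     }

     // 4. The reference must be a same-document fragment ('#id'). A reference
     //    of any other form means the signature covers something other than
     //    the document we are about to trust.
     if (substr($reference_id, 0, 1) !== '#') {
         return $this->_claimsFailure(
             $retval,
             "Reference of document signature does not reference the local document",
             Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE
         );
     }
     $reference_id = substr($reference_id, 1);

     // 5. The signed element must be this assertion, not another element of
     //    the document. Stop here: claims from an assertion whose signature
     //    covers a different element must never be handed to the caller.
     if ($reference_id !== (string) $assertions->getAssertionID()) {
         return $this->_claimsFailure(
             $retval,
             "Reference of document signature does not reference the local document",
             Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE
         );
     }

     // 6. Conditions: prefer whatever the adapter already holds for this
     //    assertion (keyed by URI + ID), fall back to the conditions in the
     //    document itself.
     $conditions = $this->getAdapter()->retrieveAssertion(
         $assertions->getAssertionURI(),
         $assertions->getAssertionID()
     );
     if ($conditions === false) {
         $conditions = $assertions->getConditions();
     }

     // NOTE(review): nothing in this method stores the assertion back into the
     // adapter, so "have we seen this before" depends on the adapter being
     // populated elsewhere - confirm against the adapter implementation in use.
     $condition_error = $assertions->validateConditions($conditions);
     if (is_array($condition_error)) {
         return $this->_claimsFailure(
             $retval,
             "Conditions of assertion document are not met: {$condition_error[1]} ({$condition_error[0]})",
             Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE
         );
     }

     // 7. Every check passed: expose the claims. All failure paths returned
     //    above, so the result code is unconditionally success here.
     $retval->setClaims($assertions->getAttributes());
     $retval->setCode(Zend_InfoCard_Claims::RESULT_SUCCESS);

     return $retval;
 }

 /**
  * Record an error message and result code on a claims object and return it.
  *
  * Shared by every failure path of process() so that a failed result always
  * has the same shape: error text, failure code, and no claims.
  *
  * @param Zend_InfoCard_Claims $retval  The claims object being built
  * @param string               $message Human-readable error description
  * @param int                  $code    One of the Zend_InfoCard_Claims::RESULT_* codes
  * @return Zend_InfoCard_Claims The same object, for returning directly
  */
 private function _claimsFailure(Zend_InfoCard_Claims $retval, $message, $code)
 {
     $retval->setError($message);
     $retval->setCode($code);

     return $retval;
 }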
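 /**
  * Verify the XML signature of an assertion document against the configured
  * STS certificate and return the reference id the signature covers.
  *
  * Not called from process() on this page (which invokes
  * Zend_InfoCard_Xml_Security directly, without the certificate); retained
  * for any other caller in the class.
  *
  * @param Zend_InfoCard_Xml_Assertion_Interface $assertions The assertion document to verify
  * @return string The reference id returned by the signature validator
  * @throws Zend_InfoCard_Exception If the signature does not validate
  */
 private function ValidateSignature($assertions)
 {
     // NOTE(review): this include path does not follow the 'Zend/InfoCard/...'
     // form used by the require_once in process(); confirm it resolves before
     // relying on this method.
     include_once 'Zend_InfoCard_Xml_Security.php';
     require_once 'Zend/InfoCard/Exception.php';

     $reference_id = Zend_InfoCard_Xml_Security::validateXMLSignature($assertions->asXML(), $this->_sts_crt);
     if (!$reference_id) {
         // Throw the library's own exception type so the catch blocks used
         // elsewhere in this class (catch Zend_InfoCard_Exception) see it;
         // Zend_InfoCard_Exception derives from Exception, so existing
         // catch (Exception) handlers keep working.
         throw new Zend_InfoCard_Exception("Failure Validating the Signature of the assertion document");
     }

     return $reference_id;
 }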