/**
* Compare audiences
*
* Checks if the given assertion is valid for the audience.
*
* @access private
* @param string $want The expected audience
* @return string The error message if it fails or null on success
*/
private function compareAudiences($want)
{
try {
// We allow the RP to provide audience in multiple forms (see issue #82).
// The RP SHOULD provide full origin, but we allow these alternate forms for
// some dude named Postel doesn't go postal.
// 1. full origin 'http://rp.tld'
// 1a. full origin with port 'http://rp.tld:8080'
// 2. domain and port 'rp.tld:8080'
// 3. domain only 'rp.tld'
// case 1 & 1a
if (preg_match("/^https?:\\/\\//", $this->audience)) {
$gu = CertAssertion::normalizeParsedURL(parse_url($this->audience));
$this->audience_scheme = $gu['scheme'];
$this->audience_domain = $gu['host'];
$this->audience_port = $gu['port'];
} else {
if (strpos($this->audience, ':') !== false) {
$p = explode(':', $this->audience);
if (count($p) !== 2) {
throw new \Exception("malformed domain");
}
$this->audience_domain = $p[0];
$this->audience_port = $p[1];
} else {
$this->audience_domain = $this->audience;
}
}
if (!isset($this->audience_domain)) {
throw new \Exception("domain mismatch");
}
// now parse "want" url
$want = CertAssertion::normalizeParsedURL(parse_url($want));
// compare the parts explicitly provided by the client
if (isset($this->audience_scheme) && $this->audience_scheme != $want['scheme']) {
throw new \Exception("scheme mismatch : " . $want['scheme']);
}
if (isset($this->audience_port) && $this->audience_port != $want['port']) {
throw new \Exception("port mismatch : " . $want['port'] . '/' . $this->audience_port);
}
if (isset($this->audience_domain) && $this->audience_domain != $want['host']) {
throw new \Exception("domain mismatch " . $want['host'] . ' et ' . $this->audience_domain);
}
return null;
} catch (Exception $e) {
return $e->getMessage();
}
}
