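/**
 * Process an Information Card EncryptedData block sent from the client,
 * validate it, and return the claims contained within it on success or an
 * error message on error.
 *
 * Every validation failure is reported through the returned Claims object
 * (error text plus a RESULT_* code) and stops processing immediately. The
 * assertion's attributes are attached to the result only after the
 * signature, its same-document reference and the assertion conditions have
 * all been accepted, so a caller never receives claims taken from a token
 * that failed validation.
 *
 * @param  string $strXmlToken The XML token sent to the server from the client
 * @return Zend_InfoCard_Claims The Claims object containing the claims, or any errors which occurred
 * @throws Zend_InfoCard_Exception If the assertion factory returns an object of an unexpected type
 */
public function process($strXmlToken)
{
    $retval = new Zend_InfoCard_Claims();

    require_once 'Zend/InfoCard/Exception.php';

    try {
        $signedAssertionsXml = $this->_extractSignedToken($strXmlToken);
    } catch (Zend_InfoCard_Exception $e) {
        $retval->setError('Failed to extract assertion document');
        $retval->setCode(Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE);
        return $retval;
    }

    try {
        $assertions = Zend_InfoCard_Xml_Assertion::getInstance($signedAssertionsXml);
    } catch (Zend_InfoCard_Exception $e) {
        $retval->setError('Failure processing assertion document');
        $retval->setCode(Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE);
        return $retval;
    }

    if (!$assertions instanceof Zend_InfoCard_Xml_Assertion_Interface) {
        throw new Zend_InfoCard_Exception("Invalid Assertion Object returned");
    }

    // validateXMLSignature() yields the URI the signature references on success;
    // any falsy value is treated as a signature failure.
    $reference_id = Zend_InfoCard_Xml_Security::validateXMLSignature($assertions->asXML());
    if (!$reference_id) {
        $retval->setError("Failure Validating the Signature of the assertion document");
        $retval->setCode(Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE);
        return $retval;
    }

    // The reference must be a same-document reference ("#<id>"); anything else
    // means the signature covers something other than this assertion.
    if (substr($reference_id, 0, 1) !== '#') {
        $retval->setError("Reference of document signature does not reference the local document");
        $retval->setCode(Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE);
        return $retval;
    }
    $reference_id = substr($reference_id, 1);

    // Make sure the signature is in reference to the same document as the assertions.
    // Strict string comparison: a loose "!=" would treat numeric-looking ids such as
    // "1e3" and "1000" as equal. A mismatch is terminal, like every other failure here.
    if ((string) $reference_id !== (string) $assertions->getAssertionID()) {
        $retval->setError("Reference of document signature does not reference the local document");
        $retval->setCode(Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE);
        return $retval;
    }

    // Validate we haven't seen this before and the conditions are acceptable.
    // Prefer the conditions the adapter already holds for this assertion; fall back
    // to the conditions embedded in the document when the adapter has none.
    $conditions = $this->getAdapter()->retrieveAssertion($assertions->getAssertionURI(), $assertions->getAssertionID());
    if ($conditions === false) {
        $conditions = $assertions->getConditions();
    }

    // validateConditions() returns an array describing the violated condition on failure.
    $condition_error = $assertions->validateConditions($conditions);
    if (is_array($condition_error)) {
        $retval->setError("Conditions of assertion document are not met: {$condition_error[1]} ({$condition_error[0]})");
        $retval->setCode(Zend_InfoCard_Claims::RESULT_VALIDATION_FAILURE);
        return $retval;
    }

    // Only a fully validated assertion contributes claims to the result.
    $retval->setClaims($assertions->getAttributes());

    if ($retval->getCode() == 0) {
        $retval->setCode(Zend_InfoCard_Claims::RESULT_SUCCESS);
    }

    return $retval;
}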