/**
* @deprecated This method will be removed in SSP 2.0.
*/
public static function validateCA($certificate, $caFile)
{
SimpleSAML_XML_Validator::validateCertificate($certificate, $caFile);
}
$idpEntityId = $assertion->getAttribute('Issuer');
/* Load the IdP metadata. */
$idpMetadata = $metadata->getMetaData($idpEntityId, 'wsfed-idp-remote');
/* Find the certificate used by the IdP. */
if (array_key_exists('certificate', $idpMetadata)) {
$certFile = SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);
} else {
throw new Exception('Missing \'certificate\' metadata option in the \'wsfed-idp-remote\' metadata' . ' for the IdP \'' . $idpEntityId . '\'.');
}
/* Load the certificate. */
$certData = file_get_contents($certFile);
if ($certData === FALSE) {
throw new Exception('Unable to load certificate file \'' . $certFile . '\' for wsfed-idp \'' . $idpEntityId . '\'.');
}
/* Verify that the assertion is signed by the issuer. */
$validator = new SimpleSAML_XML_Validator($assertion, 'AssertionID', $certData);
if (!$validator->isNodeValidated($assertion)) {
throw new Exception('The assertion was not correctly signed by the WS-Fed IdP \'' . $idpEntityId . '\'.');
}
/* Check time constraints of contitions (if present). */
foreach ($xpath->query('./saml:Conditions', $assertion) as $condition) {
$notBefore = $condition->getAttribute('NotBefore');
$notOnOrAfter = $condition->getAttribute('NotOnOrAfter');
if (!SimpleSAML_Utilities::checkDateConditions($notBefore, $notOnOrAfter)) {
throw new Exception('The response has expired.');
}
}
/* Extract the name identifier from the response. */
$nameid = $xpath->query('./saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', $assertion);
if ($nameid->length === 0) {
throw new Exception('Could not find the name identifier in the response from the WS-Fed IdP \'' . $idpEntityId . '\'.');
/**
* This function processes a signature element in an EntityDescriptor element.
*
* It will attempt to validate the EntityDescriptor element using the signature. If the signature
* is good, it will and will store the fingerprint the certificate in the $validatedFingerprint variable.
*
* @param $element The ds:Signature element.
*/
private function processSignature($element)
{
assert('$element instanceof DOMElement');
/* We want to validate the EntityDescriptor which contains the signature. */
$entityDescriptor = $element->parentNode;
assert('$entityDescriptor instanceof DOMElement');
/*
* Make a copy of the entity descriptor, so that the validator can
* change the DOM tree in any way it wants.
*/
$doc = new DOMDocument();
$entityDescriptor = $doc->importNode($entityDescriptor, TRUE);
$doc->appendChild($entityDescriptor);
/* Attempt to check the signature. */
try {
$validator = new SimpleSAML_XML_Validator($entityDescriptor, 'ID');
if ($validator->isNodeValidated($entityDescriptor)) {
/* The EntityDescriptor is signed. Store the validator in $this->validator, so
* that it can be used to verify the fingerprint of the certificate later.
*/
$this->validator[] = $validator;
}
} catch (Exception $e) {
/* Ignore validation errors and pretend that this EntityDescriptor is unsigned. */
}
}
