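/**
 * Compare audiences
 *
 * Checks whether the audience carried by this assertion ($this->audience) is
 * acceptable for the audience the relying party expects ($want).
 *
 * The RP may give its audience in several forms (see issue #82). It SHOULD
 * provide the full origin, but the looser forms are tolerated so some dude
 * named Postel doesn't go postal:
 *
 *   1.  full origin            'http://rp.tld'
 *   1a. full origin with port  'http://rp.tld:8080'
 *   2.  domain and port        'rp.tld:8080'
 *   3.  domain only            'rp.tld'
 *
 * Only the parts that $this->audience explicitly provides are compared: a
 * bare domain (form 3) is not checked against the scheme or port of $want,
 * and a domain:port (form 2) is not checked against the scheme.
 *
 * Side effects: fills $this->audience_scheme, $this->audience_domain and
 * $this->audience_port with the parsed parts of $this->audience.
 *
 * @access private
 * @param string $want The expected audience
 * @return string|null The error message if it fails or null on success
 */
private function compareAudiences($want)
{
    try {
        // case 1 & 1a: a full origin, hand it to the URL parser
        if (preg_match('~^https?://~', $this->audience)) {
            $parsed = CertAssertion::normalizeParsedURL(parse_url($this->audience));
            $this->audience_scheme = $parsed['scheme'];
            $this->audience_domain = $parsed['host'];
            $this->audience_port = $parsed['port'];
        } elseif (str_contains($this->audience, ':')) {
            // case 2: 'domain:port' -- exactly one colon allowed
            $parts = explode(':', $this->audience);
            if (count($parts) !== 2) {
                throw new \Exception('malformed domain');
            }
            [$this->audience_domain, $this->audience_port] = $parts;
        } else {
            // case 3: bare domain
            $this->audience_domain = $this->audience;
        }

        if (!isset($this->audience_domain)) {
            throw new \Exception('domain mismatch');
        }

        // now parse "want" url
        $want = CertAssertion::normalizeParsedURL(parse_url($want));

        // Compare the parts explicitly provided by the client. Both sides are
        // cast to string and compared strictly: the loose != used to compare
        // numeric-looking strings numerically ('1e3' == '1000', '080' == 80),
        // which is not what an audience check wants. The cast keeps the
        // int-vs-string port case ('8080' vs 8080) matching as before.
        if (isset($this->audience_scheme)
            && (string) $this->audience_scheme !== (string) $want['scheme']) {
            throw new \Exception('scheme mismatch : ' . $want['scheme']);
        }
        if (isset($this->audience_port)
            && (string) $this->audience_port !== (string) $want['port']) {
            throw new \Exception('port mismatch : ' . $want['port'] . '/' . $this->audience_port);
        }
        if (isset($this->audience_domain)
            && (string) $this->audience_domain !== (string) $want['host']) {
            throw new \Exception('domain mismatch ' . $want['host'] . ' et ' . $this->audience_domain);
        }

        return null;
    } catch (\Exception $e) {
        // Catch the global \Exception explicitly: the throws above use
        // \Exception, and an unqualified 'Exception' inside a namespace would
        // resolve to Namespace\Exception and let the mismatch escape uncaught.
        return $e->getMessage();
    }
}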