From 8d20d4b3a969aeb6c30bd270a174cdf19faefeb1 Mon Sep 17 00:00:00 2001
From: Chris Andrews
Date: Oct 12 2010 15:37:11 +0000
Subject: Add support for verifying the certificate used to sign Assertions. Adds dependency on Crypt::OpenSSL::VerifyX509.
---
diff --git a/Makefile.PL b/Makefile.PL
index 4c23510..d3c5a0c 100755
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -14,6 +14,7 @@ all_from 'lib/Net/SAML2.pm';
 requires 'XML::Sig';
 requires 'Crypt::OpenSSL::RSA';
 requires 'Crypt::OpenSSL::X509';
+requires 'Crypt::OpenSSL::VerifyX509';
 requires 'IO::Compress::RawDeflate';
 requires 'IO::Uncompress::RawInflate';
 requires 'File::Slurp';
diff --git a/lib/Net/SAML2/Binding/POST.pm b/lib/Net/SAML2/Binding/POST.pm
index 697ac42..00f8c3e 100644
--- a/lib/Net/SAML2/Binding/POST.pm
+++ b/lib/Net/SAML2/Binding/POST.pm
@@ -19,6 +19,7 @@ Net::SAML2::Binding::POST - HTTP POST binding for SAML2
 use XML::Sig;
 use MIME::Base64 qw/ decode_base64 /;
+use Crypt::OpenSSL::VerifyX509;
 =head2 new()
@@ -31,6 +32,9 @@ No arguments.
 sub new {
 my ($class, %args) = @_;
 my $self = bless {}, $class;
+
+ $self->{cacert} = $args{cacert};
+
 return $self;
 }
@@ -43,10 +47,22 @@ Base64-encoded response, from the SAMLResponse CGI parameter.
 sub handle_response {
 my ($self, $response) = @_;
+
+ # unpack and check the signature
 my $xml = decode_base64($response);
 my $x = XML::Sig->new({ x509 => 1 });
 my $ret = $x->verify($xml);
- return $ret;
+ die "signature check failed" unless $ret;
+
+ # verify the signing certificate
+ my $cert = $x->signer_cert;
+ my $ca = Crypt::OpenSSL::VerifyX509->new($self->{cacert});
+ $ret = $ca->verify($cert);
+
+ if ($ret) {
+ return sprintf("%s (verified)", $cert->subject);
+ }
+ return;
 }
 1;
diff --git a/t/01-create-idp.t b/t/01-create-idp.t
index bd9f394..d0b2230 100644
--- a/t/01-create-idp.t
+++ b/t/01-create-idp.t
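Review bot: `new` stores `$args{cacert}` without checking that it is defined, while the POD heading shown in this hunk's context still reads `No arguments.`; a missing or mistyped `cacert` key is only discovered later, when `handle_response` hands `undef` to `Crypt::OpenSSL::VerifyX509->new`, far from the construction site and with whatever error that module produces. I would fail fast before the assignment with `die "cacert (path to the CA certificate that must have issued the assertion signer) is required" unless defined $args{cacert};`. The `=head2 new()` POD should also gain a paragraph describing `cacert` as the trust anchor for signing certificates; that text sits outside the hunk.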
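Review bot: Failure handling in the new `handle_response` body is inconsistent: a bad XML signature dies, but a signing certificate that fails CA verification falls through to `return;`, so a caller that only guards against an exception will treat the unverified response as handled. I would make the second check die as well, replacing the `if ($ret)` block with `$ca->verify($cert) or die "signing certificate failed CA verification";` followed by `return sprintf("%s (verified)", $cert->subject);`. If `Crypt::OpenSSL::VerifyX509->verify` already dies on failure instead of returning false — I believe it does, but confirm against the module's documentation — the `return;` branch is unreachable today and the same rewrite removes the dead code. The POD for `handle_response` should also state that this check establishes that the signer's certificate chains to the configured `cacert`, not that it is the particular IdP certificate from metadata, so any certificate issued by that CA is accepted as a signer.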
@@ -58,4 +58,7 @@ ok($idp->sso_url($redirect_uri));
 ok($idp->slo_url($redirect_uri));
 ok($idp->art_url($soap_uri));
+ok($idp->cert('signing'));
+ok($idp->entityID eq 'http://sso.dev.venda.com/opensso');
+
 done_testing;
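Review bot: `ok($idp->entityID eq 'http://sso.dev.venda.com/opensso');` reports only pass/fail on a mismatch; `is($idp->entityID, 'http://sso.dev.venda.com/opensso', 'entityID matches metadata');` prints the got/expected values and carries a description like the other assertions should. The neighbouring `ok($idp->cert('signing'))` only checks truthiness; depending on what `cert` returns, a `like` against the PEM header or an `isa_ok` on the returned object would pin the shape of the signing certificate the new verification path relies on.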