
Commit f8d5aaa

author
LuisVM
committed
Added Validations:
- Validates that only one Assertion is present
- Validates timestamps
1 parent 5415ac5 commit f8d5aaa

1 file changed

+37
-4
lines changed


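--- a/lib/onelogin/saml/xmlsec.php
+++ b/lib/onelogin/saml/xmlsec.php
@@ -1,4 +1,5 @@
 <?php
+
 require(dirname(__FILE__) . '/../../xmlseclibs/xmlseclibs.php');
 
 class XmlSec {
@@ -9,6 +10,28 @@ function __construct($val) {
 $this->doc = $val;
 }
 
+function validateNumAssertions(){
+$rootNode = $this->doc; //->documentElement->ownerDocument;
+$assertionNodes = $rootNode->getElementsByTagName('Assertion');
+return ($assertionNodes->length == 1);
+}
+
+function validateTimestamps(){
+$rootNode = $this->doc;
+$timestampNodes = $rootNode->getElementsByTagName('Conditions');
+for($i=0;$i<$timestampNodes->length;$i++){
+$nbAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotBefore");
+$naAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotOnOrAfter");
+if($nbAttribute && strtotime($nbAttribute->textContent) > time()){
+return false;
+}
+if($naAttribute && strtotime($naAttribute->textContent) <= time()){
+return false;
+}
+}
+return true;
+}
+
 function is_valid() {
 $objXMLSecDSig = new XMLSecurityDSig();
 
@@ -20,7 +43,6 @@ function is_valid() {
 $objXMLSecDSig->idKeys = array('ID');
 
 $retVal = $objXMLSecDSig->validateReference();
-
 if (! $retVal) {
 throw new Exception("Reference Validation Failed");
 }
@@ -31,13 +53,24 @@ function is_valid() {
 }
 $key = NULL;
 
+$singleAssertion = $this->validateNumAssertions();
+if (!$singleAssertion){
+throw new Exception("Only ONE SamlAssertion allowed");
+}
+
+$validTimestamps = $this->validateTimestamps();
+if (!$validTimestamps){
+throw new Exception("Check your timestamp conditions");
+}
+
 $objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
 
 $objKey->loadKey($this->x509certificate, FALSE, true);
-
+
 $result = $objXMLSecDSig->verify($objKey);
 return $result;
 }
-}
 
-?>
+}
+
+?>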
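Review bot: In validateTimestamps an unparseable NotBefore fails open: strtotime() returns false for a value it cannot parse, and `false > time()` evaluates false, so the response is accepted, whereas an unparseable NotOnOrAfter is rejected by the `<=` branch — both should reject. Capture the parsed value and test it explicitly, e.g. `$nb = strtotime($nbAttribute->textContent); if ($nb === false || $nb > $now) { return false; }` and likewise `$na === false || $na <= $now`, with `$now = time();` read once before the loop so both comparisons use the same instant. The loop only inspects Conditions elements, so a response with no Conditions at all passes this check unchanged, and a NotOnOrAfter carried on SubjectConfirmationData is not examined; if that is not intended, return false when `$timestampNodes->length === 0` and consider covering SubjectConfirmationData too. There is also no allowance for clock skew between IdP and SP, which is commonly a small configurable tolerance in SAML validators.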
