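/**
 * Authenticates the requesting SP before its attribute query is answered.
 *
 * Two independent mechanisms are accepted, and either one is sufficient:
 *  1. TLS client-certificate authentication: the certificate presented for the HTTP
 *     request (as exported by the web server into $_SERVER) must match one of the
 *     certificate fingerprints registered for the SP in its metadata.
 *  2. An XML signature on the AttributeQuery, verified against the SP metadata.
 *
 * A mechanism that is present but invalid is fatal (exception); a mechanism that is
 * merely absent is not, because the other one may still succeed. The certificate check
 * runs first, then the signature check, so an invalid signature is still rejected even
 * when the certificate already authenticated the requestor. If neither mechanism
 * authenticates the requestor the request is answered with 401 and the script exits.
 *
 * @throws SimpleSAML_Error_Exception on an unusable or non-matching client certificate,
 *         missing SP public key metadata, or an invalid query signature.
 */
private function authenticate()
{
    $client_is_authenticated = $this->authenticateByClientCertificate();

    if ($this->authenticateBySignature()) {
        $client_is_authenticated = true;
    }

    if (!$client_is_authenticated) {
        SimpleSAML_Logger::info('[aa] Attribute query was not authenticated. Drop.');
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: None', false);
        echo 'Not authenticated. Neither query signature nor SSL client certificate was available.';
        exit;
    }
    SimpleSAML_Logger::debug('[aa] Attribute query was authenticated.');
}

/**
 * Authenticates the requestor via the TLS client certificate exported by the web server.
 *
 * Returns false when no client certificate was presented (SSL_CLIENT_VERIFY absent, empty
 * or 'NONE'). When one was presented, its SHA-1 fingerprint must equal one of the
 * fingerprints in the SP metadata; any other outcome is fatal. The web server's own
 * verdict (SUCCESS/FAILED/GENEROUS) is deliberately not required to be SUCCESS, as in the
 * previous implementation: possession of the private key is proven by the TLS handshake,
 * and the fingerprint pin against metadata is the actual authentication decision.
 *
 * @return bool true if the presented certificate matches the SP metadata.
 * @throws SimpleSAML_Error_Exception if the certificate cannot be fingerprinted, the SP has
 *         no certificate fingerprints in metadata, or the fingerprint does not match.
 */
private function authenticateByClientCertificate()
{
    $verify = isset($_SERVER['SSL_CLIENT_VERIFY']) ? $_SERVER['SSL_CLIENT_VERIFY'] : null;
    if ($verify !== null) {
        SimpleSAML_Logger::debug('[aa] Request was made using the following certificate: ' . var_export($verify, true));
    }
    if ($verify === null || $verify === '' || $verify === 'NONE') {
        /* The request may be signed, so this is not fatal */
        SimpleSAML_Logger::debug('[aa] SSL client certificate does not exist.');
        return false;
    }

    $clientCertFingerprint = $this->clientCertificateFingerprint();

    $spCertArray = SimpleSAML_Utilities::loadPublicKey($this->spMetadata);
    /* The old code only tested the array itself; a missing 'certFingerprint' key would
     * have produced a notice and then a misleading "certificate check failed". */
    if (!$spCertArray || empty($spCertArray['certFingerprint']) || !is_array($spCertArray['certFingerprint'])) {
        throw new SimpleSAML_Error_Exception('[aa] Can not find the public key of the requestor in the metadata!');
    }

    foreach ($spCertArray['certFingerprint'] as $fingerprint) {
        if (!$fingerprint) {
            continue;
        }
        /* Strict comparison: with == two hex digests that both look like "0e<digits>" are
         * compared as floats (both 0) and would be treated as equal. The fingerprint is
         * public data, so a constant-time comparison is not required here. Both sides are
         * lowercased so the match does not depend on how the metadata was typed. */
        if ($clientCertFingerprint === strtolower((string) $fingerprint)) {
            SimpleSAML_Logger::debug('[aa] SSL certificate is checked and valid.');
            return true;
        }
    }

    /* Reject the request if the TLS certificate used for the request does not match metadata */
    throw new SimpleSAML_Error_Exception('[aa] SSL certificate check failed.');
}

/**
 * Computes the lowercase hex SHA-1 fingerprint of the PEM certificate in SSL_CLIENT_CERT.
 *
 * SSL_CLIENT_VERIFY being set does not imply the certificate itself was exported (that
 * depends on web-server configuration), so its presence is checked explicitly.
 *
 * @return string 40 lowercase hex characters.
 * @throws SimpleSAML_Error_Exception if the certificate is missing or not valid base64.
 */
private function clientCertificateFingerprint()
{
    $pem = isset($_SERVER['SSL_CLIENT_CERT']) ? $_SERVER['SSL_CLIENT_CERT'] : '';
    /* Strip the PEM armour lines and all whitespace, leaving the bare base64 of the DER certificate */
    $clientCertData = preg_replace('/--.* CERTIFICATE-+-/', '', $pem);
    $clientCertData = preg_replace('/\s+/', '', (string) $clientCertData);
    /* Strict decoding rejects garbage instead of silently discarding it. sha1() never returns
     * an empty string, so the emptiness check must be made on the decoded data, not on the
     * digest (the old "!$fingerprint" test could never fire). */
    $der = ($clientCertData !== '') ? base64_decode($clientCertData, true) : false;
    if ($der === false || $der === '') {
        throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
    }
    return strtolower(sha1($der));
}

/**
 * Authenticates the requestor via the XML signature on the AttributeQuery, if any.
 *
 * @return bool true if the query carries a signature that verifies against the SP
 *              metadata; false if the query carries no certificates (i.e. is unsigned).
 * @throws SimpleSAML_Error_Exception if a signature is present but invalid or unverifiable.
 */
private function authenticateBySignature()
{
    $certs_of_query = $this->query->getCertificates();
    if (count($certs_of_query) === 0) {
        /* The request may be protected by HTTP TLS (X.509) authentication, so this is not fatal */
        SimpleSAML_Logger::debug('[aa] AttributeQuery has no signature.');
        return false;
    }
    if (!sspmod_saml_Message::checkSign($this->spMetadata, $this->query)) {
        /* An invalid or unverifiable signature is fatal */
        throw new SimpleSAML_Error_Exception('[aa] The signature of the AttributeQuery is wrong!');
    }
    SimpleSAML_Logger::debug('[aa] AttributeQuery signature is checked and valid.');
    return true;
}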