Merge pull request SAML-Toolkits#66 from newrelic/add_validation_erro…

…r_when_missing_certificate_in_response Added an explicit validation error when the X509Certificate is missing from the SAML Reponse
orslumen · Feb 22, 2013 · 3fe7644 · 3fe7644
2 parents 35dae94 + 35e4c00
commit 3fe7644
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -47,6 +47,7 @@ def initialize(response)
     def validate(idp_cert_fingerprint, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+      raise Onelogin::Saml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
       base64_cert  = cert_element.text
       cert_text    = Base64.decode64(base64_cert)
       cert         = OpenSSL::X509::Certificate.new(cert_text)

diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -51,6 +51,16 @@ class XmlSecurityTest < Test::Unit::TestCase
       end
       assert_equal("Key validation error", exception.message)
     end
+
+    should "raise validation error when the X509Certificate is missing" do
+      response = Base64.decode64(response_document)
+      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      document = XMLSecurity::SignedDocument.new(response)
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        document.validate("a fingerprint", false) # The fingerprint isn't relevant to this test
+      end
+      assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+    end
   end
 
   context "Algorithms" do