Improve how fingerprint is calcultated

Author: pitbulk

lib/Saml2/Utils.php

@@ -902,7 +902,7 @@ public static function deleteLocalSession()
     /**
      * Calculates the fingerprint of a x509cert.
      *
-     * @param string $x509cert x509 cert
+     * @param string $x509cert x509 cert formatted
      * @param string $alg      Algorithm to be used in order to calculate the fingerprint
      *
      * @return null|string Formatted fingerprint
@@ -911,27 +911,30 @@ public static function calculateX509Fingerprint($x509cert, $alg = 'sha1')
     {
         assert(is_string($x509cert));
 
-        $lines = explode("\n", $x509cert);
-
+        $arCert = explode("\n", $x509cert);
         $data = '';
-
-        foreach ($lines as $line) {
-            /* Remove '\r' from end of line if present. */
-            $line = rtrim($line);
-            if ($line === '-----BEGIN CERTIFICATE-----') {
-                /* Delete junk from before the certificate. */
-                $data = '';
-            } elseif ($line === '-----END CERTIFICATE-----') {
-                /* Ignore data after the certificate. */
-                break;
-            } elseif ($line === '-----BEGIN PUBLIC KEY-----' || $line === '-----BEGIN RSA PRIVATE KEY-----') {
-                /* This isn't an X509 certificate. */
-                return null;
+        $inData = false;
+
+        foreach ($arCert as $curData) {
+            if (! $inData) {
+                if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) {
+                    $inData = true;
+                } elseif ((strncmp($curData, '-----BEGIN PUBLIC KEY', 21) == 0) || (strncmp($curData, '-----BEGIN RSA PRIVATE KEY', 26) == 0)) {
+                    /* This isn't an X509 certificate. */
+                    return null;
+                }
             } else {
-                /* Append the current line to the certificate data. */
-                $data .= $line;
+                if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) {
+                    break;
+                }
+                $data .= trim($curData);
             }
         }
+
+        if (empty($data)) {
+            return null;
+        }
+
         $decodedData = base64_decode($data);
 
         switch ($alg) {

tests/src/OneLogin/Saml2/ResponseTest.php

@@ -1456,7 +1456,8 @@ public function testIsValid2()
 
         $settingsDir = TEST_ROOT .'/settings/';
         include $settingsDir.'settings1.php';
-        $settingsInfo['idp']['certFingerprint'] = OneLogin_Saml2_Utils::calculateX509Fingerprint($settingsInfo['idp']['x509cert']);
+        $cert = OneLogin_Saml2_Utils::formatCert($settingsInfo['idp']['x509cert']);
+        $settingsInfo['idp']['certFingerprint'] = OneLogin_Saml2_Utils::calculateX509Fingerprint($cert);
         $settingsInfo['idp']['x509cert'] = null;
 
         $settings = new OneLogin_Saml2_Settings($settingsInfo);

tests/src/OneLogin/Saml2/UtilsTest.php

@@ -958,6 +958,12 @@ public function testCalculateX509Fingerprint()
 
         $this->assertNull(OneLogin_Saml2_Utils::calculateX509Fingerprint($key));
 
+        $this->assertNull(OneLogin_Saml2_Utils::calculateX509Fingerprint(""));
+
+        $this->assertNull(OneLogin_Saml2_Utils::calculateX509Fingerprint($settingsInfo['idp']['x509cert']));
+
+        $this->assertEquals('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils::calculateX509Fingerprint(OneLogin_Saml2_Utils::formatCert($settingsInfo['idp']['x509cert'])));
+
         $this->assertEquals('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils::calculateX509Fingerprint($cert));
 
         $this->assertEquals('afe71c28ef740bc87425be13a2263d37971da1f9', OneLogin_Saml2_Utils::calculateX509Fingerprint($cert, 'sha1'));