lib/saml2/response.rb in saml2-2.2.8 vs lib/saml2/response.rb in saml2-2.2.9
- old
+ new
@@ -90,11 +90,12 @@
# Validate timestamps (signing certificate validity, issued at, etc.) as of
# this point in time.
def validate(service_provider:,
identity_provider:,
verification_time: Time.now.utc,
- allow_expired_certificate: false)
+ allow_expired_certificate: false,
+ verify_certificate: true)
raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
# validate the schema
super()
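Review bot: The new `verify_certificate:` keyword is not documented — the comment above `validate` still only mentions timestamps, yet a caller passing `false` is turning off a check on the signing certificate, which is the kind of option that should say what it skips and why the default is `true`. What exactly is skipped lives in `validate_signature`, outside this hunk, so the wording should be confirmed against it; a reasonable addition to the method comment is `# verify_certificate: when false, the signing certificate itself is not verified; keep the default (true) outside of tests or environments where the certificate is trusted by other means`. It is worth stating in that comment that the default preserves the 2.2.8 behavior for existing callers. The body of `validate` continues well past this hunk.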
@@ -123,11 +124,12 @@
end
if signed?
unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
cert: certificates,
- allow_expired_certificate: allow_expired_certificate)).empty?
+ allow_expired_certificate: allow_expired_certificate,
+ verify_certificate: verify_certificate)).empty?
return errors.concat(signature_errors)
end
response_signed = true
end
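Review bot: The four-keyword `validate_signature` call is now repeated verbatim three times — here and in the hunks at new-file lines 137 and 195 — so the next option threaded through will again need three identical edits, and a mismatch between the sites (one forgetting `verify_certificate:`) would silently leave one signature checked more loosely than the others. Build the options once where `idp` and `certificates` are in scope, `signature_options = { fingerprint: idp.fingerprints, cert: certificates, allow_expired_certificate: allow_expired_certificate, verify_certificate: verify_certificate }`, and call `validate_signature(**signature_options)` and `assertion.validate_signature(**signature_options)` at the three sites. The enclosing `validate` method starts and ends outside this hunk, so where `certificates` is assigned is not visible here.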
@@ -135,11 +137,12 @@
# this might be nil, if the assertion was encrypted
if assertion&.signed?
unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
cert: certificates,
- allow_expired_certificate: allow_expired_certificate)).empty?
+ allow_expired_certificate: allow_expired_certificate,
+ verify_certificate: verify_certificate)).empty?
return errors.concat(signature_errors)
end
assertion_signed = true
end
@@ -192,10 +195,11 @@
# if we didn't previously check the assertion's signature (because it was encrypted)
# check it now
if assertion.signed? && !assertion_signed
unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
cert: certificates,
- allow_expired_certificate: allow_expired_certificate)).empty?
+ allow_expired_certificate: allow_expired_certificate,
+ verify_certificate: verify_certificate)).empty?
return errors.concat(signature_errors)
end
assertion_signed = true
end