Skip to content

Commit

Permalink
EntityDescriptor: allow multiple certificates in IDPSSODescriptor
Browse files Browse the repository at this point in the history
  • Loading branch information
fumieval committed Jul 17, 2024
1 parent e837904 commit 3cd2924
Show file tree
Hide file tree
Showing 4 changed files with 221 additions and 197 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Changelog for `wai-saml2`

## 0.7

- Replaced `x509Certificate` to `x509Certificates` in `IDPSSODescriptor` so that it may have more than one certificate ([#65](https://github.com/mbg/wai-saml2/pull/65) by [@fumieval](https://github.com/fumieval))

## 0.6

- Switch from `x509-*` to `crypton-x509-*` ([#50](https://github.com/mbg/wai-saml2/pull/50) by [@mbg](https://github.com/mbg)).
Expand Down
26 changes: 14 additions & 12 deletions src/Network/Wai/SAML2/EntityDescriptor.hs
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@ data IDPSSODescriptor
= IDPSSODescriptor {
-- | IdP Entity ID. 'Network.Wai.SAML2.Config.saml2ExpectedIssuer' should be compared against this identifier
entityID :: Text
-- | The X.509 certificate for signed assertions
, x509Certificate :: X509.SignedExact X509.Certificate
-- | The X.509 certificate for signed assertions -- @since 0.7
, x509Certificates :: [X509.SignedExact X509.Certificate]
-- | Supported NameID formats
, nameIDFormats :: [Text]
-- | List of SSO urls corresponding to 'Binding's
Expand Down Expand Up @@ -66,16 +66,18 @@ instance FromXML IDPSSODescriptor where
let entityID = T.concat $ attribute "entityID" cursor
descriptor <- oneOrFail "IDPSSODescriptor is required"
$ cursor $/ element (mdName "IDPSSODescriptor")
rawCertificate <- oneOrFail "X509Certificate is required" $ descriptor
$/ element (mdName "KeyDescriptor")
&/ element (dsName "KeyInfo")
&/ element (dsName "X509Data")
&/ element (dsName "X509Certificate")
&/ content
x509Certificate <- either fail pure
$ X509.decodeSignedObject
$ Base64.decodeLenient
$ T.encodeUtf8 rawCertificate
let rawCertificates = descriptor
$/ element (mdName "KeyDescriptor")
&/ element (dsName "KeyInfo")
&/ element (dsName "X509Data")
&/ element (dsName "X509Certificate")
&/ content
x509Certificates <- traverse
( either fail pure
. X509.decodeSignedObject
. Base64.decodeLenient
. T.encodeUtf8
) rawCertificates
let nameIDFormats = descriptor
$/ element (mdName "NameIDFormat")
&/ content
Expand Down
Loading

0 comments on commit 3cd2924

Please sign in to comment.