- // Check payload freshness.
- time_t now = time(NULL);
- if ((res ? res->getIssueInstant() : req->getIssueInstant())->getEpoch() < now-(2*XMLToolingConfig::getConfig().clock_skew_secs))
- throw BindingException("Detected expired ArtifactResponse payload.");
-
- // Check replay.
- if (replayCache) {
- auto_ptr_char mid(res ? res->getID() : req->getID());
- if (!replayCache->check("SAML2ArtifactPayload", mid.get(), now + (2*XMLToolingConfig::getConfig().clock_skew_secs))) {
- log.error("replay detected of ArtifactResponse payload message ID (%s)", mid.get());
- throw BindingException("Rejecting replayed ArtifactResponse payload ($1).", params(1,mid.get()));
- }
- }
-
- // Check signatures.
- if (trustEngine) {
- if (response->getSignature()) {
- if (!trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver())) {
- log.error("unable to verify signature on ArtifactResponse message with supplied trust engine");
- throw BindingException("Message signature failed verification.");
- }
- else if (!securityMech) {
- securityMech = samlconstants::SAML20P_NS;
- }
- }
- Signature* sig = (res ? res->getSignature() : req->getSignature());
- if (sig) {
- if (!trustEngine->validate(*sig, *issuer, metadataProvider->getKeyResolver())) {
- log.error("unable to verify signature on ArtifactResponse payload with supplied trust engine");
- throw BindingException("Message signature failed verification.");
- }
- else if (!securityMech) {
- securityMech = samlconstants::SAML20P_NS;
- }
- }
- }
-
- if (!securityMech) {
- log.warn("unable to authenticate ArtifactResponse message or payload, leaving untrusted");
- }
-
- // Return the payload only.
- response.release();
- payload->detach();
- return payload;
- }
- catch (XMLToolingException& ex) {
- annotateException(&ex,issuer,false);
- throw;
- }
-}
-
-bool SAML2ArtifactDecoder::issuerMatches(const Issuer* messageIssuer, const XMLCh* expectedIssuer) const
-{
- if (messageIssuer && messageIssuer->getName()) {
- if (messageIssuer->getFormat() && !XMLString::equals(messageIssuer->getFormat(), NameIDType::ENTITY))
- return false;
- else if (!XMLString::equals(expectedIssuer, messageIssuer->getName()))
- return false;