I am new to SSL certificates, so I am a little cautious about what I've done so far. I am creating an application that uses SSO to authenticate users, written in PHP 5.4. What I have: a certificate (.pfx) provided by the other party, and an encrypted SAML response in a POST variable.
The decrypted XML is almost the same as the SAML in: Why is the certificate within the Signature?
I need to verify that the response is from the verified provider. While googling around I have come to know that I need a .pem instead of a .pfx, so I have converted the .pfx file to .pem using ssl commands. I've used the code from http://www.php.net/manual/es/function.openssl-verify.php#62526. Here is my code.
```php
$encxml = $_POST['SAMLResponse'];
$xml = new SimpleXMLElement(base64_decode($encxml));
// SignatureValue is base64 text in the XML; openssl_verify needs the raw bytes.
$signature = base64_decode((string)$xml->Signature->SignatureValue);
var_dump($signature);
//do I need to do something with this X509Certificate value embedded in xml??
$cert = ((string)$xml->Signature->KeyInfo->X509Data->X509Certificate);
var_dump($cert);
//Or I need
$fp = fopen("xyz.pem", "r");
$priv_key = fread($fp, 8192);
fclose($fp);
print_r($priv_key);
// openssl_verify takes the signed data as a string, not a SimpleXMLElement.
$ok = openssl_verify($xml->asXML(), $signature, $priv_key);
```
So should I ignore the X509Certificate embedded in the XML, or do I need to check it as well? Will openssl_verify suffice, and am I on the right path? Any guidance will be appreciated.
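As an added example that is not part of the question or the linked manual comment, here is what a SAML signature check actually involves. A plain `openssl_verify` over the whole document will never succeed: an XML-DSig signature is computed over the canonicalized `SignedInfo` element, which in turn carries a digest of the signed element with the `Signature` removed. The code below does both steps with PHP's DOM and OpenSSL extensions (PHP 7 or later). It treats the certificate embedded in `KeyInfo` as untrusted input: verification uses the certificate obtained out of band, and an embedded certificate is only accepted if it is the same one. It assumes an enveloped signature that is a direct child of the `Response`, one `Reference` pointing at that `Response` (exclusive C14N), RSA with SHA-1 or SHA-256, and a placeholder file `trusted_idp.pem` holding the provider's signing certificate.

```php
<?php
// Added example, not part of the original question. Verifies an enveloped
// XML-DSig signature on a SAML Response (PHP 7+). Assumptions: Signature is a
// direct child of the Response, SignedInfo has one Reference to the Response,
// exclusive C14N, RSA-SHA1 or RSA-SHA256, and "trusted_idp.pem" is a
// placeholder path to the provider's signing certificate obtained out of band.

const DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

// Algorithm URIs from the XML-DSig / XML-Enc specs mapped to PHP names.
const DIGEST_ALGOS = [
    'http://www.w3.org/2000/09/xmldsig#sha1'  => 'sha1',
    'http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256',
];
const SIGNATURE_ALGOS = [
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => OPENSSL_ALGO_SHA1,
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256,
];

function base64Body(string $pem): string
{
    // Strip PEM armour and whitespace so two certificates compare byte for byte.
    return preg_replace('/-----[^-]+-----|\s+/', '', $pem);
}

function verifySamlResponseSignature(string $xml, string $trustedCertPem): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;
    // LIBXML_NONET keeps the parser from fetching external DTDs or entities.
    if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->documentElement === null) {
        return false;
    }
    $root = $doc->documentElement;
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DSIG_NS);

    // Accept exactly one Signature, and only where we expect it (root child).
    $sigNodes = $xp->query('/*/ds:Signature');
    if ($sigNodes->length !== 1) {
        return false;
    }
    $sig = $sigNodes->item(0);

    // 1. Never verify with the embedded certificate: it is part of the
    //    attacker-controllable message. Use the trusted one and, if a
    //    certificate is embedded, require it to be identical.
    $trusted = openssl_x509_read($trustedCertPem);
    if ($trusted === false || !openssl_x509_export($trusted, $trustedPemOut)) {
        return false;
    }
    $embedded = $xp->evaluate('string(ds:KeyInfo/ds:X509Data/ds:X509Certificate)', $sig);
    if ($embedded !== '' && base64Body($embedded) !== base64Body($trustedPemOut)) {
        return false;
    }

    // 2. Read the algorithms and the single Reference from SignedInfo.
    $refs = $xp->query('ds:SignedInfo/ds:Reference', $sig);
    if ($refs->length !== 1) {
        return false;
    }
    $ref = $refs->item(0);
    $digestAlgo = DIGEST_ALGOS[$xp->evaluate('string(ds:DigestMethod/@Algorithm)', $ref)] ?? null;
    $sigAlgo = SIGNATURE_ALGOS[$xp->evaluate('string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)', $sig)] ?? null;
    if ($digestAlgo === null || $sigAlgo === null) {
        return false;
    }
    // The Reference must point at the element we are about to hash; otherwise a
    // valid signature over some other element could be wrapped around this one.
    $uri = $ref->getAttribute('URI');
    if ($uri !== '' && $uri !== '#' . $root->getAttribute('ID')) {
        return false;
    }
    $expectedDigest = base64_decode($xp->evaluate('string(ds:DigestValue)', $ref), true);
    $signatureValue = base64_decode($xp->evaluate('string(ds:SignatureValue)', $sig), true);
    if ($expectedDigest === false || $signatureValue === false) {
        return false;
    }

    // 3. Canonicalize SignedInfo while the Signature is still attached.
    $canonSignedInfo = $xp->query('ds:SignedInfo', $sig)->item(0)->C14N(true, false);

    // 4. Enveloped-signature transform: drop the Signature, canonicalize the
    //    remainder, and compare its digest with DigestValue.
    $root->removeChild($sig);
    $actualDigest = hash($digestAlgo, $root->C14N(true, false), true);
    if (!hash_equals($expectedDigest, $actualDigest)) {
        return false;
    }

    // 5. Check SignatureValue over canonical SignedInfo using the PUBLIC key
    //    taken from the trusted certificate (a private key is never needed here).
    $pubKey = openssl_pkey_get_public($trusted);
    return $pubKey !== false
        && openssl_verify($canonSignedInfo, $signatureValue, $pubKey, $sigAlgo) === 1;
}

// Usage in the question's setting: SAMLResponse arrives base64-encoded in POST.
$xml = base64_decode($_POST['SAMLResponse'] ?? '', true);
$trustedPem = file_get_contents('trusted_idp.pem'); // placeholder path
if ($xml === false || !verifySamlResponseSignature($xml, $trustedPem)) {
    http_response_code(403);
    exit('SAML response signature invalid');
}
```

Two design points worth keeping even if you later switch to a library: the key used for verification is the public key of a certificate you already trust, never the private key from the .pfx and never the certificate that arrived inside the message; and the `Reference` URI is checked against the element whose digest is actually recomputed, so the signature cannot be transplanted onto different content. Real deployments also need to validate the `Transforms` list, the `Conditions`/timestamps and the audience of the assertion, which this example leaves out.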