Add saml11-custom version of the CanonicalizableElementTrait to deny any transforms we don't know

Author: tvdijen

src/SAML11/XML/CanonicalizableElementTrait.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML11\XML;
+
+use DOMElement;
+use SimpleSAML\SAML11\Assert\Assert;
+use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\Exception\CanonicalizationFailedException;
+use SimpleSAML\XMLSecurity\Exception\ReferenceValidationFailedException;
+use SimpleSAML\XMLSecurity\XML\CanonicalizableElementTrait as BaseCanonicalizableElementTrait;
+use SimpleSAML\XMLSecurity\XML\ds\Transforms;
+
+/**
+ * A trait implementing the CanonicalizableElementInterface.
+ *
+ * @package simplesamlphp/saml11
+ */
+trait CanonicalizableElementTrait
+{
+    use BaseCanonicalizableElementTrait;
+
+
+    /**
+     * Process all transforms specified by a given Reference element.
+     *
+     * @param \SimpleSAML\XMLSecurity\XML\ds\Transforms $transforms The transforms to apply.
+     * @param \DOMElement $data The data referenced.
+     *
+     * @return string The canonicalized data after applying all transforms specified by $ref.
+     *
+     * @see http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
+     */
+    public function processTransforms(
+        Transforms $transforms,
+        DOMElement $data,
+    ): string {
+        Assert::maxCount(
+            $transforms->getTransform(),
+            C::MAX_TRANSFORMS,
+            ReferenceValidationFailedException::class,
+            'Too many transforms.',
+        );
+
+        $canonicalMethod = C::C14N_EXCLUSIVE_WITHOUT_COMMENTS;
+        $arXPath = null;
+        $prefixList = null;
+
+        foreach ($transforms->getTransform() as $transform) {
+            $canonicalMethod = $transform->getAlgorithm()->getValue();
+            switch ($canonicalMethod) {
+                case C::XMLDSIG_ENVELOPED:
+                    break;
+                case C::C14N_EXCLUSIVE_WITHOUT_COMMENTS:
+                case C::C14N_EXCLUSIVE_WITH_COMMENTS:
+                    $inclusiveNamespaces = $transform->getInclusiveNamespaces();
+                    if ($inclusiveNamespaces !== null) {
+                        $prefixes = $inclusiveNamespaces->getPrefixes();
+                        if ($prefixes !== null) {
+                            $prefixList = array_map('strval', $prefixes->toArray());
+                        }
+                    }
+                    break;
+                default:
+                    throw new CanonicalizationFailedException(sprintf(
+                        'Message rejected due to unsupported canonicalization transform; %s',
+                        $canonicalMethod,
+                    ));
+            }
+        }
+
+        return $this->canonicalizeData($data, $canonicalMethod, $arXPath, $prefixList);
+    }
+}

src/SAML11/XML/SignableElementTrait.php

@@ -14,7 +14,6 @@
 use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\Exception\RuntimeException;
 use SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException;
-use SimpleSAML\XMLSecurity\Utils\XML;
 use SimpleSAML\XMLSecurity\XML\ds\CanonicalizationMethod;
 use SimpleSAML\XMLSecurity\XML\ds\KeyInfo;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
@@ -110,7 +109,7 @@ protected function doSign(DOMElement $xml): DOMElement
             ),
         ]);
 
-        $canonicalDocument = XML::processTransforms($transforms, $xml);
+        $canonicalDocument = $this->processTransforms($transforms, $xml);
 
         $signedInfo = new SignedInfo(
             new CanonicalizationMethod(

src/SAML11/XML/saml/AbstractAssertionType.php

@@ -12,12 +12,14 @@
 use SimpleSAML\SAML11\Type\SAMLDateTimeValue;
 use SimpleSAML\SAML11\Type\SAMLStringValue;
 use SimpleSAML\SAML11\Utils\XPath;
+use SimpleSAML\SAML11\XML\CanonicalizableElementTrait;
 use SimpleSAML\XMLSchema\Exception\InvalidDOMElementException;
 use SimpleSAML\XMLSchema\Exception\MissingElementException;
 use SimpleSAML\XMLSchema\Exception\SchemaViolationException;
 use SimpleSAML\XMLSchema\Exception\TooManyElementsException;
 use SimpleSAML\XMLSchema\Type\IDValue;
 use SimpleSAML\XMLSchema\Type\NonNegativeIntegerValue;
+use SimpleSAML\XMLSecurity\XML\CanonicalizableElementInterface;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
 use SimpleSAML\XMLSecurity\XML\SignableElementInterface;
 use SimpleSAML\XMLSecurity\XML\SignableElementTrait;
@@ -36,9 +38,11 @@
  * @package simplesamlphp/saml11
  */
 abstract class AbstractAssertionType extends AbstractSamlElement implements
+    CanonicalizableElementInterface,
     SignableElementInterface,
     SignedElementInterface
 {
+    use CanonicalizableElementTrait;
     use SignableElementTrait;
     use SignedElementTrait;
 

src/SAML11/XML/samlp/AbstractMessage.php

@@ -6,9 +6,11 @@
 
 use DOMElement;
 use SimpleSAML\SAML11\Type\SAMLDateTimeValue;
+use SimpleSAML\SAML11\XML\CanonicalizableElementTrait;
 use SimpleSAML\SAML11\XML\SignableElementTrait;
 use SimpleSAML\SAML11\XML\SignedElementTrait;
 use SimpleSAML\XMLSchema\Type\NonNegativeIntegerValue;
+use SimpleSAML\XMLSecurity\XML\CanonicalizableElementInterface;
 use SimpleSAML\XMLSecurity\XML\SignableElementInterface;
 use SimpleSAML\XMLSecurity\XML\SignedElementInterface;
 
@@ -22,8 +24,12 @@
  *
  * @package simplesamlphp/saml11
  */
-abstract class AbstractMessage extends AbstractSamlpElement implements SignableElementInterface, SignedElementInterface
+abstract class AbstractMessage extends AbstractSamlpElement implements
+    CanonicalizableElementInterface,
+    SignableElementInterface,
+    SignedElementInterface
 {
+    use CanonicalizableElementTrait;
     use SignableElementTrait;
     use SignedElementTrait {
         SignedElementTrait::getBlacklistedAlgorithms insteadof SignableElementTrait;