|
8 | 8 | use DOMElement; |
9 | 9 | use DOMNode; |
10 | 10 | use DOMXPath; |
| 11 | +use Exception; |
11 | 12 | use RobRichards\XMLSecLibs\XMLSecEnc; |
12 | 13 | use RobRichards\XMLSecLibs\XMLSecurityDSig; |
13 | 14 | use RobRichards\XMLSecLibs\XMLSecurityKey; |
@@ -70,6 +71,35 @@ public static function validateElement(DOMElement $root) |
70 | 71 | $signatureElement = $signatureElement[0]; |
71 | 72 | $objXMLSecDSig->sigNode = $signatureElement; |
72 | 73 |
|
| 74 | + /** Locate the XMLDSig Transform elements */ |
| 75 | + /** @var \DOMElement[] $transformElement */ |
| 76 | + $transformElement = self::xpQuery($signatureElement, './ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform'); |
| 77 | + if (count($transformElement) > 2) { |
| 78 | + throw new Exception('XMLSec: more than two transform-operations in ds:Reference.'); |
| 79 | + } |
| 80 | + |
| 81 | + if (count($transformElement) > 0) { |
| 82 | + /** Check the algorithms in the Transform-elements */ |
| 83 | + /** @var \DOMElement[] $algorithms */ |
| 84 | + $algorithms = self::xpQuery( |
| 85 | + $signatureElement, |
| 86 | + sprintf( |
| 87 | + "./ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[" |
| 88 | + . "not(@Algorithm='%s') and not(@Algorithm='%s') and not(@Algorithm='%s')]", |
| 89 | + XMLSecurityDSig::EXC_C14N, |
| 90 | + XMLSecurityDSig::EXC_C14N_COMMENTS, |
| 91 | + 'http://www.w3.org/2000/09/xmldsig#enveloped-signature' |
| 92 | + ) |
| 93 | + ); |
| 94 | + |
| 95 | + if (count($algorithms) > 0) { |
| 96 | + throw new Exception( |
| 97 | + 'XMLSec: Signatures in SAML messages SHOULD NOT contain transforms other than the ' |
| 98 | + . 'enveloped signature transform or the exclusive canonicalization transforms.' |
| 99 | + ); |
| 100 | + } |
| 101 | + } |
| 102 | + |
73 | 103 | /* Canonicalize the XMLDSig SignedInfo element in the message. */ |
74 | 104 | $objXMLSecDSig->canonicalizeSignedInfo(); |
75 | 105 |
|
|
0 commit comments