99use Nyholm \Psr7 \Response ;
1010use Psr \Http \Message \ResponseInterface ;
1111use Psr \Http \Message \ServerRequestInterface ;
12- use RobRichards \XMLSecLibs \XMLSecurityKey ;
1312use SimpleSAML \Configuration ;
1413use SimpleSAML \Metadata \MetaDataStorageHandler ;
1514use SimpleSAML \Module \saml \Message as MSG ;
1615use SimpleSAML \SAML2 \Assert \Assert ;
1716use SimpleSAML \SAML2 \Binding ;
17+ use SimpleSAML \SAML2 \Compat \ContainerSingleton ;
1818use SimpleSAML \SAML2 \SOAPClient ;
1919use SimpleSAML \SAML2 \Utils ;
2020use SimpleSAML \SAML2 \XML \saml \Issuer ;
2424use SimpleSAML \SAML2 \XML \samlp \ArtifactResponse ;
2525use SimpleSAML \Store \StoreFactory ;
2626use SimpleSAML \Utils \HTTP ;
27+ use SimpleSAML \XMLSecurity \Alg \Signature \SignatureAlgorithmFactory ;
28+ use SimpleSAML \XMLSecurity \TestUtils \PEMCertificatesMock ;
2729
2830use function array_key_exists ;
2931use function base64_decode ;
@@ -173,8 +175,10 @@ public function receive(ServerRequestInterface $request): AbstractMessage
173175 $ soap = new SOAPClient ();
174176
175177 // Send message through SoapClient
176- /** @var \SimpleSAML\SAML2\XML\samlp\ArtifactResponse $artifactResponse */
177178 $ artifactResponse = $ soap ->send ($ ar , $ this ->spMetadata , $ idpMetadata );
179+ if (!($ artifactResponse instanceof ArtifactResponse)) {
180+ throw new Exception ('Invalid message received in response to our ArtifactResolve. ' );
181+ }
178182
179183 if (!$ artifactResponse ->isSuccess ()) {
180184 throw new Exception ('Received error from ArtifactResolutionService. ' );
@@ -183,18 +187,27 @@ public function receive(ServerRequestInterface $request): AbstractMessage
183187 $ samlResponse = $ artifactResponse ->getMessage ();
184188 if ($ samlResponse === null ) {
185189 /* Empty ArtifactResponse - possibly because of Artifact replay? */
186-
187190 throw new Exception ('Empty ArtifactResponse received, maybe a replay? ' );
188191 }
189192
190- $ samlResponse ->addValidator ([get_class ($ this ), 'validateSignature ' ], $ artifactResponse );
191-
192193 $ query = $ request ->getQueryParams ();
193194 if (isset ($ query ['RelayState ' ])) {
194195 $ this ->setRelayState ($ query ['RelayState ' ]);
195196 }
196197
197- return $ samlResponse ;
198+ if (!$ samlResponse ->isSigned ()) {
199+ return $ samlResponse ;
200+ }
201+
202+ $ container = ContainerSingleton::getInstance ();
203+ $ blacklist = $ container ->getBlacklistedEncryptionAlgorithms ();
204+ $ verifier = (new SignatureAlgorithmFactory ($ blacklist ))->getAlgorithm (
205+ $ samlResponse ->getSignature ()->getSignedInfo ()->getSignatureMethod ()->getAlgorithm (),
206+ // TODO: Need to use the key from the metadata
207+ PEMCertificatesMock::getPublicKey (PEMCertificatesMock::SELFSIGNED_PUBLIC_KEY ),
208+ );
209+
210+ return $ samlResponse ->verify ($ verifier );
198211 }
199212
200213
@@ -205,17 +218,4 @@ public function setSPMetadata(Configuration $sp): void
205218 {
206219 $ this ->spMetadata = $ sp ;
207220 }
208-
209-
210- /**
211- * A validator which returns true if the ArtifactResponse was signed with the given key
212- *
213- * @param \SimpleSAML\SAML2\XML\samlp\ArtifactResponse $message
214- * @param \RobRichards\XMLSecLibs\XMLSecurityKey $key
215- */
216- public static function validateSignature (ArtifactResponse $ message , XMLSecurityKey $ key ): bool
217- {
218- // @todo verify if this works and/or needs to do anything more. Ref. HTTPRedirect binding
219- return $ message ->validate ($ key );
220- }
221221}
0 commit comments