Explicitly deny signatures containing ds:Object elements (E91)

tvdijen · tvdijen · commit 9bc631b767fb · 2025-06-29T10:14:15.000+02:00
diff --git a/src/XML/SignedElementTrait.php b/src/XML/SignedElementTrait.php
@@ -46,6 +46,18 @@ protected function setSignature(Signature $signature): void
             ReferenceValidationFailedException::class,
         );
 
+        /**
+         * E91: Disallow <ds:Object> element in signatures
+         *
+         * The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.
+         */
+
+        Assert::isEmpty(
+            $signature->getObjects(),
+            ProtocolViolationException::class,
+            'The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.',
+        );
+
         $this->signature = $signature;
     }
 
