Fixes to reflect upstream changes in xml-security

tvdijen · tvdijen · commit c61e284e99b3 · 2026-03-13T16:55:31.000+01:00
diff --git a/src/XML/CanonicalizableElementTrait.php b/src/XML/CanonicalizableElementTrait.php
@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\XMLSecurity\XML;
+
+use DOMElement;
+use SimpleSAML\XMLSecurity\Assert\Assert;
+use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\Exception\CanonicalizationFailedException;
+use SimpleSAML\XMLSecurity\XML\CanonicalizableElementTrait as BaseCanonicalizableElementTrait;
+use SimpleSAML\XMLSecurity\XML\ds\Transforms;
+
+/**
+ * A trait implementing the CanonicalizableElementInterface.
+ *
+ * @package simplesamlphp/xml-security
+ */
+trait CanonicalizableElementTrait
+{
+    use BaseCanonicalizableElementTrait;
+
+
+    /**
+     * Process all transforms specified by a given Reference element.
+     *
+     * @param \SimpleSAML\XMLSecurity\XML\ds\Transforms $transforms The transforms to apply.
+     * @param \DOMElement $data The data referenced.
+     *
+     * @return string The canonicalized data after applying all transforms specified by $ref.
+     *
+     * @see http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
+     */
+    #[Override]
+    public function processTransforms(
+        Transforms $transforms,
+        DOMElement $data,
+    ): string {
+        Assert::maxCount(
+            $transforms->getTransform(),
+            C::MAX_TRANSFORMS,
+            ReferenceValidationFailedException::class,
+            'Too many transforms.',
+        );
+
+        $canonicalMethod = C::C14N_EXCLUSIVE_WITHOUT_COMMENTS;
+        $arXPath = null;
+        $prefixList = null;
+
+        foreach ($transforms->getTransform() as $transform) {
+            $canonicalMethod = $transform->getAlgorithm()->getValue();
+            switch ($canonicalMethod) {
+                case C::C14N_EXCLUSIVE_WITHOUT_COMMENTS:
+                case C::C14N_EXCLUSIVE_WITH_COMMENTS:
+                    $inclusiveNamespaces = $transform->getInclusiveNamespaces();
+                    if ($inclusiveNamespaces !== null) {
+                        $prefixes = $inclusiveNamespaces->getPrefixes();
+                        if ($prefixes !== null) {
+                            $prefixList = array_map('strval', $prefixes->toArray());
+                        }
+                    }
+                    break;
+                default:
+                    throw new CanonicalizationFailedException(
+                        'Message rejected due to unsupported canonicalization transform.',
+                    );
+            }
+        }
+
+        return $this->canonicalizeData($data, $canonicalMethod, $arXPath, $prefixList);
+    }
+}
diff --git a/src/XML/SignableElementTrait.php b/src/XML/SignableElementTrait.php
@@ -14,7 +14,6 @@
 use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\Exception\RuntimeException;
 use SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException;
-use SimpleSAML\XMLSecurity\Utils\XML;
 use SimpleSAML\XMLSecurity\XML\ds\CanonicalizationMethod;
 use SimpleSAML\XMLSecurity\XML\ds\KeyInfo;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
@@ -109,7 +108,7 @@ protected function doSign(DOMElement $xml): DOMElement
             new Transform(AnyURIValue::fromString($this->c14nAlg)),
         ]);
 
-        $canonicalDocument = XML::processTransforms($transforms, $xml);
+        $canonicalDocument = $this->processTransforms($transforms, $xml);
 
         $signedInfo = new SignedInfo(
             new CanonicalizationMethod(AnyURIValue::fromString($this->c14nAlg)),
diff --git a/tests/Vulnerabilities/XmlSignatureWrappingTest.php b/tests/Vulnerabilities/XmlSignatureWrappingTest.php
@@ -11,7 +11,7 @@
 use SimpleSAML\SAML2\Signature\Validator;
 use SimpleSAML\SAML2\XML\saml\Assertion;
 use SimpleSAML\XML\DOMDocumentFactory;
-use SimpleSAML\XMLSecurity\Exception\ReferenceValidationFailedException;
+use SimpleSAML\XMLSecurity\Exception\SignatureVerificationFailedException;
 use SimpleSAML\XMLSecurity\TestUtils\PEMCertificatesMock;
 
 /**
@@ -43,8 +43,8 @@ public static function setUpBeforeClass(): void
      */
     public function testThatASignatureReferencingAnEmbeddedAssertionIsNotValid(): void
     {
-        $this->expectException(ReferenceValidationFailedException::class);
-        $this->expectExceptionMessage('Reference does not point to given element.');
+        $this->expectException(SignatureVerificationFailedException::class);
+        $this->expectExceptionMessage('Failed to verify signature.');
 
         $assertion = $this->getSignedAssertionWithEmbeddedAssertionReferencedInSignature();
         self::$signatureValidator->hasValidSignature($assertion, self::$identityProviderConfiguration);
@@ -55,8 +55,8 @@ public function testThatASignatureReferencingAnEmbeddedAssertionIsNotValid(): vo
      */
     public function testThatASignatureReferencingAnotherAssertionIsNotValid(): void
     {
-        $this->expectException(ReferenceValidationFailedException::class);
-        $this->expectExceptionMessage('Reference does not point to given element.');
+        $this->expectException(SignatureVerificationFailedException::class);
+        $this->expectExceptionMessage('Failed to verify signature.');
 
         $assertion = $this->getSignedAssertionWithSignatureThatReferencesAnotherAssertion();
         self::$signatureValidator->hasValidSignature($assertion, self::$identityProviderConfiguration);
