@@ -71,6 +71,35 @@ public static function validateElement(DOMElement $root)
7171 $ signatureElement = $ signatureElement [0 ];
7272 $ objXMLSecDSig ->sigNode = $ signatureElement ;
7373
74+ /** Locate the XMLDSig Transform elements */
75+ /** @var \DOMElement[] $transformElement */
76+ $ transformElement = self ::xpQuery ($ signatureElement , './ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform ' );
77+ if (count ($ transformElement ) > 2 ) {
78+ throw new Exception ('XMLSec: more than two transform-operations in ds:Reference. ' );
79+ }
80+
81+ if (count ($ transformElement ) > 0 ) {
82+ /** Check the algorithms in the Transform-elements */
83+ /** @var \DOMElement[] $algorithms */
84+ $ algorithms = self ::xpQuery (
85+ $ signatureElement ,
86+ sprintf (
87+ "./ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[ "
88+ . "not(@Algorithm='%s') and not(@Algorithm='%s') and not(@Algorithm='%s')] " ,
89+ XMLSecurityDSig::EXC_C14N ,
90+ XMLSecurityDSig::EXC_C14N_COMMENTS ,
91+ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature ' ,
92+ ),
93+ );
94+
95+ if (count ($ algorithms ) > 0 ) {
96+ throw new Exception (
97+ 'XMLSec: Signatures in SAML messages SHOULD NOT contain transforms other than the '
98+ . 'enveloped signature transform or the exclusive canonicalization transforms. ' ,
99+ );
100+ }
101+ }
102+
74103 /* Canonicalize the XMLDSig SignedInfo element in the message. */
75104 $ objXMLSecDSig ->canonicalizeSignedInfo ();
76105
0 commit comments