Explicitly deny signatures containing ds:Object elements (E91)

Author: tvdijen

src/XML/SignedElementTrait.php

@@ -6,6 +6,7 @@
 
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\SAML2\Compat\ContainerSingleton;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\XMLSecurity\Exception\ReferenceValidationFailedException;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
 use SimpleSAML\XMLSecurity\XML\SignedElementTrait as BaseSignedElementTrait;
@@ -46,6 +47,18 @@ protected function setSignature(Signature $signature): void
             ReferenceValidationFailedException::class,
         );
 
+        /**
+         * E91: Disallow <ds:Object> element in signatures
+         *
+         * The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.
+         */
+
+        Assert::isEmpty(
+            $signature->getObjects(),
+            ProtocolViolationException::class,
+            'The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.',
+        );
+
         $this->signature = $signature;
     }