Verify signed info first before using it

Thanks @ahacker1-securesaml for reporting this

Author: tvdijen

src/XML/SignedElementTrait.php

@@ -201,17 +201,20 @@ private function verifyInternal(SignatureAlgorithmInterface $verifier): SignedEl
 
         // the canonicalized ds:SignedInfo element (plaintext)
         $c14nSignedInfo = $signedInfo->canonicalize($c14nAlg->getValue());
-        $ref = $this->validateReference(
-            SignedInfo::fromXML(DOMDocumentFactory::fromString($c14nSignedInfo)->documentElement),
-        );
 
+        // verify the c14n signed info has correct signature
         if (
             $verifier?->verify(
                 $c14nSignedInfo, // the canonicalized ds:SignedInfo element (plaintext)
                 // the actual signature
                 base64_decode(strval($this->getSignature()->getSignatureValue()->getValue()), true),
             )
         ) {
+            // uses the trusted c14nsignedinfo and only the c14nsignedinfo to validate references
+            $ref = $this->validateReference(
+                SignedInfo::fromXML(DOMDocumentFactory::fromString($c14nSignedInfo)->documentElement),
+            );
+
             /*
              * validateReference() returns an object of the same class using this trait. This means the validatingKey
              * property is available, and we can set it on the newly created object because we are in the same class,
@@ -220,6 +223,7 @@ private function verifyInternal(SignatureAlgorithmInterface $verifier): SignedEl
             $ref->validatingKey = $verifier->getKey();
             return $ref;
         }
+
         throw new SignatureVerificationFailedException('Failed to verify signature.');
     }