Support multiple encrypted keys as required by i.e. saml:EncryptedElementType

tvdijen · tvdijen · commit cc8a7179e16a · 2025-06-29T11:18:23.000+02:00
diff --git a/src/XML/EncryptedElementInterface.php b/src/XML/EncryptedElementInterface.php
@@ -36,9 +36,9 @@ public function hasDecryptionKey(): bool;
     /**
      * Get the encrypted key used to encrypt the current element.
      *
-     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey
+     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
      */
-    public function getEncryptedKey(): EncryptedKey;
+    public function getEncryptedKey(): array;
 
     /**
      * Get the EncryptedData object.
diff --git a/src/XML/EncryptedElementTrait.php b/src/XML/EncryptedElementTrait.php
@@ -27,8 +27,8 @@
  */
 trait EncryptedElementTrait
 {
-    /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey|null */
-    protected ?EncryptedKey $encryptedKey = null;
+    /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[] */
+    protected array $encryptedKey = [];
 
 
     /**
@@ -46,7 +46,7 @@ public function __construct(
 
         foreach ($keyInfo->getInfo() as $info) {
             if ($info instanceof EncryptedKey) {
-                $this->encryptedKey = $info;
+                $this->encryptedKey[] = $info;
                 break;
             }
         }
@@ -60,16 +60,16 @@ public function __construct(
      */
     public function hasDecryptionKey(): bool
     {
-        return $this->encryptedKey !== null;
+        return !empty($this->encryptedKey);
     }
 
 
     /**
      * Get the encrypted key used to encrypt the current element.
      *
-     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey
+     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
      */
-    public function getEncryptedKey(): EncryptedKey
+    public function getEncryptedKey(): array
     {
         return $this->encryptedKey;
     }
@@ -120,7 +120,7 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
 
         if (in_array($decryptor->getAlgorithmId(), C::$KEY_TRANSPORT_ALGORITHMS)) {
             // the decryptor uses a key transport algorithm, check if we have a session key
-            if ($this->hasDecryptionKey() === null) {
+            if (!$this->hasDecryptionKey()) {
                 throw new RuntimeException('Cannot use a key transport algorithm to decrypt an object.');
             }
 
@@ -129,7 +129,9 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
             }
 
             $encryptedKey = $this->getEncryptedKey();
-            $decryptionKey = $encryptedKey->decrypt($decryptor);
+            Assert::count($encryptedKey, 1, RuntimeException::class);
+
+            $decryptionKey = $encryptedKey[0]->decrypt($decryptor);
 
             $factory = new EncryptionAlgorithmFactory(
                 $this->getBlacklistedAlgorithms() ?? EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,8 @@`
`27`	`27`	`*/`
`28`	`28`	`trait EncryptedElementTrait`
`29`	`29`	`{`
`30`		`- /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey\|null */`
`31`		`- protected ?EncryptedKey $encryptedKey = null;`
	`30`	`+ /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[] */`
	`31`	`+ protected array $encryptedKey = [];`
`32`	`32`
`33`	`33`
`34`	`34`	`/**`
`@@ -46,7 +46,7 @@ public function __construct(`
`46`	`46`
`47`	`47`	`foreach ($keyInfo->getInfo() as $info) {`
`48`	`48`	`if ($info instanceof EncryptedKey) {`
`49`		`- $this->encryptedKey = $info;`
	`49`	`+ $this->encryptedKey[] = $info;`
`50`	`50`	`break;`
`51`	`51`	`}`
`52`	`52`	`}`
`@@ -60,16 +60,16 @@ public function __construct(`
`60`	`60`	`*/`
`61`	`61`	`public function hasDecryptionKey(): bool`
`62`	`62`	`{`
`63`		`- return $this->encryptedKey !== null;`
	`63`	`+ return !empty($this->encryptedKey);`
`64`	`64`	`}`
`65`	`65`
`66`	`66`
`67`	`67`	`/**`
`68`	`68`	`* Get the encrypted key used to encrypt the current element.`
`69`	`69`	`*`
`70`		`- * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey`
	`70`	`+ * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]`
`71`	`71`	`*/`
`72`		`- public function getEncryptedKey(): EncryptedKey`
	`72`	`+ public function getEncryptedKey(): array`
`73`	`73`	`{`
`74`	`74`	`return $this->encryptedKey;`
`75`	`75`	`}`
`@@ -120,7 +120,7 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string`
`120`	`120`
`121`	`121`	`if (in_array($decryptor->getAlgorithmId(), C::$KEY_TRANSPORT_ALGORITHMS)) {`
`122`	`122`	`// the decryptor uses a key transport algorithm, check if we have a session key`
`123`		`- if ($this->hasDecryptionKey() === null) {`
	`123`	`+ if (!$this->hasDecryptionKey()) {`
`124`	`124`	`throw new RuntimeException('Cannot use a key transport algorithm to decrypt an object.');`
`125`	`125`	`}`
`126`	`126`
`@@ -129,7 +129,9 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`$encryptedKey = $this->getEncryptedKey();`
`132`		`- $decryptionKey = $encryptedKey->decrypt($decryptor);`
	`132`	`+ Assert::count($encryptedKey, 1, RuntimeException::class);`
	`133`	`+`
	`134`	`+ $decryptionKey = $encryptedKey[0]->decrypt($decryptor);`
`133`	`135`
`134`	`136`	`$factory = new EncryptionAlgorithmFactory(`
`135`	`137`	`$this->getBlacklistedAlgorithms() ?? EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,`