Pull request from mdriessen

Include InclusiveNamespaces specified in CanonicalizationMethod when canonicalizing SignedInfo ass/xmlsecurity: aschamberger#23 robrichards/xmlseclibs: robrichards/xmlseclibs#178
evperedadiaz · Mar 19, 2020 · 907ae60 · 907ae60
1 parent c897651
commit 907ae60
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/src/ass/XmlSecurity/DSig.php b/src/ass/XmlSecurity/DSig.php
@@ -784,18 +784,25 @@ public static function verifyDocumentSignature(DOMElement $signature, Key $keyFo
         if (!is_null($signedInfo)) {
             $canonicalizationMethod = $signedInfo->getElementsByTagNameNS(self::NS_XMLDSIG, 'CanonicalizationMethod')->item(0);
             if (!is_null($canonicalizationMethod)) {
-                $canonicalizationAlgorithm = $canonicalizationMethod->getAttribute('Algorithm');
                 $signatureValue = $signature->getElementsByTagNameNS(self::NS_XMLDSIG, 'SignatureValue')->item(0);
                 if (!is_null($signatureValue)) {
-                    $canonicalizedData = self::canonicalizeData($signedInfo, $canonicalizationAlgorithm);					
-					$decodedSignatureValueFromSoapMessage = base64_decode($signatureValue->textContent);
-					try {
-						return $keyForSignature->verifySignature($canonicalizedData, $decodedSignatureValueFromSoapMessage);
-					} catch (InvalidSignatureException $e) {
-						return false;
-					} catch (SignatureErrorException $e) {
-						return false;
-					}
+                    $nsPrefixes = null;
+                    $canonicalizationAlgorithm = $canonicalizationMethod->getAttribute('Algorithm');
+                    $inclusiveNamespaces = $canonicalizationMethod->getElementsByTagNameNS(self::EXC_C14N, 'InclusiveNamespaces')->item(0);
+                    if (!is_null($inclusiveNamespaces)) {
+                        $prefixList = $inclusiveNamespaces->getAttribute('PrefixList');
+                        $nsPrefixes = explode(' ', $prefixList);
+                    }
+
+                    $canonicalizedData = self::canonicalizeData($signedInfo, $canonicalizationAlgorithm, null, $nsPrefixes);
+                    $decodedSignatureValueFromSoapMessage = base64_decode($signatureValue->textContent);
+                    try {
+                        return $keyForSignature->verifySignature($canonicalizedData, $decodedSignatureValueFromSoapMessage);
+                    } catch (InvalidSignatureException $e) {
+                        return false;
+                    } catch (SignatureErrorException $e) {
+                        return false;
+                    }
                 }
             }
         }