Leave signature verification up to the implementation, just like we d…

…o on the other bindings

src/SAML2/HTTPRedirect.php

@@ -127,10 +127,8 @@ public function receive(ServerRequestInterface $request): AbstractMessage
 
  if (array_key_exists('SAMLRequest', $query)) {
  $message = $query['SAMLRequest'];
- $signedQuery = 'SAMLRequest=' . urlencode($query['SAMLRequest']);
  } elseif (array_key_exists('SAMLResponse', $query)) {
  $message = $query['SAMLResponse'];
- $signedQuery = 'SAMLResponse=' . urlencode($query['SAMLResponse']);
  } else {
  throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
  }
@@ -151,44 +149,11 @@ public function receive(ServerRequestInterface $request): AbstractMessage
 
  $document = DOMDocumentFactory::fromString($message);
  Utils::getContainer()->debugMessage($document->documentElement, 'in');
- $message = MessageFactory::fromXML($document->documentElement);
 
+ $msg = MessageFactory::fromXML($document->documentElement);
  if (array_key_exists('RelayState', $query)) {
- $message->setRelayState($query['RelayState']);
- $signedQuery .= '&RelayState=' . urlencode($query['RelayState']);
+ $msg->setRelayState($query['RelayState']);
  }
-
- if (!array_key_exists('Signature', $query)) {
- return $message;
- }
-
- /**
- * 3.4.5.2 - SAML Bindings
- *
- * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
- * message MUST contain the URL to which the sender has instructed the user agent to deliver the
- * message.
- */
- Assert::notNull($message->getDestination()); // Validation of the value must be done upstream
-
- if (!array_key_exists('SigAlg', $query)) {
- throw new Exception('Missing signature algorithm.');
- } else {
- $signedQuery .= '&SigAlg=' . urlencode($query['SigAlg']);
- }
-
- $container = ContainerSingleton::getInstance();
- $blacklist = $container->getBlacklistedEncryptionAlgorithms();
- $verifier = (new SignatureAlgorithmFactory($blacklist))->getAlgorithm(
- $query['SigAlg'],
- // TODO: Need to use the key from the metadata
- PEMCertificatesMock::getPublicKey(PEMCertificatesMock::SELFSIGNED_PUBLIC_KEY),
- );
-
- if ($verifier->verify($signedQuery, base64_decode($query['Signature'])) === false) {
- throw new SignatureVerificationFailedException('Failed to verify signature.');
- }
-
- return $message;
+ return $msg;
  }
 }

tests/SAML2/HTTPRedirectTest.php

@@ -234,25 +234,6 @@ public function testInvalidEncodingSpecified(): void
  }
 
 
- /**
- */
- public function testNoSigAlgSpecified(): void
- {
- $q = [
- 'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
- 'RelayState' => 'https://beta.surfnet.nl/simplesaml/module.php/core/authenticate.php?as=Braindrops',
- 'Signature' => 'b+qe/XGgICOrEL1v9dwuoy0RJtJ/GNAr7gJGYSJzLG0riPKwo7v5CH8GPC2P9IRikaeaNeQrnhBAaf8FCWrO0cLFw4qR6msK9bxRBGk+hIaTUYCh54ETrVCyGlmBneMgC5/iCRvtEW3ESPXCCqt8Ncu98yZmv9LIVyHSl67Se+fbB9sDw3/fzwYIHRMqK2aS8jnsnqlgnBGGOXqIqN3+d/2dwtCfz14s/9odoYzSUv32qfNPiPez6PSNqwhwH7dWE3TlO/jZmz0DnOeQ2ft6qdZEi5ZN5KCV6VmNKpkrLMq6DDPnuwPm/8oCAoT88R2jG7uf9QZB+ArWJKMEhDLsCA==',
- ];
- $request = new ServerRequest('GET', 'http://tnyholm.se');
- $request = $request->withQueryParams($q);
-
- $this->expectException(Exception::class);
- $this->expectExceptionMessage('Missing signature algorithm');
- $hr = new HTTPRedirect();
- $hr->receive($request);
- }
-
-
  /**
  * test handling of non-deflated data in samlrequest
  */