Add verification for artifact responses on an attribute ID

waterkip · waterkip · commit 4d73198da21f · 2023-06-27T22:36:06.000-04:00
Be able to do something similar to

    xmlsec1 --verify --id-attr:ID \
        urn:oasis:names:tc:SAML:2.0:protocol:ArtifactResolve \
        --pubkey-cert-pem t/rsa.cert.pem \
        t/signed/saml_request-xmlsec1-rsa-signed.xml

Signed-off-by: Wesley Schwengle &lt;waterkip@cpan.org&gt;
diff --git a/Makefile.PL b/Makefile.PL
@@ -53,7 +53,7 @@ my %WriteMakefileArgs = (
     "XML::Generator" => "1.13",
     "XML::LibXML" => 0,
     "XML::LibXML::XPathContext" => 0,
-    "XML::Sig" => "0.52",
+    "XML::Sig" => "0.64",
     "XML::Writer" => "0.625",
     "base" => 0,
     "namespace::autoclean" => 0,
@@ -135,7 +135,7 @@ my %FallbackPrereqs = (
   "XML::Generator" => "1.13",
   "XML::LibXML" => 0,
   "XML::LibXML::XPathContext" => 0,
-  "XML::Sig" => "0.52",
+  "XML::Sig" => "0.64",
   "XML::Writer" => "0.625",
   "base" => 0,
   "namespace::autoclean" => 0,
diff --git a/cpanfile b/cpanfile
@@ -37,7 +37,7 @@ requires "XML::Enc" => "0.05";
 requires "XML::Generator" => "1.13";
 requires "XML::LibXML" => "0";
 requires "XML::LibXML::XPathContext" => "0";
-requires "XML::Sig" => "0.52";
+requires "XML::Sig" => "0.64";
 requires "XML::Writer" => "0.625";
 requires "base" => "0";
 requires "namespace::autoclean" => "0";
diff --git a/dist.ini b/dist.ini
@@ -49,7 +49,7 @@ skip = Saml2Test
 
 [Prereqs / RuntimeRequires]
 XML::Enc = 0.05
-XML::Sig = 0.52
+XML::Sig = 0.64
 XML::Writer = 0.625
 ; Here because otherwise only on test you get to pull in this dependency
 ; which might only be an issue with cpm or if you run --no-test with cpanm
diff --git a/lib/Net/SAML2/Binding/SOAP.pm b/lib/Net/SAML2/Binding/SOAP.pm
@@ -116,6 +116,12 @@ has 'anchors' => (
     predicate => 'has_anchors'
 );
 
+has verify => (
+    is        => 'ro',
+    isa       => 'HashRef',
+    predicate => 'has_verify',
+);
+
 # BUILDARGS
 
 # Earlier versions expected the idp_cert to be a string.  However, metadata
@@ -192,7 +198,11 @@ sub handle_response {
                 no_xml_declaration => 1,
                 cert_text          => $cert,
                 cacert             => $self->cacert,
-                anchors            => $self->anchors
+                anchors            => $self->anchors,
+                $self->has_verify ? (
+                    ns => { 'artifact' => $self->verify->{ns} },
+                    id_attr => '/artifact:' . $self->verify->{attr_id},
+                ) : (),
             );
             return 1;
         }
