Specify Canonical exclusive mode for XML::Sig

timlegge · timlegge · commit d46073c54976 · 2020-06-28T21:23:32.000Z
diff --git a/lib/Net/SAML2/Binding/POST.pm b/lib/Net/SAML2/Binding/POST.pm
@@ -61,6 +61,7 @@ sub handle_response {
     my $xml = no_comments(decode_base64($response));
     my $xml_opts = { x509 => 1 };
     $xml_opts->{ cert_text } = $self->cert_text if ($self->cert_text);
+    $xml_opts->{ exclusive } = 1;
     my $x = Net::SAML2::XML::Sig->new($xml_opts);
     my $ret = $x->verify($xml);
     die "signature check failed" unless $ret;
diff --git a/lib/Net/SAML2/Binding/SOAP.pm b/lib/Net/SAML2/Binding/SOAP.pm
@@ -112,7 +112,7 @@ sub handle_response {
     my ($self, $response) = @_;
 
     # verify the response
-    my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert });
+    my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert, exclusive => 1, });
     my $ret = $x->verify($response);
     die "bad SOAP response" unless $ret;
 
@@ -151,7 +151,7 @@ sub handle_request {
     my $saml = $parser->findnodes_as_string('/soap-env:Envelope/soap-env:Body/*');
 
     if (defined $saml) {
-        my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert });
+        my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert, exclusive => 1, });
         my $ret = $x->verify($saml);
         die "bad signature" unless $ret;
 
@@ -181,6 +181,7 @@ sub create_soap_envelope {
         x509 => 1,
         key  => $self->key,
         cert => $self->cert,
+        exclusive => 1,
     });
     my $signed_message = $sig->sign($message);
 
diff --git a/lib/Net/SAML2/XML/Sig.pm b/lib/Net/SAML2/XML/Sig.pm
@@ -50,6 +50,7 @@ sub new {
     $self->{ 'canonicalizer' } =
         exists $params->{ canonicalizer } ? $params->{ canonicalizer } : 'XML::CanonicalizeXML';
     $self->{ 'x509' } = exists $params->{ x509 } ? 1 : 0;
+    $self->{ 'exclusive' } = exists $params->{ exclusive } ? $params->{ exclusive } : 1;
     if ( exists $params->{ 'key' } ) {
         $self->_load_key( $params->{ 'key' } );
     }
@@ -658,7 +659,7 @@ sub _canonicalize_xml {
         # adjust prefixlist from attribute for XML::CanonicalizeXML's format
         $prefixlist =~ s/ /,/g;
 
-        return XML::CanonicalizeXML::canonicalize( $xml, $xpath, $prefixlist, 1, $comments );
+        return XML::CanonicalizeXML::canonicalize( $xml, $xpath, $prefixlist, $self->{ exclusive }, $comments );
     }
     else {
         confess "Unknown XML canonicalizer module.";
@@ -898,6 +899,12 @@ XML::Canonical was removed as an option due to its age
 
 =back
 
+=item B<exclusive>
+
+The XML::CanonicalizerXML exclusive method.  exclusive is an int to specify exclusive canonicalization (1 = exclusive, 0 = non-exclusive, 2 = exclusive v1.1)
+
+default = 1
+
 =item B<x509>
 
 Takes a true (1) or false (0) value and indicates how you want the
