Move utilities to the place where they belong

tvdijen · tvdijen · commit 40daae0b55e7 · 2026-03-12T20:22:24.000+01:00
diff --git a/src/Utils/XML.php b/src/Utils/XML.php
diff --git a/src/XML/CanonicalizableElementTrait.php b/src/XML/CanonicalizableElementTrait.php
@@ -5,7 +5,10 @@
 namespace SimpleSAML\XMLSecurity\XML;
 
 use DOMElement;
-use SimpleSAML\XMLSecurity\Utils\XML;
+use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\Exception\CanonicalizationFailedException;
+use SimpleSAML\XMLSecurity\XML\ds\Transforms;
+use SimpleSAML\XPath\Constants as XPATH_C;
 
 /**
  * A trait implementing the CanonicalizableElementInterface.
@@ -25,6 +28,64 @@ trait CanonicalizableElementTrait
     abstract protected function getOriginalXML(): DOMElement;
 
 
+    /**
+     * Canonicalize any given node.
+     *
+     * @param \DOMElement $element The DOM element that needs canonicalization.
+     * @param string $c14nMethod The identifier of the canonicalization algorithm to use.
+     *   See \SimpleSAML\XMLSecurity\Constants.
+     * @param string[]|null $xpaths An array of xpaths to filter the nodes by. Defaults to null (no filters).
+     * @param string[]|null $prefixes An array of namespace prefixes to filter the nodes by.
+     *   Defaults to null (no filters).
+     *
+     * @return string The canonical representation of the given DOM node, according to the algorithm requested.
+     */
+    public function canonicalizeData(
+        DOMElement $element,
+        string $c14nMethod,
+        ?array $xpaths = null,
+        ?array $prefixes = null,
+    ): string {
+        $withComments = match ($c14nMethod) {
+            C::C14N_EXCLUSIVE_WITH_COMMENTS, C::C14N_INCLUSIVE_WITH_COMMENTS => true,
+            default => false,
+        };
+        $exclusive = match ($c14nMethod) {
+            C::C14N_EXCLUSIVE_WITH_COMMENTS, C::C14N_EXCLUSIVE_WITHOUT_COMMENTS => true,
+            default => false,
+        };
+
+        if (
+            is_null($xpaths)
+            && ($element->ownerDocument !== null)
+            && ($element->ownerDocument->documentElement !== null)
+            && $element->isSameNode($element->ownerDocument->documentElement)
+        ) {
+            // check for any PI or comments as they would have been excluded
+            $current = $element;
+            for ($refNode = $current->previousSibling; $refNode !== null; $current = $refNode) {
+                if (
+                    (($refNode->nodeType === XML_COMMENT_NODE) && $withComments)
+                    || $refNode->nodeType === XML_PI_NODE
+                ) {
+                    break;
+                }
+            }
+
+            if ($refNode === null) {
+                $element = $element->ownerDocument;
+            }
+        }
+
+        $ret = $element->C14N($exclusive, $withComments, $xpaths, $prefixes);
+        if ($ret === false) {
+            // GHSA-h25p-2wxc-6584
+            throw new CanonicalizationFailedException();
+        }
+        return $ret;
+    }
+
+
     /**
      * Get the canonical (string) representation of this object.
      *
@@ -39,7 +100,61 @@ abstract protected function getOriginalXML(): DOMElement;
     #[\NoDiscard]
     public function canonicalize(string $method, ?array $xpaths = null, ?array $prefixes = null): string
     {
-        return XML::canonicalizeData($this->getOriginalXML(), $method, $xpaths, $prefixes);
+        return $this->canonicalizeData($this->getOriginalXML(), $method, $xpaths, $prefixes);
+    }
+
+
+    /**
+     * Process all transforms specified by a given Reference element.
+     *
+     * @param \SimpleSAML\XMLSecurity\XML\ds\Transforms $transforms The transforms to apply.
+     * @param \DOMElement $data The data referenced.
+     *
+     * @return string The canonicalized data after applying all transforms specified by $ref.
+     *
+     * @see http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
+     */
+    public function processTransforms(
+        Transforms $transforms,
+        DOMElement $data,
+    ): string {
+        $canonicalMethod = C::C14N_EXCLUSIVE_WITHOUT_COMMENTS;
+        $arXPath = null;
+        $prefixList = null;
+        foreach ($transforms->getTransform() as $transform) {
+            $canonicalMethod = $transform->getAlgorithm()->getValue();
+            switch ($canonicalMethod) {
+                case C::C14N_EXCLUSIVE_WITHOUT_COMMENTS:
+                case C::C14N_EXCLUSIVE_WITH_COMMENTS:
+                    $inclusiveNamespaces = $transform->getInclusiveNamespaces();
+                    if ($inclusiveNamespaces !== null) {
+                        $prefixes = $inclusiveNamespaces->getPrefixes();
+                        if ($prefixes !== null) {
+                            $prefixList = array_map('strval', $prefixes->toArray());
+                        }
+                    }
+                    break;
+                case XPATH_C::XPATH10_URI:
+                    $xpath = $transform->getXPath();
+                    if ($xpath !== null) {
+                        $arXPath = [];
+                        $xpathValue = $xpath->getContent()->getValue();
+                        $arXPath['query'] = '(.//. | .//@* | .//namespace::*)[' . $xpathValue . ']';
+
+//                        $arXpath['namespaces'] = $xpath->getNamespaces();
+                        // TODO: review if $nsnode->localName is equivalent to the keys in getNamespaces()
+//                        $nslist = $xp->query('./namespace::*', $node);
+//                        foreach ($nslist as $nsnode) {
+//                            if ($nsnode->localName != "xml") {
+//                                $arXPath['namespaces'][$nsnode->localName] = $nsnode->nodeValue;
+//                            }
+//                        }
+                    }
+                    break;
+            }
+        }
+
+        return $this->canonicalizeData($data, $canonicalMethod, $arXPath, $prefixList);
     }
 
 
diff --git a/src/XML/SignableElementTrait.php b/src/XML/SignableElementTrait.php
@@ -15,7 +15,6 @@
 use SimpleSAML\XMLSecurity\Exception\RuntimeException;
 use SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException;
 use SimpleSAML\XMLSecurity\Type\DigestValue as DigestValueType;
-use SimpleSAML\XMLSecurity\Utils\XML;
 use SimpleSAML\XMLSecurity\XML\ds\CanonicalizationMethod;
 use SimpleSAML\XMLSecurity\XML\ds\DigestMethod;
 use SimpleSAML\XMLSecurity\XML\ds\DigestValue;
@@ -188,7 +187,7 @@ protected function doSign(DOMElement $xml): DOMElement
             ),
         ]);
 
-        $canonicalDocument = XML::processTransforms($transforms, $xml);
+        $canonicalDocument = $this->processTransforms($transforms, $xml);
 
         $signedInfo = new SignedInfo(
             new CanonicalizationMethod(
diff --git a/src/XML/SignedElementTrait.php b/src/XML/SignedElementTrait.php
@@ -20,7 +20,6 @@
 use SimpleSAML\XMLSecurity\Exception\SignatureVerificationFailedException;
 use SimpleSAML\XMLSecurity\Key;
 use SimpleSAML\XMLSecurity\Key\KeyInterface;
-use SimpleSAML\XMLSecurity\Utils\XML;
 use SimpleSAML\XMLSecurity\Utils\XPath;
 use SimpleSAML\XMLSecurity\XML\ds\Reference;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
@@ -157,7 +156,7 @@ private function validateReference(SignedInfo $signedInfo): SignedElementInterfa
         Assert::maxCount($sigNode, 1, 'More than one signature found in object.', TooManyElementsException::class);
 
         $doc->documentElement->removeChild($sigNode[0]);
-        $data = XML::processTransforms($reference->getTransforms(), $doc->documentElement);
+        $data = $this->processTransforms($reference->getTransforms(), $doc->documentElement);
         $algo = $reference->getDigestMethod()->getAlgorithm()->getValue();
         Assert::keyExists(
             C::$DIGEST_ALGORITHMS,
