Add some fixes to xmlseclibs. Extra protection verifying the Signature algorithm used on SignedInfo element, not only rely on verify / verifySignature methods

Author: pitbulk

lib/Saml2/Utils.php

@@ -1206,6 +1206,11 @@ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public'
         if ($key->type === $algorithm) {
             return $key;
         }
+
+        if (!OneLogin_Saml2_Utils::isSupportedSigningAlgorithm($algorithm)) {
+            throw new \Exception('Unsupported signing algorithm.');
+        }
+
         $keyInfo = openssl_pkey_get_details($key->key);
         if ($keyInfo === false) {
             throw new Exception('Unable to get key details from XMLSecurityKey.');
@@ -1218,6 +1223,17 @@ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public'
         return $newKey;
     }
 
+    public static function isSupportedSigningAlgorithm($algorithm)
+    {
+        return in_array($algorithm, array(
+            XMLSecurityKey::RSA_1_5,
+            XMLSecurityKey::RSA_SHA1,
+            XMLSecurityKey::RSA_SHA256,
+            XMLSecurityKey::RSA_SHA384,
+            XMLSecurityKey::RSA_SHA512
+        ));
+    }
+
     /**
      * Adds signature key and senders certificate to an element (Message or Assertion).
      *
@@ -1329,6 +1345,10 @@ public static function validateSign($xml, $cert = null, $fingerprint = null, $fi
             throw new Exception('We have no idea about the key');
         }
 
+        if (!OneLogin_Saml2_Utils::isSupportedSigningAlgorithm($objKey->type)) {
+            throw new \Exception('Unsupported signing algorithm.');
+        }
+
         $objXMLSecDSig->canonicalizeSignedInfo();
 
         try {