New method of importing a decrypted assertion into the XML document to replace the EncryptedAssertion. Fix signature issues on Signed Encrypted Assertions with default namespace

Author: pitbulk

src/Saml2/Response.php

@@ -745,7 +745,7 @@ public function getAttributesWithFriendlyName()
         return $this->_getAttributesByKeyName('FriendlyName');
     }
 
-    private function _getAttributesByKeyName($keyName="Name")
+    private function _getAttributesByKeyName($keyName = "Name")
     {
         $attributes = array();
         $entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute');
@@ -1090,12 +1090,17 @@ protected function decryptAssertion(\DomNode $dom)
             $objKey->loadKey($key);
         }
 
-        $decrypted = $objenc->decryptNode($objKey, true);
-
-        if ($decrypted instanceof DOMDocument) {
+        $decryptedXML = $objenc->decryptNode($objKey, false);
+        $decrypted = new DOMDocument();
+        $check = Utils::loadXML($decrypted, $decryptedXML);
+        if ($check === false) {
+            throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document');
+        }
+        if ($encData->parentNode instanceof DOMDocument) {
             return $decrypted;
         } else {
-            $encryptedAssertion = $decrypted->parentNode;
+            $decrypted = $decrypted->documentElement;
+            $encryptedAssertion = $encData->parentNode;
             $container = $encryptedAssertion->parentNode;
 
             // Fix possible issue with saml namespace
@@ -1112,13 +1117,14 @@ protected function decryptAssertion(\DomNode $dom)
                 } else {
                     $ns = 'xmlns';
                 }
-
                 $decrypted->setAttributeNS('http://www.w3.org/2000/xmlns/', $ns, Constants::NS_SAML);
             }
 
-            $container->replaceChild($decrypted, $encryptedAssertion);
+            Utils::treeCopyReplace($encryptedAssertion, $decrypted);
 
-            return $decrypted->ownerDocument;
+            // Rebuild the DOM will fix issues with namespaces as well
+            $dom = new DOMDocument();
+            return Utils::loadXML($dom, $container->ownerDocument->saveXML());
         }
     }
 

src/Saml2/Utils.php

@@ -22,6 +22,7 @@
 use DOMDocument;
 use DOMElement;
 use DOMNodeList;
+use DomNode;
 use DOMXPath;
 use Exception;
 
@@ -138,6 +139,48 @@ public static function validateXML($xml, $schema, $debug = false)
         return $dom;
     }
 
+    /**
+     * Import a node tree into a target document
+     * Copy it before a reference node as a sibling
+     * and at the end of the copy remove
+     * the reference node in the target document
+     * As it were 'replacing' it
+     * Leaving nested default namespaces alone
+     * (Standard importNode with deep copy
+     *  mangles nested default namespaces)
+     *
+     * The reference node must not be a DomDocument
+     * It CAN be the top element of a document
+     * Returns the copied node in the target document
+     *
+     * @param DomNode $targetNode
+     * @param DomNode $sourceNode
+     * @param bool $recurse
+     * @return DOMNode
+     * @throws Exception
+     */
+    public static function treeCopyReplace(DomNode $targetNode, DomNode $sourceNode, $recurse = false)
+    {
+        if ($targetNode->parentNode === null) {
+            throw new Exception('Illegal argument targetNode. It has no parentNode.');
+        }
+        $clonedNode = $targetNode->ownerDocument->importNode($sourceNode, false);
+        if ($recurse) {
+            $resultNode = $targetNode->appendChild($clonedNode);
+        } else {
+            $resultNode = $targetNode->parentNode->insertBefore($clonedNode, $targetNode);
+        }
+        if ($sourceNode->childNodes !== null) {
+            foreach ($sourceNode->childNodes as $child) {
+                self::treeCopyReplace($resultNode, $child, true);
+            }
+        }
+        if (!$recurse) {
+            $targetNode->parentNode->removeChild($targetNode);
+        }
+        return $resultNode;
+    }
+
     /**
      * Returns a x509 cert (adding header & footer if required).
      *