Add variable to be able to know whether a response was signed, later …

…in processing

src/SAML2/Entity/ServiceProvider.php

@@ -54,7 +54,7 @@ final class ServiceProvider
     protected SignatureAlgorithmFactory $signatureAlgorithmFactory;
     protected EncryptionAlgorithmFactory $encryptionAlgorithmFactory;
     protected KeyTransportAlgorithmFactory $keyTransportAlgorithmFactory;
-
+    protected bool $responseWasSigned;
 
     /**
      * @param bool $encryptedAssertions  Whether assertions must be encrypted
@@ -160,7 +160,8 @@ public function receiveResponse(ServerRequestInterface $request): Response
         }
 
         // Verify the signature (if any)
-        $verifiedResponse = $rawResponse->isSigned() ? $this->verifyElementSignature($rawResponse) : $rawResponse;
+        $this->responseWasSigned = $rawResponse->isSigned();
+        $verifiedResponse = $this->responseWasSigned ? $this->verifyElementSignature($rawResponse) : $rawResponse;
 
         $state = null;
         $stateId = $verifiedResponse->getInResponseTo();
@@ -336,6 +337,8 @@ protected function decryptAndVerifyAssertions(array $unverifiedAssertions): arra
      */
     protected function decryptElement(EncryptedElementInterface $element): EncryptableElementInterface
     {
+        // TODO: When CBC-mode encryption is used, the assertion OR the Response must be signed
+
         $factory = $this->encryptionAlgorithmFactory;
 
         // If the IDP has a pre-shared key, try decrypting with that