From 97fda0421c9616448249abb5f86e53bc13554557 Mon Sep 17 00:00:00 2001
From: Tim van Dijen
Date: Sat, 27 Jul 2024 17:28:24 +0200
Subject: [PATCH] Add variable to be able to know whether a response was signed, later in processing

---
 src/SAML2/Entity/ServiceProvider.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/SAML2/Entity/ServiceProvider.php b/src/SAML2/Entity/ServiceProvider.php
index a87dced19..f801f5c38 100644
--- a/src/SAML2/Entity/ServiceProvider.php
+++ b/src/SAML2/Entity/ServiceProvider.php
@@ -54,7 +54,7 @@ final class ServiceProvider
     protected SignatureAlgorithmFactory $signatureAlgorithmFactory;
     protected EncryptionAlgorithmFactory $encryptionAlgorithmFactory;
     protected KeyTransportAlgorithmFactory $keyTransportAlgorithmFactory;
-
+    protected bool $responseWasSigned;
 
     /**
      * @param bool $encryptedAssertions Whether assertions must be encrypted
@@ -160,7 +160,8 @@ public function receiveResponse(ServerRequestInterface $request): Response
         }
 
         // Verify the signature (if any)
-        $verifiedResponse = $rawResponse->isSigned() ? $this->verifyElementSignature($rawResponse) : $rawResponse;
+        $this->responseWasSigned = $rawResponse->isSigned();
+        $verifiedResponse = $this->responseWasSigned ? $this->verifyElementSignature($rawResponse) : $rawResponse;
 
         $state = null;
         $stateId = $verifiedResponse->getInResponseTo();
@@ -336,6 +337,8 @@ protected function decryptAndVerifyAssertions(array $unverifiedAssertions): arra
      */
     protected function decryptElement(EncryptedElementInterface $element): EncryptableElementInterface
     {
+        // TODO: When CBC-mode encryption is used, the assertion OR the Response must be signed
+
         $factory = $this->encryptionAlgorithmFactory;
 
         // If the IDP has a pre-shared key, try decrypting with that
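Review bot: The new typed property `protected bool $responseWasSigned;` in the first hunk has no default, so any code that reads it before `receiveResponse()` has reached the assignment in the second hunk will hit PHP's "must not be accessed before initialization" Error rather than a boolean; declare it as `protected bool $responseWasSigned = false;` so the "not (yet) signed" state is representable. The property also lacks the docblock its neighbours appear to carry; a one-liner such as `/** Whether the most recently received Response carried an (already verified) XML signature; see receiveResponse() */` would tell a later reader what the flag does and does not promise. The enclosing class header sits outside this hunk.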
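Review bot: In the second hunk `$this->responseWasSigned` is set from `$rawResponse->isSigned()` before `verifyElementSignature()` runs, so the flag records that a signature element is present, not that it verified; if the flag is later used to decide that CBC-decrypted assertions need no signature of their own (the TODO in the third hunk), the distinction matters. Set the flag only once verification has returned, and clear it first so a Response that aborts between the start of `receiveResponse()` and this point cannot inherit the previous call's value: `$this->responseWasSigned = false;` / `$verifiedResponse = $rawResponse->isSigned() ? $this->verifyElementSignature($rawResponse) : $rawResponse;` / `$this->responseWasSigned = $rawResponse->isSigned();`. This assumes `verifyElementSignature()` throws on a bad signature, which is not visible in the hunk. The body of `receiveResponse()` starts and ends outside the hunk.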
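Review bot: The TODO added at the top of `decryptElement()` names a security requirement but nothing in the hunk enforces it, and the comment does not say why, so a reader cannot tell how urgent the gap is or what the new `$responseWasSigned` property is for. Replace it with a comment that states the reason and the intended check, for example `// TODO: CBC-mode XML encryption has no integrity protection, so without a verified signature on either the assertion or the enclosing Response a decrypted payload could have been tampered with; use $this->responseWasSigned (set in receiveResponse()) together with the assertion's own signature status to enforce this before returning the decrypted element.` The rest of `decryptElement()` lies outside the hunk.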