Ensure that trust_marks are not possible in subordinate statements

Author: cicnavi

src/Federation/EntityStatement.php

@@ -237,6 +237,11 @@ public function getTrustMarks(): ?TrustMarksClaimBag
             throw new EntityStatementException('Invalid Trust Marks claim.');
         }
 
+        // It MUST NOT be present in Subordinate Statements.
+        if (!$this->isConfiguration()) {
+            throw new EntityStatementException('Trust Marks claim encountered in configuration statement.');
+        }
+
         $trustMarkClaimBag = $this->claimFactory->forFederation()->buildTrustMarksClaimBag();
 
         while (is_array($trustMarkClaimData = array_pop($trustMarksClaims))) {

tests/src/Federation/EntityStatementTest.php

@@ -216,8 +216,9 @@ public function testIsNotConfiguration(): void
         $this->signatureMock->method('getProtectedHeader')->willReturn($this->sampleHeader);
         $payload = $this->validPayload;
         $payload['iss'] = 'something-else';
-        // Authority hints should not be present if not configuration.
+        // Authority hints, trust marks should not be present if not configuration.
         unset($payload['authority_hints']);
+        unset($payload['trust_marks']);
         $this->jsonHelperMock->method('decode')->willReturn($payload);
 
         $this->assertFalse($this->sut()->isConfiguration());
@@ -525,6 +526,7 @@ public function testCanGetMetadataPolicyClaim(): void
         $payload = $this->validPayload;
         $payload['sub'] = 'something-else';
         unset($payload['authority_hints']);
+        unset($payload['trust_marks']);
         $payload['metadata_policy'] = [
             'openid_relying_party' => [
                 'contacts' => [