Ensure that trust_mark_issuers claim is not possible in subordinate statements

cicnavi · cicnavi · commit ff3d2d6a6dc1 · 2025-11-21T16:10:44.000+01:00
diff --git a/src/Federation/EntityStatement.php b/src/Federation/EntityStatement.php
@@ -276,6 +276,10 @@ public function getTrustMarkOwners(): ?TrustMarkOwnersClaimBag
     }
 
 
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     */
     public function getTrustMarkIssuers(): ?TrustMarkIssuersClaimBag
     {
         // trust_mark_issuers
@@ -291,6 +295,10 @@ public function getTrustMarkIssuers(): ?TrustMarkIssuersClaimBag
             return null;
         }
 
+        if (!$this->isConfiguration()) {
+            throw new EntityStatementException('Trust Mark Issuers claim encountered in non-configuration statement.');
+        }
+
         return $this->claimFactory->forFederation()->buildTrustMarkIssuersClaimBagFrom($trustMarkIssuersClaimData);
     }
 
diff --git a/tests/src/Federation/EntityStatementTest.php b/tests/src/Federation/EntityStatementTest.php
@@ -396,6 +396,23 @@ public function testTrustMarkIssuersIsBuildUsingFactoryOptional(): void
     }
 
 
+    public function testTrustMarkIssuersClaimIsAllowedInConfigurationStatementOnly(): void
+    {
+        $this->validPayload['trust_mark_issuers'] = [
+            'trustMarkType' => ['https://issuer1.org', 'https://issuer2.org'],
+        ];
+        $this->validPayload['iss'] = 'something-else';
+
+        $this->expectException(JwsException::class);
+        $this->expectExceptionMessage('non-configuration');
+
+        $this->signatureMock->method('getProtectedHeader')->willReturn($this->sampleHeader);
+        $this->jsonHelperMock->method('decode')->willReturn($this->validPayload);
+
+        $this->sut()->getTrustMarkIssuers();
+    }
+
+
     public function testThrowsOnInvalidTrustMarks(): void
     {
         $this->validPayload['trust_marks'] = 'invalid';

Original file line number	Diff line number	Diff line change
`@@ -276,6 +276,10 @@ public function getTrustMarkOwners(): ?TrustMarkOwnersClaimBag`
`276`	`276`	`}`
`277`	`277`
`278`	`278`
	`279`	`+ /**`
	`280`	`+ * @throws \SimpleSAML\OpenID\Exceptions\JwsException`
	`281`	`+ * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException`
	`282`	`+ */`
`279`	`283`	`public function getTrustMarkIssuers(): ?TrustMarkIssuersClaimBag`
`280`	`284`	`{`
`281`	`285`	`// trust_mark_issuers`
`@@ -291,6 +295,10 @@ public function getTrustMarkIssuers(): ?TrustMarkIssuersClaimBag`
`291`	`295`	`return null;`
`292`	`296`	`}`
`293`	`297`
	`298`	`+ if (!$this->isConfiguration()) {`
	`299`	`+ throw new EntityStatementException('Trust Mark Issuers claim encountered in non-configuration statement.');`
	`300`	`+ }`
	`301`	`+`
`294`	`302`	`return $this->claimFactory->forFederation()->buildTrustMarkIssuersClaimBagFrom($trustMarkIssuersClaimData);`
`295`	`303`	`}`
`296`	`304`