ruby-saml 0.8.9 → 0.8.10

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,15 +1,94 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
 module OneLogin
   module RubySaml
 
     # SAML2 Auxiliary class
     #
     class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
       # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
       # that there all children other than text nodes can be ignored (e.g. comments). If nil is
       # passed, nil will be returned.
       def self.element_text(element)
         element.texts.map(&:value).join if element
       end
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        if cert.respond_to?(:ascii_only?)
+          return cert if cert.nil? || cert.empty? || !cert.ascii_only?
+        else
+          return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+        end
+
+        if cert.scan(/BEGIN CERTIFICATE/).length > 1
+            formatted_cert = []
+          cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
+            formatted_cert << format_cert(c)
+          }
+          formatted_cert.join("\n")
+        else
+          cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+          cert = cert.gsub(/\r/, "")
+          cert = cert.gsub(/\n/, "")
+          cert = cert.gsub(/\s/, "")
+          cert = cert.scan(/.{1,64}/)
+          cert = cert.join("\n")
+          "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+        end
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/\n/, "")
+        key = key.gsub(/\r/, "")
+        key = key.gsub(/\s/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+          url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.9'
+    VERSION = '0.8.10'
   end
 end

data/lib/ruby-saml.rb

@@ -2,10 +2,11 @@ require 'onelogin/ruby-saml/logging'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
 require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/slo_logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'
 require 'onelogin/ruby-saml/utils'
 require 'onelogin/ruby-saml/validation_error'
 require 'onelogin/ruby-saml/metadata'
 require 'onelogin/ruby-saml/version'
-require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/attributes'

data/lib/xml_security.rb

@@ -34,17 +34,153 @@ require "onelogin/ruby-saml/utils"
 
 module XMLSecurity
 
-  class SignedDocument < REXML::Document
-    C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
-    DSIG = "http://www.w3.org/2000/09/xmldsig#"
+  class BaseDocument < REXML::Document
+    REXML::Document::entity_expansion_limit = 0
+
+    C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
+    DSIG            = "http://www.w3.org/2000/09/xmldsig#"
+    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                       Nokogiri::XML::ParseOptions::NONET
+
+   def canon_algorithm(element)
+     algorithm = element
+     if algorithm.is_a?(REXML::Element)
+       algorithm = element.attribute('Algorithm').value
+     end
+
+     case algorithm
+       when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+         Nokogiri::XML::XML_C14N_1_0
+       when "http://www.w3.org/2006/12/xml-c14n11",
+            "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+         Nokogiri::XML::XML_C14N_1_1
+       else
+         Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+     end
+   end
+
+   def algorithm(element)
+     algorithm = element
+     if algorithm.is_a?(REXML::Element)
+       algorithm = element.attribute("Algorithm").value
+     end
+
+     algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
+     case algorithm
+     when 256 then OpenSSL::Digest::SHA256
+     when 384 then OpenSSL::Digest::SHA384
+     when 512 then OpenSSL::Digest::SHA512
+     else
+       OpenSSL::Digest::SHA1
+     end
+   end
+  end
+
+  class Document < BaseDocument
+    RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
+    SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+    SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
+    ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+    INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
+
+    attr_writer :uuid
+
+    def uuid
+      @uuid ||= begin
+        document.root.nil? ? nil : document.root.attributes['ID']
+      end
+    end
+
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
+      noko = Nokogiri::XML(self.to_s) do |config|
+        config.options = NOKOGIRI_OPTIONS
+      end
+
+      signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
+      signed_info_element = signature_element.add_element("ds:SignedInfo")
+      signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
+      signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
+
+      # Add Reference
+      reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
+
+      # Add Transforms
+      transforms_element = reference_element.add_element("ds:Transforms")
+      transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
+      c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+      c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
+
+      digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+      inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+      canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+      reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
+
+      # add SignatureValue
+      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
+        config.options = NOKOGIRI_OPTIONS
+      end
+
+      noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
+
+      signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
+      signature_element.add_element("ds:SignatureValue").text = signature
+
+      # add KeyInfo
+      key_info_element       = signature_element.add_element("ds:KeyInfo")
+      x509_element           = key_info_element.add_element("ds:X509Data")
+      x509_cert_element      = x509_element.add_element("ds:X509Certificate")
+      if certificate.is_a?(String)
+        certificate = OpenSSL::X509::Certificate.new(certificate)
+      end
+      x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
+
+      # add the signature
+      issuer_element = self.elements["//saml:Issuer"]
+      if issuer_element
+        self.root.insert_after issuer_element, signature_element
+      else
+        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          self.root.add_element(signature_element)
+        end
+      end
+    end
+
+    protected
+
+    def compute_signature(private_key, signature_algorithm, document)
+      Base64.encode64(private_key.sign(signature_algorithm, document)).gsub(/\n/, "")
+    end
+
+    def compute_digest(document, digest_algorithm)
+      digest = digest_algorithm.digest(document)
+      Base64.encode64(digest).strip!
+    end
+
+  end
+
+  class SignedDocument < BaseDocument
 
-    attr_accessor :signed_element_id
+    attr_writer :signed_element_id
 
     def initialize(response)
       super(response)
       extract_signed_element_id
     end
 
+    def signed_element_id
+      @signed_element_id ||= extract_signed_element_id
+    end
+
     def validate_document(idp_cert_fingerprint, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
@@ -69,7 +205,9 @@ module XMLSecurity
       # check for inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
-      document = Nokogiri.parse(self.to_s)
+      document = Nokogiri::XML(self.to_s) do |config|
+        config.options = NOKOGIRI_OPTIONS
+      end
 
       # create a working copy so we don't modify the original
       @working_copy ||= REXML::Document.new(self.to_s).root
@@ -80,7 +218,6 @@ module XMLSecurity
         element.remove
       end
 
-
       # verify signature
       signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
       noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
@@ -131,30 +268,16 @@ module XMLSecurity
     end
 
     def extract_signed_element_id
-      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
-      self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
-    end
+      reference_element = REXML::XPath.first(
+        self,
+        "//ds:Signature/ds:SignedInfo/ds:Reference",
+        {"ds"=>DSIG}
+      )
 
-    def canon_algorithm(element)
-      algorithm = element.attribute('Algorithm').value if element
-      case algorithm
-        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
-        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
-        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-      end
-    end
+      return nil if reference_element.nil?
 
-    def algorithm(element)
-      algorithm = element.attribute("Algorithm").value if element
-      algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
-      case algorithm
-      when 256 then OpenSSL::Digest::SHA256
-      when 384 then OpenSSL::Digest::SHA384
-      when 512 then OpenSSL::Digest::SHA512
-      else
-        OpenSSL::Digest::SHA1
-      end
+      sei = reference_element.attribute("URI").value[1..-1]
+      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
     end
 
     def extract_inclusive_namespaces

data/test/certificates/ruby-saml.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMI
+T25lTG9naW4xDDAKBgNVBAsTA0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMx
+ODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTjEVMBMGA1UEBxMMSW5k
+aWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UECxMDRW5nMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5Pckw
+sNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl
+0+mhy6MPdyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA
+7DjNaUYQqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zd
+qHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZFhdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP
+7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUSXxnzQxwcm/9PwAqrQaA3
+QpQkH57ybF/OoryPe+2h
+-----END CERTIFICATE-----

data/test/certificates/ruby-saml.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5PckwsNgS9pUvV7fzTqCH
+k8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MPdyjyA6G1
+4jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQAB
+AoGBALGR6bRBit+yV5TUU3MZSrf8WQSLWDLgs/33FQSAEYSib4+DJke2lKbI6jkG
+UoSJgFUXFbaQLtMY2+3VDsMKPBdAge9gIdvbkC4yoKjLGm/FBDOxxZcfLpR+9OPq
+U3qM9D0CNuliBWI7Je+p/zs09HIYucpDXy9E18KA1KNF6rfhAkEA9KoNam6wAKnm
+vMzz31ws3RuIOUeo2rx6aaVY95+P9tTxd6U+pNkwxy1aCGP+InVSwlYNA1aQ4Axi
+/GdMIWMkxwJBAPO1CP7cQNZQmu7yusY+GUObDII5YK9WLaY4RAicn5378crPBFxv
+Ukqf9G6FHo7u88iTCIp+vwa3Hn9Tumg3iP0CQQDgUXWBasCVqzCxU5wY4tMDWjXY
+hpoLCpmVeRML3dDJt004rFm2HKe7Rhpw7PTZNQZOxUSjFeA4e0LaNf838UWLAkB8
+QfbHM3ffjhOg96PhhjINdVWoZCb230LBOHj/xxPfUmFTHcBEfQIBSJMxcrBFAnLL
+9qPpMXymqOFk3ETz9DTlAj8E0qGbp78aVbTOtuwEwNJII+RPw+Zkc+lKR+yaWkAz
+fIXw527NPHH3+rnBG72wyZr9ud4LAum9jh+5No1LQpk=
+-----END RSA PRIVATE KEY-----

data/test/logoutrequest_test.rb

@@ -1,14 +1,17 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'uuid'
 
-class RequestTest < Test::Unit::TestCase
+class LogoutRequestTest < Minitest::Test
 
-  context "Logoutrequest" do
-    settings = OneLogin::RubySaml::Settings.new
+  describe "Logoutrequest" do
+    let(:settings) { OneLogin::RubySaml::Settings.new }
 
-    should "create the deflated SAMLRequest URL parameter" do
+    before do
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
+    end
 
+    it "create the deflated SAMLRequest URL parameter" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
 
@@ -17,8 +20,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /^<samlp:LogoutRequest/, inflated
     end
 
-    should "support additional params" do
-
+    it "support additional params" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
       assert unauth_url =~ /&hello=$/
 
@@ -26,8 +28,7 @@ class RequestTest < Test::Unit::TestCase
       assert unauth_url =~ /&foo=bar$/
     end
 
-    should "set sessionindex" do
-      settings.idp_slo_target_url = "http://example.com"
+    it "set sessionindex" do
       sessionidx = UUID.new.generate
       settings.sessionindex = sessionidx
 
@@ -38,9 +39,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
     end
 
-    should "set name_identifier_value" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_slo_target_url = "http://example.com"
+    it "set name_identifier_value" do
       settings.name_identifier_format = "transient"
       name_identifier_value = "abc123"
       settings.name_identifier_value = name_identifier_value
@@ -52,41 +51,25 @@ class RequestTest < Test::Unit::TestCase
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
 
-    should "require name_identifier_value" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_slo_target_url = "http://example.com"
-      settings.name_identifier_format = nil
-
-      assert_raises(OneLogin::RubySaml::ValidationError) { OneLogin::RubySaml::Logoutrequest.new.create(settings) }
-    end
-
-    context "when the target url doesn't contain a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "when the target url doesn't contain a query string" do
+      it "create the SAMLRequest parameter correctly" do
         settings.idp_slo_target_url = "http://example.com"
-        settings.name_identifier_value = "f00f00"
-
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
 
-    context "when the target url contains a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "when the target url contains a query string" do
+      it "create the SAMLRequest parameter correctly" do
         settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.name_identifier_value = "f00f00"
-
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
 
-    context "consumation of logout may need to track the transaction" do
-      should "have access to the request uuid" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "consumation of logout may need to track the transaction" do
+      it "have access to the request uuid" do
         settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.name_identifier_value = "f00f00"
 
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
@@ -97,15 +80,167 @@ class RequestTest < Test::Unit::TestCase
     end
   end
 
-  def decode_saml_request_payload(unauth_url)
-    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
-    decoded = Base64.decode64(payload)
+  describe "when the settings indicate to sign (embedded) logout request" do
+
+    before do
+      # sign the logout request
+      settings.security[:logout_requests_signed] = true
+      settings.security[:embed_sign] = true
+      settings.certificate = ruby_saml_cert_text
+      settings.private_key = ruby_saml_key_text
+    end
+
+    it "doesn't sign through create_xml_document" do
+      unauth_req = OneLogin::RubySaml::Logoutrequest.new
+      inflated = unauth_req.create_xml_document(settings).to_s
+
+      refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+      refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+      refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+    end
+
+    it "sign unsigned request" do
+      unauth_req = OneLogin::RubySaml::Logoutrequest.new
+      unauth_req_doc = unauth_req.create_xml_document(settings)
+      inflated = unauth_req_doc.to_s
+
+      refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+      refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+      refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+
+      inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
+
+      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+    end
+
+    it "signs through create_logout_request_xml_doc" do
+      unauth_req = OneLogin::RubySaml::Logoutrequest.new
+      inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
+
+      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+    end
+
+    it "created a signed logout request" do
+      settings.compress_request = true
+
+      unauth_req = OneLogin::RubySaml::Logoutrequest.new
+      unauth_url = unauth_req.create(settings)
+
+      inflated = decode_saml_request_payload(unauth_url)
+      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+    end
+
+    it "create a signed logout request with 256 digest and signature method" do
+      settings.compress_request = false
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+      settings.security[:digest_method] = XMLSecurity::Document::SHA256
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+      request_xml = Base64.decode64(params["SAMLRequest"])
+
+      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
+    end
+
+    it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
+      settings.compress_request = false
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+      settings.security[:digest_method] = XMLSecurity::Document::SHA512
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+      request_xml = Base64.decode64(params["SAMLRequest"])
+
+      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
+      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+    end
+  end
+
+  describe "#create_params when the settings indicate to sign the logout request" do
+
+    let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+    before do
+      # sign the logout request
+      settings.security[:logout_requests_signed] = true
+      settings.security[:embed_sign] = false
+      settings.certificate = ruby_saml_cert_text
+      settings.private_key = ruby_saml_key_text
+    end
+
+    it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+      assert params['SAMLRequest']
+      assert params[:RelayState]
+      assert params['Signature']
+      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+      assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+    end
+
+    it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+      assert params['Signature']
+      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+      assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+    end
+
+    it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+      assert params['Signature']
+      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+
+      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+      assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+    end
+
+    it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+
+      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+      assert params['Signature']
+      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+
+      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+      assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+    end
 
-    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-    inflated = zstream.inflate(decoded)
-    zstream.finish
-    zstream.close
-    inflated
   end
 
 end