ruby-saml 0.8.9 → 0.8.10

data/test/logoutresponse_test.rb

@@ -1,7 +1,8 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 require 'rexml/document'
 require 'responses/logoutresponse_fixtures'
-class RubySamlTest < Test::Unit::TestCase
+
+class LogoutResponseTest < Test::Unit::TestCase
 
   context "Logoutresponse" do
     context "#new" do

data/test/request_test.rb

@@ -1,11 +1,15 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class RequestTest < Test::Unit::TestCase
+class RequestTest < Minitest::Test
 
-  context "Authrequest" do
-    should "create the deflated SAMLRequest URL parameter" do
-      settings = OneLogin::RubySaml::Settings.new
+  describe "Authrequest" do
+    let(:settings) { OneLogin::RubySaml::Settings.new }
+
+    before do
       settings.idp_sso_target_url = "http://example.com"
+    end
+
+    it "create the deflated SAMLRequest URL parameter" do
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
       payload  = CGI.unescape(auth_url.split("=").last)
@@ -19,9 +23,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /^<samlp:AuthnRequest/, inflated
     end
 
-    should "create the deflated SAMLRequest URL parameter including the Destination" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the deflated SAMLRequest URL parameter including the Destination" do
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       payload  = CGI.unescape(auth_url.split("=").last)
       decoded  = Base64.decode64(payload)
@@ -34,10 +36,8 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated
     end
 
-    should "create the SAMLRequest URL parameter without deflating" do
-      settings = OneLogin::RubySaml::Settings.new
+    it "create the SAMLRequest URL parameter without deflating" do
       settings.compress_request = false
-      settings.idp_sso_target_url = "http://example.com"
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
       payload  = CGI.unescape(auth_url.split("=").last)
@@ -46,9 +46,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /^<samlp:AuthnRequest/, decoded
     end
 
-    should "create the SAMLRequest URL parameter with IsPassive" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the SAMLRequest URL parameter with IsPassive" do
       settings.passive = true
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
@@ -63,9 +61,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
     end
 
-    should "create the SAMLRequest URL parameter with ProtocolBinding" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the SAMLRequest URL parameter with ProtocolBinding" do
       settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
@@ -80,9 +76,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated
     end
 
-    should "create the SAMLRequest URL parameter with ForceAuthn" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the SAMLRequest URL parameter with ForceAuthn" do
       settings.force_authn = true
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
@@ -96,9 +90,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:AuthnRequest[^<]* ForceAuthn='true'/, inflated
     end
 
-    should "create the SAMLRequest URL parameter with NameID Format" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the SAMLRequest URL parameter with NameID Format" do
       settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
       assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
@@ -113,9 +105,7 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated
     end
 
-    should "create the SAMLRequest URL parameter with Subject" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
+    it "create the SAMLRequest URL parameter with Subject" do
       settings.name_identifier_value_requested = "testuser@example.com"
       settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
@@ -132,10 +122,7 @@ class RequestTest < Test::Unit::TestCase
       assert inflated.include?("<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>")
     end
 
-    should "accept extra parameters" do
-      settings = OneLogin::RubySaml::Settings.new
-      settings.idp_sso_target_url = "http://example.com"
-
+    it "accept extra parameters" do
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => "there" })
       assert auth_url =~ /&hello=there$/
 
@@ -143,24 +130,100 @@ class RequestTest < Test::Unit::TestCase
       assert auth_url =~ /&hello=$/
     end
 
-    context "when the target url doesn't contain a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
-        settings.idp_sso_target_url = "http://example.com"
-
+    describe "when the target url doesn't contain a query string" do
+      it "create the SAMLRequest parameter correctly" do
         auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
         assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
 
-    context "when the target url contains a query string" do
-      should "create the SAMLRequest parameter correctly" do
-        settings = OneLogin::RubySaml::Settings.new
+    describe "when the target url contains a query string" do
+      it "create the SAMLRequest parameter correctly" do
         settings.idp_sso_target_url = "http://example.com?field=value"
 
         auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
         assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
+
+    describe "#create_params when the settings indicate to sign (embebed) the request" do
+      before do
+        settings.compress_request = false
+        settings.idp_sso_target_url = "http://example.com?field=value"
+        settings.security[:authn_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+
+      it "create a signed request" do
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
+      end
+
+      it "create a signed request with 256 digest and signature methods" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+      end
+    end
+
+    describe "#create_params when the settings indicate to sign the request" do
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+      before do
+        settings.compress_request = false
+        settings.idp_sso_target_url = "http://example.com?field=value"
+        settings.security[:authn_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+    end
+
   end
+
 end

data/test/response_test.rb

@@ -1,6 +1,6 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class RubySamlTest < Test::Unit::TestCase
+class ResponseTest < Test::Unit::TestCase
 
   context "Response" do
     should "raise an exception when response is initialized with nil" do

data/test/slo_logoutresponse_test.rb

@@ -0,0 +1,226 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class SloLogoutresponseTest < Minitest::Test
+
+  describe "SloLogoutresponse" do
+
+    let(:settings) { OneLogin::RubySaml::Settings.new }
+
+    before do
+      settings.idp_slo_target_url = "http://unauth.com/logout"
+      settings.name_identifier_value = "f00f00"
+      settings.compress_request = true
+      settings.certificate = ruby_saml_cert_text
+      settings.private_key = ruby_saml_key_text
+    end
+
+    it "create the deflated SAMLResponse URL parameter" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings)
+      assert_match /^http:\/\/unauth\.com\/logout\?SAMLResponse=/, unauth_url
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /^<samlp:LogoutResponse/, inflated
+    end
+
+    it "support additional params" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { :hello => nil })
+      assert_match /&hello=$/, unauth_url
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { :foo => "bar" })
+      assert_match /&foo=bar$/, unauth_url
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { :RelayState => "http://idp.example.com" })
+      assert_match /&RelayState=http%3A%2F%2Fidp.example.com$/, unauth_url
+    end
+
+    it "RelayState cases" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { :RelayState => nil })
+      assert !unauth_url.include?('RelayState')
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { :RelayState => "http://example.com" })
+      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { 'RelayState' => nil })
+      assert !unauth_url.include?('RelayState')
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, nil, { 'RelayState' => "http://example.com" })
+      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
+    end
+
+    it "set InResponseTo to the ID from the logout request" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, '_c0348950-935b-0131-1060-782bcb56fcaa')
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /InResponseTo='_c0348950-935b-0131-1060-782bcb56fcaa'/, inflated
+    end
+
+    it "set a custom successful logout message on the response" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, nil, "Custom Logout Message")
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /<samlp:StatusMessage>Custom Logout Message<\/samlp:StatusMessage>/, inflated
+    end
+
+    describe "when the settings indicate to sign (embedded) logout response" do
+
+      before do
+        settings.compress_response = false
+        settings.security[:logout_responses_signed] = true
+        settings.security[:embed_sign] = true
+      end
+
+      it "doesn't sign through create_xml_document" do
+        unauth_res = OneLogin::RubySaml::SloLogoutresponse.new
+        inflated = unauth_res.create_xml_document(settings).to_s
+
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+
+      it "sign unsigned request" do
+        unauth_res = OneLogin::RubySaml::SloLogoutresponse.new
+        unauth_res_doc = unauth_res.create_xml_document(settings)
+        inflated = unauth_res_doc.to_s
+
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+
+        inflated = unauth_res.sign_document(unauth_res_doc, settings).to_s
+
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+
+      it "signs through create_logout_response_xml_doc" do
+        unauth_res = OneLogin::RubySaml::SloLogoutresponse.new
+        inflated = unauth_res.create_logout_response_xml_doc(settings).to_s
+
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
+
+      it "create a signed logout response" do
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1'\/>/, response_xml
+      end
+
+      it "create a signed logout response with 256 digest and signature methods" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA256
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256'\/>/, response_xml
+      end
+
+      it "create a signed logout response with 512 digest and signature method RSA_SHA384" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha384'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmlenc#sha512'\/>/, response_xml
+      end
+    end
+
+    describe "#create_params when the settings indicate to sign the logout response" do
+
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+      before do
+        settings.compress_response = false
+        settings.security[:logout_responses_signed] = true
+        settings.security[:embed_sign] = false
+      end
+
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 /SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, nil, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+    end
+  end
+end