ruby-saml 0.9.4 → 1.0.0

data/test/utils_test.rb

@@ -1,41 +1,145 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require "test_helper"
 
 class UtilsTest < Minitest::Test
-  describe "Utils" do
-    describe 'element_text' do
-      it 'returns the element text' do
-        element = REXML::Document.new('<element>element text</element>').elements.first
-        assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
-      end
+  describe ".format_cert" do
+    let(:formatted_certificate) do
+      read_certificate("formatted_certificate")
+    end
 
-      it 'returns all segments of the element text' do
-        element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
-        assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
-      end
+    it "returns empty string when the cert is an empty string" do
+      cert = ""
+      assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
+    end
+
+    it "returns nil when the cert is nil" do
+      cert = nil
+      assert_equal nil, OneLogin::RubySaml::Utils.format_cert(cert)
+    end
+
+    it "returns the certificate when it is valid" do
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
+    end
+
+    it "reformats the certificate when there are spaces and no line breaks" do
+      invalid_certificate1 = read_certificate("invalid_certificate1")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
+    end
+
+    it "reformats the certificate when there are spaces and no headers" do
+      invalid_certificate2 = read_certificate("invalid_certificate2")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
+    end
+
+    it "reformats the certificate when there line breaks and no headers" do
+      invalid_certificate3 = read_certificate("invalid_certificate3")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
+    end
+  end
+
+  describe ".format_private_key" do
+    let(:formatted_private_key) do
+      read_certificate("formatted_private_key")
+    end
+
+    it "returns empty string when the private key is an empty string" do
+      private_key = ""
+      assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
+    end
+
+    it "returns nil when the private key is nil" do
+      private_key = nil
+      assert_equal nil, OneLogin::RubySaml::Utils.format_private_key(private_key)
+    end
+
+    it "returns the private key when it is valid" do
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
+    end
+
+    it "reformats the private key when there are spaces and no line breaks" do
+      invalid_private_key1 = read_certificate("invalid_private_key1")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
+    end
 
-      it 'returns normalized element text' do
-        element = REXML::Document.new('<element>element &amp; text</element>').elements.first
-        assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
+    it "reformats the private key when there are spaces and no headers" do
+      invalid_private_key2 = read_certificate("invalid_private_key2")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
+    end
+
+    it "reformats the private key when there line breaks and no headers" do
+      invalid_private_key3 = read_certificate("invalid_private_key3")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
+    end
+
+    describe "an RSA public key" do
+      let(:formatted_rsa_private_key) do
+        read_certificate("formatted_rsa_private_key")
       end
 
-      it 'returns the CDATA element text' do
-        element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
-        assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
+      it "returns the private key when it is valid" do
+        assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
       end
 
-      it 'returns the element text with newlines and additional whitespace' do
-        element = REXML::Document.new("<element>  element \n text  </element>").elements.first
-        assert_equal "  element \n text  ", OneLogin::RubySaml::Utils.element_text(element)
+      it "reformats the private key when there are spaces and no line breaks" do
+        invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
+        assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
       end
 
-      it 'returns nil when element is nil' do
-        assert_nil OneLogin::RubySaml::Utils.element_text(nil)
+      it "reformats the private key when there are spaces and no headers" do
+        invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
       end
 
-      it 'returns empty string when element has no text' do
-        element = REXML::Document.new('<element></element>').elements.first
-        assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
+      it "reformats the private key when there line breaks and no headers" do
+        invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
       end
     end
   end
+
+  describe "build_query" do
+    it "returns the query string" do
+      params = {}
+      params[:type] = "SAMLRequest"
+      params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
+      params[:relay_state] = "http://example.com"
+      params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      query_string = OneLogin::RubySaml::Utils.build_query(params)
+      assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
+    end
+  end
+
+  describe "#verify_signature" do
+    before do
+      @params = {}
+      @params[:cert] = ruby_saml_cert
+      @params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      @params[:query_string] = "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
+    end
+
+    it "returns true when the signature is valid" do
+      @params[:signature] = "uWJm/T4gKLYEsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
+      assert OneLogin::RubySaml::Utils.verify_signature(@params)
+    end
+
+    it "returns false when the signature is invalid" do
+      @params[:signature] = "uWJm/InVaLiDsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
+      assert !OneLogin::RubySaml::Utils.verify_signature(@params)
+    end
+  end
+
+  describe "#status_error_msg" do
+    it "returns a error msg with a status message" do
+      error_msg = "The status code of the Logout Response was not Success"
+      status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+      status_message = "The request could not be performed due to an error on the part of the requester."
+      status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+      assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
+
+      status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
+      assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
+
+      status_error_msg3 =  OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+      assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
+    end
+  end
 end

data/test/xml_security_test.rb

@@ -6,78 +6,125 @@ class XmlSecurityTest < Minitest::Test
   include XMLSecurity
 
   describe "XmlSecurity" do
+
+    let(:decoded_response) { Base64.decode64(response_document_without_recipient) }
+    let(:document) { XMLSecurity::SignedDocument.new(decoded_response) }
+    let(:settings) { OneLogin::RubySaml::Settings.new() }
+
     before do
-      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
-      @base64cert = @document.elements["//ds:X509Certificate"].text
+      @base64cert = document.elements["//ds:X509Certificate"].text
     end
 
     it "should run validate without throwing NS related exceptions" do
-      assert !@document.validate_signature(@base64cert, true)
+      assert !document.validate_signature(@base64cert, true)
     end
 
     it "should run validate with throwing NS related exceptions" do
       assert_raises(OneLogin::RubySaml::ValidationError) do
-        @document.validate_signature(@base64cert, false)
+        document.validate_signature(@base64cert, false)
       end
     end
 
     it "not raise an error when softly validating the document multiple times" do
-      2.times { assert_equal @document.validate_signature(@base64cert, true), false }
+      2.times { assert_equal document.validate_signature(@base64cert, true), false }
     end
 
     it "not raise an error when softly validating the document and the X509Certificate is missing" do
-      response = Base64.decode64(response_document)
-      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
-      document = XMLSecurity::SignedDocument.new(response)
-      assert !document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
+      decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      assert !mod_document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
     end
 
     it "should raise Fingerprint mismatch" do
       exception = assert_raises(OneLogin::RubySaml::ValidationError) do
-        @document.validate_document("no:fi:ng:er:pr:in:t", false)
+        document.validate_document("no:fi:ng:er:pr:in:t", false)
       end
       assert_equal("Fingerprint mismatch", exception.message)
-      assert @document.errors.include? "Fingerprint mismatch"
+      assert_includes document.errors, "Fingerprint mismatch"
     end
 
     it "should raise Digest mismatch" do
       exception = assert_raises(OneLogin::RubySaml::ValidationError) do
-        @document.validate_signature(@base64cert, false)
+        document.validate_signature(@base64cert, false)
       end
       assert_equal("Digest mismatch", exception.message)
-      assert @document.errors.include? "Digest mismatch"
+      assert_includes document.errors, "Digest mismatch"
     end
 
     it "should raise Key validation error" do
-      response = Base64.decode64(response_document)
-      response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+      decoded_response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
                     "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
-      document = XMLSecurity::SignedDocument.new(response)
-      base64cert = document.elements["//ds:X509Certificate"].text
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
+      base64cert = mod_document.elements["//ds:X509Certificate"].text
       exception = assert_raises(OneLogin::RubySaml::ValidationError) do
-        document.validate_signature(base64cert, false)
+        mod_document.validate_signature(base64cert, false)
       end
       assert_equal("Key validation error", exception.message)
-      assert document.errors.include? "Key validation error"
+      assert_includes mod_document.errors, "Key validation error"
     end
 
     it "correctly obtain the digest method with alternate namespace declaration" do
-      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_xmlns, false))
-      base64cert = document.elements["//X509Certificate"].text
-      assert document.validate_signature(base64cert, false)
+      adfs_document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_xmlns, false))
+      base64cert = adfs_document.elements["//X509Certificate"].text
+      assert adfs_document.validate_signature(base64cert, false)
     end
 
     it "raise validation error when the X509Certificate is missing" do
-      response = Base64.decode64(response_document)
-      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
-      document = XMLSecurity::SignedDocument.new(response)
+      decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      mod_document = XMLSecurity::SignedDocument.new(decoded_response)
       exception = assert_raises(OneLogin::RubySaml::ValidationError) do
-        document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
+        mod_document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
       end
       assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
     end
   end
 
+  describe "#canon_algorithm" do
+    it "C14N_EXCLUSIVE_1_0" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#WithComments")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("other")
+    end
+
+    it "C14N_1_0" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_1_0
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
+    end
+
+    it "XML_C14N_1_1" do
+      canon_algorithm = Nokogiri::XML::XML_C14N_1_1
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11")
+    end
+  end
+
+  describe "#algorithm" do    
+    it "SHA1" do
+      alg = OpenSSL::Digest::SHA1
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#sha1")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("other")
+    end
+
+    it "SHA256" do
+      alg = OpenSSL::Digest::SHA256
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha256")
+    end
+
+    it "SHA384" do
+      alg = OpenSSL::Digest::SHA384
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha384")
+    end
+
+    it "SHA512" do
+      alg = OpenSSL::Digest::SHA512
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
+      assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha512")
+    end        
+  end
+
   describe "Fingerprint Algorithms" do
     let(:response_fingerprint_test) { OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha1, false)) }
 
@@ -117,23 +164,23 @@ class XmlSecurityTest < Minitest::Test
 
   describe "Signature Algorithms" do
     it "validate using SHA1" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
     end
 
     it "validate using SHA256" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
-      assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+      assert document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
     end
 
     it "validate using SHA384" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
     end
 
     it "validate using SHA512" do
-      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
-      assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+      document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+      assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
     end
   end
 
@@ -161,12 +208,11 @@ class XmlSecurityTest < Minitest::Test
         response = OneLogin::RubySaml::Response.new(fixture("tdnf_response.xml"))
         response.stubs(:conditions).returns(nil)
         assert !response.is_valid?
-        settings = OneLogin::RubySaml::Settings.new
         assert !response.is_valid?
         response.settings = settings
         assert !response.is_valid?
         settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
-        assert response.validate!
+        assert response.is_valid?
       end
 
       it "return an empty list when inclusive namespace element is missing" do
@@ -181,78 +227,101 @@ class XmlSecurityTest < Minitest::Test
     end
 
     describe "XMLSecurity::DSIG" do
-      it "sign a AuthNRequest" do
-        settings = OneLogin::RubySaml::Settings.new({
-          :idp_sso_target_url => "https://idp.example.com/sso",
-          :protocol_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          :issuer => "https://sp.example.com/saml2",
-          :assertion_consumer_service_url => "https://sp.example.com/acs"
-        })
+      before do
+        settings.idp_sso_target_url = "https://idp.example.com/sso"
+        settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        settings.idp_slo_target_url = "https://idp.example.com/slo",
+        settings.issuer = "https://sp.example.com/saml2"
+        settings.assertion_consumer_service_url = "https://sp.example.com/acs"
+        settings.single_logout_service_url = "https://sp.example.com/sls"
+      end 
+
 
+      it "sign an AuthNRequest" do
         request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
         request.sign_document(ruby_saml_key, ruby_saml_cert)
-
         # verify our signature
         signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
         assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+
+        request2 = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+        request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(request2.to_s)
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
       end
 
-      it "sign a LogoutRequest" do
-        settings = OneLogin::RubySaml::Settings.new({
-          :idp_slo_target_url => "https://idp.example.com/slo",
-          :protocol_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          :issuer => "https://sp.example.com/saml2",
-          :single_logout_service_url => "https://sp.example.com/sls"
-        })
-
-        request = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
-        request.sign_document(ruby_saml_key, ruby_saml_cert)
+      it "sign an AuthNRequest with certificate as text" do
+        request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+        request.sign_document(ruby_saml_key, ruby_saml_cert_text)
 
         # verify our signature
         signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
         assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
       end
 
-      it "sign a LogoutResponse" do
-        settings = OneLogin::RubySaml::Settings.new({
-          :idp_slo_target_url => "https://idp.example.com/slo",
-          :protocol_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          :issuer => "https://sp.example.com/saml2",
-          :single_logout_service_url => "https://sp.example.com/sls"
-        })
+      it "sign a LogoutRequest" do
+        logout_request = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
+        logout_request.sign_document(ruby_saml_key, ruby_saml_cert)
+        # verify our signature
+        signed_doc = XMLSecurity::SignedDocument.new(logout_request.to_s)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
 
-        response = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
-        response.sign_document(ruby_saml_key, ruby_saml_cert)
+        logout_request2 = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
+        logout_request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(logout_request2.to_s)
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)        
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
+      end
 
+      it "sign a LogoutResponse" do
+        logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
+        logout_response.sign_document(ruby_saml_key, ruby_saml_cert)
         # verify our signature
-        signed_doc = XMLSecurity::SignedDocument.new(response.to_s)
+        signed_doc = XMLSecurity::SignedDocument.new(logout_response.to_s)
         assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+
+        logout_response2 = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
+        logout_response2.sign_document(ruby_saml_key, ruby_saml_cert_text)
+        # verify our signature
+        signed_doc2 = XMLSecurity::SignedDocument.new(logout_response2.to_s)
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)        
+        assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
       end
     end
 
     describe "StarfieldTMS" do
+      let (:response) { OneLogin::RubySaml::Response.new(fixture(:starfield_response)) }
+
       before do
-        @response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
-        @response.settings = OneLogin::RubySaml::Settings.new(
-                                                          :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
-                                                          )
+        response.settings = OneLogin::RubySaml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D")
       end
 
       it "be able to validate a good response" do
         Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
-          assert @response.validate!
+          response.stubs(:validate_subject_confirmation).returns(true)
+          assert response.is_valid?
         end
       end
 
       it "fail before response is valid" do
         Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
-          assert ! @response.is_valid?
+          assert !response.is_valid?
+
+          contains_expected_error = response.errors.include? "Current time is earlier than NotBefore condition 2012-11-20 17:55:00 UTC < 2012-11-28 17:53:45 UTC)"
+          contains_expected_error ||= response.errors.include? "Current time is earlier than NotBefore condition Tue Nov 20 17:55:00 UTC 2012 < Wed Nov 28 17:53:45 UTC 2012)"
+          assert contains_expected_error
         end
       end
 
       it "fail after response expires" do
         Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
-          assert ! @response.is_valid?
+          assert !response.is_valid?
+
+          contains_expected_error = response.errors.include? "Current time is on or after NotOnOrAfter condition (2012-11-30 17:55:00 UTC >= 2012-11-28 18:33:45 UTC)"
+          contains_expected_error ||= response.errors.include? "Current time is on or after NotOnOrAfter condition (Fri Nov 30 17:55:00 UTC 2012 >= Wed Nov 28 18:33:45 UTC 2012)"
+          assert contains_expected_error
         end
       end
     end