ruby-saml 1.12.4 → 1.18.1

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -43,7 +43,7 @@ module OneLogin
         end
 
         @options = options
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
@@ -213,7 +213,7 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
-        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params])
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
 
         if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
           options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])

data/lib/onelogin/ruby-saml/metadata.rb

@@ -21,53 +21,61 @@ module OneLogin
       #
       def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
         meta_doc = XMLSecurity::Document.new
+        add_xml_declaration(meta_doc)
+        root = add_root_element(meta_doc, settings, valid_until, cache_duration)
+        sp_sso = add_sp_sso_element(root, settings)
+        add_sp_certificates(sp_sso, settings)
+        add_sp_service_elements(sp_sso, settings)
+        add_extras(root, settings)
+        embed_signature(meta_doc, settings)
+        output_xml(meta_doc, pretty_print)
+      end
+
+      protected
+
+      def add_xml_declaration(meta_doc)
+        meta_doc << REXML::XMLDecl.new('1.0', 'UTF-8')
+      end
+
+      def add_root_element(meta_doc, settings, valid_until, cache_duration)
         namespaces = {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
+
         if settings.attribute_consuming_service.configured?
           namespaces["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion"
         end
-        root = meta_doc.add_element "md:EntityDescriptor", namespaces
-        sp_sso = root.add_element "md:SPSSODescriptor", {
+
+        root = meta_doc.add_element("md:EntityDescriptor", namespaces)
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
+        root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
+        root.attributes["validUntil"] = valid_until.utc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until
+        root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
+        root
+      end
+
+      def add_sp_sso_element(root, settings)
+        root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
+      end
 
-        # Add KeyDescriptor if messages will be signed / encrypted
-        # with SP certificate, and new SP certificate if any
-        cert = settings.get_sp_cert
-        cert_new = settings.get_sp_cert_new
-
-        for sp_cert in [cert, cert_new]
-          if sp_cert
-            cert_text = Base64.encode64(sp_cert.to_der).gsub("\n", '')
-            kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
-            ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-            xd = ki.add_element "ds:X509Data"
-            xc = xd.add_element "ds:X509Certificate"
-            xc.text = cert_text
-
-            if settings.security[:want_assertions_encrypted]
-              kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-              ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-              xd2 = ki2.add_element "ds:X509Data"
-              xc2 = xd2.add_element "ds:X509Certificate"
-              xc2.text = cert_text
-            end
-          end
-        end
+      # Add KeyDescriptor elements for SP certificates.
+      def add_sp_certificates(sp_sso, settings)
+        certs = settings.get_sp_certs
 
-        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.sp_entity_id
-          root.attributes["entityID"] = settings.sp_entity_id
-        end
-        if valid_until
-          root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z')
-        end
-        if cache_duration
-          root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S"
+        certs[:signing].each { |cert, _| add_sp_cert_element(sp_sso, cert, :signing) }
+
+        if settings.security[:want_assertions_encrypted]
+          certs[:encryption].each { |cert, _| add_sp_cert_element(sp_sso, cert, :encryption) }
         end
+
+        sp_sso
+      end
+
+      def add_sp_service_elements(sp_sso, settings)
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
               "Binding" => settings.single_logout_service_binding,
@@ -75,10 +83,12 @@ module OneLogin
               "ResponseLocation" => settings.single_logout_service_url
           }
         end
+
         if settings.name_identifier_format
           nameid = sp_sso.add_element "md:NameIDFormat"
           nameid.text = settings.name_identifier_format
         end
+
         if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
               "Binding" => settings.assertion_consumer_service_binding,
@@ -117,15 +127,26 @@ module OneLogin
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        sp_sso
+      end
 
-        # embed signature
-        if settings.security[:metadata_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
-        end
+      # can be overridden in subclass
+      def add_extras(root, _settings)
+        root
+      end
+
+      def embed_signature(meta_doc, settings)
+        return unless settings.security[:metadata_signed]
+
+        cert, private_key = settings.get_sp_signing_pair
+        return unless private_key && cert
+
+        meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+      end
+
+      def output_xml(meta_doc, pretty_print)
+        ret = ''.dup
 
-        ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print
           meta_doc.write(ret, 1)
@@ -133,7 +154,19 @@ module OneLogin
           ret = meta_doc.to_s
         end
 
-        return ret
+        ret
+      end
+
+      private
+
+      def add_sp_cert_element(sp_sso, cert, use)
+        return unless cert
+        cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+        kd = sp_sso.add_element "md:KeyDescriptor", { "use" => use.to_s }
+        ki = kd.add_element "ds:KeyInfo", { "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" }
+        xd = ki.add_element "ds:X509Data"
+        xc = xd.add_element "ds:X509Certificate"
+        xc.text = cert_text
       end
     end
   end

data/lib/onelogin/ruby-saml/response.rb

@@ -17,6 +17,10 @@ module OneLogin
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
+      SAML_NAMESPACES = {
+        "p" => PROTOCOL,
+        "a" => ASSERTION
+      }.freeze
 
       # TODO: Settings should probably be initialized too... WDYT?
 
@@ -63,7 +67,7 @@ module OneLogin
           end
         end
 
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response, @errors)
 
         if assertion_encrypted?
@@ -198,6 +202,27 @@ module OneLogin
         end
       end
 
+      # Gets the AuthnInstant from the AuthnStatement.
+      # Could be used to require re-authentication if a long time has passed
+      # since the last user authentication.
+      # @return [String] AuthnInstant value
+      #
+      def authn_instant
+        @authn_instant ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          node.nil? ? nil : node.attributes['AuthnInstant']
+        end
+      end
+
+      # Gets the AuthnContextClassRef from the AuthnStatement
+      # Could be used to require re-authentication if the assertion
+      # did not met the requested authentication context class.
+      # @return [String] AuthnContextClassRef value
+      #
+      def authn_context_class_ref
+        @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+      end
+
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       #
@@ -227,11 +252,10 @@ module OneLogin
               statuses = nodes.collect do |inner_node|
                 inner_node.attributes["Value"]
               end
-              extra_code = statuses.join(" | ")
-              if extra_code
-                code = "#{code} | #{extra_code}"
-              end
+
+              code = [code, statuses].flatten.join(" | ")
             end
+
             code
           end
         end
@@ -283,7 +307,7 @@ module OneLogin
           issuer_response_nodes = REXML::XPath.match(
             document,
             "/p:Response/a:Issuer",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            SAML_NAMESPACES
           )
 
           unless issuer_response_nodes.size == 1
@@ -338,9 +362,9 @@ module OneLogin
       end
 
       # returns the allowed clock drift on timing validation
-      # @return [Integer]
+      # @return [Float]
       def allowed_clock_drift
-        return options[:allowed_clock_drift].to_f
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
       end
 
       # Checks if the SAML Response contains or not an EncryptedAssertion element
@@ -350,7 +374,7 @@ module OneLogin
         ! REXML::XPath.first(
           document,
           "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          SAML_NAMESPACES
         ).nil?
       end
 
@@ -377,14 +401,13 @@ module OneLogin
         return false unless validate_response_state
 
         validations = [
-          :validate_response_state,
           :validate_version,
           :validate_id,
           :validate_success_status,
           :validate_num_assertion,
-          :validate_no_duplicated_attributes,
           :validate_signed_elements,
           :validate_structure,
+          :validate_no_duplicated_attributes,
           :validate_in_response_to,
           :validate_one_conditions,
           :validate_conditions,
@@ -425,6 +448,7 @@ module OneLogin
       #
       def validate_structure
         structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
+
         check_malformed_doc = check_malformed_doc_enabled?
         unless valid_saml?(document, soft, check_malformed_doc)
           return append_error(structure_error_msg)
@@ -616,7 +640,12 @@ module OneLogin
       #
       def validate_audience
         return true if options[:skip_audience]
-        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+        return true if settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+        if audiences.empty?
+          return true unless settings.security[:strict_audience_validation]
+          return append_error("Invalid Audiences. The <AudienceRestriction> element contained only empty <Audience> elements. Expected audience #{settings.sp_entity_id}.")
+        end
 
         unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
@@ -695,13 +724,13 @@ module OneLogin
 
         now = Time.now.utc
 
-        if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
-          error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
+        if not_before && now < (not_before - allowed_clock_drift)
+          error_msg = "Current time is earlier than NotBefore condition (#{now} < #{not_before}#{" - #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
-        if not_on_or_after && now >= (not_on_or_after_with_drift = not_on_or_after + allowed_clock_drift)
-          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after_with_drift})"
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
@@ -739,11 +768,11 @@ module OneLogin
       # @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate_session_expiration(soft = true)
+      def validate_session_expiration
         return true if session_expires_at.nil?
 
         now = Time.now.utc
-        unless (session_expires_at + allowed_clock_drift) > now
+        unless now < (session_expires_at + allowed_clock_drift)
           error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AuthnStatement of this Response"
           return append_error(error_msg)
         end
@@ -781,8 +810,8 @@ module OneLogin
 
           attrs = confirmation_data_node.attributes
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
-                  (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
-                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
+                  (attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
+                  (attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
                   (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
 
           valid_subject_confirmation = true
@@ -810,7 +839,7 @@ module OneLogin
 
           unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
             if name_id_spnamequalifier != settings.sp_entity_id
-              return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
+              return append_error("SPNameQualifier value does not match the SP entityID value.")
             end
           end
         end
@@ -818,6 +847,25 @@ module OneLogin
         true
       end
 
+      def doc_to_validate
+        # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
+        # otherwise, review if the decrypted assertion contains a signature
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+
+        use_original = sig_elements.size == 1 || decrypted_document.nil?
+        doc = use_original ? document : decrypted_document
+        if !doc.processed
+          doc.cache_referenced_xml(@soft, check_malformed_doc_enabled?)
+        end
+
+        return doc
+      end
+
       # Validates the Signature
       # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
@@ -825,8 +873,8 @@ module OneLogin
       def validate_signature
         error_msg = "Invalid Signature on SAML Response"
 
-        # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
-        # otherwise, review if the decrypted assertion contains a signature
+        doc = doc_to_validate
+
         sig_elements = REXML::XPath.match(
           document,
           "/p:Response[@ID=$id]/ds:Signature",
@@ -834,15 +882,12 @@ module OneLogin
           { 'id' => document.signed_element_id }
         )
 
-        use_original = sig_elements.size == 1 || decrypted_document.nil?
-        doc = use_original ? document : decrypted_document
-
-        # Check signature nodes
+        # Check signature node inside assertion
         if sig_elements.nil? || sig_elements.size == 0
           sig_elements = REXML::XPath.match(
             doc,
             "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
-            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            SAML_NAMESPACES.merge({"ds"=>DSIG}),
             { 'id' => doc.signed_element_id }
           )
         end
@@ -866,8 +911,6 @@ module OneLogin
           fingerprint = settings.get_fingerprint
           opts[:cert] = idp_cert
 
-          check_malformed_doc = check_malformed_doc_enabled?
-          opts[:check_malformed_doc] = check_malformed_doc
           if fingerprint && doc.validate_document(fingerprint, @soft, opts)
             if settings.security[:check_idp_cert_expiration]
               if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -882,7 +925,7 @@ module OneLogin
           valid = false
           expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert, true, check_malformed_doc)
+            valid = doc.validate_document_with_cert(idp_cert, true)
             if valid
               if settings.security[:check_idp_cert_expiration]
                 if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -915,31 +958,54 @@ module OneLogin
           begin
             encrypted_node = xpath_first_from_signed_assertion('/a:Subject/a:EncryptedID')
             if encrypted_node
-              node = decrypt_nameid(encrypted_node)
+              decrypt_nameid(encrypted_node)
             else
-              node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+              xpath_first_from_signed_assertion('/a:Subject/a:NameID')
             end
           end
       end
 
+      def get_cached_signed_assertion
+        xml = doc_to_validate.referenced_xml
+        empty_doc = REXML::Document.new
+
+        return empty_doc if xml.nil? # when no signature/reference is found, return empty document
+
+        root = REXML::Document.new(xml).root
+
+        if root.attributes["ID"] != doc_to_validate.signed_element_id
+          return empty_doc
+        end
+
+        assertion = empty_doc
+        if root.name == "Response"
+          if REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+            assertion = REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+          elsif REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION})
+            assertion = decrypt_assertion(REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION}))
+          end
+        elsif root.name == "Assertion"
+          assertion = root
+        end
+
+        assertion
+      end
+
+      def signed_assertion
+        @signed_assertion ||= get_cached_signed_assertion
+      end
+
       # Extracts the first appearance that matchs the subelt (pattern)
       # Search on any Assertion that is signed, or has a Response parent signed
       # @param subelt [String] The XPath pattern
       # @return [REXML::Element | nil] If any matches, return the Element
       #
       def xpath_first_from_signed_assertion(subelt=nil)
-        doc = decrypted_document.nil? ? document : decrypted_document
+        doc = signed_assertion
         node = REXML::XPath.first(
             doc,
-            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
-        )
-        node ||= REXML::XPath.first(
-            doc,
-            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
+            "./#{subelt}",
+            SAML_NAMESPACES
         )
         node
       end
@@ -950,26 +1016,20 @@ module OneLogin
       # @return [Array of REXML::Element] Return all matches
       #
       def xpath_from_signed_assertion(subelt=nil)
-        doc = decrypted_document.nil? ? document : decrypted_document
+        doc = signed_assertion
         node = REXML::XPath.match(
             doc,
-            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
+            "./#{subelt}",
+            SAML_NAMESPACES
         )
-        node.concat( REXML::XPath.match(
-            doc,
-            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
-        ))
+        node
       end
 
       # Generates the decrypted_document
       # @return [XMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
       #
       def generate_decrypted_document
-        if settings.nil? || !settings.get_sp_key
+        if settings.nil? || settings.get_sp_decryption_keys.empty?
           raise ValidationError.new('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
         end
 
@@ -996,7 +1056,7 @@ module OneLogin
         encrypted_assertion_node = REXML::XPath.first(
           document_copy,
           "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          SAML_NAMESPACES
         )
         response_node.add(decrypt_assertion(encrypted_assertion_node))
         encrypted_assertion_node.remove
@@ -1012,42 +1072,42 @@ module OneLogin
       end
 
       # Decrypts an EncryptedID element
-      # @param encryptedid_node [REXML::Element] The EncryptedID element
+      # @param encrypted_id_node [REXML::Element] The EncryptedID element
       # @return [REXML::Document] The decrypted EncrypedtID element
       #
-      def decrypt_nameid(encryptedid_node)
-        decrypt_element(encryptedid_node, /(.*<\/(\w+:)?NameID>)/m)
+      def decrypt_nameid(encrypted_id_node)
+        decrypt_element(encrypted_id_node, /(.*<\/(\w+:)?NameID>)/m)
       end
 
-      # Decrypts an EncryptedID element
-      # @param encryptedid_node [REXML::Element] The EncryptedID element
-      # @return [REXML::Document] The decrypted EncrypedtID element
+      # Decrypts an EncryptedAttribute element
+      # @param encrypted_attribute_node [REXML::Element] The EncryptedAttribute element
+      # @return [REXML::Document] The decrypted EncryptedAttribute element
       #
-      def decrypt_attribute(encryptedattribute_node)
-        decrypt_element(encryptedattribute_node, /(.*<\/(\w+:)?Attribute>)/m)
+      def decrypt_attribute(encrypted_attribute_node)
+        decrypt_element(encrypted_attribute_node, /(.*<\/(\w+:)?Attribute>)/m)
       end
 
       # Decrypt an element
-      # @param encryptedid_node [REXML::Element] The encrypted element
-      # @param rgrex string Regex
+      # @param encrypt_node [REXML::Element] The encrypted element
+      # @param regexp [Regexp] The regular expression to extract the decrypted data
       # @return [REXML::Document] The decrypted element
       #
-      def decrypt_element(encrypt_node, rgrex)
-        if settings.nil? || !settings.get_sp_key
+      def decrypt_element(encrypt_node, regexp)
+        if settings.nil? || settings.get_sp_decryption_keys.empty?
           raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
-
         if encrypt_node.name == 'EncryptedAttribute'
           node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
         else
           node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         end
 
-        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
+        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_multi(encrypt_node, settings.get_sp_decryption_keys)
+
         # If we get some problematic noise in the plaintext after decrypting.
         # This quick regexp parse will grab only the Element and discard the noise.
-        elem_plaintext = elem_plaintext.match(rgrex)[0]
+        elem_plaintext = elem_plaintext.match(regexp)[0]
 
         # To avoid namespace errors if saml namespace is not defined
         # create a parent node first with the namespace defined