RubyGems - signed_xml - Versions diffs - 0.0.1 - Mend

signed_xml 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

data/.gitignore +17 -0
data/Gemfile +4 -0
data/LICENSE.txt +22 -0
data/README.md +29 -0
data/Rakefile +1 -0
data/lib/signed_xml/base64_transform.rb +9 -0
data/lib/signed_xml/c14n_transform.rb +26 -0
data/lib/signed_xml/digest_method_resolution.rb +15 -0
data/lib/signed_xml/digest_transform.rb +17 -0
data/lib/signed_xml/document.rb +36 -0
data/lib/signed_xml/enveloped_signature_transform.rb +10 -0
data/lib/signed_xml/reference.rb +59 -0
data/lib/signed_xml/signature.rb +74 -0
data/lib/signed_xml/signed_info.rb +17 -0
data/lib/signed_xml/transformable.rb +13 -0
data/lib/signed_xml/version.rb +3 -0
data/lib/signed_xml.rb +16 -0
data/signed_xml.gemspec +25 -0
data/spec/resources/badly_signed_saml_response.xml +78 -0
data/spec/resources/incorrect_digest_saml_response.xml +78 -0
data/spec/resources/same_doc_reference.xml +38 -0
data/spec/resources/same_doc_reference_template.xml +5 -0
data/spec/resources/saml_response_template.xml +60 -0
data/spec/resources/signed_saml_response.xml +78 -0
data/spec/resources/test_cert.pem +28 -0
data/spec/resources/test_key.pem +27 -0
data/spec/resources/two_sig_doc.xml +9 -0
data/spec/resources/unsigned_saml_response.xml +36 -0
data/spec/signed_xml_document_spec.rb +94 -0
data/spec/spec_helper.rb +8 -0
metadata +157 -0

data/.gitignore ADDED Viewed

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile ADDED Viewed

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+# Specify your gem's dependencies in signed_xml_document.gemspec
+gemspec

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Todd Thomas
+MIT License
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,29 @@
+# SignedXmlDocument
+TODO: Write a gem description
+## Installation
+Add this line to your application's Gemfile:
+    gem 'signed_xml_document'
+And then execute:
+    $ bundle
+Or install it yourself as:
+    $ gem install signed_xml_document
+## Usage
+TODO: Write usage instructions here
+## Contributing
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile ADDED Viewed

	@@ -0,0 +1 @@
1	+ require "bundler/gem_tasks"

data/lib/signed_xml/base64_transform.rb ADDED Viewed

@@ -0,0 +1,9 @@
+require 'base64'
+module SignedXml
+  class Base64Transform
+    def apply(input)
+      Base64.encode64(input)
+    end
+  end
+end

data/lib/signed_xml/c14n_transform.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module SignedXml
+  class C14NTransform
+    include Nokogiri::XML
+    attr_reader :method
+    attr_reader :with_comments
+    def initialize(method = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
+      method, with_comments = method.split('#')
+      @method = case method
+                when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then XML_C14N_1_0
+                when "http://www.w3.org/2001/10/xml-exc-c14n" then XML_C14N_EXCLUSIVE_1_0
+                when "http://www.w3.org/2006/12/xml-c14n11" then XML_C14N_1_1
+                else raise ArgumentError.new("unknown canonicalization method #{method}")
+                end
+      @with_comments = !!with_comments
+    end
+    def apply(input)
+      raise ArgumentError.new("input #{input.inspect}:#{input.class} is not canonicalizable") unless input.respond_to?(:canonicalize)
+      input.canonicalize(method, nil, with_comments)
+    end
+  end
+end

data/lib/signed_xml/digest_method_resolution.rb ADDED Viewed

@@ -0,0 +1,15 @@
+require 'openssl'
+module SignedXml
+  module DigestMethodResolution
+    include OpenSSL
+    def digester_for_id(id)
+      case id
+      when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        Digest::SHA1.new
+      else raise ArgumentError.new("unknown digest method #{id}")
+      end
+    end
+  end
+end

data/lib/signed_xml/digest_transform.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require "openssl"
+module SignedXml
+  class DigestTransform
+    include DigestMethodResolution
+    attr_reader :digest
+    def initialize(method_id)
+      @digest = digester_for_id(method_id)
+    end
+    def apply(input)
+      digest.digest(input)
+    end
+  end
+end

data/lib/signed_xml/document.rb ADDED Viewed

@@ -0,0 +1,36 @@
+require "openssl"
+require "options"
+module SignedXml
+  class Document
+    attr_reader :doc
+    def initialize(doc)
+      @doc = doc
+    end
+    def is_verifiable?
+      signatures.any?
+    end
+    def is_verified?(opts = {})
+      return false unless is_verifiable?
+      signatures.all?(&:is_verified?)
+    end
+    private
+    def signatures
+      @signatures ||= init_signatures
+    end
+    def init_signatures
+      signatures = []
+      doc.xpath("//ds:Signature", ds: XMLDSIG_NS).each do |signature_node|
+        signatures << Signature.new(signature_node)
+      end
+      signatures
+    end
+  end
+end

data/lib/signed_xml/enveloped_signature_transform.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module SignedXml
+  class EnvelopedSignatureTransform
+    def apply(input)
+      envelope = Nokogiri::XML::Document.new
+      envelope.root = input
+      envelope.at_xpath('//ds:Signature', ds: XMLDSIG_NS).remove
+      envelope
+    end
+  end
+end

data/lib/signed_xml/reference.rb ADDED Viewed

@@ -0,0 +1,59 @@
+module SignedXml
+  class Reference
+    include Transformable
+    attr_reader :here, :start
+    def initialize(here)
+      @here = here
+      uri = here['URI']
+      case uri
+      when nil, ""
+        @start = here.document.root
+      when /^#/
+        id = uri.split('#').last
+        raise ArgumentError.new("XPointer expressions like #{id} are not yet supported") if id =~ /^xpointer/
+        # TODO: handle ID attrs with names other than 'ID'
+        @start = here.document.at_xpath("//*[@ID='#{id}']")
+        raise ArgumentError.new("no match found for ID #{id}") if @start.nil?
+      else raise ArgumentError.new("unsupported Reference URI #{uri}")
+      end
+      @transforms = init_transforms
+    end
+    def is_verified?
+      apply_transforms.chomp == digest_value
+    end
+    private
+    def init_transforms
+      transforms = []
+      here.xpath('.//ds:Transform', ds: XMLDSIG_NS).each do |transform_node|
+        method = transform_node['Algorithm']
+        case method
+        when "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+          transforms << EnvelopedSignatureTransform.new
+        when %r{^http://.*c14n}
+          transforms << C14NTransform.new(method)
+        else raise ArgumentError.new("unknown transform method #{method}")
+        end
+      end
+      # If no explicit c14n transform is specified, make sure we do one before digesting.
+      transforms << C14NTransform.new unless transforms.last.is_a? C14NTransform
+      digest_method = here.at_xpath('//ds:DigestMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+      transforms << DigestTransform.new(digest_method)
+      transforms << Base64Transform.new
+    end
+    def digest_value
+      @digest_value ||= here.at_xpath('ds:DigestValue', ds: XMLDSIG_NS).text.strip
+    end
+  end
+end

data/lib/signed_xml/signature.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'base64'
+module SignedXml
+  class Signature
+    include DigestMethodResolution
+    attr_accessor :here
+    def initialize(here)
+      @here = here
+    end
+    def is_verified?
+      is_signed_info_verified? && are_reference_digests_verified?
+    end
+    private
+    def is_signed_info_verified?
+      public_key.verify(digester_for_id(signed_info.signature_method), decoded_value, signed_info.apply_transforms)
+    end
+    def are_reference_digests_verified?
+      references.all?(&:is_verified?)
+    end
+    def references
+      @references ||= init_references
+    end
+    def init_references
+      references = []
+      here.xpath('//ds:Reference', ds: XMLDSIG_NS).each do |reference_node|
+        references << Reference.new(reference_node)
+      end
+      references
+    end
+    def decoded_value
+      @decoded_value ||= Base64.decode64 value
+    end
+    def value
+      @value ||= here.at_xpath('//ds:SignatureValue', ds: XMLDSIG_NS).text.strip
+    end
+    def signed_info
+      @signed_info ||= SignedInfo.new(here.at_xpath("//ds:SignedInfo", ds: XMLDSIG_NS))
+    end
+    def public_key
+      @public_key ||= x509_certificate.public_key
+    end
+    def x509_certificate
+      @x509_certificate ||= OpenSSL::X509::Certificate.new(certificate(x509_cert_data))
+    end
+    def x509_cert_data
+      @x509_cert_data ||= here.at_xpath("//ds:X509Certificate", ds: XMLDSIG_NS).text
+    end
+    def certificate(data)
+      "-----BEGIN CERTIFICATE-----\n#{wrap_text(data, 64)}-----END CERTIFICATE-----\n"
+    end
+    # http://blog.macromates.com/2006/wrapping-text-with-regular-expressions/
+    def wrap_text(txt, col = 80)
+      txt.gsub(/(.{1,#{col}})( +|$)\n?|(.{#{col}})/, "\\1\\3\n")
+    end
+  end
+end

data/lib/signed_xml/signed_info.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module SignedXml
+  class SignedInfo
+    include Transformable
+    attr_reader :start, :signature_method
+    def initialize(here)
+      @start = here
+      canonicalization_method = here.at_xpath('//ds:CanonicalizationMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+      transforms << C14NTransform.new(canonicalization_method)
+      @signature_method = here.at_xpath('//ds:SignatureMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+    end
+  end
+end

data/lib/signed_xml/transformable.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module SignedXml
+  module Transformable
+    def transforms
+      @transforms ||= []
+    end
+    def apply_transforms
+      transforms.reduce(start) do |input, transform|
+        transform.apply(input)
+      end
+    end
+  end
+end

data/lib/signed_xml/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module SignedXml
+  VERSION = "0.0.1"
+end

data/lib/signed_xml.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require 'nokogiri'
+module SignedXml
+  XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
+  autoload :Transformable, 'signed_xml/transformable'
+  autoload :Document, 'signed_xml/document'
+  autoload :Signature, 'signed_xml/signature'
+  autoload :SignedInfo, 'signed_xml/signed_info'
+  autoload :Reference, 'signed_xml/reference'
+  autoload :DigestMethodResolution, 'signed_xml/digest_method_resolution'
+  autoload :DigestTransform, 'signed_xml/digest_transform'
+  autoload :Base64Transform, 'signed_xml/base64_transform'
+  autoload :C14NTransform, 'signed_xml/c14n_transform'
+  autoload :EnvelopedSignatureTransform, 'signed_xml/enveloped_signature_transform'
+end

data/signed_xml.gemspec ADDED Viewed

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'signed_xml/version'
+Gem::Specification.new do |gem|
+  gem.name          = "signed_xml"
+  gem.version       = SignedXml::VERSION
+  gem.authors       = ["Todd Thomas"]
+  gem.email         = ["todd.thomas@openlogic.com"]
+  gem.description   = %q{XML Signature verification}
+  gem.summary       = %q{Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.}
+  gem.homepage      = ""
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.add_dependency "nokogiri", "~> 1.5"
+  gem.add_dependency "options"
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "rspec"
+end

data/spec/resources/badly_signed_saml_response.xml ADDED Viewed

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kZgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/incorrect_digest_saml_response.xml ADDED Viewed

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrZztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/same_doc_reference.xml ADDED Viewed

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962" Version="2.0" IssueInstant="2013-04-08T23:13:22Z" Destination="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>MNf3EJFKtNqL4VLmjQ3ie/quaEY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>yrvpPF7jkXgzu00ro5vY3gpHDzP2rsXdNL6aKwlMgjwMF4EG4RxlmYioGS7ioxyo
+AMCF7TUI7NH5CrVEXM56Rl50uEVLsV9ePvyW1OkfxdUrzJtg9fzAW9OwBj/Xa6Kv
+kfvFu2SND/Ak2JV5GJxBI09fANwrq20xGgtQ3gB8XlSArT+Te4XWxWwViCkIq8pQ
+llZYpN5wba0cJ5gF8ukw1Ypf8Do/fQGxjp50C4wDJ557/TwjBZyqJGXOcbkijb7i
+Mit++q4AfEO1zaDT+PbY4YrqH1gUxBLdCcrZI/EakaJHFjdwk43+yrVWPLRb2OUS
+yF1bxdhBTEWz0c7KtAhjmA==</ds:SignatureValue>
+    <ds:KeyInfo><ds:X509Data>
+<ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6f56d840d8df3697749fc533c9efac5866d5b88dde" Version="2.0" IssueInstant="2013-04-08T23:13:22Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3c448bd72f639960c116dc6339a4930e7a4a3e9f3c</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-08T23:18:22Z" Recipient="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-08T23:12:52Z" NotOnOrAfter="2013-04-08T23:18:22Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-08T23:12:38Z" SessionNotOnOrAfter="2013-04-09T07:13:22Z" SessionIndex="_0c21a3bb421aefe16d6278b10c7924a5d66141922b"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">todd.thomas@openlogic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/same_doc_reference_template.xml ADDED Viewed

@@ -0,0 +1,5 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962" Version="2.0" IssueInstant="2013-04-08T23:13:22Z" Destination="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/>
+    <ds:KeyInfo><ds:X509Data><ds:X509Certificate/></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6f56d840d8df3697749fc533c9efac5866d5b88dde" Version="2.0" IssueInstant="2013-04-08T23:13:22Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3c448bd72f639960c116dc6339a4930e7a4a3e9f3c</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-08T23:18:22Z" Recipient="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-08T23:12:52Z" NotOnOrAfter="2013-04-08T23:18:22Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-08T23:12:38Z" SessionNotOnOrAfter="2013-04-09T07:13:22Z" SessionIndex="_0c21a3bb421aefe16d6278b10c7924a5d66141922b"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">todd.thomas@openlogic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/saml_response_template.xml ADDED Viewed

@@ -0,0 +1,60 @@
+<Response
+  IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+  ID="_c7055387-af61-4fce-8b98-e2927324b306"
+  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod
+        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod
+        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform
+            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod
+          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue/>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue/>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>
+        </ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
+    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID
+        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation
+        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z"
+      NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/signed_saml_response.xml ADDED Viewed

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/test_cert.pem ADDED Viewed

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8
+-----END CERTIFICATE-----

data/spec/resources/test_key.pem ADDED Viewed

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA2W4cA/POChtQI2RDcjkMNU6arzJJMTEiBUMEjD4PNSSA4D4n
+wl1x4pojYXqPfSuE5ywFeFfurC7D/HNqUBa+e5g0gaNcdSY0i0fyxg/7HKkKs0lz
+VyzX3xexWx9vP8C/fpQazDcRIeS70wpvq5pwB3SYxiv/wWyxO1bnpN4q6rlKNzhe
+h4nTka9m/OnnOCNoI4np95MIJmHNJ+6cY0XhHiqqaGdcrQdz4w5QMCXIQk7Oovm5
+kCecasg5/jh02brQlQhPQ8AS04Xxq9o/nO6aONhLnLktRjBGx1mxHEgq7oUGOdYk
+foXOeE0XPxkG8H1cnzgTCffLOUwEgIdEn8Ng5QIDAQABAoIBAQCVIe/3SgddaUR7
+Me8M7lIQUhzI4+3N3sxd3YzGAF7/7Uy0Ag3VQ7C0Y1K3LpAyo2HiCZCq7W0YDm+A
+vU0DJ8Z5EXmaHYlyFMVfbvb2oMl07AEZ3dxNw8VBEIgmXxY4HSV7VWxX+8E1hSTK
+6NKVWjVS98c9zbn7WmjpsX7q1zOKkE7B2uMLZr0Q+5eDRTgNYZdRSKWt5g9KXJrW
+F4ONPSnvEsSWKDylS89JK1jK1Q3neiTHmqpu112m8x5JsQ3OrFNfWmwRxiGbgSXv
+WQnbU+IJ/23f8i/6gwHnYjHpldsxQQFPsrODPQS6vj0OV+ectcp7QneTMF1f4NKW
+QmJTI2KBAoGBAPB8qezibK9OxqLrrLFtqQE1v7m592A59BcujxWJ8nTzRGyLygeG
+rCX/PUv8iSd0BTIFuCSlgy6yqxT8Wko+vzWLtu4rP1Iky9L+12UuJJiK5mA6BC9f
+DMLqNEOR0jO9Y490hYDejH+e0cAY2s0Oh8TUjEP7D/ViFkWSLE5a3kcFAoGBAOd0
+sOq4kFVk/ZiALN/wkaU73qPEpVM8M0W7NwZ6MOXdVvMNLu3An2cf/i2/C6wqG/Ve
+NYCQrCMOBRfEbWDF4KOb/YuOpAgVfZnujOas1TfVsyM06wnkjCvg0DL9qwihMR9K
+SK0c/sIl4ybUNJzwhmx2kPrt8Vk9+gqirGYA+hhhAoGAZe1glC9Pw2nPFQRwmG8T
+H5kpXs2sRJOrmhu4t3dVVS46RQtmoJP66MvqrgcmFpu9C/uSla21ERjXHDjtB+Ta
+ZBaIfR/FYcqIvTAYGSFaj3Dnvcc5ON6/aOmdJzpp7lYKGaZYY0twHzMwUYv3SMws
+zUcNAE8r72QYbnpK3xbyeQUCgYBSPuz++0aOkaxrnGBV0y5uALBEkYQN575wcO5E
+pvbpN5XGGFEsut3pzzyLFPAY5X252xg37zC75Cd7IpmbYbVJbgzSooU3Oiu/nz0C
+WzgI9y8Iu60pfsUwclqJRAqarmy+Ka9ZlIwSgVQOYCmx+uZJdHhgMl0o0RUg4l1Q
+gdhdAQKBgG3U5J6jeHe8svMWO8R3pfFewX427FETnwm5XU/DCeY1xAAEVlsXLgDe
+3XmaQlskylQJhoP0pImV+snAFTtPYGZM9Wof18FkYxwaCViEwYVr7Z5Gm6GyFKpL
+IiVG3k0XwY/Pgci3Wxw5aZIyS4NBnp8KCXzXAn4nfUbFZt/DXzI6
+-----END RSA PRIVATE KEY-----

data/spec/resources/two_sig_doc.xml ADDED Viewed

@@ -0,0 +1,9 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_575136947e054f114761c6df08bd3644f0c2079aae" Version="2.0" IssueInstant="2013-04-12T00:45:07Z" Destination="http://localhost:3000/saml-login" InResponseTo="49246bce-6fc4-43b7-a661-6d5d5b146ea4"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_575136947e054f114761c6df08bd3644f0c2079aae"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Vb69+UWPYwvAMb4K5aVQvT7Nq2c=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>eMsQ2jp2aY0kqYYDPS0rUJkwNPajXYFjBArqS8n4JuRhjNTpv3mDVmfk/+eUDxHBWfxSFDa5gLN3lgtu6VMwfcJ2zuUmIFtUUpfBcCaeVcc4jDehckSAAYXIlrG3eoPDp3+uU6cS+3gJQPfCfMl7LIKeNZS1yOHgz5XXk9zOo9Y=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_36bb41924d265fa2d92450e85c53c35590bf06c106" Version="2.0" IssueInstant="2013-04-12T00:45:07Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_36bb41924d265fa2d92450e85c53c35590bf06c106"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>NRT1gWsxJE1n+kHlHRbEvfQW81I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S1eVfcB7Lf0hNdfunOIDivgWL5JPBsEiUgXnNhgx4rbID1WnQv1X3QOt25OWO1RaML9ML61A976AS6CP1s5Z4y2SzHcPDbye3vKll3lbqKj6OQ4H5s1C9Xmy3sJcOIw8aJ+N89KhLckWqy66ec/XybbX3D2RDuzoIg2KmR2Nf14=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7e3d918ee67356d13c10e088927902206b98c1c2bb</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-12T00:50:07Z" Recipient="http://localhost:3000/saml-login" InResponseTo="49246bce-6fc4-43b7-a661-6d5d5b146ea4"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-12T00:44:37Z" NotOnOrAfter="2013-04-12T00:50:07Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-12T00:45:07Z" SessionNotOnOrAfter="2013-04-12T08:45:07Z" SessionIndex="_07a70ed54455feb8685d2b25e292773cd003cd57ac"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">toddthomas@acm.org</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Todd</saml:AttributeValue></saml:Attribute><saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Thomas</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/unsigned_saml_response.xml ADDED Viewed

@@ -0,0 +1,36 @@
+<Response
+  IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+  ID="_c7055387-af61-4fce-8b98-e2927324b306"
+  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
+    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID
+        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation
+        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z"
+      NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/signed_xml_document_spec.rb ADDED Viewed

@@ -0,0 +1,94 @@
+require 'spec_helper'
+describe SignedXml::Document do
+  include SignedXml::DigestMethodResolution
+  let(:resources_path) { File.join(File.dirname(__FILE__), 'resources') }
+  let(:unsigned_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'unsigned_saml_response.xml'))
+  end
+  let(:unsigned_doc) { SignedXml::Document.new(unsigned_doc_nodes) }
+  let(:signed_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'signed_saml_response.xml'))
+  end
+  let(:signed_doc) { SignedXml::Document.new(signed_doc_nodes) }
+  it "knows which documents can be verified" do
+    unsigned_doc.is_verifiable?.should be false
+    signed_doc.is_verifiable?.should be true
+  end
+  it "knows unsigned documents can't be verified" do
+    unsigned_doc.is_verified?.should be false
+  end
+  let(:test_certificate) { OpenSSL::X509::Certificate.new IO.read(File.join(resources_path, 'test_cert.pem')) }
+  it "can read an embedded X.509 certificate" do
+    signed_doc.send(:signatures).first.send(:x509_certificate).to_pem.should eq test_certificate.to_pem
+  end
+  it "knows the public key of the embedded X.509 certificate" do
+    signed_doc.send(:signatures).first.send(:public_key).to_s.should eq test_certificate.public_key.to_s
+  end
+  it "knows the signature method of the signed info" do
+    digester_for_id(signed_doc.send(:signatures).first.send(:signed_info).signature_method).class.should == OpenSSL::Digest::SHA1
+  end
+  it "knows how to canonicalize its signed info" do
+    signed_doc.send(:signatures).first.send(:signed_info).transforms.first.method.should == Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+  end
+  it "verifies its signed info" do
+    signed_doc.send(:signatures).first.send(:is_signed_info_verified?).should be true
+  end
+  it "verifies docs with one enveloped-signature Resource element and embedded X.509 key" do
+    signed_doc.is_verified?.should be true
+  end
+  let(:same_doc_ref_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'same_doc_reference.xml'))
+  end
+  let(:same_doc_ref_doc) { SignedXml::Document.new(same_doc_ref_nodes) }
+  it "verifies docs with same-document references" do
+    same_doc_ref_doc.is_verified?.should be true
+  end
+  let(:two_sig_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'two_sig_doc.xml'))
+  end
+  let(:two_sig_doc) { SignedXml::Document.new(two_sig_nodes) }
+  it "verifies docs with more than one signature" do
+    two_sig_doc.is_verified?.should be true
+  end
+  let(:badly_signed_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'badly_signed_saml_response.xml'))
+  end
+  let(:badly_signed_doc) { SignedXml::Document.new(badly_signed_doc_nodes) }
+  it "fails verification of a badly-signed doc" do
+    badly_signed_doc.is_verified?.should be false
+  end
+  let(:incorrect_digest_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'incorrect_digest_saml_response.xml'))
+  end
+  let(:incorrect_digest_doc) { SignedXml::Document.new(incorrect_digest_doc_nodes) }
+  it "fails verification of a doc with an incorrect Resource digest" do
+    incorrect_digest_doc.is_verified?.should be false
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,8 @@
+require 'signed_xml'
+def xml_doc_from_file(path)
+  file = File.open(path)
+  doc = Nokogiri::XML(file)
+  file.close
+  doc
+end

metadata ADDED Viewed

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: signed_xml
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease:
+platform: ruby
+authors:
+- Todd Thomas
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: options
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: XML Signature verification
+email:
+- todd.thomas@openlogic.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/signed_xml.rb
+- lib/signed_xml/base64_transform.rb
+- lib/signed_xml/c14n_transform.rb
+- lib/signed_xml/digest_method_resolution.rb
+- lib/signed_xml/digest_transform.rb
+- lib/signed_xml/document.rb
+- lib/signed_xml/enveloped_signature_transform.rb
+- lib/signed_xml/reference.rb
+- lib/signed_xml/signature.rb
+- lib/signed_xml/signed_info.rb
+- lib/signed_xml/transformable.rb
+- lib/signed_xml/version.rb
+- signed_xml.gemspec
+- spec/resources/badly_signed_saml_response.xml
+- spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/same_doc_reference.xml
+- spec/resources/same_doc_reference_template.xml
+- spec/resources/saml_response_template.xml
+- spec/resources/signed_saml_response.xml
+- spec/resources/test_cert.pem
+- spec/resources/test_key.pem
+- spec/resources/two_sig_doc.xml
+- spec/resources/unsigned_saml_response.xml
+- spec/signed_xml_document_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2293715516306633631
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2293715516306633631
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.25
+signing_key:
+specification_version: 3
+summary: Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.
+test_files:
+- spec/resources/badly_signed_saml_response.xml
+- spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/same_doc_reference.xml
+- spec/resources/same_doc_reference_template.xml
+- spec/resources/saml_response_template.xml
+- spec/resources/signed_saml_response.xml
+- spec/resources/test_cert.pem
+- spec/resources/test_key.pem
+- spec/resources/two_sig_doc.xml
+- spec/resources/unsigned_saml_response.xml
+- spec/signed_xml_document_spec.rb
+- spec/spec_helper.rb