signed_xml 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in signed_xml_document.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Todd Thomas
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# SignedXmlDocument
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'signed_xml_document'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install signed_xml_document
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/signed_xml/base64_transform.rb

@@ -0,0 +1,9 @@
+require 'base64'
+
+module SignedXml
+  class Base64Transform
+    def apply(input)
+      Base64.encode64(input)
+    end
+  end
+end

data/lib/signed_xml/c14n_transform.rb

@@ -0,0 +1,26 @@
+module SignedXml
+  class C14NTransform
+    include Nokogiri::XML
+
+    attr_reader :method
+    attr_reader :with_comments
+
+    def initialize(method = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
+      method, with_comments = method.split('#')
+      @method = case method
+                when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then XML_C14N_1_0
+                when "http://www.w3.org/2001/10/xml-exc-c14n" then XML_C14N_EXCLUSIVE_1_0
+                when "http://www.w3.org/2006/12/xml-c14n11" then XML_C14N_1_1
+                else raise ArgumentError.new("unknown canonicalization method #{method}")
+                end
+
+      @with_comments = !!with_comments
+    end
+
+    def apply(input)
+      raise ArgumentError.new("input #{input.inspect}:#{input.class} is not canonicalizable") unless input.respond_to?(:canonicalize)
+
+      input.canonicalize(method, nil, with_comments)
+    end
+  end
+end

data/lib/signed_xml/digest_method_resolution.rb

@@ -0,0 +1,15 @@
+require 'openssl'
+
+module SignedXml
+  module DigestMethodResolution
+    include OpenSSL
+
+    def digester_for_id(id)
+      case id
+      when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        Digest::SHA1.new
+      else raise ArgumentError.new("unknown digest method #{id}")
+      end
+    end
+  end
+end

data/lib/signed_xml/digest_transform.rb

@@ -0,0 +1,17 @@
+require "openssl"
+
+module SignedXml
+  class DigestTransform
+    include DigestMethodResolution
+
+    attr_reader :digest
+
+    def initialize(method_id)
+      @digest = digester_for_id(method_id)
+    end
+
+    def apply(input)
+      digest.digest(input)
+    end
+  end
+end

data/lib/signed_xml/document.rb

@@ -0,0 +1,36 @@
+require "openssl"
+require "options"
+
+module SignedXml
+  class Document
+    attr_reader :doc
+
+    def initialize(doc)
+      @doc = doc
+    end
+
+    def is_verifiable?
+      signatures.any?
+    end
+
+    def is_verified?(opts = {})
+      return false unless is_verifiable?
+
+      signatures.all?(&:is_verified?)
+    end
+
+    private
+
+    def signatures
+      @signatures ||= init_signatures
+    end
+
+    def init_signatures
+      signatures = []
+      doc.xpath("//ds:Signature", ds: XMLDSIG_NS).each do |signature_node|
+        signatures << Signature.new(signature_node)
+      end
+      signatures
+    end
+  end
+end

data/lib/signed_xml/enveloped_signature_transform.rb

@@ -0,0 +1,10 @@
+module SignedXml
+  class EnvelopedSignatureTransform
+    def apply(input)
+      envelope = Nokogiri::XML::Document.new
+      envelope.root = input
+      envelope.at_xpath('//ds:Signature', ds: XMLDSIG_NS).remove
+      envelope
+    end
+  end
+end

data/lib/signed_xml/reference.rb

@@ -0,0 +1,59 @@
+module SignedXml
+  class Reference
+    include Transformable
+
+    attr_reader :here, :start
+
+    def initialize(here)
+      @here = here
+
+      uri = here['URI']
+      case uri
+      when nil, ""
+        @start = here.document.root
+      when /^#/
+        id = uri.split('#').last
+        raise ArgumentError.new("XPointer expressions like #{id} are not yet supported") if id =~ /^xpointer/
+        # TODO: handle ID attrs with names other than 'ID'
+        @start = here.document.at_xpath("//*[@ID='#{id}']")
+        raise ArgumentError.new("no match found for ID #{id}") if @start.nil?
+      else raise ArgumentError.new("unsupported Reference URI #{uri}")
+      end
+
+      @transforms = init_transforms
+    end
+
+    def is_verified?
+      apply_transforms.chomp == digest_value
+    end
+
+    private
+
+    def init_transforms
+      transforms = []
+
+      here.xpath('.//ds:Transform', ds: XMLDSIG_NS).each do |transform_node|
+        method = transform_node['Algorithm']
+        case method
+        when "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+          transforms << EnvelopedSignatureTransform.new
+        when %r{^http://.*c14n}
+          transforms << C14NTransform.new(method)
+        else raise ArgumentError.new("unknown transform method #{method}")
+        end
+      end
+
+      # If no explicit c14n transform is specified, make sure we do one before digesting.
+      transforms << C14NTransform.new unless transforms.last.is_a? C14NTransform
+
+      digest_method = here.at_xpath('//ds:DigestMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+      transforms << DigestTransform.new(digest_method)
+
+      transforms << Base64Transform.new
+    end
+
+    def digest_value
+      @digest_value ||= here.at_xpath('ds:DigestValue', ds: XMLDSIG_NS).text.strip
+    end
+  end
+end

data/lib/signed_xml/signature.rb

@@ -0,0 +1,74 @@
+require 'base64'
+
+module SignedXml
+  class Signature
+    include DigestMethodResolution
+
+    attr_accessor :here
+
+    def initialize(here)
+      @here = here
+    end
+
+    def is_verified?
+      is_signed_info_verified? && are_reference_digests_verified?
+    end
+
+    private
+
+    def is_signed_info_verified?
+      public_key.verify(digester_for_id(signed_info.signature_method), decoded_value, signed_info.apply_transforms)
+    end
+
+    def are_reference_digests_verified?
+      references.all?(&:is_verified?)
+    end
+
+    def references
+      @references ||= init_references
+    end
+
+    def init_references
+      references = []
+
+      here.xpath('//ds:Reference', ds: XMLDSIG_NS).each do |reference_node|
+        references << Reference.new(reference_node)
+      end
+
+      references
+    end
+
+    def decoded_value
+      @decoded_value ||= Base64.decode64 value
+    end
+
+    def value
+      @value ||= here.at_xpath('//ds:SignatureValue', ds: XMLDSIG_NS).text.strip
+    end
+
+    def signed_info
+      @signed_info ||= SignedInfo.new(here.at_xpath("//ds:SignedInfo", ds: XMLDSIG_NS))
+    end
+
+    def public_key
+      @public_key ||= x509_certificate.public_key
+    end
+
+    def x509_certificate
+      @x509_certificate ||= OpenSSL::X509::Certificate.new(certificate(x509_cert_data))
+    end
+
+    def x509_cert_data
+      @x509_cert_data ||= here.at_xpath("//ds:X509Certificate", ds: XMLDSIG_NS).text
+    end
+
+    def certificate(data)
+      "-----BEGIN CERTIFICATE-----\n#{wrap_text(data, 64)}-----END CERTIFICATE-----\n"
+    end
+
+    # http://blog.macromates.com/2006/wrapping-text-with-regular-expressions/
+    def wrap_text(txt, col = 80)
+      txt.gsub(/(.{1,#{col}})( +|$)\n?|(.{#{col}})/, "\\1\\3\n")
+    end
+  end
+end

data/lib/signed_xml/signed_info.rb

@@ -0,0 +1,17 @@
+module SignedXml
+  class SignedInfo
+    include Transformable
+
+    attr_reader :start, :signature_method
+
+    def initialize(here)
+      @start = here
+
+      canonicalization_method = here.at_xpath('//ds:CanonicalizationMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+
+      transforms << C14NTransform.new(canonicalization_method)
+
+      @signature_method = here.at_xpath('//ds:SignatureMethod/@Algorithm', ds: XMLDSIG_NS).value.strip
+    end
+  end
+end

data/lib/signed_xml/transformable.rb

@@ -0,0 +1,13 @@
+module SignedXml
+  module Transformable
+    def transforms
+      @transforms ||= []
+    end
+
+    def apply_transforms
+      transforms.reduce(start) do |input, transform|
+        transform.apply(input)
+      end
+    end
+  end
+end

data/lib/signed_xml/version.rb

@@ -0,0 +1,3 @@
+module SignedXml
+  VERSION = "0.0.1"
+end

data/lib/signed_xml.rb

@@ -0,0 +1,16 @@
+require 'nokogiri'
+
+module SignedXml
+  XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
+
+  autoload :Transformable, 'signed_xml/transformable'
+  autoload :Document, 'signed_xml/document'
+  autoload :Signature, 'signed_xml/signature'
+  autoload :SignedInfo, 'signed_xml/signed_info'
+  autoload :Reference, 'signed_xml/reference'
+  autoload :DigestMethodResolution, 'signed_xml/digest_method_resolution'
+  autoload :DigestTransform, 'signed_xml/digest_transform'
+  autoload :Base64Transform, 'signed_xml/base64_transform'
+  autoload :C14NTransform, 'signed_xml/c14n_transform'
+  autoload :EnvelopedSignatureTransform, 'signed_xml/enveloped_signature_transform'
+end

data/signed_xml.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'signed_xml/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "signed_xml"
+  gem.version       = SignedXml::VERSION
+  gem.authors       = ["Todd Thomas"]
+  gem.email         = ["todd.thomas@openlogic.com"]
+  gem.description   = %q{XML Signature verification}
+  gem.summary       = %q{Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "nokogiri", "~> 1.5"
+  gem.add_dependency "options"
+
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "rspec"
+end

data/spec/resources/badly_signed_saml_response.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kZgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/incorrect_digest_saml_response.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrZztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/same_doc_reference.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962" Version="2.0" IssueInstant="2013-04-08T23:13:22Z" Destination="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>MNf3EJFKtNqL4VLmjQ3ie/quaEY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>yrvpPF7jkXgzu00ro5vY3gpHDzP2rsXdNL6aKwlMgjwMF4EG4RxlmYioGS7ioxyo
+AMCF7TUI7NH5CrVEXM56Rl50uEVLsV9ePvyW1OkfxdUrzJtg9fzAW9OwBj/Xa6Kv
+kfvFu2SND/Ak2JV5GJxBI09fANwrq20xGgtQ3gB8XlSArT+Te4XWxWwViCkIq8pQ
+llZYpN5wba0cJ5gF8ukw1Ypf8Do/fQGxjp50C4wDJ557/TwjBZyqJGXOcbkijb7i
+Mit++q4AfEO1zaDT+PbY4YrqH1gUxBLdCcrZI/EakaJHFjdwk43+yrVWPLRb2OUS
+yF1bxdhBTEWz0c7KtAhjmA==</ds:SignatureValue>
+    <ds:KeyInfo><ds:X509Data>
+<ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6f56d840d8df3697749fc533c9efac5866d5b88dde" Version="2.0" IssueInstant="2013-04-08T23:13:22Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3c448bd72f639960c116dc6339a4930e7a4a3e9f3c</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-08T23:18:22Z" Recipient="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-08T23:12:52Z" NotOnOrAfter="2013-04-08T23:18:22Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-08T23:12:38Z" SessionNotOnOrAfter="2013-04-09T07:13:22Z" SessionIndex="_0c21a3bb421aefe16d6278b10c7924a5d66141922b"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">todd.thomas@openlogic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/same_doc_reference_template.xml

@@ -0,0 +1,5 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962" Version="2.0" IssueInstant="2013-04-08T23:13:22Z" Destination="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#_dd2d35dad58d4ebb9e3ec8e85d3e234da2cd639962"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/>
+    <ds:KeyInfo><ds:X509Data><ds:X509Certificate/></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6f56d840d8df3697749fc533c9efac5866d5b88dde" Version="2.0" IssueInstant="2013-04-08T23:13:22Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3c448bd72f639960c116dc6339a4930e7a4a3e9f3c</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-08T23:18:22Z" Recipient="http://localhost:3000/saml-login" InResponseTo="83767498-2df3-4035-b0a5-8b40212b8fd7"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-08T23:12:52Z" NotOnOrAfter="2013-04-08T23:18:22Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-08T23:12:38Z" SessionNotOnOrAfter="2013-04-09T07:13:22Z" SessionIndex="_0c21a3bb421aefe16d6278b10c7924a5d66141922b"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">todd.thomas@openlogic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/saml_response_template.xml

@@ -0,0 +1,60 @@
+<Response
+  IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+  ID="_c7055387-af61-4fce-8b98-e2927324b306"
+  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod
+        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod
+        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform
+            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod
+          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue/>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue/>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>
+        </ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
+    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID
+        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation
+        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z"
+      NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/signed_saml_response.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        
+      <ds:X509Certificate>MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/test_cert.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8
+-----END CERTIFICATE-----

data/spec/resources/test_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA2W4cA/POChtQI2RDcjkMNU6arzJJMTEiBUMEjD4PNSSA4D4n
+wl1x4pojYXqPfSuE5ywFeFfurC7D/HNqUBa+e5g0gaNcdSY0i0fyxg/7HKkKs0lz
+VyzX3xexWx9vP8C/fpQazDcRIeS70wpvq5pwB3SYxiv/wWyxO1bnpN4q6rlKNzhe
+h4nTka9m/OnnOCNoI4np95MIJmHNJ+6cY0XhHiqqaGdcrQdz4w5QMCXIQk7Oovm5
+kCecasg5/jh02brQlQhPQ8AS04Xxq9o/nO6aONhLnLktRjBGx1mxHEgq7oUGOdYk
+foXOeE0XPxkG8H1cnzgTCffLOUwEgIdEn8Ng5QIDAQABAoIBAQCVIe/3SgddaUR7
+Me8M7lIQUhzI4+3N3sxd3YzGAF7/7Uy0Ag3VQ7C0Y1K3LpAyo2HiCZCq7W0YDm+A
+vU0DJ8Z5EXmaHYlyFMVfbvb2oMl07AEZ3dxNw8VBEIgmXxY4HSV7VWxX+8E1hSTK
+6NKVWjVS98c9zbn7WmjpsX7q1zOKkE7B2uMLZr0Q+5eDRTgNYZdRSKWt5g9KXJrW
+F4ONPSnvEsSWKDylS89JK1jK1Q3neiTHmqpu112m8x5JsQ3OrFNfWmwRxiGbgSXv
+WQnbU+IJ/23f8i/6gwHnYjHpldsxQQFPsrODPQS6vj0OV+ectcp7QneTMF1f4NKW
+QmJTI2KBAoGBAPB8qezibK9OxqLrrLFtqQE1v7m592A59BcujxWJ8nTzRGyLygeG
+rCX/PUv8iSd0BTIFuCSlgy6yqxT8Wko+vzWLtu4rP1Iky9L+12UuJJiK5mA6BC9f
+DMLqNEOR0jO9Y490hYDejH+e0cAY2s0Oh8TUjEP7D/ViFkWSLE5a3kcFAoGBAOd0
+sOq4kFVk/ZiALN/wkaU73qPEpVM8M0W7NwZ6MOXdVvMNLu3An2cf/i2/C6wqG/Ve
+NYCQrCMOBRfEbWDF4KOb/YuOpAgVfZnujOas1TfVsyM06wnkjCvg0DL9qwihMR9K
+SK0c/sIl4ybUNJzwhmx2kPrt8Vk9+gqirGYA+hhhAoGAZe1glC9Pw2nPFQRwmG8T
+H5kpXs2sRJOrmhu4t3dVVS46RQtmoJP66MvqrgcmFpu9C/uSla21ERjXHDjtB+Ta
+ZBaIfR/FYcqIvTAYGSFaj3Dnvcc5ON6/aOmdJzpp7lYKGaZYY0twHzMwUYv3SMws
+zUcNAE8r72QYbnpK3xbyeQUCgYBSPuz++0aOkaxrnGBV0y5uALBEkYQN575wcO5E
+pvbpN5XGGFEsut3pzzyLFPAY5X252xg37zC75Cd7IpmbYbVJbgzSooU3Oiu/nz0C
+WzgI9y8Iu60pfsUwclqJRAqarmy+Ka9ZlIwSgVQOYCmx+uZJdHhgMl0o0RUg4l1Q
+gdhdAQKBgG3U5J6jeHe8svMWO8R3pfFewX427FETnwm5XU/DCeY1xAAEVlsXLgDe
+3XmaQlskylQJhoP0pImV+snAFTtPYGZM9Wof18FkYxwaCViEwYVr7Z5Gm6GyFKpL
+IiVG3k0XwY/Pgci3Wxw5aZIyS4NBnp8KCXzXAn4nfUbFZt/DXzI6
+-----END RSA PRIVATE KEY-----

data/spec/resources/two_sig_doc.xml

@@ -0,0 +1,9 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_575136947e054f114761c6df08bd3644f0c2079aae" Version="2.0" IssueInstant="2013-04-12T00:45:07Z" Destination="http://localhost:3000/saml-login" InResponseTo="49246bce-6fc4-43b7-a661-6d5d5b146ea4"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_575136947e054f114761c6df08bd3644f0c2079aae"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Vb69+UWPYwvAMb4K5aVQvT7Nq2c=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>eMsQ2jp2aY0kqYYDPS0rUJkwNPajXYFjBArqS8n4JuRhjNTpv3mDVmfk/+eUDxHBWfxSFDa5gLN3lgtu6VMwfcJ2zuUmIFtUUpfBcCaeVcc4jDehckSAAYXIlrG3eoPDp3+uU6cS+3gJQPfCfMl7LIKeNZS1yOHgz5XXk9zOo9Y=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_36bb41924d265fa2d92450e85c53c35590bf06c106" Version="2.0" IssueInstant="2013-04-12T00:45:07Z"><saml:Issuer>http://localhost/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_36bb41924d265fa2d92450e85c53c35590bf06c106"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>NRT1gWsxJE1n+kHlHRbEvfQW81I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S1eVfcB7Lf0hNdfunOIDivgWL5JPBsEiUgXnNhgx4rbID1WnQv1X3QOt25OWO1RaML9ML61A976AS6CP1s5Z4y2SzHcPDbye3vKll3lbqKj6OQ4H5s1C9Xmy3sJcOIw8aJ+N89KhLckWqy66ec/XybbX3D2RDuzoIg2KmR2Nf14=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://localhost:3000/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7e3d918ee67356d13c10e088927902206b98c1c2bb</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-04-12T00:50:07Z" Recipient="http://localhost:3000/saml-login" InResponseTo="49246bce-6fc4-43b7-a661-6d5d5b146ea4"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-04-12T00:44:37Z" NotOnOrAfter="2013-04-12T00:50:07Z"><saml:AudienceRestriction><saml:Audience>http://localhost:3000/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-04-12T00:45:07Z" SessionNotOnOrAfter="2013-04-12T08:45:07Z" SessionIndex="_07a70ed54455feb8685d2b25e292773cd003cd57ac"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">toddthomas@acm.org</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Todd</saml:AttributeValue></saml:Attribute><saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Thomas</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/resources/unsigned_saml_response.xml

@@ -0,0 +1,36 @@
+<Response
+  IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+  ID="_c7055387-af61-4fce-8b98-e2927324b306"
+  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
+    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID
+        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation
+        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z"
+      NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/signed_xml_document_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe SignedXml::Document do
+  include SignedXml::DigestMethodResolution
+
+  let(:resources_path) { File.join(File.dirname(__FILE__), 'resources') }
+
+  let(:unsigned_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'unsigned_saml_response.xml'))
+  end
+
+  let(:unsigned_doc) { SignedXml::Document.new(unsigned_doc_nodes) }
+
+  let(:signed_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'signed_saml_response.xml'))
+  end
+
+  let(:signed_doc) { SignedXml::Document.new(signed_doc_nodes) }
+
+  it "knows which documents can be verified" do
+    unsigned_doc.is_verifiable?.should be false
+    signed_doc.is_verifiable?.should be true
+  end
+
+  it "knows unsigned documents can't be verified" do
+    unsigned_doc.is_verified?.should be false
+  end
+
+  let(:test_certificate) { OpenSSL::X509::Certificate.new IO.read(File.join(resources_path, 'test_cert.pem')) }
+
+  it "can read an embedded X.509 certificate" do
+    signed_doc.send(:signatures).first.send(:x509_certificate).to_pem.should eq test_certificate.to_pem
+  end
+
+  it "knows the public key of the embedded X.509 certificate" do
+    signed_doc.send(:signatures).first.send(:public_key).to_s.should eq test_certificate.public_key.to_s
+  end
+
+  it "knows the signature method of the signed info" do
+    digester_for_id(signed_doc.send(:signatures).first.send(:signed_info).signature_method).class.should == OpenSSL::Digest::SHA1
+  end
+
+  it "knows how to canonicalize its signed info" do
+    signed_doc.send(:signatures).first.send(:signed_info).transforms.first.method.should == Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+  end
+
+  it "verifies its signed info" do
+    signed_doc.send(:signatures).first.send(:is_signed_info_verified?).should be true
+  end
+
+  it "verifies docs with one enveloped-signature Resource element and embedded X.509 key" do
+    signed_doc.is_verified?.should be true
+  end
+
+  let(:same_doc_ref_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'same_doc_reference.xml'))
+  end
+
+  let(:same_doc_ref_doc) { SignedXml::Document.new(same_doc_ref_nodes) }
+
+  it "verifies docs with same-document references" do
+    same_doc_ref_doc.is_verified?.should be true
+  end
+
+  let(:two_sig_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'two_sig_doc.xml'))
+  end
+
+  let(:two_sig_doc) { SignedXml::Document.new(two_sig_nodes) }
+
+  it "verifies docs with more than one signature" do
+    two_sig_doc.is_verified?.should be true
+  end
+
+  let(:badly_signed_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'badly_signed_saml_response.xml'))
+  end
+
+  let(:badly_signed_doc) { SignedXml::Document.new(badly_signed_doc_nodes) }
+
+  it "fails verification of a badly-signed doc" do
+    badly_signed_doc.is_verified?.should be false
+  end
+
+  let(:incorrect_digest_doc_nodes) do
+    xml_doc_from_file(File.join(resources_path, 'incorrect_digest_saml_response.xml'))
+  end
+
+  let(:incorrect_digest_doc) { SignedXml::Document.new(incorrect_digest_doc_nodes) }
+
+  it "fails verification of a doc with an incorrect Resource digest" do
+    incorrect_digest_doc.is_verified?.should be false
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'signed_xml'
+
+def xml_doc_from_file(path)
+  file = File.open(path)
+  doc = Nokogiri::XML(file)
+  file.close
+  doc
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: signed_xml
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Todd Thomas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: options
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: XML Signature verification
+email:
+- todd.thomas@openlogic.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/signed_xml.rb
+- lib/signed_xml/base64_transform.rb
+- lib/signed_xml/c14n_transform.rb
+- lib/signed_xml/digest_method_resolution.rb
+- lib/signed_xml/digest_transform.rb
+- lib/signed_xml/document.rb
+- lib/signed_xml/enveloped_signature_transform.rb
+- lib/signed_xml/reference.rb
+- lib/signed_xml/signature.rb
+- lib/signed_xml/signed_info.rb
+- lib/signed_xml/transformable.rb
+- lib/signed_xml/version.rb
+- signed_xml.gemspec
+- spec/resources/badly_signed_saml_response.xml
+- spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/same_doc_reference.xml
+- spec/resources/same_doc_reference_template.xml
+- spec/resources/saml_response_template.xml
+- spec/resources/signed_saml_response.xml
+- spec/resources/test_cert.pem
+- spec/resources/test_key.pem
+- spec/resources/two_sig_doc.xml
+- spec/resources/unsigned_saml_response.xml
+- spec/signed_xml_document_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2293715516306633631
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2293715516306633631
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.
+test_files:
+- spec/resources/badly_signed_saml_response.xml
+- spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/same_doc_reference.xml
+- spec/resources/same_doc_reference_template.xml
+- spec/resources/saml_response_template.xml
+- spec/resources/signed_saml_response.xml
+- spec/resources/test_cert.pem
+- spec/resources/test_key.pem
+- spec/resources/two_sig_doc.xml
+- spec/resources/unsigned_saml_response.xml
+- spec/signed_xml_document_spec.rb
+- spec/spec_helper.rb