diff --git a/src/passport-saml/saml.ts b/src/passport-saml/saml.ts
index 37254a90..54a381a5 100644
--- a/src/passport-saml/saml.ts
+++ b/src/passport-saml/saml.ts
@@ -614,8 +614,11 @@ class SAML {
// See https://github.com/bergie/passport-saml/issues/19 for references to some of the attack
// vectors against SAML signature verification.
validateSignature = function (fullXml, currentNode, certs) {
- const xpathSigQuery = ".//*[local-name(.)='Signature' and " +
- "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']";
+ const xpathSigQuery = ".//*[" +
+ "local-name(.)='Signature' and " +
+ "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
+ "descendant::*[local-name(.)='Reference' and @URI='#"+currentNode.getAttribute('ID')+"']" +
+ "]";
const signatures = xpath(currentNode, xpathSigQuery);
// This function is expecting to validate exactly one signature, so if we find more or fewer
// than that, reject.
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..d8dce667
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=INVALID-IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=INVALID-INVALIDZ3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+UvTBtpd/QsNbEZaTVdWTUj2vYN+oBjYg/gTmLYChv9A=INVALID-INVALIDdDu5iloo/Ah8Wf5oe80SZJMQsfsaKisKkPSCGXjquNOomqZsct+khxXiPWSrIksQmHtbcUtx1PExdZJ/P9BRjtYeUi/PRLiXz6rON+k9m2BVWmZUANXFF4yhZkU9q0WNPoETSpWR1laO3o0+sAwD6BoZu5q5+mBisg7OJLO61qB9c/VSc6ypH3JjcFzZm2Q8/R1LZtM/JtKbgzsR59SlSTKuW1Tz0pU0L700o/LfLBgyflfaSFUQxhlZmOpvxN9BKhpOU0czhvlKOMMndztlF0BLNVM1NyOjO6qcKvxxJoW6LGAzAUl9pWC6WoypzsIUnx+XUBsHyoz9I6Y1cikuZw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..0af701d0
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=INVALID-vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+vEwbdEHKTaKHy0gAH81FzX22qUlbHDiIz25CdLDIUHA=INVALID-UurDWgiukshWcaeh6wT6uQS8xLGpJ+SwmgG6lynlrI/IH3k6ltdwiODjRUwQqY6C1UtH1h0cdJR+B2VB4a3w62XEM1qZChyO1QQ85JYyWfqhhkml8XQkZbtjBihc5Rd4Zy0h4B48+yO8f5SN18E9RWLAWOpV1fc+fbDB+cuxMjHVbH5/UyPyGWObETpSP8EaVym/EOUHiUSxYgZz3gN2RGZKryBOYePeN7Yft/rNLkC2aWSjJ6uaIUUty2DeeqtWF0cEW+mSbo1xjZfN96eGfXGhyrhRBTQSioYxphMlj5Hp1Vx/3lWw+E11JRjdsoksFxvdF38I4Xzf5/Qm9DQxCQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
new file mode 100644
index 00000000..ae50676b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=NcDa+Q6qO371Bv6aBRhpuHzrJuPgWPMl0eMtnKJAeDY=INVALID-cI8mW+14H4l/yqkjb1+QBnBxnGzigngNweTd1euReBLqO/g9a+YpXKH8fgQ9RRZh+L5ZNxLFONTQwCijfL+jFSZLhLPNhlg/Iyh4PlQKkjBXY3cY2n1Aonvrq+A75FSJEDtvqCXtevAO8GP+3pmEYQ4g2GhveUBjYXM6XQafTNxduYnunB/w1QWR9Wq0pvn2PAmGxoR3MbNFCYTghHb6I3/fTz+KMv67DfqkUi5A77xSu9ZGopaYUPS0Hqbv8W/0urxBXOO1rl95W6M3+uP3tAoQkncocRrf2hrUztC1fnYD+A5zYXH4neF37mXysi0czrMbGL0ASB5TEP2chOj9cg==
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ OgGJSo72uGxRrLgYu7+tIDYnHmtQpEf/TMTO51+YKvA=INVALID-O9XOsqakfZPBpEoD2ZpOG8TUatw0i/v2GbPqkCdncJeyVmI6yuMg/5XXRhvMHQ4+zH/Vox8VBeK3uvNvCTNSV/hzuYlUf1WM89BUCghb0Kcw7KlbdUBKPRaHNG71uSsaZxTVKydVBpK9sBiXU+GRWMa0aWzmC+oR9UKEoozoR9Chi6VaTNFMfa2rkbC51gslZ5Qb28L9P1GhEIK+1hgtcrdEBIdZ/0W1QE93YPvJ41tgsNxoT7PCoSPgCCmVi5QTwNideLP64HTqd/rkzBpseTm8dQdySoCbll1Q/nKgTlyPyJsZ90RFjA5f4LChSRyeOyWHERPSC7V4n72l+yDtxQ==
+/AmA/x3mIGOibT0T0SRNUVA+SGKf52taHmkzZU4JcqU=INVALID-eEggu1rVjg2MOUsI0IYLTfQ/nYGbMdF10CWxbz1F70JGGpqvAp9emQpLftqT6LwKG2T6FWapEZzvp/WmRUFM45Ek2y+MMkA5rfAv2oMPX48kLEz5h2m1LCnbC++rHAgfoanCFAcpZxOvtQkmnVuLjQgRXfixqmgXfMtJxBeEik+6MFUsWRhZTS4tGIbUDdxz6n5m9umGwx3PKPhMj4QcTJUZqQmIOYmMUDvtisLU6Wr8RXRqkmaIB8U0+ikZjktzeo817H8afK9XeBVs0BHAp6CzXerYP9NT5GAoB4kPDQPqJSiqSiOrmF/cxDywElZwxNpvyePPDfBPpjRNB1bDKQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
new file mode 100644
index 00000000..6a96131d
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ gmr1amfM3zV7QhK1Y6iPRpbqzgxl5hNn8mn/NuINTo0=INVALID-hoEErb+EJYbpU2WUuK7cJK3bOK+xAgQna5TtPHHuUYt44nDLPJd72SdR/ZKH8foZtxwwHZ2vP2DEygE1yPSaND4pOUlARPhIFLOopcei7s5UXl2Ynf22j92swVoYYcsbLDLLid6shsgZJnnPTCpCoHZHcGoXHZI9QQbZZd4w/DnGMKIN8DcWC+1E9ARMlJf4MV2eZEZtM3CRlvB+X+gMWMSDyvPg2hQZ4Yar2X2xAKeaka4Ua/rNRrD8SzRcZV6V2Jtga5BtYdra63FirchLK//pGFwRceeom1Dj0GpO1H7LWIgl5gP3AZGgAr8YPXCD3ISBxvm/Yw81UIDH49SMNQ==
+5Bf68tIF9NwX7tsKQzin35UkKg+RArZNAu3oaF2r3EU=INVALID-FWfMZAIYkhfD43c+D736eEnjAMBKYuDKYsc74BRIFg6gBIve43QjkGaqzTEfd8zT47SyPpL1t7YdFaxs4z4B5ZXvbgYM4CvXKi6mtNwushvUztaMNXoDmSq1fvZuWeLqhbpAD3nbxRtgQf/mqPhLL2eFoMgJ9AYInOULpNBjqJ3dEVm/Z8Hh0Ve/alQLEzRX4BpJBXn+XDoBloj79A3Bp/8MiHGt+cPTIcsZWw4Tf6ZX65IgWYAqVHV6ejA8zXZ+8Bec+zGDsMdZhM03loTjaivAbD7ADD+bp07ubNaaO0q0YveHYcFe1VJMNJhw7xNEiPUsxW6pUEFcfJq3CNbjbw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
new file mode 100644
index 00000000..4b24cf47
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=INVALID-To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+qYWgtqJ5/zkxUD+GIZ5TvaItfMYYjpMB8XMFeATHdTM=INVALID-fdEmRX3FdcD+w3TLsF3Q57fOFCZJ/psl8+H2qmBgRw5VmUECr/wjFHdO4Sazu3azrmoDwsc6Y2aVGn6+jX3M00xsp6P2rYQQEwmjRdv1n05YP4bo4hVeuj0chJS5gwfPuFyWlgO1S98OXVOhE2WPAla1zKdeecVxHvNiXcO775ObGmifS4xT04QU/VLZdhYeUVR3EOCD1oqWNmzfsKXqcCsBMfPB9X3P+wrhAWz2cCb4RXmNP3wnlAxfC3M7qQruy2yW2aqsxg6bA/VvJ2HkBzSx7B2tBQO7D56KAMG+coG2QlR6eExQyeAG/Iaz7h006Y1EZXKcJSXunLCzPog3Kw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..ba19b93b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+5wg810GLqW+t9PLsVIA4HowQrP1ORKYuYG8l7B8rNAw=INVALID-JDIzw+1kv3SMfvJF3IeF4tSr2/VosORAo2epsDsRCjMjjDinuIZowgObOXyf1AAZK/HPZnMcIDoow3C55HdA8RrepVzyJVUY8Umf3BQKvP8vNbwnnA1W81sa0hMLd6Lqy2/zEN09jQ1Gpm2VKsIE5TLILKGyO4MjcsTSSVVq9jfhOHrAoWmRnCIO3PdB3sB/baKTZPZUiQzpywyZY2ucGcSdmUkPhdlM0FvZ0dQ7OaAIxhDGLzSJbnM6Zfm/t62JY3xXH/Nl9QuJx4z0W314Ak/pvoLkHm53oziQnfRSr38CLGB+efiKWCarHkShbtMHhqxJU2ehnx6Pobgz8wV3nw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..211f3c09
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+8L+EbdtsrQn2ojFJPsTFRhGEdC6Ub9Evxrj3KEXWPyY=INVALID-Bca3aGYXbRyifnsFaHcWilzpuWbBjQ5i8/HmXt5dFIrWO8yJD4Qdeb86J2/2CHTpm5J77Z3Ww1CVoodagkwiDGuj/CjUeBTWyVzDuZsGRH/h/dL9i083udnpt2V1/vIyq1eU6qJzjRW6xAT6ObY+f9/lQ8wpzgRDc+s7X0k2uGhgwknJDjCb8xyr6m31rJNGnR/TZFrbKgpjrfUX1l51A7Q0ctkl3bjATnZLYebmgUJfri7WoEO4kkkn/11GpCl+UvOU86QJw5iSCFqivuDJl94zmVl0cx0fhYvgmqQ6aN2cnSIbANisMsL9cZi6030pIwrHKLmzDDTrcJw9TVneZQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
new file mode 100644
index 00000000..668a05bd
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+tXVP7qLQ2AY2XRYyxjUHlZFmTclDPcWPF5s98mqi3N4=INVALID-JIQ+CHFnBpau/97L5GRFIFtvpHfcpEynzTDFcJrApogHvVXubmUWXtOcOCloepK3gkPdMtPdsf/t86BDdXU9hK9uwTIa23utAu5Btgs+mK1YIvIMyWddtXysEu34T5jNZs8F/bG2xug1nSn8BrL9s2x1yui66noCYD/mGjVbsJY76abKXKnRblnyGa0Iqx3T1qSo2bcTnTP/NvGapr3Fg5jby6TnuCBqH0KyhnqJL8hbCcRQXKUzLYIk3RcOfaRvVN/WeQD0SdWmY8EMTePUxkbOTGAgj7prFNI3eb8FZsfHPCL9R1H39veVaBUU/hM/8jm9FZK+0ccaTNhlj8tHhQ==
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..66d43a17
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=INVALID-IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=INVALID-Z3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..81a3467e
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=INVALID-vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
new file mode 100644
index 00000000..d798f2d6
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=INVALID-To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..8e1c271b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..6532a91c
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
new file mode 100644
index 00000000..90688fa1
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..5df7a1e7
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=IrLED4UYbk4X5JvCH18uVnMcY+4Nh7JnqdiF/WxPx7bxdVqn+yIQkYmdF73m4QjvZF6BiuzRBDkcW0rQNXsW8Y5ZfjWOV5flSOdW9+mu4Md7PFvggLDbU5avixi+lhKP8mtTktYbmTrvEE8xijEmGifqvJNR3RsOT9crU2TjD2gPvpfImS6otKUYoRxf4hJGW/GeLTxRv14YtAOojUaihJjJSUG22edZLbrO5lxUEuCpbHRbb2i/XWwCVHHcRGf9+b2HXzxkZoZAQY/mb/wRM2bfCN2WDEIbX/hK5edXc9HRivnEySPe6cP4KXesOjVd4E7xqHMHjYQWXma1DhKjFA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ AXtGOc1GEc3p9Fg6sarULpiu5P4XIF8r5dYe+ORZa4U=pVT0a2wXHoYJMC3rZohEch8/N5q7byeLa9I+YVLUC7E0Q4HAud9VgrYAwUIM6DsyQc3RmcqGVikq63DfUmounFVq3pn+TU8GytU+BDssBhdIvpa+vjaGyTDgZa+98YCU1BDr2hZytbvMBNHwAqi/cB650wEv5lbDNb6F12ttakYg+18Qzru+HrVynzGiuPxVy4RzpQxx7guNAoGwv7l1MEmIrZN104D/EdSIdmS9lZ8AGDSFHcrGVIjs2SQqvbVOXEdr9JN5/ZuEwWlDIi9EU60DvLlZ2treEArx2us141/ukbCg7kc/nWW59rxPRrPu9RGMHLdjhgiTpEPVOUN52Q==
+ZPDjvY8Jb6jiwg01d9TASXz5o4WBfjTSv1w7O4DAkcc=kwsj44K6HxuRzc7v6YQpYhRODX0uPvrb2ExaXrFyaA9yBv/bmUmE0t0PQFR7kyXkY3mfQ3sbBzGVsI3SiSaBhMoi6Rs9nKhGwUKan9Z/yru4XAPiM5Wm2h+nXjbMiHCTbHwSGXbt9Wo4tRA3nYPOS4+ieBK+jvFJj0yXwWSRiP/+Rui8G76lPRZ15zzJ1GZcsRm4mhpRoSMgjlfo5hWf50uPf8NNiOcx14USjSU4Ry5tbaD9Qui8luctVyjZVGJb/CHpqk7c2/Of+W/OoxZaDROScVK2OwQQhAv4EJh+g5LpyqQLD0HHsY7ENRRtFOAheg64TtkeqtoFEQaNAOYLtQ==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..b811e4c7
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ JXsH4yqs7dEiVLTSW8KhNTpXVtl+Bi4GYkFZY1Emm1I=dKQSuL03fOHOvB980uxsRI9Wzx0Bo1yvcOGFQ0nX1f2EJRPYwkO6HFhZsX7L/l8sjXHmjgjAPK3KHcbxcus1ldWLxlZYBA7RdyW2HsQT8neMJMUpVUuJ5YkbgB1OvDPuAXTHmLByS3YpLaeJXwydBKgPGNmEyGrvqJbYZzGbIhMHt8dfI26PkUkJUqxTxXnn/+dAsZ9w3PXiGvjF/7pggnTWUfvSsTyT3IJ6Mpijlgh3S++Ng3dolpt17gjga4klOQM8uVLudKpOWczjfRu4bmT3VqNs2XmQHqdCb9lgT5S9S/nXaFnt13GIHZaNG1crR6ehGsgUIcuaonCivd82Xg==
+Zi+4eDy2Qjg6fIzcroHQwbKZIBDpFe57zEavijyBuiU=d8AO77YtXkSKxCAbrGrjWLzqSox7idhPXOGDkJWK7I1G2YPlqf8chFE14F3rtml1iVY9MVTduPagsILJ1AIKARgqCaSrIxZA9HtQNrVdILPU5m4k/GYOXkn4g0KwH7DILvucZlZhE4dFcM2GI3HyYutlXBpxur5O8dtKhG7bAhEKfWEh3q/R1nGZhikBa03Hi90hIBvh6CaKuVmWJfSA4acjxrI8jYFUOFNMd5aao2wNhnEIhqGUZD/HAwDKsZgL+RBjf44z4BJ43qPxRIBPJlq7lUwyeKa5ptMOSDtEwQZwxyQd4GcX99ke/6Ny8E3Y1itg15rlp6fbynl/EOprNg==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
new file mode 100644
index 00000000..2c15b397
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=2o7uJTdF5ra173h02sRtBIfAVbnSP/qRE3JSfSrXtao=BoHad6+OEyqytEHOLe/64cK5hExZRVZxFY+sSWjOSwFLOfiHVFII79Jgd3NNZNrVBZjCF3uVlsrmsXZKC+MieK4n8xHavjTGWZEn2MTPfeamCepbfONPTH8ICHHxvnmtYm2HvmIxXRGy3orRSVpMwdAaf2JVmqmGmLsbYl8HWCsTygu7C+strR9AGER/pm0o66GSI9gvCEP1ZElNsvIv2MosyXOUMqravsKqzwdTeae7m0MeTEpQUmYFSATDzLztRju2Ioz/iDoIeUr/7uVvSCZV8e5EDGw+S0+LhJs3ICnzxOwYLpcFqXZW4ycZOBcnuIA7iJyJvlmD5mtLaXBiJw==
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ q/gQ4rMIR9zcrM/dbYujVj8RzZddlJRnrtwx/Xwiqik=O++/SkaA5duu/bGzxQBjvDjE/ww95fqpz3HFQdtuP5B41ZF3VjvbC9h9HvFuANGqLUJshtoh2u9EFZhfnwdFtiNXfHPSUmSPWcP94d36u4iwCkDUR/3SGW+P9rM64d78YRFlvXV6CNvlHvE54p5EuSbW0I+n1LtdZvnw8NoOgurEkwyEk4H9E6GFxhXjDWasJUORMEmknebFoS30dOFrYBanW94xW81Bx1VFxE7b+xhneNe+0hAi3Y/8smUjxLb0VrorJfzJll7zexGTU19Zhb9N1TWzO3hcjW6OuLsJKMYqA6ozM4reXwP1s1r4qMpuI/6wUcDFLgD5fI03cza0IQ==
+CvuOTeKUlgVdBer4Zzq1JKrPIXS1m27cm5aAH5EHrus=lgPH2GXp+sex1NJZo95w9yViFM3mbaDU+x7KFfm/8vo51pVYFJyShyQW/GFlk+Qymt/56I5RClEZ7NmuKZiL/zbTrGmioh3YuIaf1rlzrkBbrUN75dk/8C8SS08DMgHAB/qYbUQQ+jNFtyMyOLdbRBmpXUpGtJNaOFdxXF38d9i5/LG3AqW6GHn3dbvvhze32BggNT4IHoRqo//ac3V4QMd89Q612ZPHq657wTnkbzJxfKR/OmTX01xFcpNARyOymW+dCuEvAJPuPwa+YbqgPXJFtwNlBxfx/lbQY63/37DRB0kjE0dZBi6IAzJoHaiFTWINxzMzztaqR3d7PQOHtg==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
new file mode 100644
index 00000000..dec79fac
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ WR/EQp2SVNFw2VuA3YnaOUODb/waG+P9wZAbIyTDidw=H4OV4BpSMzwuWoB2ODaMVbHmeNJViMJSWtVUTYIFWLoaw9Wlxs6qAaqqAQlFZzoX+OJm3opADYn38P/r2QxM3qp2dsH2qFFkXNIAfDJZ4ZSBKdI3LE4EfJch+PDiLvdzZdZqx1LS2iLtpMWjZzVUQx3Gk4M0Tra44lVhhgjS1I++rAw+Zuh2z8dDATFokozIHI1/P1xF8ltrAJqBr7eKYwOxEm+xU8G8wqa/IBlEjvaN++QOjfsj06zy7Xv41JiSY5TFIjr0K/C53YA75HlNyWvu/XJcDtflz9gni22VaV1up4KGf75A/E8yDpXIxCRScneF7rRcbVU+dt0JxzWd2Q==
+pSkLBRAvbEy1Uj45aeB9c6/dxphVNBE3zgnQw7oWn30=OHW4kkZnM2fXPHi8sihBl9wDcD6UhnKiGdkwq/EksDlzvRRIUCIm8mSAefsD8izaNZFJgNtMSSxjZAu/z4Rnrgba4XmpoJzFtyWf1LKvr0ZxaWpTCH4U9Y532VTa5LtLfSO1MPqNRphaC1s6NZboJYMoowL/0Yvsz6T+sQAV48pec1oB40ACI8mM2Oid3EMHrfQi6lCue2RMIU+F2HTvoGucweC7pibBXBjjT7XFwXP7K/ledEVHp3J/DkcojeLCaV2p0l1GshxiB7ZzoNqhhNT3MaTa7nYy/Y2eA6b9yiGSHj7qCiS0seezsEcqU3oGqjnBklWtg2/G6acH1xrM+A==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
new file mode 100644
index 00000000..0f4b2f0f
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ UlVrWcRgUXgqQRuYZNEIhLEYv4oC8Kd5/HAl9Cb/jiQ=vWCTy3IYpsGMl+RJQKZvCN/zZvMp/mBs7Y4Y3ihq0lnX2PDsJaHLEUPX+WTlQN8e791PDCkk+uIu+X+Y1sOyFxIjD5dAikZA2d3QWDC5mcHqj/gvzeiirAWA06Maw3jvaZlquBhpixFk+6mcbAP33UvqgA0Zkjb2qYq0GrOno+bED1vUl2Os9EQB30phllxP5WuJlhUz5Y+X1WXT7AS6f0haTvkFwdMRbniDdjvMiEBfbITUQfM3K361L4TKlYB2T/NRpXv+zjGx9xAl93s4DFdbUzI3jvkBYHhIsRFURwWP5UyczT9P4uuJIiaLXLnOYAX4ZgxVtyWltJKRUhRlzg==
+btmMhWeiNWFtvX59ONbp9AlYcxu9w+dpaWRWEA40Too=XcZR4j7Hy7QQPoYuAlIi4k/6BK+Nq/ByyPOzIdlkMD4BT7HobxgMv0LeFvgdvE0QMA1IUQgGVuMKRMdwy02HowhQHPrLzHomwKXIy0GaBuDKudLcjYH4Sqlo1DMn5MHhXyzE4j66FlJFoR0fvjWyz4vbRHFpxMcVoqrb4NBDT5f5LN63IXlexZOOCR0n6ZimyNpu91LzCtK4mYb53OjT1Glbq3zslxas+jqEk4+S2wqZyIQjqzsUrOl540L9+9x/KlfKB2jeb2i2wjiwLORzzlZXPrOxLZzisZMnossS9QXImj9ItF9vE9coIJGbF30YSSmGeLgdxjRLJGQFdg5dPg==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..9b62846d
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+XyeBN+3a0SMAbjbG/PGEa251VO07sIDCEMWrgtHEiMk=IkoMFuWZy02ZRHEG7ssfZyLAYIoXu92RH6Tem74vuvDaxlxaThNkLvDLWtpKyPVCJPaN9jrL5wXvlRqp31KEZ90Tv2SdpprDVF8NgmfLoyjaqidChtH77HN8tLivU+ZpEI1SEjkIwoou+UAr8vhrVYx55id1Do/njJX+kRwOk8QJgLtCKqlwQJGve4+8meogEp/X7ZyFVgqX2L/KeoWu94hobWGx7qyl41lNhVPS1b/jpVfBxqHZku1wAPyGGYlrinU7gtrB8w52rCUF4YRznLGaffYg0u4HZrSZyIfS5UGja4Nyf+iYj1E5cvrK0Y4wo+u3DAnvK4lebhpp9vrr0A==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..e38db68e
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+xevlr+TYovbByBWSrQrq/4scMZ9szTtXkikj/Xq83qM=vuxF/CKrp+jEkNRxk18J6Cp8yMLftZ9QnTphPshio4jYb2rUHXRInUaz5TEuiuFHVZ7QE31UBufPmvlZ8rD+PosGgVKnC5egKNzdFWavmZVLiTL95oE4mIsvE9ZpF5p9Wqg6Qxp3l3aR/m77SlgE7mn12EA9cQ2wZLA9le5x7yzJxXO1aLhjMZcwkVLeZXb6o8Ud1JhJyy+u6ANXBjjzAveKBiXLsDeQGYxgxt2HF/FAj2zEhczeQlZmoPh7f5W1m6Y1/GQZIk9nVnQkgBqmfQErWQgNVgWBl2RZ6wSrdaq4SoI0+CEjSBGrR3tYC218LLueNDjE6VK4jacQBRFP6Q==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
new file mode 100644
index 00000000..155003c4
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+lxh6m3MiCHxj0VA8oqNSEVIm62MUU5iaEJrw5n4BDc0=tnFggo2qh3vnvOeX6o+vCDy4yKo7Cgvgps9jZHWixHKRgpVHPEMuWbHxRXa3XJTPETAnYQevL0+T206xBn75zpYXDdyUmW04nOpBNnp+7wjJzL+0SqqoSnyDq8wDB1tGMZ4Gj8JJNN3nF4s2Xerps/AfRTl4TNXUmmIrO0OdkKMEooaJybIOqXuGjU8hhK5RixGFye4rfT1+6+0EXi/xdgKQx0eE/qDdfxrd/6ZVvbLd7mZyNTOqOpSQ8eOAh/7Z6U938sVfp3NyAIoEnNwNJ4h6BhHWC0OJh7XN2arl8Mtfd5ha8raMAJTyN9aZOS9Hzx1DTotBQfLuMC3Ugx0aMg==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..50c428b9
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=IrLED4UYbk4X5JvCH18uVnMcY+4Nh7JnqdiF/WxPx7bxdVqn+yIQkYmdF73m4QjvZF6BiuzRBDkcW0rQNXsW8Y5ZfjWOV5flSOdW9+mu4Md7PFvggLDbU5avixi+lhKP8mtTktYbmTrvEE8xijEmGifqvJNR3RsOT9crU2TjD2gPvpfImS6otKUYoRxf4hJGW/GeLTxRv14YtAOojUaihJjJSUG22edZLbrO5lxUEuCpbHRbb2i/XWwCVHHcRGf9+b2HXzxkZoZAQY/mb/wRM2bfCN2WDEIbX/hK5edXc9HRivnEySPe6cP4KXesOjVd4E7xqHMHjYQWXma1DhKjFA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ AXtGOc1GEc3p9Fg6sarULpiu5P4XIF8r5dYe+ORZa4U=pVT0a2wXHoYJMC3rZohEch8/N5q7byeLa9I+YVLUC7E0Q4HAud9VgrYAwUIM6DsyQc3RmcqGVikq63DfUmounFVq3pn+TU8GytU+BDssBhdIvpa+vjaGyTDgZa+98YCU1BDr2hZytbvMBNHwAqi/cB650wEv5lbDNb6F12ttakYg+18Qzru+HrVynzGiuPxVy4RzpQxx7guNAoGwv7l1MEmIrZN104D/EdSIdmS9lZ8AGDSFHcrGVIjs2SQqvbVOXEdr9JN5/ZuEwWlDIi9EU60DvLlZ2treEArx2us141/ukbCg7kc/nWW59rxPRrPu9RGMHLdjhgiTpEPVOUN52Q==
+
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..ff2a368b
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ JXsH4yqs7dEiVLTSW8KhNTpXVtl+Bi4GYkFZY1Emm1I=dKQSuL03fOHOvB980uxsRI9Wzx0Bo1yvcOGFQ0nX1f2EJRPYwkO6HFhZsX7L/l8sjXHmjgjAPK3KHcbxcus1ldWLxlZYBA7RdyW2HsQT8neMJMUpVUuJ5YkbgB1OvDPuAXTHmLByS3YpLaeJXwydBKgPGNmEyGrvqJbYZzGbIhMHt8dfI26PkUkJUqxTxXnn/+dAsZ9w3PXiGvjF/7pggnTWUfvSsTyT3IJ6Mpijlgh3S++Ng3dolpt17gjga4klOQM8uVLudKpOWczjfRu4bmT3VqNs2XmQHqdCb9lgT5S9S/nXaFnt13GIHZaNG1crR6ehGsgUIcuaonCivd82Xg==
+
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
new file mode 100644
index 00000000..5eb53bba
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ UlVrWcRgUXgqQRuYZNEIhLEYv4oC8Kd5/HAl9Cb/jiQ=vWCTy3IYpsGMl+RJQKZvCN/zZvMp/mBs7Y4Y3ihq0lnX2PDsJaHLEUPX+WTlQN8e791PDCkk+uIu+X+Y1sOyFxIjD5dAikZA2d3QWDC5mcHqj/gvzeiirAWA06Maw3jvaZlquBhpixFk+6mcbAP33UvqgA0Zkjb2qYq0GrOno+bED1vUl2Os9EQB30phllxP5WuJlhUz5Y+X1WXT7AS6f0haTvkFwdMRbniDdjvMiEBfbITUQfM3K361L4TKlYB2T/NRpXv+zjGx9xAl93s4DFdbUzI3jvkBYHhIsRFURwWP5UyczT9P4uuJIiaLXLnOYAX4ZgxVtyWltJKRUhRlzg==
+
\ No newline at end of file
diff --git a/test/test-signatures.js b/test/test-signatures.js
new file mode 100644
index 00000000..a26fec22
--- /dev/null
+++ b/test/test-signatures.js
@@ -0,0 +1,83 @@
+const should = require('should'),
+ SAML = require('../lib/passport-saml/index.js').SAML,
+ fs = require('fs'),
+ cert = fs.readFileSync(__dirname + '/static/cert.pem', 'ascii'),
+ sinon = require('sinon');
+
+describe('Signatures', function() {
+
+ const INVALID_ROOT_SIGNATURE = 'Invalid signature on documentElement',
+ INVALID_SIGNATURE = 'Invalid signature',
+ createBody = pathToXml => ({ SAMLResponse: fs.readFileSync(__dirname + '/static/signatures' + pathToXml, 'base64') }),
+ tryCatchTest = ( done, func ) => ( ...args ) => {
+ try {
+ func(...args);
+ }
+ catch ( ex ) {
+ done(ex);
+ }
+ },
+ testOneResponse = ( pathToXml, shouldErrorWith, amountOfSignatureChecks = 1 ) => {
+ return done => {
+ //== Instantiate new instance before every test
+ const samlObj = new SAML({ cert });
+ //== Spy on `validateSignature` to be able to count how many times it has been called
+ const validateSignatureSpy = sinon.spy(samlObj, 'validateSignature');
+
+ //== Create a body bases on an XML an run the test in `func`
+ samlObj.validatePostResponse(createBody(pathToXml), tryCatchTest(done, function( error ) {
+ //== Assert error. If the error is `SAML assertion expired` we made it past the certificate validation
+ shouldErrorWith ? error.should.eql(new Error(shouldErrorWith)) : error.should.eql(new Error('SAML assertion expired'));
+ //== Assert times `validateSignature` was called
+ validateSignatureSpy.callCount.should.eql(amountOfSignatureChecks);
+ done();
+ }));
+ };
+ };
+
+ describe('Signatures on saml:Response - Only 1 saml:Assertion', () => {
+ //== VALID
+ it('R1A - both signed => valid', testOneResponse('/valid/response.root-signed.assertion-signed.xml', false, 1));
+ it('R1A - root signed => valid', testOneResponse('/valid/response.root-signed.assertion-unsigned.xml', false, 1));
+ it('R1A - asrt signed => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.xml', false, 2));
+
+ //== INVALID
+ it('R1A - none signed => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A - both signed => error', testOneResponse('/invalid/response.root-signed.assertion-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A - root signed => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A - asrt signed => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.xml', INVALID_SIGNATURE, 2));
+ });
+
+ describe('Signatures on saml:Response - 1 saml:Assertion + 1 saml:Advice containing 1 saml:Assertion', () => {
+ //== VALID
+ it('R1A1Ad - signed root+asrt+advi => valid', testOneResponse('/valid/response.root-signed.assertion-signed.1advice-signed.xml', false, 1));
+ it('R1A1Ad - signed root+asrt => valid', testOneResponse('/valid/response.root-signed.assertion-signed.1advice-unsigned.xml', false, 1));
+ it('R1A1Ad - signed asrt+advi => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.1advice-signed.xml', false, 2));
+ it('R1A1Ad - signed root => valid', testOneResponse('/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml', false, 1));
+ it('R1A1Ad - signed asrt => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml', false, 2));
+
+ //== INVALID
+ it('R1A1Ad - signed none => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root+asrt+advi => error', testOneResponse('/invalid/response.root-signed.assertion-signed.1advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root+asrt => error', testOneResponse('/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed asrt+advi => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed asrt => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+
+ });
+
+ describe('Signatures on saml:Response - 1 saml:Assertion + 1 saml:Advice containing 2 saml:Assertion', () => {
+ //== VALID
+ it('R1A2Ad - signed root+asrt+advi => error', testOneResponse('/valid/response.root-signed.assertion-signed.2advice-signed.xml', false, 1));
+ it('R1A2Ad - signed root+asrt => error', testOneResponse('/valid/response.root-signed.assertion-signed.2advice-unsigned.xml', false, 1));
+ it('R1A2Ad - signed root => error', testOneResponse('/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml', false, 1));
+
+ //== INVALID
+ it('R1A2Ad - signed none => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root+asrt+advi => error', testOneResponse('/invalid/response.root-signed.assertion-signed.2advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root+asrt => error', testOneResponse('/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+
+ });
+
+});