diff --git a/src/passport-saml/saml.ts b/src/passport-saml/saml.ts
index 37254a90..54a381a5 100644
--- a/src/passport-saml/saml.ts
+++ b/src/passport-saml/saml.ts
@@ -614,8 +614,11 @@ class SAML {
// See https://github.com/bergie/passport-saml/issues/19 for references to some of the attack
// vectors against SAML signature verification.
validateSignature = function (fullXml, currentNode, certs) {
- const xpathSigQuery = ".//*[local-name(.)='Signature' and " +
- "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']";
+ const xpathSigQuery = ".//*[" +
+ "local-name(.)='Signature' and " +
+ "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
+ "descendant::*[local-name(.)='Reference' and @URI='#"+currentNode.getAttribute('ID')+"']" +
+ "]";
const signatures = xpath(currentNode, xpathSigQuery);
// This function is expecting to validate exactly one signature, so if we find more or fewer
// than that, reject.
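Review bot: The new predicate on the fourth added line splices `currentNode.getAttribute('ID')` directly into an XPath string literal, so an ID containing a `'` breaks the query (the xpath engine raises a syntax error rather than comparing the value) and a node with no ID attribute produces a query for `#null`; since currentNode is parsed from the inbound response, that value should be treated as untrusted. Check it before building the query, e.g. `const id = currentNode.getAttribute('ID');` followed by `if (!id || !/^[A-Za-z_][A-Za-z0-9._-]*$/.test(id)) { /* reject, as for a wrong signature count */ }` (a conservative ASCII subset of an XML NCName is enough for this filter), and use `id` in the predicate so a malformed ID ends in the same rejection path as a wrong signature count instead of an exception escaping from xpath(). The rest of validateSignature, including how it signals rejection, is outside the hunk. A one-line comment above the query saying that the Reference-URI clause binds the selected Signature to the node being validated rather than to a nested (Advice or child Assertion) element would make the intent clear to the next reader, and would tie the query to the signed/unsigned fixture matrix added under test/static/signatures.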
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..d8dce667
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=INVALID-IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=INVALID-INVALIDZ3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+UvTBtpd/QsNbEZaTVdWTUj2vYN+oBjYg/gTmLYChv9A=INVALID-INVALIDdDu5iloo/Ah8Wf5oe80SZJMQsfsaKisKkPSCGXjquNOomqZsct+khxXiPWSrIksQmHtbcUtx1PExdZJ/P9BRjtYeUi/PRLiXz6rON+k9m2BVWmZUANXFF4yhZkU9q0WNPoETSpWR1laO3o0+sAwD6BoZu5q5+mBisg7OJLO61qB9c/VSc6ypH3JjcFzZm2Q8/R1LZtM/JtKbgzsR59SlSTKuW1Tz0pU0L700o/LfLBgyflfaSFUQxhlZmOpvxN9BKhpOU0czhvlKOMMndztlF0BLNVM1NyOjO6qcKvxxJoW6LGAzAUl9pWC6WoypzsIUnx+XUBsHyoz9I6Y1cikuZw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..0af701d0
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=INVALID-vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+vEwbdEHKTaKHy0gAH81FzX22qUlbHDiIz25CdLDIUHA=INVALID-UurDWgiukshWcaeh6wT6uQS8xLGpJ+SwmgG6lynlrI/IH3k6ltdwiODjRUwQqY6C1UtH1h0cdJR+B2VB4a3w62XEM1qZChyO1QQ85JYyWfqhhkml8XQkZbtjBihc5Rd4Zy0h4B48+yO8f5SN18E9RWLAWOpV1fc+fbDB+cuxMjHVbH5/UyPyGWObETpSP8EaVym/EOUHiUSxYgZz3gN2RGZKryBOYePeN7Yft/rNLkC2aWSjJ6uaIUUty2DeeqtWF0cEW+mSbo1xjZfN96eGfXGhyrhRBTQSioYxphMlj5Hp1Vx/3lWw+E11JRjdsoksFxvdF38I4Xzf5/Qm9DQxCQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
new file mode 100644
index 00000000..ae50676b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=NcDa+Q6qO371Bv6aBRhpuHzrJuPgWPMl0eMtnKJAeDY=INVALID-cI8mW+14H4l/yqkjb1+QBnBxnGzigngNweTd1euReBLqO/g9a+YpXKH8fgQ9RRZh+L5ZNxLFONTQwCijfL+jFSZLhLPNhlg/Iyh4PlQKkjBXY3cY2n1Aonvrq+A75FSJEDtvqCXtevAO8GP+3pmEYQ4g2GhveUBjYXM6XQafTNxduYnunB/w1QWR9Wq0pvn2PAmGxoR3MbNFCYTghHb6I3/fTz+KMv67DfqkUi5A77xSu9ZGopaYUPS0Hqbv8W/0urxBXOO1rl95W6M3+uP3tAoQkncocRrf2hrUztC1fnYD+A5zYXH4neF37mXysi0czrMbGL0ASB5TEP2chOj9cg==
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ OgGJSo72uGxRrLgYu7+tIDYnHmtQpEf/TMTO51+YKvA=INVALID-O9XOsqakfZPBpEoD2ZpOG8TUatw0i/v2GbPqkCdncJeyVmI6yuMg/5XXRhvMHQ4+zH/Vox8VBeK3uvNvCTNSV/hzuYlUf1WM89BUCghb0Kcw7KlbdUBKPRaHNG71uSsaZxTVKydVBpK9sBiXU+GRWMa0aWzmC+oR9UKEoozoR9Chi6VaTNFMfa2rkbC51gslZ5Qb28L9P1GhEIK+1hgtcrdEBIdZ/0W1QE93YPvJ41tgsNxoT7PCoSPgCCmVi5QTwNideLP64HTqd/rkzBpseTm8dQdySoCbll1Q/nKgTlyPyJsZ90RFjA5f4LChSRyeOyWHERPSC7V4n72l+yDtxQ==
+/AmA/x3mIGOibT0T0SRNUVA+SGKf52taHmkzZU4JcqU=INVALID-eEggu1rVjg2MOUsI0IYLTfQ/nYGbMdF10CWxbz1F70JGGpqvAp9emQpLftqT6LwKG2T6FWapEZzvp/WmRUFM45Ek2y+MMkA5rfAv2oMPX48kLEz5h2m1LCnbC++rHAgfoanCFAcpZxOvtQkmnVuLjQgRXfixqmgXfMtJxBeEik+6MFUsWRhZTS4tGIbUDdxz6n5m9umGwx3PKPhMj4QcTJUZqQmIOYmMUDvtisLU6Wr8RXRqkmaIB8U0+ikZjktzeo817H8afK9XeBVs0BHAp6CzXerYP9NT5GAoB4kPDQPqJSiqSiOrmF/cxDywElZwxNpvyePPDfBPpjRNB1bDKQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
new file mode 100644
index 00000000..6a96131d
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ gmr1amfM3zV7QhK1Y6iPRpbqzgxl5hNn8mn/NuINTo0=INVALID-hoEErb+EJYbpU2WUuK7cJK3bOK+xAgQna5TtPHHuUYt44nDLPJd72SdR/ZKH8foZtxwwHZ2vP2DEygE1yPSaND4pOUlARPhIFLOopcei7s5UXl2Ynf22j92swVoYYcsbLDLLid6shsgZJnnPTCpCoHZHcGoXHZI9QQbZZd4w/DnGMKIN8DcWC+1E9ARMlJf4MV2eZEZtM3CRlvB+X+gMWMSDyvPg2hQZ4Yar2X2xAKeaka4Ua/rNRrD8SzRcZV6V2Jtga5BtYdra63FirchLK//pGFwRceeom1Dj0GpO1H7LWIgl5gP3AZGgAr8YPXCD3ISBxvm/Yw81UIDH49SMNQ==
+5Bf68tIF9NwX7tsKQzin35UkKg+RArZNAu3oaF2r3EU=INVALID-FWfMZAIYkhfD43c+D736eEnjAMBKYuDKYsc74BRIFg6gBIve43QjkGaqzTEfd8zT47SyPpL1t7YdFaxs4z4B5ZXvbgYM4CvXKi6mtNwushvUztaMNXoDmSq1fvZuWeLqhbpAD3nbxRtgQf/mqPhLL2eFoMgJ9AYInOULpNBjqJ3dEVm/Z8Hh0Ve/alQLEzRX4BpJBXn+XDoBloj79A3Bp/8MiHGt+cPTIcsZWw4Tf6ZX65IgWYAqVHV6ejA8zXZ+8Bec+zGDsMdZhM03loTjaivAbD7ADD+bp07ubNaaO0q0YveHYcFe1VJMNJhw7xNEiPUsxW6pUEFcfJq3CNbjbw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
new file mode 100644
index 00000000..4b24cf47
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=INVALID-To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+qYWgtqJ5/zkxUD+GIZ5TvaItfMYYjpMB8XMFeATHdTM=INVALID-fdEmRX3FdcD+w3TLsF3Q57fOFCZJ/psl8+H2qmBgRw5VmUECr/wjFHdO4Sazu3azrmoDwsc6Y2aVGn6+jX3M00xsp6P2rYQQEwmjRdv1n05YP4bo4hVeuj0chJS5gwfPuFyWlgO1S98OXVOhE2WPAla1zKdeecVxHvNiXcO775ObGmifS4xT04QU/VLZdhYeUVR3EOCD1oqWNmzfsKXqcCsBMfPB9X3P+wrhAWz2cCb4RXmNP3wnlAxfC3M7qQruy2yW2aqsxg6bA/VvJ2HkBzSx7B2tBQO7D56KAMG+coG2QlR6eExQyeAG/Iaz7h006Y1EZXKcJSXunLCzPog3Kw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..ba19b93b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+5wg810GLqW+t9PLsVIA4HowQrP1ORKYuYG8l7B8rNAw=INVALID-JDIzw+1kv3SMfvJF3IeF4tSr2/VosORAo2epsDsRCjMjjDinuIZowgObOXyf1AAZK/HPZnMcIDoow3C55HdA8RrepVzyJVUY8Umf3BQKvP8vNbwnnA1W81sa0hMLd6Lqy2/zEN09jQ1Gpm2VKsIE5TLILKGyO4MjcsTSSVVq9jfhOHrAoWmRnCIO3PdB3sB/baKTZPZUiQzpywyZY2ucGcSdmUkPhdlM0FvZ0dQ7OaAIxhDGLzSJbnM6Zfm/t62JY3xXH/Nl9QuJx4z0W314Ak/pvoLkHm53oziQnfRSr38CLGB+efiKWCarHkShbtMHhqxJU2ehnx6Pobgz8wV3nw==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..211f3c09
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+8L+EbdtsrQn2ojFJPsTFRhGEdC6Ub9Evxrj3KEXWPyY=INVALID-Bca3aGYXbRyifnsFaHcWilzpuWbBjQ5i8/HmXt5dFIrWO8yJD4Qdeb86J2/2CHTpm5J77Z3Ww1CVoodagkwiDGuj/CjUeBTWyVzDuZsGRH/h/dL9i083udnpt2V1/vIyq1eU6qJzjRW6xAT6ObY+f9/lQ8wpzgRDc+s7X0k2uGhgwknJDjCb8xyr6m31rJNGnR/TZFrbKgpjrfUX1l51A7Q0ctkl3bjATnZLYebmgUJfri7WoEO4kkkn/11GpCl+UvOU86QJw5iSCFqivuDJl94zmVl0cx0fhYvgmqQ6aN2cnSIbANisMsL9cZi6030pIwrHKLmzDDTrcJw9TVneZQ==
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
new file mode 100644
index 00000000..668a05bd
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+tXVP7qLQ2AY2XRYyxjUHlZFmTclDPcWPF5s98mqi3N4=INVALID-JIQ+CHFnBpau/97L5GRFIFtvpHfcpEynzTDFcJrApogHvVXubmUWXtOcOCloepK3gkPdMtPdsf/t86BDdXU9hK9uwTIa23utAu5Btgs+mK1YIvIMyWddtXysEu34T5jNZs8F/bG2xug1nSn8BrL9s2x1yui66noCYD/mGjVbsJY76abKXKnRblnyGa0Iqx3T1qSo2bcTnTP/NvGapr3Fg5jby6TnuCBqH0KyhnqJL8hbCcRQXKUzLYIk3RcOfaRvVN/WeQD0SdWmY8EMTePUxkbOTGAgj7prFNI3eb8FZsfHPCL9R1H39veVaBUU/hM/8jm9FZK+0ccaTNhlj8tHhQ==
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..66d43a17
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=INVALID-IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=INVALID-Z3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..81a3467e
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=INVALID-vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
new file mode 100644
index 00000000..d798f2d6
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=INVALID-To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..8e1c271b
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..6532a91c
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
new file mode 100644
index 00000000..90688fa1
--- /dev/null
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..8b1420ee
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=Z3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+UvTBtpd/QsNbEZaTVdWTUj2vYN+oBjYg/gTmLYChv9A=dDu5iloo/Ah8Wf5oe80SZJMQsfsaKisKkPSCGXjquNOomqZsct+khxXiPWSrIksQmHtbcUtx1PExdZJ/P9BRjtYeUi/PRLiXz6rON+k9m2BVWmZUANXFF4yhZkU9q0WNPoETSpWR1laO3o0+sAwD6BoZu5q5+mBisg7OJLO61qB9c/VSc6ypH3JjcFzZm2Q8/R1LZtM/JtKbgzsR59SlSTKuW1Tz0pU0L700o/LfLBgyflfaSFUQxhlZmOpvxN9BKhpOU0czhvlKOMMndztlF0BLNVM1NyOjO6qcKvxxJoW6LGAzAUl9pWC6WoypzsIUnx+XUBsHyoz9I6Y1cikuZw==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..0ae070db
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+vEwbdEHKTaKHy0gAH81FzX22qUlbHDiIz25CdLDIUHA=UurDWgiukshWcaeh6wT6uQS8xLGpJ+SwmgG6lynlrI/IH3k6ltdwiODjRUwQqY6C1UtH1h0cdJR+B2VB4a3w62XEM1qZChyO1QQ85JYyWfqhhkml8XQkZbtjBihc5Rd4Zy0h4B48+yO8f5SN18E9RWLAWOpV1fc+fbDB+cuxMjHVbH5/UyPyGWObETpSP8EaVym/EOUHiUSxYgZz3gN2RGZKryBOYePeN7Yft/rNLkC2aWSjJ6uaIUUty2DeeqtWF0cEW+mSbo1xjZfN96eGfXGhyrhRBTQSioYxphMlj5Hp1Vx/3lWw+E11JRjdsoksFxvdF38I4Xzf5/Qm9DQxCQ==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
new file mode 100644
index 00000000..87b7a811
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=NcDa+Q6qO371Bv6aBRhpuHzrJuPgWPMl0eMtnKJAeDY=cI8mW+14H4l/yqkjb1+QBnBxnGzigngNweTd1euReBLqO/g9a+YpXKH8fgQ9RRZh+L5ZNxLFONTQwCijfL+jFSZLhLPNhlg/Iyh4PlQKkjBXY3cY2n1Aonvrq+A75FSJEDtvqCXtevAO8GP+3pmEYQ4g2GhveUBjYXM6XQafTNxduYnunB/w1QWR9Wq0pvn2PAmGxoR3MbNFCYTghHb6I3/fTz+KMv67DfqkUi5A77xSu9ZGopaYUPS0Hqbv8W/0urxBXOO1rl95W6M3+uP3tAoQkncocRrf2hrUztC1fnYD+A5zYXH4neF37mXysi0czrMbGL0ASB5TEP2chOj9cg==
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ OgGJSo72uGxRrLgYu7+tIDYnHmtQpEf/TMTO51+YKvA=O9XOsqakfZPBpEoD2ZpOG8TUatw0i/v2GbPqkCdncJeyVmI6yuMg/5XXRhvMHQ4+zH/Vox8VBeK3uvNvCTNSV/hzuYlUf1WM89BUCghb0Kcw7KlbdUBKPRaHNG71uSsaZxTVKydVBpK9sBiXU+GRWMa0aWzmC+oR9UKEoozoR9Chi6VaTNFMfa2rkbC51gslZ5Qb28L9P1GhEIK+1hgtcrdEBIdZ/0W1QE93YPvJ41tgsNxoT7PCoSPgCCmVi5QTwNideLP64HTqd/rkzBpseTm8dQdySoCbll1Q/nKgTlyPyJsZ90RFjA5f4LChSRyeOyWHERPSC7V4n72l+yDtxQ==
+/AmA/x3mIGOibT0T0SRNUVA+SGKf52taHmkzZU4JcqU=eEggu1rVjg2MOUsI0IYLTfQ/nYGbMdF10CWxbz1F70JGGpqvAp9emQpLftqT6LwKG2T6FWapEZzvp/WmRUFM45Ek2y+MMkA5rfAv2oMPX48kLEz5h2m1LCnbC++rHAgfoanCFAcpZxOvtQkmnVuLjQgRXfixqmgXfMtJxBeEik+6MFUsWRhZTS4tGIbUDdxz6n5m9umGwx3PKPhMj4QcTJUZqQmIOYmMUDvtisLU6Wr8RXRqkmaIB8U0+ikZjktzeo817H8afK9XeBVs0BHAp6CzXerYP9NT5GAoB4kPDQPqJSiqSiOrmF/cxDywElZwxNpvyePPDfBPpjRNB1bDKQ==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
new file mode 100644
index 00000000..5b4edadf
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ gmr1amfM3zV7QhK1Y6iPRpbqzgxl5hNn8mn/NuINTo0=hoEErb+EJYbpU2WUuK7cJK3bOK+xAgQna5TtPHHuUYt44nDLPJd72SdR/ZKH8foZtxwwHZ2vP2DEygE1yPSaND4pOUlARPhIFLOopcei7s5UXl2Ynf22j92swVoYYcsbLDLLid6shsgZJnnPTCpCoHZHcGoXHZI9QQbZZd4w/DnGMKIN8DcWC+1E9ARMlJf4MV2eZEZtM3CRlvB+X+gMWMSDyvPg2hQZ4Yar2X2xAKeaka4Ua/rNRrD8SzRcZV6V2Jtga5BtYdra63FirchLK//pGFwRceeom1Dj0GpO1H7LWIgl5gP3AZGgAr8YPXCD3ISBxvm/Yw81UIDH49SMNQ==
+5Bf68tIF9NwX7tsKQzin35UkKg+RArZNAu3oaF2r3EU=FWfMZAIYkhfD43c+D736eEnjAMBKYuDKYsc74BRIFg6gBIve43QjkGaqzTEfd8zT47SyPpL1t7YdFaxs4z4B5ZXvbgYM4CvXKi6mtNwushvUztaMNXoDmSq1fvZuWeLqhbpAD3nbxRtgQf/mqPhLL2eFoMgJ9AYInOULpNBjqJ3dEVm/Z8Hh0Ve/alQLEzRX4BpJBXn+XDoBloj79A3Bp/8MiHGt+cPTIcsZWw4Tf6ZX65IgWYAqVHV6ejA8zXZ+8Bec+zGDsMdZhM03loTjaivAbD7ADD+bp07ubNaaO0q0YveHYcFe1VJMNJhw7xNEiPUsxW6pUEFcfJq3CNbjbw==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
new file mode 100644
index 00000000..abb4b6da
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+qYWgtqJ5/zkxUD+GIZ5TvaItfMYYjpMB8XMFeATHdTM=fdEmRX3FdcD+w3TLsF3Q57fOFCZJ/psl8+H2qmBgRw5VmUECr/wjFHdO4Sazu3azrmoDwsc6Y2aVGn6+jX3M00xsp6P2rYQQEwmjRdv1n05YP4bo4hVeuj0chJS5gwfPuFyWlgO1S98OXVOhE2WPAla1zKdeecVxHvNiXcO775ObGmifS4xT04QU/VLZdhYeUVR3EOCD1oqWNmzfsKXqcCsBMfPB9X3P+wrhAWz2cCb4RXmNP3wnlAxfC3M7qQruy2yW2aqsxg6bA/VvJ2HkBzSx7B2tBQO7D56KAMG+coG2QlR6eExQyeAG/Iaz7h006Y1EZXKcJSXunLCzPog3Kw==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..a11d34fa
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+5wg810GLqW+t9PLsVIA4HowQrP1ORKYuYG8l7B8rNAw=JDIzw+1kv3SMfvJF3IeF4tSr2/VosORAo2epsDsRCjMjjDinuIZowgObOXyf1AAZK/HPZnMcIDoow3C55HdA8RrepVzyJVUY8Umf3BQKvP8vNbwnnA1W81sa0hMLd6Lqy2/zEN09jQ1Gpm2VKsIE5TLILKGyO4MjcsTSSVVq9jfhOHrAoWmRnCIO3PdB3sB/baKTZPZUiQzpywyZY2ucGcSdmUkPhdlM0FvZ0dQ7OaAIxhDGLzSJbnM6Zfm/t62JY3xXH/Nl9QuJx4z0W314Ak/pvoLkHm53oziQnfRSr38CLGB+efiKWCarHkShbtMHhqxJU2ehnx6Pobgz8wV3nw==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..3a202377
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+8L+EbdtsrQn2ojFJPsTFRhGEdC6Ub9Evxrj3KEXWPyY=Bca3aGYXbRyifnsFaHcWilzpuWbBjQ5i8/HmXt5dFIrWO8yJD4Qdeb86J2/2CHTpm5J77Z3Ww1CVoodagkwiDGuj/CjUeBTWyVzDuZsGRH/h/dL9i083udnpt2V1/vIyq1eU6qJzjRW6xAT6ObY+f9/lQ8wpzgRDc+s7X0k2uGhgwknJDjCb8xyr6m31rJNGnR/TZFrbKgpjrfUX1l51A7Q0ctkl3bjATnZLYebmgUJfri7WoEO4kkkn/11GpCl+UvOU86QJw5iSCFqivuDJl94zmVl0cx0fhYvgmqQ6aN2cnSIbANisMsL9cZi6030pIwrHKLmzDDTrcJw9TVneZQ==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
new file mode 100644
index 00000000..e618e3f1
--- /dev/null
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+tXVP7qLQ2AY2XRYyxjUHlZFmTclDPcWPF5s98mqi3N4=JIQ+CHFnBpau/97L5GRFIFtvpHfcpEynzTDFcJrApogHvVXubmUWXtOcOCloepK3gkPdMtPdsf/t86BDdXU9hK9uwTIa23utAu5Btgs+mK1YIvIMyWddtXysEu34T5jNZs8F/bG2xug1nSn8BrL9s2x1yui66noCYD/mGjVbsJY76abKXKnRblnyGa0Iqx3T1qSo2bcTnTP/NvGapr3Fg5jby6TnuCBqH0KyhnqJL8hbCcRQXKUzLYIk3RcOfaRvVN/WeQD0SdWmY8EMTePUxkbOTGAgj7prFNI3eb8FZsfHPCL9R1H39veVaBUU/hM/8jm9FZK+0ccaTNhlj8tHhQ==
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
new file mode 100644
index 00000000..63bf9f3c
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+ 32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=Z3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==
+
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
new file mode 100644
index 00000000..eb9b3139
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==
+
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
new file mode 100644
index 00000000..7adef2f5
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+ nT8hRy7WnO4n3hiYyBE0zgE/Vwj0aqQUhFxE+PvW94c=To9fxKoAEyoD0z0RNJg6xB5HFeiUaOJLwAkcGMoGHYO4eURvTGbDVfM1e/7B2ALoCEaouKHF5kmnSjfks3YNQ1/Gfz0wxrrpXZ8nM/Egj3A/MRYFf6TgN9mzaGisle5nctRDK2V7UzrQx+5emBgUYWjXr6j5Xz+9XorcS5whVVE2jfIZBqTJ3uAlm3JLiwWVAiGrgvjjFEYow4r7zSJ6f2SNyC78t3Hvjngfa8LX9YwyP1gEKXWA1Egr3M5LWp76BbuErEs6vNQRW8xEen5aeDLRMBbsSEn3AOzBDDWqAN0G7r8NWb/S39twFOJF0xFZKpVvCv/0wODs4ZEVTbuojA==
+
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
new file mode 100644
index 00000000..8e1c271b
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
@@ -0,0 +1,66 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
new file mode 100644
index 00000000..6532a91c
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
@@ -0,0 +1,91 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ https://evil-corp.com
+
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ Jules Winnfield
+
+
+
+
+
+ https://evil-daughter-corp.com
+
+
+ vincent.vega@evil-daughter-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ John Travolta
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.xml
new file mode 100644
index 00000000..90688fa1
--- /dev/null
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-unsigned.xml
@@ -0,0 +1,39 @@
+
+
+ https://evil-corp.com
+
+
+
+
+ https://evil-corp.com
+
+ vincent.vega@evil-corp.com
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+
+
+
+ vincent.vega@evil-corp.com
+
+
+
+ Vincent
+
+
+
+ VEGA
+
+
+
+
+
diff --git a/test/test-signatures.js b/test/test-signatures.js
new file mode 100644
index 00000000..a26fec22
--- /dev/null
+++ b/test/test-signatures.js
@@ -0,0 +1,83 @@
+const should = require('should'),
+ SAML = require('../lib/passport-saml/index.js').SAML,
+ fs = require('fs'),
+ cert = fs.readFileSync(__dirname + '/static/cert.pem', 'ascii'),
+ sinon = require('sinon');
+
+describe('Signatures', function() {
+
+ const INVALID_ROOT_SIGNATURE = 'Invalid signature on documentElement',
+ INVALID_SIGNATURE = 'Invalid signature',
+ createBody = pathToXml => ({ SAMLResponse: fs.readFileSync(__dirname + '/static/signatures' + pathToXml, 'base64') }),
+ tryCatchTest = ( done, func ) => ( ...args ) => {
+ try {
+ func(...args);
+ }
+ catch ( ex ) {
+ done(ex);
+ }
+ },
+ testOneResponse = ( pathToXml, shouldErrorWith, amountOfSignatureChecks = 1 ) => {
+ return done => {
+ //== Instantiate new instance before every test
+ const samlObj = new SAML({ cert });
+ //== Spy on `validateSignature` to be able to count how many times it has been called
+ const validateSignatureSpy = sinon.spy(samlObj, 'validateSignature');
+
+ //== Create a body bases on an XML an run the test in `func`
+ samlObj.validatePostResponse(createBody(pathToXml), tryCatchTest(done, function( error ) {
+ //== Assert error. If the error is `SAML assertion expired` we made it past the certificate validation
+ shouldErrorWith ? error.should.eql(new Error(shouldErrorWith)) : error.should.eql(new Error('SAML assertion expired'));
+ //== Assert times `validateSignature` was called
+ validateSignatureSpy.callCount.should.eql(amountOfSignatureChecks);
+ done();
+ }));
+ };
+ };
+
+ describe('Signatures on saml:Response - Only 1 saml:Assertion', () => {
+ //== VALID
+ it('R1A - both signed => valid', testOneResponse('/valid/response.root-signed.assertion-signed.xml', false, 1));
+ it('R1A - root signed => valid', testOneResponse('/valid/response.root-signed.assertion-unsigned.xml', false, 1));
+ it('R1A - asrt signed => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.xml', false, 2));
+
+ //== INVALID
+ it('R1A - none signed => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A - both signed => error', testOneResponse('/invalid/response.root-signed.assertion-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A - root signed => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A - asrt signed => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.xml', INVALID_SIGNATURE, 2));
+ });
+
+ describe('Signatures on saml:Response - 1 saml:Assertion + 1 saml:Advice containing 1 saml:Assertion', () => {
+ //== VALID
+ it('R1A1Ad - signed root+asrt+advi => valid', testOneResponse('/valid/response.root-signed.assertion-signed.1advice-signed.xml', false, 1));
+ it('R1A1Ad - signed root+asrt => valid', testOneResponse('/valid/response.root-signed.assertion-signed.1advice-unsigned.xml', false, 1));
+ it('R1A1Ad - signed asrt+advi => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.1advice-signed.xml', false, 2));
+ it('R1A1Ad - signed root => valid', testOneResponse('/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml', false, 1));
+ it('R1A1Ad - signed asrt => valid', testOneResponse('/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml', false, 2));
+
+ //== INVALID
+ it('R1A1Ad - signed none => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root+asrt+advi => error', testOneResponse('/invalid/response.root-signed.assertion-signed.1advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root+asrt => error', testOneResponse('/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed asrt+advi => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed root => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A1Ad - signed asrt => error', testOneResponse('/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml', INVALID_SIGNATURE, 2));
+
+ });
+
+ describe('Signatures on saml:Response - 1 saml:Assertion + 1 saml:Advice containing 2 saml:Assertion', () => {
+ //== VALID
+ it('R1A2Ad - signed root+asrt+advi => error', testOneResponse('/valid/response.root-signed.assertion-signed.2advice-signed.xml', false, 1));
+ it('R1A2Ad - signed root+asrt => error', testOneResponse('/valid/response.root-signed.assertion-signed.2advice-unsigned.xml', false, 1));
+ it('R1A2Ad - signed root => error', testOneResponse('/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml', false, 1));
+
+ //== INVALID
+ it('R1A2Ad - signed none => error', testOneResponse('/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root+asrt+advi => error', testOneResponse('/invalid/response.root-signed.assertion-signed.2advice-signed.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root+asrt => error', testOneResponse('/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+ it('R1A2Ad - signed root => error', testOneResponse('/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml', INVALID_SIGNATURE, 2));
+
+ });
+
+});
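Review bot: The "valid" branch of the assertion on L2065 only works because every fixture under `/valid/` is expected to fail later with `SAML assertion expired`; if a fixture ever validated fully, `error` would be undefined and `error.should.eql(...)` would throw a TypeError instead of a readable assertion failure, so guard it first with `should.exist(error, 'callback returned no error; expected "SAML assertion expired"');` before the comparison. The `it` titles on L2106–L2108 read "=> error" although they sit under the `//== VALID` comment and pass `false` as `shouldErrorWith`, so they should say "=> valid" like the other describe blocks. `INVALID_ROOT_SIGNATURE` on L2044 is declared but never used in this file, presumably a leftover from an earlier error-message scheme; either assert on it where a root-signature failure is expected or drop it. Whether `validateSignatureSpy.callCount` on L2067 reflects every signature check also depends on `validatePostResponse` invoking `this.validateSignature` rather than a closed-over reference, which cannot be confirmed from this hunk.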