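/**
 * Runs $assertionXpath relative to the Assertion that the XML signature covers.
 *
 * The ds:Reference of the signature (on the Assertion, else on the whole
 * Response) names the element that was signed. That element's ID is pinned
 * into the XPath so that a second, unsigned Assertion placed elsewhere in
 * the document (signature wrapping) is not the one whose data is read.
 *
 * This method only locates nodes; it does not verify the signature itself.
 * NOTE(review): when neither element carries a signature the query is not
 * pinned to any ID — presumably the caller has already rejected or validated
 * such responses; confirm against the response-validation path.
 *
 * Fixes over the previous version: the ID taken from the document was
 * interpolated into the XPath without quoting (a quote in the URI breaks
 * or alters the query), and a Reference without a URI attribute, or a
 * signed element without an ID, dereferenced null. Both cases now fail
 * closed with an empty result.
 *
 * @param string $assertionXpath XPath fragment appended after the Assertion
 *                               node, e.g. "/saml:Subject/saml:NameID"
 *
 * @return DOMNodeList Matching nodes; empty when the signature reference
 *                     cannot be resolved to an element ID.
 */
protected function _queryAssertion($assertionXpath)
{
    $xpath = new DOMXPath($this->encrypted ? $this->decryptedDocument : $this->document);
    $xpath->registerNamespace('samlp', OneLogin_Saml2_Constants::NS_SAMLP);
    $xpath->registerNamespace('saml', OneLogin_Saml2_Constants::NS_SAML);
    $xpath->registerNamespace('ds', OneLogin_Saml2_Constants::NS_DS);
    $xpath->registerNamespace('xenc', OneLogin_Saml2_Constants::NS_XENC);

    $assertionNode = '/samlp:Response/saml:Assertion';
    $referencePath = '/ds:Signature/ds:SignedInfo/ds:Reference';

    // A signature on the Assertion takes precedence; otherwise look for one on the Response.
    $referenceNode = $xpath->query($assertionNode . $referencePath)->item(0);
    if ($referenceNode) {
        $signedNode = $assertionNode;
        $afterSigned = '';
    } else {
        $referenceNode = $xpath->query('/samlp:Response' . $referencePath)->item(0);
        if (!$referenceNode) {
            // Nothing is signed at either level: there is no ID to pin the query to.
            return $xpath->query($assertionNode . $assertionXpath);
        }
        $signedNode = '/samlp:Response';
        $afterSigned = '/saml:Assertion';
    }

    $id = $this->_signedElementId($referenceNode);
    if (!is_string($id) || $id === '') {
        // Unresolvable or empty reference: return no nodes rather than matching
        // an arbitrary element or erroring on a missing attribute.
        return $xpath->query($assertionNode . '[false()]');
    }

    $idPredicate = '[@ID=' . self::_xpathStringLiteral($id) . ']';
    return $xpath->query($signedNode . $idPredicate . $afterSigned . $assertionXpath);
}

/**
 * Resolves a ds:Reference to the ID of the element it claims to sign.
 *
 * An empty URI means an enveloped signature over the element that contains
 * it (Reference -> SignedInfo -> Signature -> signed element); a "#id" URI
 * names the element directly. Any other URI is not a same-document reference
 * and cannot be tied to an element here.
 *
 * @param DOMNode $referenceNode The ds:Reference element.
 *
 * @return string|null The referenced ID, or null when none can be resolved.
 */
private function _signedElementId(DOMNode $referenceNode)
{
    $uriAttr = $referenceNode->attributes ? $referenceNode->attributes->getNamedItem('URI') : null;
    $uri = $uriAttr ? (string) $uriAttr->nodeValue : '';

    if ($uri === '') {
        $signedElement = $referenceNode->parentNode;
        $signedElement = $signedElement ? $signedElement->parentNode : null;
        $signedElement = $signedElement ? $signedElement->parentNode : null;
        if (!$signedElement || !$signedElement->attributes) {
            return null;
        }
        $idAttr = $signedElement->attributes->getNamedItem('ID');
        return $idAttr ? (string) $idAttr->nodeValue : null;
    }

    if ($uri[0] !== '#') {
        return null;
    }
    return substr($uri, 1);
}

/**
 * Quotes $value as an XPath 1.0 string literal.
 *
 * XPath has no escape sequences, so a value containing both quote kinds is
 * emitted as concat() of pieces that each use the other quote. The ID comes
 * from the untrusted document, so it must never be spliced into the query raw.
 *
 * @param string $value
 *
 * @return string An XPath expression evaluating to exactly $value.
 */
private static function _xpathStringLiteral($value)
{
    $value = (string) $value;
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // Both quote kinds present: split on single quotes and re-join with concat().
    $pieces = array();
    foreach (explode("'", $value) as $index => $piece) {
        if ($index > 0) {
            $pieces[] = '"\'"';
        }
        if ($piece !== '') {
            $pieces[] = "'" . $piece . "'";
        }
    }
    return 'concat(' . implode(', ', $pieces) . ')';
}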