martinhickson
diff --git a/‎modules/federation/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
+17-3 b/‎modules/federation/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
+17-3
diff --git a/‎modules/federation/src/main/java/org/picketlink/identity/federation/saml/v2/protocol/ResponseType.java
+4 b/‎modules/federation/src/main/java/org/picketlink/identity/federation/saml/v2/protocol/ResponseType.java
+4
@@ -19,6 +19,7 @@
 
 import org.picketlink.common.PicketLinkLogger;
 import org.picketlink.common.PicketLinkLoggerFactory;
+import org.picketlink.common.constants.JBossSAMLConstants;
 import org.picketlink.common.constants.JBossSAMLURIConstants;
 import org.picketlink.common.constants.WSTrustConstants;
 import org.picketlink.common.exceptions.ParsingException;
@@ -500,9 +501,18 @@ public static boolean validate(Document signedDoc, Key publicKey) throws Marshal
 
         if (publicKey == null)
             throw logger.nullValueError("Public Key");
-
+        int signedAssertions = 0;
+        String assertionNameSpaceUri = null;
         for (int i = 0; i < nl.getLength(); i++) {
-            DOMValidateContext valContext = new DOMValidateContext(publicKey, nl.item(i));
+            Node signatureNode = nl.item(i);
+            Node parent = signatureNode.getParentNode();
+            if (parent != null && JBossSAMLConstants.ASSERTION.get().equals(parent.getLocalName())) {
+                ++signedAssertions;
+                if (assertionNameSpaceUri == null) {
+                    assertionNameSpaceUri = parent.getNamespaceURI();
+                }
+            }
+            DOMValidateContext valContext = new DOMValidateContext(publicKey, signatureNode);
             XMLSignature signature = fac.unmarshalXMLSignature(valContext);
 
             boolean coreValidity = signature.validate(valContext);
@@ -521,7 +531,11 @@ public static boolean validate(Document signedDoc, Key publicKey) throws Marshal
                 return false;
             }
         }
-
+        NodeList assertions = signedDoc.getElementsByTagNameNS(assertionNameSpaceUri, JBossSAMLConstants.ASSERTION.get());
+        if (signedAssertions > 0 && assertions != null && assertions.getLength() != signedAssertions) {
+            // there are unsigned assertions mixed with signed ones
+            return false;
+        }
         return true;
     }
 
 
@@ -68,6 +68,10 @@ public void addAssertion(RTChoiceType choice) {
         assertions.add(choice);
     }
 
+    public void addAssertion(int index, RTChoiceType choice) {
+        assertions.add(index, choice);
+    }
+
     /**
      * Remove an assertion
      *
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,10 @@ public void addAssertion(RTChoiceType choice) {`
`68`	`68`	`assertions.add(choice);`
`69`	`69`	`}`
`70`	`70`
	`71`	`+ public void addAssertion(int index, RTChoiceType choice) {`
	`72`	`+ assertions.add(index, choice);`
	`73`	`+ }`
	`74`	`+`
`71`	`75`	`/**`
`72`	`76`	`* Remove an assertion`
`73`	`77`	`*`