3 files changed, 25 insertions, 3 deletions

diff --git a/lib/saml/kit/trustable.rb b/lib/saml/kit/trustable.rb
index 1c8bc9f..52c1048 100644
--- a/lib/saml/kit/trustable.rb
+++ b/lib/saml/kit/trustable.rb
@@ -52,8 +52,8 @@ module Saml
           "samlp": Namespaces::PROTOCOL,
         })
         xml.valid?
-        xml.errors.each do |error|
-          errors[:base] << error
+        xml.errors.each do |attribute, error|
+          errors[attribute] << error
         end
       end
 
diff --git a/lib/saml/kit/version.rb b/lib/saml/kit/version.rb
index b72f918..fcf10e9 100644
--- a/lib/saml/kit/version.rb
+++ b/lib/saml/kit/version.rb
@@ -1,5 +1,5 @@
 module Saml
   module Kit
-    VERSION = "1.0.0"
+    VERSION = "1.0.1"
   end
 end
diff --git a/spec/saml/authentication_request_spec.rb b/spec/saml/authentication_request_spec.rb
index f1516b3..5c17beb 100644
--- a/spec/saml/authentication_request_spec.rb
+++ b/spec/saml/authentication_request_spec.rb
@@ -133,6 +133,28 @@ RSpec.describe Saml::Kit::AuthenticationRequest do
       subject = described_class.new(raw_xml, configuration: configuration)
       expect(subject).to be_invalid
     end
+
+    context "when the certificate is expired" do
+      let(:expired_certificate) do
+        certificate = OpenSSL::X509::Certificate.new
+        certificate.public_key = private_key.public_key
+        certificate.not_before = 1.day.ago
+        certificate.not_after = 1.second.ago
+        certificate
+      end
+      let(:private_key) { OpenSSL::PKey::RSA.new(2048) }
+      let(:configuration) do
+        Saml::Kit::Configuration.new do |config|
+          config.add_key_pair(expired_certificate, private_key, passphrase: nil, use: :signing)
+        end
+      end
+
+      it 'is invalid' do
+        subject = described_class.new(raw_xml, configuration: configuration)
+        expect(subject).to be_invalid
+        expect(subject.errors[:certificate]).to be_present
+      end
+    end
   end
 
   describe "#assertion_consumer_service_url" do