IdentityPython · theseal · Jun 18, 2025
diff --git a/src/pyff/samlmd.py b/src/pyff/samlmd.py
@@ -305,7 +305,7 @@ def parse(self, resource: Resource, content: str) -> EidasMDParserInfo:
                     fingerprints = list(certs.keys())
                     fp = None
                     if len(fingerprints) > 0:
-                        fp = fingerprints[0]
+                        fp = fingerprints
 
                     ep = ml.find("{{{}}}Endpoint".format(NS['ser']))
                     if ep is not None and fp is not None:

diff --git a/src/pyff/utils.py b/src/pyff/utils.py
@@ -264,15 +264,23 @@ def redis():
 
 
 def check_signature(t: ElementTree, key: Optional[str], only_one_signature: bool = False) -> ElementTree:
+    refs = None
     if key is not None:
-        log.debug(f"verifying signature using {key}")
-        refs = xmlsec.verified(t, key, drop_signature=True)
-        if only_one_signature and len(refs) != 1:
-            raise MetadataException("XML metadata contains %d signatures - exactly 1 is required" % len(refs))
-        t = refs[0]  # prevent wrapping attacks
+        for k in key:
+            log.debug(f"verifying signature using {k}")
+            try:
+                refs = xmlsec.verified(t, k, drop_signature=True)
+            except xmlsec.exceptions.XMLSigException:
+                continue
+            if refs:
+                if only_one_signature and len(refs) != 1:
+                    raise MetadataException("XML metadata contains %d signatures - exactly 1 is required" % len(refs))
+                t = refs[0]  # prevent wrapping attacks
+                return t
 
-    return t
+        raise MetadataException("No valid signature(s) found")
 
+    return t
 
 def validate_document(t):
     schema().assertValid(t)