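// ExampleSignature_Sign shows how to attach an enveloped XML-DSig signature to
// a small document using a freshly generated RSA key.
//
// Every fallible call is checked. The original example discarded the errors
// from ParseString, AddReference, AddTransform and LoadKeyFromRSAPrivateKey,
// and never freed the parsed document.
func ExampleSignature_Sign() {
	xmlsec.Init()
	defer xmlsec.Shutdown()

	// These parser flags load DTDs and expand entities. That is acceptable for
	// the constant document below; do not parse untrusted XML with them.
	p := parser.New(parser.XMLParseDTDLoad | parser.XMLParseDTDAttr | parser.XMLParseNoEnt)
	doc, err := p.ParseString(`<?xml version="1.0" encoding="UTF-8"?>
<Message><Data>Hello, World!</Data></Message>`)
	if err != nil {
		log.Printf("ParseString failed: %s", err)
		return
	}
	defer doc.Free()

	n, err := doc.DocumentElement()
	if err != nil {
		log.Printf("DocumentElement failed: %s", err)
		return
	}

	// n is the node where you want your signature to be
	// generated under.
	// RSA-SHA1 and the SHA-1 digest below match the rest of this file;
	// SHA-1 is deprecated for new signatures, so prefer a SHA-2 variant
	// where the verifying side supports one.
	sig, err := dsig.NewSignature(n, dsig.ExclC14N, dsig.RsaSha1, "")
	if err != nil {
		log.Printf("failed to create signature: %s", err)
		return
	}

	if err := sig.AddReference(dsig.Sha1, "", "", ""); err != nil {
		log.Printf("failed to add reference: %s", err)
		return
	}
	if err := sig.AddTransform(dsig.Enveloped); err != nil {
		log.Printf("failed to add transform: %s", err)
		return
	}

	privkey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Printf("failed to generate key: %s", err)
		return
	}

	key, err := crypto.LoadKeyFromRSAPrivateKey(privkey)
	if err != nil {
		log.Printf("failed to load key: %s", err)
		return
	}

	// Outer err is deliberately not shadowed here so the loader's error above
	// cannot be silently lost.
	if err = sig.Sign(key); err != nil {
		log.Printf("failed to sign: %s", err)
		return
	}

	log.Printf("%s", doc.Dump(true))
}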
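// TestAuthnRequest builds an AuthnRequest, serializes it, re-parses the
// result, signs the root element with a freshly generated RSA key, and then
// checks that the dumped document actually carries a signature.
//
// The original test only logged the signed document; it could not fail if
// Sign produced no SignatureValue.
func TestAuthnRequest(t *testing.T) {
	xmlsec.Init()
	defer xmlsec.Shutdown()

	ar := NewAuthnRequest()
	ar.ID = "809707f0030a5d00620c9d9df97f627afe9dcc24"
	ar.Version = "2.0"
	ar.IssueInstant = time.Now()
	ar.Issuer = "http://sp.example.com/metadata"
	ar.Destination = "http://idp.example.com/sso"
	ar.ProviderName = "FooProvider"
	ar.ProtocolBinding = binding.HTTPPost
	ar.AssertionConsumerServiceURL = "http://sp.example.com/acs"
	ar.NameIDPolicy = NewNameIDPolicy(nameid.EmailAddress, true)
	ar.RequestedAuthnContext = NewRequestedAuthnContext(
		"exact",
		"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
	)

	xmlstr, err := ar.Serialize()
	if !assert.NoError(t, err, "Serialize() succeeds") {
		return
	}

	// DTD loading and entity expansion are enabled only because the input
	// was produced by Serialize above, not taken from an untrusted source.
	p := parser.New(parser.XMLParseDTDLoad | parser.XMLParseDTDAttr | parser.XMLParseNoEnt)
	c14ndoc, err := p.ParseString(xmlstr)
	if !assert.NoError(t, err, "Parse C14N XML doc succeeds") {
		return
	}
	defer c14ndoc.Free()

	root, err := c14ndoc.DocumentElement()
	if !assert.NoError(t, err, "DocumentElement succeeds") {
		return
	}

	privkey, err := rsa.GenerateKey(rand.Reader, 2048)
	if !assert.NoError(t, err, "GenerateKey succeeds") {
		return
	}

	// The last argument is the ID of the element the reference points at
	// (the AuthnRequest root). SHA-1 is kept to match the rest of the file.
	signer, err := dsig.NewSignature(root, dsig.ExclC14N, dsig.RsaSha1, "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest")
	if !assert.NoError(t, err, "dsig.NewSignature succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddReference(dsig.Sha1, "", "", ""), "AddReference succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddTransform(dsig.Enveloped), "AddTransform succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddKeyValue(), "AddKeyValue succeeds") {
		return
	}

	key, err := crypto.LoadKeyFromRSAPrivateKey(privkey)
	if !assert.NoError(t, err, "Load key from RSA private key succeeds") {
		return
	}

	if !assert.NoError(t, signer.Sign(key), "Sign succeeds") {
		return
	}

	signed := c14ndoc.Dump(true)
	t.Logf("%s", signed)

	// An XML-DSig signature always carries a SignatureValue element; its
	// absence means Sign did not actually sign the document.
	assert.Contains(t, signed, "SignatureValue", "signed document contains SignatureValue")
}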
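// TestResponse checks that a Response serializes without an Assertion until
// one is set, that an added Audience shows up in the output, and that the
// canonicalized document can be signed with a freshly generated RSA key.
//
// The original test logged the dump both on Sign failure and on success and
// asserted nothing about the signed output; it now fails if the signature
// is missing.
func TestResponse(t *testing.T) {
	xmlsec.Init()
	defer xmlsec.Shutdown()
	res := NewResponse()
	res.Issuer = "http://idp.example.com/metadata"
	res.Destination = "http://sp.example.com/sso"

	// Run serialize once so we can check for empty assertion
	xmlstr, err := res.Serialize()
	if !assert.NoError(t, err, "Serialize() succeeds") {
		return
	}
	if !assert.NotContains(t, xmlstr, "<Assertion", "Should not contain assertion") {
		return
	}

	res.Assertion = NewAssertion()

	res.Assertion.Conditions.AddAudience("sp.example.com/sso")

	xmlstr, err = res.Serialize()
	if !assert.NoError(t, err, "Serialize() succeeds") {
		return
	}

	if !assert.Contains(t, xmlstr, "<saml:Audience>sp.example.com/sso", "<saml:Audience> exists") {
		return
	}

	// DTD loading and entity expansion are enabled only because both inputs
	// parsed below are produced locally (Serialize, then C14NSerialize).
	p := parser.New(parser.XMLParseDTDLoad | parser.XMLParseDTDAttr | parser.XMLParseNoEnt)
	doc, err := p.ParseString(xmlstr)
	if !assert.NoError(t, err, "Parse XML doc succeeds") {
		return
	}
	defer doc.Free()

	// Canonicalize first so the signature is computed over the same bytes a
	// verifier would see after exclusive C14N.
	c14nxml, err := dom.C14NSerialize{Mode: dom.C14NExclusive1_0}.Serialize(doc)
	if !assert.NoError(t, err, "C14NSerialize.Serialize succeeds") {
		return
	}

	c14ndoc, err := p.ParseString(c14nxml)
	if !assert.NoError(t, err, "Parse C14N doc succeeds") {
		return
	}
	defer c14ndoc.Free()

	root, err := c14ndoc.DocumentElement()
	if !assert.NoError(t, err, "DocumentElement succeeds") {
		return
	}

	privkey, err := rsa.GenerateKey(rand.Reader, 2048)
	if !assert.NoError(t, err, "GenerateKey succeeds") {
		return
	}

	// SHA-1 is kept to match the rest of the file.
	signer, err := dsig.NewSignature(root, dsig.ExclC14N, dsig.RsaSha1, "urn:oasis:names:tc:SAML:2.0:protocol:Response")
	if !assert.NoError(t, err, "dsig.NewSignature succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddReference(dsig.Sha1, "", "", ""), "AddReference succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddTransform(dsig.Enveloped), "AddTransform succeeds") {
		return
	}

	if !assert.NoError(t, signer.AddKeyValue(), "AddKeyValue succeeds") {
		return
	}

	key, err := crypto.LoadKeyFromRSAPrivateKey(privkey)
	if !assert.NoError(t, err, "Load key from RSA private key succeeds") {
		return
	}

	if !assert.NoError(t, signer.Sign(key), "Sign succeeds") {
		return
	}

	signed := c14ndoc.Dump(true)
	t.Logf("%s", signed)

	// An XML-DSig signature always carries a SignatureValue element; its
	// absence means Sign did not actually sign the document.
	assert.Contains(t, signed, "SignatureValue", "signed document contains SignatureValue")
}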