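// ValidateSignature checks that every XML signature found on a SAML Response
// (the enveloping samlp:Response and/or its saml:Assertion) in xp verifies
// against at least one of the IdP certificates published in the metadata md.
//
// Errors are returned when the metadata carries no certificate, when neither
// the response nor the assertion is signed, when a metadata certificate cannot
// be parsed into an RSA public key, or when any present signature fails to
// verify against all certificates. The returned error is prefixed with the
// Response's Destination attribute to aid log correlation.
//
// NOTE(review): whether a ds:Signature's Reference actually covers its enclosing
// element (and not some unrelated node) is assumed to be enforced by
// xp.VerifySignature; that cannot be confirmed from this function alone.
func ValidateSignature(md, xp *gosaml.Xp) (err error) {
	// no ds:Object in signatures
	certificates := md.Query(nil, gosaml.IdpCertQuery)
	if len(certificates) == 0 {
		err = errors.New("no certificates found in metadata")
		return
	}

	// Select the Response and/or Assertion elements that carry a ds:Signature.
	signatures := xp.Query(nil, "(/samlp:Response[ds:Signature] | /samlp:Response/saml:Assertion[ds:Signature])")
	destination := xp.Query1(nil, "/samlp:Response/@Destination")
	if len(signatures) == 0 {
		err = fmt.Errorf("%s neither the assertion nor the response was signed", destination)
		return
	}

	// Track verification per signature rather than with a single counter.
	// A global count compared against len(signatures) is unsound: if the
	// metadata lists the same certificate twice, one valid signature is
	// counted twice and can mask a second signature that never verified.
	verifiedSig := make([]bool, len(signatures))
	var signerrors []error

	for _, certificate := range certificates {
		// Explicit var + "=" keeps err bound to the named result; a ":=" here
		// would shadow it and the bare return below would return nil.
		var key *rsa.PublicKey
		_, key, err = gosaml.PublicKeyInfo(md.NodeGetContent(certificate))
		if err != nil {
			// Fail closed: a certificate in metadata that cannot be parsed
			// aborts validation instead of being silently skipped.
			return
		}
		for i, signature := range signatures {
			if verifiedSig[i] {
				// Already verified against an earlier certificate.
				continue
			}
			if signerror := xp.VerifySignature(signature, key); signerror != nil {
				signerrors = append(signerrors, signerror)
			} else {
				verifiedSig[i] = true
			}
		}
	}

	// Every signature that is present must have verified against some key.
	for _, ok := range verifiedSig {
		if ok {
			continue
		}
		errorstring := ""
		for i, e := range signerrors {
			if i > 0 {
				errorstring += ", "
			}
			errorstring += e.Error()
		}
		err = fmt.Errorf("%s unable to validate signature: %s", destination, errorstring)
		return
	}
	return
}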