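// ValidateSignature checks the XML signatures on a SAML response against the
// IdP certificates listed in the metadata.
//
// md is queried with gosaml.IdpCertQuery for the candidate certificates and xp
// is the response document. The signed elements considered are the
// samlp:Response at the document root and a saml:Assertion directly beneath
// it, each only when it carries a ds:Signature child. At least one of them
// must be signed, and every signed element must verify against at least one
// metadata certificate.
//
// An error is returned when the metadata holds no certificates, when neither
// element is signed, when a certificate cannot be converted to a public key,
// or when a signed element fails verification with every certificate.
func ValidateSignature(md, xp *gosaml.Xp) (err error) {

	// no ds:Object in signatures
	// NOTE(review): nothing in this function enforces that restriction;
	// presumably it is checked by xp.VerifySignature or by schema validation
	// before this call. Confirm against the callers.
	certificates := md.Query(nil, gosaml.IdpCertQuery)
	if len(certificates) == 0 {
		return errors.New("no certificates found in metadata")
	}
	signatures := xp.Query(nil, "(/samlp:Response[ds:Signature] | /samlp:Response/saml:Assertion[ds:Signature])")
	// Destination is read from the not-yet-verified document and is used only
	// to label error messages.
	destination := xp.Query1(nil, "/samlp:Response/@Destination")

	if len(signatures) == 0 {
		return fmt.Errorf("%s neither the assertion nor the response was signed", destination)
	}

	// Track verification per signed element. A single running total over all
	// certificate/signature pairs can equal len(signatures) while one element
	// never verified (one element accepted by two certificates, the other by
	// none), and it also rejects a valid response whose signature matches two
	// metadata certificates.
	verified := make([]bool, len(signatures))
	signerrors := []error{}
	for _, certificate := range certificates {
		var key *rsa.PublicKey
		_, key, err = gosaml.PublicKeyInfo(md.NodeGetContent(certificate))
		if err != nil {
			return
		}

		for i, signature := range signatures {
			if verified[i] {
				// Already accepted with an earlier certificate.
				continue
			}
			if signerror := xp.VerifySignature(signature, key); signerror != nil {
				signerrors = append(signerrors, signerror)
				continue
			}
			verified[i] = true
		}
	}

	for _, ok := range verified {
		if ok {
			continue
		}
		// At least one signed element verified with no certificate: report
		// every collected verification error, comma separated.
		errorstring := ""
		delim := ""
		for _, e := range signerrors {
			errorstring += delim + e.Error()
			delim = ", "
		}
		return fmt.Errorf("%s unable to validate signature: %s", destination, errorstring)
	}
	return nil
}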