dex/vendor/github.com/russellhaering/goxmldsig/sign.go

package dsig

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"
	_ "crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"

	"github.com/beevik/etree"
)

type SigningContext struct {
	Hash          crypto.Hash
	KeyStore      X509KeyStore
	IdAttribute   string
	Prefix        string
	Canonicalizer Canonicalizer
}

func NewDefaultSigningContext(ks X509KeyStore) *SigningContext {
	return &SigningContext{
		Hash:          crypto.SHA256,
		KeyStore:      ks,
		IdAttribute:   DefaultIdAttr,
		Prefix:        DefaultPrefix,
		Canonicalizer: MakeC14N11Canonicalizer(),
	}
}

func (ctx *SigningContext) SetSignatureMethod(algorithmID string) error {
	hash, ok := signatureMethodsByIdentifier[algorithmID]
	if !ok {
		return fmt.Errorf("Unknown SignatureMethod: %s", algorithmID)
	}

	ctx.Hash = hash

	return nil
}

func (ctx *SigningContext) digest(el *etree.Element) ([]byte, error) {
	canonical, err := ctx.Canonicalizer.Canonicalize(el)
	if err != nil {
		return nil, err
	}

	hash := ctx.Hash.New()
	_, err = hash.Write(canonical)
	if err != nil {
		return nil, err
	}

	return hash.Sum(nil), nil
}

func (ctx *SigningContext) constructSignedInfo(el *etree.Element, enveloped bool) (*etree.Element, error) {
	digestAlgorithmIdentifier, ok := digestAlgorithmIdentifiers[ctx.Hash]
	if !ok {
		return nil, errors.New("unsupported hash mechanism")
	}

	signatureMethodIdentifier, ok := signatureMethodIdentifiers[ctx.Hash]
	if !ok {
		return nil, errors.New("unsupported signature method")
	}

	digest, err := ctx.digest(el)
	if err != nil {
		return nil, err
	}

	signedInfo := &etree.Element{
		Tag:   SignedInfoTag,
		Space: ctx.Prefix,
	}

	// /SignedInfo/CanonicalizationMethod
	canonicalizationMethod := ctx.createNamespacedElement(signedInfo, CanonicalizationMethodTag)
	canonicalizationMethod.CreateAttr(AlgorithmAttr, string(ctx.Canonicalizer.Algorithm()))

	// /SignedInfo/SignatureMethod
	signatureMethod := ctx.createNamespacedElement(signedInfo, SignatureMethodTag)
	signatureMethod.CreateAttr(AlgorithmAttr, signatureMethodIdentifier)

	// /SignedInfo/Reference
	reference := ctx.createNamespacedElement(signedInfo, ReferenceTag)

	dataId := el.SelectAttrValue(ctx.IdAttribute, "")
	if dataId == "" {
		return nil, errors.New("Missing data ID")
	}

	reference.CreateAttr(URIAttr, "#"+dataId)

	// /SignedInfo/Reference/Transforms
	transforms := ctx.createNamespacedElement(reference, TransformsTag)
	if enveloped {
		envelopedTransform := ctx.createNamespacedElement(transforms, TransformTag)
		envelopedTransform.CreateAttr(AlgorithmAttr, EnvelopedSignatureAltorithmId.String())
	}
	canonicalizationAlgorithm := ctx.createNamespacedElement(transforms, TransformTag)
	canonicalizationAlgorithm.CreateAttr(AlgorithmAttr, string(ctx.Canonicalizer.Algorithm()))

	// /SignedInfo/Reference/DigestMethod
	digestMethod := ctx.createNamespacedElement(reference, DigestMethodTag)
	digestMethod.CreateAttr(AlgorithmAttr, digestAlgorithmIdentifier)

	// /SignedInfo/Reference/DigestValue
	digestValue := ctx.createNamespacedElement(reference, DigestValueTag)
	digestValue.SetText(base64.StdEncoding.EncodeToString(digest))

	return signedInfo, nil
}

func (ctx *SigningContext) constructSignature(el *etree.Element, enveloped bool) (*etree.Element, error) {
	signedInfo, err := ctx.constructSignedInfo(el, enveloped)
	if err != nil {
		return nil, err
	}

	sig := &etree.Element{
		Tag:   SignatureTag,
		Space: ctx.Prefix,
	}

	xmlns := "xmlns"
	if ctx.Prefix != "" {
		xmlns += ":" + ctx.Prefix
	}

	sig.CreateAttr(xmlns, Namespace)

	sig.Child = append(sig.Child, signedInfo)

	// Must propagate down the attributes to the 'SignedInfo' before digesting
	for _, attr := range sig.Attr {
		signedInfo.CreateAttr(attr.Space+":"+attr.Key, attr.Value)
	}

	digest, err := ctx.digest(signedInfo)
	if err != nil {
		return nil, err
	}

	key, cert, err := ctx.KeyStore.GetKeyPair()
	if err != nil {
		return nil, err
	}

	rawSignature, err := rsa.SignPKCS1v15(rand.Reader, key, ctx.Hash, digest)
	if err != nil {
		return nil, err
	}

	signatureValue := ctx.createNamespacedElement(sig, SignatureValueTag)
	signatureValue.SetText(base64.StdEncoding.EncodeToString(rawSignature))

	keyInfo := ctx.createNamespacedElement(sig, KeyInfoTag)
	x509Data := ctx.createNamespacedElement(keyInfo, X509DataTag)
	x509Certificate := ctx.createNamespacedElement(x509Data, X509CertificateTag)
	x509Certificate.SetText(base64.StdEncoding.EncodeToString(cert))

	return sig, nil
}

func (ctx *SigningContext) createNamespacedElement(el *etree.Element, tag string) *etree.Element {
	child := el.CreateElement(tag)
	child.Space = ctx.Prefix
	return child
}

func (ctx *SigningContext) SignEnveloped(el *etree.Element) (*etree.Element, error) {
	sig, err := ctx.constructSignature(el, true)
	if err != nil {
		return nil, err
	}

	ret := el.Copy()
	ret.Child = append(ret.Child, sig)

	return ret, nil
}
vendor: revendor 2017-01-10 04:21:47 +05:30			`package dsig`

			`import (`
			`"crypto"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`_ "crypto/sha1"`
			`_ "crypto/sha256"`
			`"encoding/base64"`
			`"errors"`
			`"fmt"`

			`"github.com/beevik/etree"`
			`)`

			`type SigningContext struct {`
			`Hash crypto.Hash`
			`KeyStore X509KeyStore`
			`IdAttribute string`
			`Prefix string`
			`Canonicalizer Canonicalizer`
			`}`

			`func NewDefaultSigningContext(ks X509KeyStore) *SigningContext {`
			`return &SigningContext{`
			`Hash: crypto.SHA256,`
			`KeyStore: ks,`
			`IdAttribute: DefaultIdAttr,`
			`Prefix: DefaultPrefix,`
			`Canonicalizer: MakeC14N11Canonicalizer(),`
			`}`
			`}`

			`func (ctx *SigningContext) SetSignatureMethod(algorithmID string) error {`
			`hash, ok := signatureMethodsByIdentifier[algorithmID]`
			`if !ok {`
			`return fmt.Errorf("Unknown SignatureMethod: %s", algorithmID)`
			`}`

			`ctx.Hash = hash`

			`return nil`
			`}`

			`func (ctx SigningContext) digest(el etree.Element) ([]byte, error) {`
			`canonical, err := ctx.Canonicalizer.Canonicalize(el)`
			`if err != nil {`
			`return nil, err`
			`}`

			`hash := ctx.Hash.New()`
			`_, err = hash.Write(canonical)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return hash.Sum(nil), nil`
			`}`

			`func (ctx SigningContext) constructSignedInfo(el etree.Element, enveloped bool) (*etree.Element, error) {`
			`digestAlgorithmIdentifier, ok := digestAlgorithmIdentifiers[ctx.Hash]`
			`if !ok {`
			`return nil, errors.New("unsupported hash mechanism")`
			`}`

			`signatureMethodIdentifier, ok := signatureMethodIdentifiers[ctx.Hash]`
			`if !ok {`
			`return nil, errors.New("unsupported signature method")`
			`}`

			`digest, err := ctx.digest(el)`
			`if err != nil {`
			`return nil, err`
			`}`

			`signedInfo := &etree.Element{`
			`Tag: SignedInfoTag,`
			`Space: ctx.Prefix,`
			`}`

			`// /SignedInfo/CanonicalizationMethod`
			`canonicalizationMethod := ctx.createNamespacedElement(signedInfo, CanonicalizationMethodTag)`
			`canonicalizationMethod.CreateAttr(AlgorithmAttr, string(ctx.Canonicalizer.Algorithm()))`

			`// /SignedInfo/SignatureMethod`
			`signatureMethod := ctx.createNamespacedElement(signedInfo, SignatureMethodTag)`
			`signatureMethod.CreateAttr(AlgorithmAttr, signatureMethodIdentifier)`

			`// /SignedInfo/Reference`
			`reference := ctx.createNamespacedElement(signedInfo, ReferenceTag)`

vendor: revendor 2017-03-21 21:57:22 +05:30			`dataId := el.SelectAttrValue(ctx.IdAttribute, "")`
vendor: revendor 2017-01-10 04:21:47 +05:30			`if dataId == "" {`
			`return nil, errors.New("Missing data ID")`
			`}`

			`reference.CreateAttr(URIAttr, "#"+dataId)`

			`// /SignedInfo/Reference/Transforms`
			`transforms := ctx.createNamespacedElement(reference, TransformsTag)`
			`if enveloped {`
			`envelopedTransform := ctx.createNamespacedElement(transforms, TransformTag)`
			`envelopedTransform.CreateAttr(AlgorithmAttr, EnvelopedSignatureAltorithmId.String())`
			`}`
			`canonicalizationAlgorithm := ctx.createNamespacedElement(transforms, TransformTag)`
			`canonicalizationAlgorithm.CreateAttr(AlgorithmAttr, string(ctx.Canonicalizer.Algorithm()))`

			`// /SignedInfo/Reference/DigestMethod`
			`digestMethod := ctx.createNamespacedElement(reference, DigestMethodTag)`
			`digestMethod.CreateAttr(AlgorithmAttr, digestAlgorithmIdentifier)`

			`// /SignedInfo/Reference/DigestValue`
			`digestValue := ctx.createNamespacedElement(reference, DigestValueTag)`
			`digestValue.SetText(base64.StdEncoding.EncodeToString(digest))`

			`return signedInfo, nil`
			`}`

			`func (ctx SigningContext) constructSignature(el etree.Element, enveloped bool) (*etree.Element, error) {`
			`signedInfo, err := ctx.constructSignedInfo(el, enveloped)`
			`if err != nil {`
			`return nil, err`
			`}`

			`sig := &etree.Element{`
			`Tag: SignatureTag,`
			`Space: ctx.Prefix,`
			`}`

			`xmlns := "xmlns"`
			`if ctx.Prefix != "" {`
			`xmlns += ":" + ctx.Prefix`
			`}`

			`sig.CreateAttr(xmlns, Namespace)`

			`sig.Child = append(sig.Child, signedInfo)`

			`// Must propagate down the attributes to the 'SignedInfo' before digesting`
			`for _, attr := range sig.Attr {`
			`signedInfo.CreateAttr(attr.Space+":"+attr.Key, attr.Value)`
			`}`

			`digest, err := ctx.digest(signedInfo)`
			`if err != nil {`
			`return nil, err`
			`}`

			`key, cert, err := ctx.KeyStore.GetKeyPair()`
			`if err != nil {`
			`return nil, err`
			`}`

			`rawSignature, err := rsa.SignPKCS1v15(rand.Reader, key, ctx.Hash, digest)`
			`if err != nil {`
			`return nil, err`
			`}`

			`signatureValue := ctx.createNamespacedElement(sig, SignatureValueTag)`
			`signatureValue.SetText(base64.StdEncoding.EncodeToString(rawSignature))`

			`keyInfo := ctx.createNamespacedElement(sig, KeyInfoTag)`
			`x509Data := ctx.createNamespacedElement(keyInfo, X509DataTag)`
			`x509Certificate := ctx.createNamespacedElement(x509Data, X509CertificateTag)`
			`x509Certificate.SetText(base64.StdEncoding.EncodeToString(cert))`

			`return sig, nil`
			`}`

			`func (ctx SigningContext) createNamespacedElement(el etree.Element, tag string) *etree.Element {`
			`child := el.CreateElement(tag)`
			`child.Space = ctx.Prefix`
			`return child`
			`}`

			`func (ctx SigningContext) SignEnveloped(el etree.Element) (*etree.Element, error) {`
			`sig, err := ctx.constructSignature(el, true)`
			`if err != nil {`
			`return nil, err`
			`}`

			`ret := el.Copy()`
			`ret.Child = append(ret.Child, sig)`

			`return ret, nil`
			`}`