
goxmldsig


XML Digital Signatures implemented in pure Go.

Installation

Install goxmldsig into your $GOPATH using go get:

$ go get github.com/russellhaering/goxmldsig

Usage

Signing

package main

import (
    "fmt"

    "github.com/beevik/etree"
    "github.com/russellhaering/goxmldsig"
)

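// main signs a small example element with a throwaway key and prints the
// resulting XML. It panics on any error, which is acceptable for a README
// example but not for library code.
func main() {
    // Generate a key and self-signed certificate for signing. As the name
    // says, this keystore is meant for tests and demos; a real deployment
    // supplies a keystore backed by its own signing key (see keystore.go /
    // tls_keystore.go in this package).
    randomKeyStore := dsig.RandomKeyStoreForTest()
    ctx := dsig.NewDefaultSigningContext(randomKeyStore)
    elementToSign := &etree.Element{
        Tag: "ExampleElement",
    }
    // Give the element an ID attribute before signing it.
    elementToSign.CreateAttr("ID", "id1234")

    // Sign the element
    signedElement, err := ctx.SignEnveloped(elementToSign)
    if err != nil {
        panic(err)
    }

    // Serialize the signed element. It is important not to modify the element
    // after it has been signed - even pretty-printing the XML will invalidate
    // the signature.
    doc := etree.NewDocument()
    doc.SetRoot(signedElement)
    str, err := doc.WriteToString()
    if err != nil {
        panic(err)
    }

    // fmt.Println writes to stdout; the builtin println writes to stderr and
    // the language spec does not guarantee it, so it is not suitable even for
    // example output.
    fmt.Println(str)
}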

Signature Validation

// validate checks the signature on el against the single root certificate
// root and prints the validated element. Any failure panics, which is fine
// for a README example only.
func validate(root *x509.Certificate, el *etree.Element) {
    // Build a validation context whose trust store holds the supplied root
    // (one or more roots of trust may be listed here).
    trust := &dsig.MemoryX509CertificateStore{
        Roots: []*x509.Certificate{root},
    }
    ctx := dsig.NewDefaultValidationContext(trust)

    // Only the element returned by Validate may be used afterwards; the input
    // element is not what was verified.
    // See: https://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed
    validated, err := ctx.Validate(el)
    if err != nil {
        panic(err)
    }

    out := etree.NewDocument()
    out.SetRoot(validated)
    serialized, err := out.WriteToString()
    if err != nil {
        panic(err)
    }

    println(serialized)
}

Limitations

This library was created in order to implement SAML 2.0 without needing to execute a command line tool to create and validate signatures. It currently only implements the subset of relevant standards needed to support that implementation, but I hope to make it more complete over time. Contributions are welcome.