
Handling signature in Assertions (POC) #27

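--- a/authnresponse.go
+++ b/authnresponse.go
@@ -59,7 +59,7 @@ func (r *Response) Validate(s *ServiceProviderSettings) error {
 return errors.New("no Assertions")
 }
 
-if len(r.Signature.SignatureValue.Value) == 0 {
+if len(r.Signature.SignatureValue.Value) == 0 && len(r.Assertion.Signature.SignatureValue.Value) == 0 {
 return errors.New("no signature")
 }
 
@@ -75,7 +75,12 @@ func (r *Response) Validate(s *ServiceProviderSettings) error {
 return errors.New("subject recipient mismatch, expected: " + s.AssertionConsumerServiceURL + " not " + r.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.Recipient)
 }
 
-err := VerifyResponseSignature(r.originalString, s.IDPPublicCertPath)
+var err error
+if s.SignaturesInAssertion {
+err = VerifyAssertionSignature(r.originalString, s.IDPPublicCertPath)
+} else {
+err = VerifyResponseSignature(r.originalString, s.IDPPublicCertPath)
+}
 if err != nil {
 return err
 }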
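Review bot: The widened precheck in the first hunk accepts a document as soon as either the Response or the Assertion carries a SignatureValue, but the second hunk verifies only the one selected by `s.SignaturesInAssertion`, so a document signed only at the level that is not selected passes the precheck and presumably fails later with the xmlsec1 error instead of the clear "no signature" one. Tying the precheck to the mode keeps the error path readable: `sigValue := r.Signature.SignatureValue.Value` then `if s.SignaturesInAssertion { sigValue = r.Assertion.Signature.SignatureValue.Value }` followed by the existing length check on `sigValue`. In assertion mode the element xmlsec1 verifies is located through `xmlAssertionID` while `r.Assertion` comes from the XML decoder, and nothing in the hunk ties the two together; a response carrying more than one Assertion element should be rejected, or the ID of the verified element compared with `r.Assertion`'s, before its Subject and Conditions are trusted. Validate starts and ends outside the hunks.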
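--- a/saml.go
+++ b/saml.go
@@ -13,6 +13,7 @@ type ServiceProviderSettings struct {
 IDPPublicCertPath string
 AssertionConsumerServiceURL string
 SPSignRequest bool
+SignaturesInAssertion bool
 
 hasInit bool
 publicCert string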
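Review bot: `SignaturesInAssertion` is added without a doc comment, and its effect is only discoverable from Validate in authnresponse.go, where it switches the check from the signature on the Response to the one on the Assertion. A one-line comment on the field, `// SignaturesInAssertion verifies the signature on the Assertion element instead of the one on the Response; a Response-level signature is then not checked.`, records that trade-off where the setting is configured. The struct's other fields are also uncommented, so the file's style does not require it, but a field that changes which signature is trusted is worth the exception.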
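--- a/types.go
+++ b/types.go
@@ -203,6 +203,7 @@ type Assertion struct {
 SAML string `xml:"saml,attr"`
 IssueInstant string `xml:"IssueInstant,attr"`
 Issuer Issuer `xml:"Issuer"`
+Signature Signature
 Subject Subject
 Conditions Conditions
 AttributeStatement AttributeStatement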
12 changes: 10 additions & 2 deletions xmlsec.go
Expand Up @@ -9,8 +9,9 @@ import (
)

const (
xmlResponseID = "urn:oasis:names:tc:SAML:2.0:protocol:Response"
xmlRequestID = "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest"
xmlResponseID = "urn:oasis:names:tc:SAML:2.0:protocol:Response"
xmlRequestID = "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest"
xmlAssertionID = "urn:oasis:names:tc:SAML:2.0:assertion:Assertion"
)

// SignRequest sign a SAML 2.0 AuthnRequest
Expand Down Expand Up @@ -77,6 +78,13 @@ func VerifyRequestSignature(xml string, publicCertPath string) error {
return verify(xml, publicCertPath, xmlRequestID)
}

// VerifyAssertionSignature verify signature of a SAML 2.0 Response document
// `publicCertPath` must be a path on the filesystem, xmlsec1 is run out of process
// through `exec`
func VerifyAssertionSignature(xml string, publicCertPath string) error {
return verify(xml, publicCertPath, xmlAssertionID)
}

func verify(xml string, publicCertPath string, id string) error {
//Write saml to
samlXmlsecInput, err := ioutil.TempFile(os.TempDir(), "tmpgs")
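Review bot: The doc comment on the new VerifyAssertionSignature in the second hunk says it verifies a `Response document`, which was carried over from VerifyResponseSignature; it should read `// VerifyAssertionSignature verify signature of a SAML 2.0 Assertion element`. The `publicCertPath` and `exec` sentences still apply and can stay. The body delegates to verify with `xmlAssertionID`, and how verify uses that value is outside the hunk; a short remark next to the new constant in the first hunk saying it is presumably the ID-attribute namespace handed to xmlsec1 would save the next reader a trip into verify, if that is indeed how it is used.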