Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- package main
- import (
- "crypto/tls"
- "io/ioutil"
- "log"
- "github.com/beevik/etree"
- "github.com/russellhaering/goxmldsig"
- )
- func failOnError(err error, msg string) {
- if err != nil {
- log.Fatalf("%s: %s", msg, err)
- }
- }
- func main() {
- certBytes := []byte(`-----BEGIN CERTIFICATE-----
- MIID3TCCAsWgAwIBAgIJAKMxnSbqmztEMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
- VQQGEwJHQjETMBEGA1UECAwKQmlybWluZ2hhbTETMBEGA1UEBwwKQmlybWluZ2hh
- bTEOMAwGA1UECgwFVGFsaXMxDjAMBgNVBAsMBVRhbGlzMQ4wDAYDVQQDDAVUYWxp
- czEbMBkGCSqGSIb3DQEJARYMbXdAdGFsaXMuY29tMB4XDTE3MDgwODIxNTA0NFoX
- DTI3MDgwNjIxNTA0NFowgYQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApCaXJtaW5n
- aGFtMRMwEQYDVQQHDApCaXJtaW5naGFtMQ4wDAYDVQQKDAVUYWxpczEOMAwGA1UE
- CwwFVGFsaXMxDjAMBgNVBAMMBVRhbGlzMRswGQYJKoZIhvcNAQkBFgxtd0B0YWxp
- cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfyQiwTxAbc6HJ
- 6aB6NrmDYoVUBqWZ4njZyQqnhf0ZvpqGh8ppMiXjiuJjn72pJYHnOqRQNgJDNhAZ
- X5KtJ/YI4XbOruJU3TWX/KnGn7l8TJ5FFmnJWHohJ0f9/+uVv0hivRkSVUwh+q2e
- TpKNypNu2Kf8iiGW3dMOY1CYWxWnksM1xoaWKV3mWgMqRqcj4kyLT1t8UctOhKhg
- m04HPNTeFCkcmH3IuIiVAi3uVU+zDKec8+cxSHHmnm0iphm8jpT0OjNSGWt7F7+N
- NhIa2FOI+Lz6t+VU0WToWnB16qJIhMGcIGPZR7fp/di/0h9Huc+GJBNfbgdVEYiv
- 7DuF28zzAgMBAAGjUDBOMB0GA1UdDgQWBBRjnMEGZsZR+cSX5/UJcwAZULsKijAf
- BgNVHSMEGDAWgBRjnMEGZsZR+cSX5/UJcwAZULsKijAMBgNVHRMEBTADAQH/MA0G
- CSqGSIb3DQEBCwUAA4IBAQBNrPOgLt1bZPO8283HddeASfzoVK40qqBP0HgLihja
- VvABPRkE2046lka6MSDXJTpbg9rMT/JDplWea4gCroD+UX79W/r2WBEHgJ63piq+
- wVFoxB4S8IgbQi2N5CEM/yLexWq9O2YDl7gemRc1EES01x64YBlBgHGpMvc6NyjD
- ecMdTmUAXgNTTGKlpistVRtArQHaqw3FJE3LfoyEx9fP0joA7Q5U7Z6pvveYXEHl
- fSoCeI4UUPOlAGBOR5VWnDYuS+FwB9RIcegycxB12Sd+RLxojpFg6VSk2SSiG9/4
- u02uKxgXiZ7/41lHjoTHS9BOoPOT0ZD8C7Goeg8OAMgs
- -----END CERTIFICATE-----`)
- keyBytes := []byte(`-----BEGIN RSA PRIVATE KEY-----
- MIIEowIBAAKCAQEAn8kIsE8QG3Ohyemgeja5g2KFVAalmeJ42ckKp4X9Gb6ahofK
- aTIl44riY5+9qSWB5zqkUDYCQzYQGV+SrSf2COF2zq7iVN01l/ypxp+5fEyeRRZp
- yVh6ISdH/f/rlb9IYr0ZElVMIfqtnk6SjcqTbtin/Iohlt3TDmNQmFsVp5LDNcaG
- lild5loDKkanI+JMi09bfFHLToSoYJtOBzzU3hQpHJh9yLiIlQIt7lVPswynnPPn
- MUhx5p5tIqYZvI6U9DozUhlrexe/jTYSGthTiPi8+rflVNFk6FpwdeqiSITBnCBj
- 2Ue36f3Yv9IfR7nPhiQTX24HVRGIr+w7hdvM8wIDAQABAoIBADrEjdWKvrnaBZ9l
- tgg9KG4SRkdpSm8WxKwVLT4AId7eI6dnOiMGtrjB1BIgJnmXufd5sgVuV9awg6tR
- Y3kcQXlys2fBGq1rztJfs3HCPU5iP7PZUn8jc4fOEsRw5AznlY/7TMVZae71a/XV
- oEFWSHN0bBSOGVyLqZyZGoNuvMAsvZ7ObmfAddLQerPV0nOvv9X332wgo2a+8rnb
- NHqcZOLdmGjJRkBbAd0IHFciynb1YlhHIEObmZzD8LVFV0UxhhPDHbRwmrj1T2+j
- u9U3rBduJKG+mQxelLOLUB6CNbvcyNtj3wAnyq6IVA9qb/CLXJbEhTgnvNTLnYA3
- FJxZysECgYEAzw67MVhQY1VZnN49NiXhhl6ypVIlp3fKOUMMZVgiUeSDPSs4Un9q
- ABoFBHT9x/Rs6repl/Yr6V3o8uWz/7V7yArom9/yhErunW8bORfiGVUqibYIKi51
- qNJMpamQGI/Uw2AbKCjKhpnCcRjt0YTfuTWXxAxOPYNJZqXEvUaUoNUCgYEAxY3P
- H07aR2zTDfjvddG2eieaMLoaTWSuGTUH1P7KplQHEsoE135PyLayzYy5I2HX+JDn
- fUDDWXWeI4+NdGdUnRrXOedr/Rewu8RZFxxqBV0TJhmTJzGpoun08YXkj7CBCs60
- faohJS5iSpi39XNf2k5/RJHGm2FePfPYQR7sWqcCgYEAx6LYcZdIyr18DXdpZU/Y
- xgmADU3K6FDjNZqj1QLI9FRzBQMq5r/aoAZ2V/nExomwig5TAiVj6TmWZLt8dUux
- 8QozhDbESTFGJ5z8jmusn+gxf113OdRZtVAufnuiZ0wmQ8nh5TKPMoAFra3vfley
- rYwyq9+BgGWY29NwgV4P55ECgYB5ThRqkw6xYP9PyxWu8PDtnTeux/eyoinNTKTc
- gv+Ilnwpa2cBs4vmIVk1oj1knoXxGXkrjgLmAbTy/QjM+04Xkg2qfpHuvQdGpNBX
- wpjPZlGFyZp0LKiPYr2HOMIaATWbn0VxDHCB1jOAvrnmu8uVzzGStziO3IDz5bFa
- e1SCbQKBgGNUKKppH7BYDMrb+dqRsB6YI5mFlHZoDhVWkPgDba8klp/NvhTI8ACu
- URVaPLlgTRdiG2Q5NVDYPpTrhsCbKwE6HeshNKqhL/VsrK77/oSpSQHeLf88oBV2
- rDFpN/In31Wp6c+C4crPQNSWZ9jMohHQkCFOUAyBc6UzcqCa4vqd
- -----END RSA PRIVATE KEY-----`)
- xmlBytes := []byte(`<EntitiesDescriptor Name="https://your-federation.org/metadata/federation-name.xml" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"><IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol"><Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></Extensions><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNVq1og9SGCUU2yRL1tC+Y=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO" /><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO" /><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" /></IDPSSODescriptor><AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNVq1og9SGCUU2yRL1tC+Y= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" /><AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" /><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat></AttributeAuthorityDescriptor><Organization><OrganizationName xml:lang="en">Your Identities</OrganizationName><OrganizationDisplayName xml:lang="en"> Your Identities</OrganizationDisplayName><OrganizationURL xml:lang="en">http://www.example.org/</OrganizationURL></Organization><ContactPerson contactType="technical"><GivenName>Your</GivenName><SurName>Contact</SurName><EmailAddress>admin@example.org</EmailAddress></ContactPerson></EntityDescriptor><EntityDescriptor entityID="https://sp.example.org/shibboleth-sp"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"><Extensions><idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://sp.example.org/Shibboleth.sso/DS"/><idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" index="2" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp.example.org/Shibboleth.sso/DS"/></Extensions><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEVInh+vYSYngQB2sx9LGkR9KHaMKNIGCDehk93Xla4pWJx1w== </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/><AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/><AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/><AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/><AssertionConsumerService index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/></SPSSODescriptor><Organization><OrganizationName xml:lang="en">Your Service</OrganizationName><OrganizationDisplayName xml:lang="en">Your Service</OrganizationDisplayName><OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL></Organization><ContactPerson contactType="technical"><GivenName>Your</GivenName><SurName>Admin</SurName><EmailAddress>admin@example.org</EmailAddress></ContactPerson></EntityDescriptor></EntitiesDescriptor>`)
- keyPair, err := tls.X509KeyPair(certBytes, keyBytes)
- failOnError(err, "invalided to load keypair")
- keyStore := dsig.TLSCertKeyStore(keyPair)
- signingContext := dsig.NewDefaultSigningContext(keyStore)
- signingContext.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
- err = signingContext.SetSignatureMethod(dsig.RSASHA256SignatureMethod)
- failOnError(err, "failed to set signature method")
- readXMLDoc := etree.NewDocument()
- err = readXMLDoc.ReadFromBytes(xmlBytes)
- failOnError(err, "cannot parse xml")
- elementToSign := readXMLDoc.Root()
- elementToSign.CreateAttr("ID", "id1234")
- signedElement, err := signingContext.SignEnveloped(elementToSign)
- failOnError(err, "failed to sign envelop")
- var signedAssertionBuf []byte
- {
- readXMLDoc.SetRoot(signedElement)
- signedAssertionBuf, err = readXMLDoc.WriteToBytes()
- failOnError(err, "failed to convert doc to bytes")
- }
- ioutil.WriteFile("/tmp/test/example.xml", signedAssertionBuf, 0775)
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement