Package: github.com/russellhaering/goxmldsig (module package)
Version: 1.4.0
Repository: https://github.com/russellhaering/goxmldsig.git
Documentation: pkg.go.dev

# README

goxmldsig

XML Digital Signatures implemented in pure Go.

Installation

Install goxmldsig using go get:

$ go get github.com/russellhaering/goxmldsig

Usage

Include the types.Signature struct from this package in your application messages.

import (
    sigtypes "github.com/russellhaering/goxmldsig/types"
)

type AppHdr struct {
    ...
    Signature *sigtypes.Signature
}

Signing

package main

import (
    "fmt"

    "github.com/beevik/etree"
    dsig "github.com/russellhaering/goxmldsig"
)

func main() {
    // Generate a throwaway key and self-signed certificate for signing.
    // RandomKeyStoreForTest is intended for tests; production code should
    // supply its own X509KeyStore implementation backed by a real key and
    // certificate.
    randomKeyStore := dsig.RandomKeyStoreForTest()
    ctx := dsig.NewDefaultSigningContext(randomKeyStore)
    elementToSign := &etree.Element{
        Tag: "ExampleElement",
    }
    elementToSign.CreateAttr("ID", "id1234")

    // Sign the element. The enveloped signature's Reference URI will point
    // at the ID attribute set above.
    signedElement, err := ctx.SignEnveloped(elementToSign)
    if err != nil {
        panic(err)
    }

    // Serialize the signed element. It is important not to modify the element
    // after it has been signed - even pretty-printing the XML will invalidate
    // the signature.
    doc := etree.NewDocument()
    doc.SetRoot(signedElement)
    str, err := doc.WriteToString()
    if err != nil {
        panic(err)
    }

    fmt.Println(str)
}

Signature Validation

import (
    "crypto/x509"
    "fmt"

    "github.com/beevik/etree"
    dsig "github.com/russellhaering/goxmldsig"
)

// Validate an element against a root certificate
func validate(root *x509.Certificate, el *etree.Element) {
    // Construct a validation context with one or more roots of trust.
    ctx := dsig.NewDefaultValidationContext(&dsig.MemoryX509CertificateStore{
        Roots: []*x509.Certificate{root},
    })

    // It is important to only use the returned validated element, never the
    // element that was passed in: only the returned subtree is covered by
    // the verified signature.
    // See: https://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed
    validated, err := ctx.Validate(el)
    if err != nil {
        panic(err)
    }

    doc := etree.NewDocument()
    doc.SetRoot(validated)
    str, err := doc.WriteToString()
    if err != nil {
        panic(err)
    }

    fmt.Println(str)
}

Limitations

This library was created in order to implement SAML 2.0 without needing to execute a command line tool to create and validate signatures. It currently only implements the subset of relevant standards needed to support that implementation, but I hope to make it more complete over time. Contributions are welcome.

# Functions

MakeC14N10ExclusiveCanonicalizerWithPrefixList constructs an exclusive Canonicalizer from a PrefixList in NMTOKENS format (a white space separated list).
MakeC14N10ExclusiveWithCommentsCanonicalizerWithPrefixList constructs an exclusive Canonicalizer from a PrefixList in NMTOKENS format (a white space separated list).
MakeC14N10RecCanonicalizer constructs an inclusive canonicalizer.
MakeC14N10WithCommentsCanonicalizer constructs an inclusive canonicalizer.
MakeC14N11Canonicalizer constructs an inclusive canonicalizer.
MakeC14N11WithCommentsCanonicalizer constructs an inclusive canonicalizer.
NewSigningContext creates a new signing context with the given signer and certificate chain.

# Variables

ErrMissingSignature indicates that no enveloped signature was found referencing the top level element passed for signature verification.

# Structs

Clock wraps a clockwork.Clock (which could be real or fake) in order to default to a real clock when a nil *Clock is used.

# Interfaces

Canonicalizer is an implementation of a canonicalization algorithm.

# Type aliases

TLSCertKeyStore wraps the stdlib tls.Certificate to return its contained key and certs.