How do I verify an xml document containing a signature and X.509 data?


Peter Kleiweg

Jan 16, 2015, 5:45:28 PM1/16/15
to golan...@googlegroups.com
I have an XML file. It is *possibly* a response in SAML format from an SSO (single sign-on service).

The XML file contains a signature value and an X509 certificate.

I also have a public certificate file from the SSO.

I know the certificate file from the SSO is genuine.

How do I determine if the XML file really is from the SSO?

Here is an example: 

andrey mirtchovski

Jan 16, 2015, 5:58:50 PM1/16/15
to Peter Kleiweg, golang-nuts
> I have an XML file. It is *possibly* a response in SAML format from an SSO
> (single sign-on service).

I haven't seen a package that does that. I'm using cgo and linking
with xmlsec. Another package that I've seen uses the xmlsec1 command
to do that: https://github.com/mattbaird/gosaml

I wish it was something I could implement natively, though:
http://www.w3.org/TR/xmldsig-core/

Peter Kleiweg

Jan 16, 2015, 6:10:22 PM1/16/15
to golan...@googlegroups.com, pkle...@xs4all.nl
On Friday, January 16, 2015 at 23:58:50 UTC+1, andrey mirtchovski wrote:

> I wish it was something I could implement natively, though:
> http://www.w3.org/TR/xmldsig-core/

Go has crypto/x509, encoding/pem, and encoding/xml. Aren't those enough? I just don't know how to use them in this situation.

andrey mirtchovski

Jan 16, 2015, 6:14:40 PM1/16/15
to Peter Kleiweg, golang-nuts
Me neither. I was just following xmlsec's suggestions to get around
it. Now that my interest has been piqued I'll follow this discussion
to see if it can be done.

Peter Kleiweg

Jan 16, 2015, 6:31:30 PM1/16/15
to golan...@googlegroups.com, pkle...@xs4all.nl
On Friday, January 16, 2015 at 23:58:50 UTC+1, andrey mirtchovski wrote:
> > I have an XML file. It is *possibly* a response in SAML format from an SSO
> > (single sign-on service).
>
> I haven't seen a package that does that. I'm using cgo and linking
> with xmlsec. Another package that I've seen uses the xmlsec1 command
> to do that: https://github.com/mattbaird/gosaml

I have looked at gosaml. It doesn't use xmlsec1. It's pure Go. But it doesn't do verification.

Peter Kleiweg

Jan 16, 2015, 7:44:19 PM1/16/15
to golan...@googlegroups.com, pkle...@xs4all.nl
On Saturday, January 17, 2015 at 00:31:30 UTC+1, Peter Kleiweg wrote:
Ah, I thought you meant it links with a C library. But it uses the external program xmlsec1. That works for verification too.

andrey mirtchovski

Jan 16, 2015, 7:44:59 PM1/16/15
to Peter Kleiweg, golang-nuts
> I have looked at gosaml. It doesn't use xmlsec1. It's pure Go. But it
> doesn't do verification.

I looked only briefly and this made me think it wasn't:

https://github.com/mattbaird/gosaml/blob/master/authnrequest.go#L242

Nonetheless, I'll try to research it this weekend and see what can be
done with just Go's primitives.

Eric Johnson

Jan 20, 2015, 4:03:34 PM1/20/15
to golan...@googlegroups.com, pkle...@xs4all.nl
xmlsec is a major, serious, crazy, difficult-to-implement specification.

At least, the fully conformant spec is. Because along the path to signing something (or verifying the signature for something), you can "transform" the XML. Which can involve XPath selection, XSLT transforms, and one of multiple forms of canonicalization. I did some work related to the Apache Santuario project, and was surprised along the way to discover that to be fully conformant, you need XPath 1.0 and XSLT 1.0 support. So - not an easy task to re-implement. And certainly, the Go primitives aren't going to get you there.

Eric.