Commit 5ddbb622-f2ef-41b9-b314-5e0ed3b9dccd/main - golang-github-russellhaering-goxmldsig

+4

-0

.travis.yml less more

	0	arch:
	1	- amd64
	2	- ppc64le
	3
0	4	language: go
1	5
2	6	go:

+21

-5

canonicalize.go less more

10	10	type Canonicalizer interface {
11	11	Canonicalize(el *etree.Element) ([]byte, error)
12	12	Algorithm() AlgorithmID
	13	}
	14
	15	type NullCanonicalizer struct {
	16	}
	17
	18	func MakeNullCanonicalizer() Canonicalizer {
	19	return &NullCanonicalizer{}
	20	}
	21
	22	func (c *NullCanonicalizer) Algorithm() AlgorithmID {
	23	return AlgorithmID("NULL")
	24	}
	25
	26	func (c NullCanonicalizer) Canonicalize(el etree.Element) ([]byte, error) {
	27	scope := make(map[string]struct{})
	28	return canonicalSerialize(canonicalPrep(el, scope, false))
13	29	}
14	30
15	31	type c14N10ExclusiveCanonicalizer struct {

48	64	// Canonicalize transforms the input Element into a serialized XML document in canonical form.
49	65	func (c c14N11Canonicalizer) Canonicalize(el etree.Element) ([]byte, error) {
50	66	scope := make(map[string]struct{})
51		return canonicalSerialize(canonicalPrep(el, scope))
	67	return canonicalSerialize(canonicalPrep(el, scope, true))
52	68	}
53	69
54	70	func (c *c14N11Canonicalizer) Algorithm() AlgorithmID {

65	81	// Canonicalize transforms the input Element into a serialized XML document in canonical form.
66	82	func (c c14N10RecCanonicalizer) Canonicalize(el etree.Element) ([]byte, error) {
67	83	scope := make(map[string]struct{})
68		return canonicalSerialize(canonicalPrep(el, scope))
	84	return canonicalSerialize(canonicalPrep(el, scope, true))
69	85	}
70	86
71	87	func (c *c14N10RecCanonicalizer) Algorithm() AlgorithmID {

82	98	// Canonicalize transforms the input Element into a serialized XML document in canonical form.
83	99	func (c c14N10CommentCanonicalizer) Canonicalize(el etree.Element) ([]byte, error) {
84	100	scope := make(map[string]struct{})
85		return canonicalSerialize(canonicalPrep(el, scope))
	101	return canonicalSerialize(canonicalPrep(el, scope, true))
86	102	}
87	103
88	104	func (c *c14N10CommentCanonicalizer) Algorithm() AlgorithmID {

115	131	//
116	132	// TODO(russell_h): This is very similar to excCanonicalPrep - perhaps they should
117	133	// be unified into one parameterized function?
118		func canonicalPrep(el etree.Element, seenSoFar map[string]struct{}) etree.Element {
	134	func canonicalPrep(el etree.Element, seenSoFar map[string]struct{}, strip bool) etree.Element {
119	135	_seenSoFar := make(map[string]struct{})
120	136	for k, v := range seenSoFar {
121	137	_seenSoFar[k] = v

140	156	for i, token := range ne.Child {
141	157	childElement, ok := token.(*etree.Element)
142	158	if ok {
143		ne.Child[i] = canonicalPrep(childElement, _seenSoFar)
	159	ne.Child[i] = canonicalPrep(childElement, _seenSoFar, strip)
144	160	}
145	161	}
146	162

+6

-0

debian/changelog less more

	0	golang-github-russellhaering-goxmldsig (1.1.0+git20201210.1.3541f5e-1) UNRELEASED; urgency=low
	1
	2	* New upstream snapshot.
	3
	4	-- Debian Janitor <janitor@jelmer.uk> Thu, 10 Jun 2021 23:09:05 -0000
	5
0	6	golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
1	7
2	8	* New upstream release (Closes: #971615)

+5

-4

sign.go less more

91	91
92	92	dataId := el.SelectAttrValue(ctx.IdAttribute, "")
93	93	if dataId == "" {
94		return nil, errors.New("Missing data ID")
95		}
96
97		reference.CreateAttr(URIAttr, "#"+dataId)
	94	reference.CreateAttr(URIAttr, "")
	95	} else {
	96	reference.CreateAttr(URIAttr, "#"+dataId)
	97	}
	98
98	99
99	100	// /SignedInfo/Reference/Transforms
100	101	transforms := ctx.createNamespacedElement(reference, TransformsTag)

+0

-11

sign_test.go less more

95	95
96	96	_, err := ctx.SignEnveloped(authnRequest)
97	97	require.Error(t, err)
98
99		randomKeyStore = RandomKeyStoreForTest()
100		ctx = NewDefaultSigningContext(randomKeyStore)
101
102		authnRequest = &etree.Element{
103		Space: "samlp",
104		Tag: "AuthnRequest",
105		}
106
107		_, err = ctx.SignEnveloped(authnRequest)
108		require.Error(t, err)
109	98	}
110	99
111	100	func TestSignNonDefaultID(t *testing.T) {

+14

-16

validate.go less more

110	110	ref types.Reference) (etree.Element, Canonicalizer, error) {
111	111	transforms := ref.Transforms.Transforms
112	112
113		if len(transforms) != 2 {
114		return nil, nil, errors.New("Expected Enveloped and C14N transforms")
115		}
116
117	113	// map the path to the passed signature relative to the passed root, in
118	114	// order to enable removal of the signature by an enveloped signature
119	115	// transform

156	152	}
157	153
158	154	if canonicalizer == nil {
159		return nil, nil, errors.New("Expected canonicalization transform")
	155	canonicalizer = MakeNullCanonicalizer()
160	156	}
161	157
162	158	return el, canonicalizer, nil

233	229	}
234	230
235	231	func (ctx ValidationContext) validateSignature(el etree.Element, sig types.Signature, cert x509.Certificate) (*etree.Element, error) {
236		idAttr := el.SelectAttr(ctx.IdAttribute)
237		if idAttr == nil \|\| idAttr.Value == "" {
238		return nil, errors.New("Missing ID attribute")
	232	idAttrEl := el.SelectAttr(ctx.IdAttribute)
	233	idAttr := ""
	234	if idAttrEl != nil {
	235	idAttr = idAttrEl.Value
239	236	}
240	237
241	238	var ref *types.Reference
242	239
243	240	// Find the first reference which references the top-level element
244	241	for _, _ref := range sig.SignedInfo.References {
245		if _ref.URI == "" \|\| _ref.URI[1:] == idAttr.Value {
	242	if _ref.URI == "" \|\| _ref.URI[1:] == idAttr {
246	243	ref = &_ref
247	244	}
248	245	}

317	314
318	315	// findSignature searches for a Signature element referencing the passed root element.
319	316	func (ctx ValidationContext) findSignature(root etree.Element) (*types.Signature, error) {
320		idAttr := root.SelectAttr(ctx.IdAttribute)
321		if idAttr == nil \|\| idAttr.Value == "" {
322		return nil, errors.New("Missing ID attribute")
	317	idAttrEl := root.SelectAttr(ctx.IdAttribute)
	318	idAttr := ""
	319	if idAttrEl != nil {
	320	idAttr = idAttrEl.Value
323	321	}
324	322
325	323	var sig *types.Signature

365	363	canonicalSignedInfo = detachedSignedInfo
366	364
367	365	case CanonicalXML11AlgorithmId:
368		canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
	366	canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
369	367
370	368	case CanonicalXML10RecAlgorithmId:
371		canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
	369	canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
372	370
373	371	case CanonicalXML10CommentAlgorithmId:
374		canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
	372	canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
375	373
376	374	default:
377	375	return fmt.Errorf("invalid CanonicalizationMethod on Signature: %s", c14NAlgorithm)

402	400	// Traverse references in the signature to determine whether it has at least
403	401	// one reference to the top level element. If so, conclude the search.
404	402	for _, ref := range _sig.SignedInfo.References {
405		if ref.URI == "" \|\| ref.URI[1:] == idAttr.Value {
	403	if ref.URI == "" \|\| ref.URI[1:] == idAttr {
406	404	sig = _sig
407	405	return etreeutils.ErrTraversalHalted
408	406	}