Documentation
Overview
Implements a useful subset of the xmldsig specification for creating signatures over XML documents.
Index
- Constants
- Variables
- func HashAlgorithm(hashAlg string) (string, crypto.Hash)
- func RemoveElements(root *etree.Element, tag string)
- func SerializeCanonical(oldroot *etree.Element) ([]byte, error)
- func Sign(root, parent *etree.Element, hash crypto.Hash, privKey crypto.Signer, ...) error
- func SignEnveloping(object *etree.Element, hash crypto.Hash, privKey crypto.Signer, ...) (*etree.Element, error)
- type SignOptions
- type Signature
Constants

const (
	NsXMLDsig     = "http://www.w3.org/2000/09/xmldsig#"
	NsXMLDsigMore = "http://www.w3.org/2001/04/xmldsig-more#"
	NsXMLEnc      = "http://www.w3.org/2001/04/xmlenc#"
	NsXsi         = "http://www.w3.org/2001/XMLSchema-instance"

	AlgXMLExcC14n             = "http://www.w3.org/2001/10/xml-exc-c14n#"
	AlgXMLExcC14nRec          = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" // draft version
	AlgDsigEnvelopedSignature = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
)
Variables
Functions
func RemoveElements
func RemoveElements(root *etree.Element, tag string)
Remove all child elements with this tag from the element.
func SerializeCanonical
func SerializeCanonical(oldroot *etree.Element) ([]byte, error)
Canonicalize a document starting from the given element and return the serialized bytes. Implements something vaguely like xml-exc-c14n: namespaces declared in parent nodes are pulled in, and namespaces not used in the element where they are declared are pushed further down to the elements that use them.
This is not a standards-conforming implementation. Use at your own peril.
func Sign
func Sign(root, parent *etree.Element, hash crypto.Hash, privKey crypto.Signer, certs []*x509.Certificate, opts SignOptions) error
Create an enveloped signature from the document rooted at "root", replacing any existing signature and adding it as a last child of "parent".
func SignEnveloping
func SignEnveloping(object *etree.Element, hash crypto.Hash, privKey crypto.Signer, certs []*x509.Certificate, opts SignOptions) (*etree.Element, error)
Build an enveloping Signature document around the given Object element.
Types
type SignOptions

type SignOptions struct {
	// Use non-standard namespace for SHA-256 found in Microsoft ClickOnce manifests
	MsCompatHashNames bool
	// Use REC namespace for c14n method instead of the finalized one
	UseRecC14n bool
	// Add the X509 certificate chain to the KeyInfo
	IncludeX509 bool
	// Add a KeyValue element with the public key
	IncludeKeyValue bool
}
type Signature

type Signature struct {
	PublicKey       crypto.PublicKey
	Certificates    []*x509.Certificate
	Hash            crypto.Hash
	EncryptedDigest []byte
	Reference       *etree.Element
}

func Verify
func Verify(root *etree.Element, sigpath string, extraCerts []*x509.Certificate) (*Signature, error)
Extract and verify an enveloped signature at the given root.
func (Signature) Leaf
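The two-layer structure that Sign produces and Verify checks (a Reference digest over the canonicalized content, and a signature over SignedInfo), shown as an added stand-alone example that is not this package's code. It uses only the standard library, treats its input bytes as already canonicalized (SerializeCanonical does that step in the package), and the signedInfo, sign and verify helpers are hypothetical names chosen for the illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// signedInfo builds a minimal SignedInfo element (hypothetical helper): the
// Reference carries only the digest of the signed content, so the signature
// below covers SignedInfo rather than the content itself.
func signedInfo(digest []byte) []byte {
	return []byte(`<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">` +
		`<Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>` +
		`<DigestValue>` + base64.StdEncoding.EncodeToString(digest) + `</DigestValue>` +
		`</Reference></SignedInfo>`)
}

// sign returns the DigestValue and SignatureValue for already-canonical bytes.
func sign(canon []byte, key crypto.Signer) (digest, sig []byte, err error) {
	d := sha256.Sum256(canon)
	si := sha256.Sum256(signedInfo(d[:]))
	sig, err = key.Sign(rand.Reader, si[:], crypto.SHA256)
	return d[:], sig, err
}

// verify checks both layers: the signature over SignedInfo, then the Reference
// digest against the content actually present. Skipping the second check would
// accept any content next to a genuine but unrelated signature.
func verify(canon, digest, sig []byte, pub *ecdsa.PublicKey) bool {
	si := sha256.Sum256(signedInfo(digest))
	if !ecdsa.VerifyASN1(pub, si[:], sig) {
		return false
	}
	d := sha256.Sum256(canon)
	return subtle.ConstantTimeCompare(d[:], digest) == 1
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte(`<Manifest xmlns="urn:example"><File name="a.dll"/></Manifest>`) // constructed sample
	digest, sig, _ := sign(doc, key)
	fmt.Println(verify(doc, digest, sig, &key.PublicKey))                   // true
	fmt.Println(verify([]byte(`<Manifest/>`), digest, sig, &key.PublicKey)) // false
}
```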
func (s Signature) Leaf() *x509.Certificate