
Copyright 2016 Russell Haering et al.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2016 Russell Haering et al.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2016 Russell Haering et al.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2016 Russell Haering et al.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Constants

// Well-known public-key (key transport) encryption method URIs from the
// XML Encryption 1.0 and 1.1 specifications.
const (
	// MethodRSAOAEP is RSA-OAEP with MGF1 as defined in XML Encryption 1.0.
	MethodRSAOAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

	// MethodRSAOAEP2 is RSA-OAEP as defined in XML Encryption 1.1.
	MethodRSAOAEP2 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"

	// MethodRSAv1_5 is RSA PKCS#1 v1.5 key transport. It is kept for
	// interoperability with older identity providers; the OAEP methods
	// are the preferred choice where the peer supports them.
	MethodRSAv1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
)

Well-known public-key encryption methods

// Well-known symmetric (data) encryption method URIs from XML Encryption.
const (
	// MethodAES128GCM is AES-128 in GCM mode (XML Encryption 1.1), the only
	// method in this set that authenticates the ciphertext itself.
	MethodAES128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"

	// MethodAES128CBC is AES-128 in CBC mode. CBC provides confidentiality
	// only; integrity of the ciphertext has to come from the XML signature
	// over the enclosing document.
	MethodAES128CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

	// MethodAES256CBC is AES-256 in CBC mode; the same integrity caveat
	// as for MethodAES128CBC applies.
	MethodAES256CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

	// MethodTripleDESCBC is Triple DES in CBC mode, a legacy method kept
	// for interoperability with older deployments.
	MethodTripleDESCBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
)

Well-known symmetric (private-key) encryption methods

// Well-known digest (hash) method URIs.
//
// NOTE(review): XML Encryption defines the SHA-256 and SHA-512 digest
// identifiers in its own namespace (http://www.w3.org/2001/04/xmlenc#sha256
// and #sha512); confirm that the xmldsig-namespace URIs below match what
// the peers this library talks to actually emit.
const (
	// MethodSHA1 identifies SHA-1. It is retained for interoperability
	// with older deployments; SHA-256 or SHA-512 is preferable where the
	// peer supports it.
	MethodSHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

	// MethodSHA256 identifies SHA-256.
	MethodSHA256 = "http://www.w3.org/2000/09/xmldsig#sha256"

	// MethodSHA512 identifies SHA-512.
	MethodSHA512 = "http://www.w3.org/2000/09/xmldsig#sha512"
)

Well-known hash methods

Variables

This section is empty.

Functions

This section is empty.

Types

type Assertion

// Assertion is a SAML 2.0 <Assertion> element from the assertion
// namespace. The nested elements are pointers that stay nil when the
// corresponding element is absent from the document, so callers must
// nil-check before dereferencing. SignatureValidated is tagged `xml:"-"`:
// it is neither read from the document nor marshalled, so a parsed
// document cannot set it; only Go code can, presumably after the
// signature has been verified.
type Assertion struct {
	XMLName            xml.Name            `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Version            string              `xml:"Version,attr"`
	ID                 string              `xml:"ID,attr"`
	IssueInstant       time.Time           `xml:"IssueInstant,attr"`
	Issuer             *Issuer             `xml:"Issuer"`
	Signature          *Signature          `xml:"Signature"`
	Subject            *Subject            `xml:"Subject"`
	Conditions         *Conditions         `xml:"Conditions"`
	AttributeStatement *AttributeStatement `xml:"AttributeStatement"`
	AuthnStatement     *AuthnStatement     `xml:"AuthnStatement"`
	SignatureValidated bool                `xml:"-"` // not read from XML, not dumped to XML; set only by Go code
}

type Attribute

// Attribute is a SAML 2.0 <Attribute> element together with its
// <AttributeValue> children. FriendlyName, Name and NameFormat come from
// the element's attributes and are empty strings when absent.
type Attribute struct {
	XMLName      xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:assertion Attribute"`
	FriendlyName string           `xml:"FriendlyName,attr"`
	Name         string           `xml:"Name,attr"`
	NameFormat   string           `xml:"NameFormat,attr"`
	Values       []AttributeValue `xml:"AttributeValue"`
}

type AttributeStatement

// AttributeStatement groups the <Attribute> elements of an Assertion.
// Attributes is nil when the statement carries none.
type AttributeStatement struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeStatement"`
	Attributes []Attribute `xml:"Attribute"`
}

type AttributeValue

// AttributeValue is one <AttributeValue> element; Value holds its
// character data.
//
// NOTE(review): encoding/xml matches attributes by local name, so the
// prefixed tag name "xsi:type" may never bind on decode — confirm that
// Type is actually populated before relying on it.
type AttributeValue struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeValue"`
	Type    string   `xml:"xsi:type,attr"`
	Value   string   `xml:",chardata"`
}

type Audience

// Audience is one <Audience> element inside an AudienceRestriction or a
// ProxyRestriction; Value is the element's character data.
type Audience struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`
	Value   string   `xml:",chardata"`
}

type AudienceRestriction

// AudienceRestriction lists the <Audience> elements of one
// <AudienceRestriction>; an assertion's Conditions may carry several of
// these.
type AudienceRestriction struct {
	XMLName   xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`
	Audiences []Audience `xml:"Audience"`
}

type AuthnContext added in v0.2.0

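// AuthnContext is the <AuthnContext> child of an AuthnStatement. Only the
// <AuthnContextClassRef> child is modelled; it is nil when absent.
type AuthnContext struct {
	// XMLName pins the element to the SAML assertion namespace. The tag
	// previously lacked its opening quote; go vet's structtag check rejects
	// such a tag and the name/namespace constraint was unreliable.
	XMLName              xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContext"`
	AuthnContextClassRef *AuthnContextClassRef `xml:"AuthnContextClassRef"`
}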

type AuthnContextClassRef added in v0.2.0

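// AuthnContextClassRef carries the authentication context class reference
// asserted by the IdP as the element's character data (Value).
type AuthnContextClassRef struct {
	// XMLName pins the element to the SAML assertion namespace. The tag
	// previously lacked its opening quote; go vet's structtag check rejects
	// such a tag and the name/namespace constraint was unreliable.
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`
	Value   string   `xml:",chardata"`
}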

type AuthnStatement

// AuthnStatement is a SAML 2.0 <AuthnStatement>. AuthnInstant and
// SessionNotOnOrAfter are pointers so that an absent attribute (nil) is
// distinguishable from a zero time; AuthnContext is nil when absent.
type AuthnStatement struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnStatement"`
	// SessionIndex: SAML 2.0 profiles, section 4.1.4.2
	// (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf).
	// If the identity provider supports the Single Logout profile, defined
	// in Section 4.4, any such authentication statements MUST include a
	// SessionIndex attribute to enable per-session logout requests by the
	// service provider.
	SessionIndex        string        `xml:"SessionIndex,attr,omitempty"`
	AuthnInstant        *time.Time    `xml:"AuthnInstant,attr,omitempty"`
	SessionNotOnOrAfter *time.Time    `xml:"SessionNotOnOrAfter,attr,omitempty"`
	AuthnContext        *AuthnContext `xml:"AuthnContext"`
}

type Conditions

// Conditions is a SAML 2.0 <Conditions> element. NotBefore and
// NotOnOrAfter are kept as the raw attribute text rather than time.Time,
// so decoding performs no parsing and no validity-window check; whatever
// enforces the window has to parse and compare them itself. OneTimeUse and
// ProxyRestriction are nil when the element is absent.
type Conditions struct {
	XMLName              xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	NotBefore            string                `xml:"NotBefore,attr"`
	NotOnOrAfter         string                `xml:"NotOnOrAfter,attr"`
	AudienceRestrictions []AudienceRestriction `xml:"AudienceRestriction"`
	OneTimeUse           *OneTimeUse           `xml:"OneTimeUse"`
	ProxyRestriction     *ProxyRestriction     `xml:"ProxyRestriction"`
}

type DigestMethod

// DigestMethod identifies a digest algorithm by its Algorithm attribute
// (for example one of the MethodSHA* constants). It appears both inside
// EncryptionMethod and in metadata Extensions; Algorithm is omitted when
// empty.
type DigestMethod struct {
	Algorithm string `xml:",attr,omitempty"`
}

DigestMethod is a digest type specification

type EncryptedAssertion

// EncryptedAssertion is a SAML 2.0 <EncryptedAssertion>. The wrapped key
// may be located either inside EncryptedData's KeyInfo (EncryptedKey) or
// as a sibling <EncryptedKey> element (DetEncryptedKey); both locations
// are decoded, and which one is used is decided elsewhere. CipherValue is
// the ciphertext text exactly as it appears in the document.
type EncryptedAssertion struct {
	XMLName          xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:assertion EncryptedAssertion"`
	EncryptionMethod EncryptionMethod `xml:"EncryptedData>EncryptionMethod"`
	EncryptedKey     EncryptedKey     `xml:"EncryptedData>KeyInfo>EncryptedKey"`
	DetEncryptedKey  EncryptedKey     `xml:"EncryptedKey"` // detached EncryptedKey element, a sibling of EncryptedData
	CipherValue      string           `xml:"EncryptedData>CipherData>CipherValue"`
}

func (*EncryptedAssertion) Decrypt

func (ea *EncryptedAssertion) Decrypt(cert *tls.Certificate) (*Assertion, error)

Decrypt decrypts and unmarshals the EncryptedAssertion.

func (*EncryptedAssertion) DecryptBytes

func (ea *EncryptedAssertion) DecryptBytes(cert *tls.Certificate) ([]byte, error)

type EncryptedKey

// EncryptedKey holds the key material of an xmlenc <EncryptedKey>: the
// certificate text from KeyInfo (X509Data), the CipherValue text, and the
// key transport algorithm. EncryptionMethod carries no tag, so it is
// matched by its field name against an <EncryptionMethod> child.
//
// NOTE(review): X509Data is supplied by the document being decrypted, so
// it can at most say which local key to try; confirm it is never used as
// a trust decision.
type EncryptedKey struct {
	// EncryptionMethod string `xml:"EncryptionMethod>Algorithm"`
	X509Data         string `xml:"KeyInfo>X509Data>X509Certificate"`
	CipherValue      string `xml:"CipherData>CipherValue"`
	EncryptionMethod EncryptionMethod
}

EncryptedKey contains the decryption key data from the saml2 core and xmlenc standards.

func (*EncryptedKey) DecryptSymmetricKey

func (ek *EncryptedKey) DecryptSymmetricKey(cert *tls.Certificate) (cipher.Block, error)

DecryptSymmetricKey returns the symmetric key (as a cipher.Block) contained in the EncryptedKey element

type EncryptionMethod

// EncryptionMethod specifies the encryption algorithm that was used, as a
// URI in Algorithm (see the Method* constants), plus an optional
// DigestMethod for algorithms such as RSA-OAEP. Both are omitted when
// empty.
type EncryptionMethod struct {
	Algorithm string `xml:",attr,omitempty"`
	// DigestMethod is present for algorithms like RSA-OAEP.
	// See https://www.w3.org/TR/xmlenc-core1/.
	// To convey the digest methods an entity supports,
	// DigestMethod in the metadata Extensions element is used.
	// See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport.html.
	DigestMethod *DigestMethod `xml:",omitempty"`
}

EncryptionMethod specifies the type of encryption that was used.

type Endpoint

// Endpoint is a metadata endpoint: a binding URI plus its location.
// ResponseLocation is optional and omitted when empty.
type Endpoint struct {
	Binding          string `xml:"Binding,attr"`
	Location         string `xml:"Location,attr"`
	ResponseLocation string `xml:"ResponseLocation,attr,omitempty"`
}

type EntityDescriptor

// EntityDescriptor is the root of SAML 2.0 metadata for one entity.
// ValidUntil is a time.Time, so a malformed validUntil attribute makes
// Unmarshal fail while an absent one leaves the zero time. The role
// descriptors and Extensions are nil when absent.
type EntityDescriptor struct {
	XMLName    xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	ValidUntil time.Time `xml:"validUntil,attr"`
	// SAML 2.0 8.3.6 Entity Identifier could be used to represent issuer
	EntityID         string            `xml:"entityID,attr"`
	SPSSODescriptor  *SPSSODescriptor  `xml:"SPSSODescriptor,omitempty"`
	IDPSSODescriptor *IDPSSODescriptor `xml:"IDPSSODescriptor,omitempty"`
	Extensions       *Extensions       `xml:"Extensions,omitempty"`
}

type Extensions added in v0.4.1

// Extensions carries the algorithm-support elements (DigestMethod,
// SigningMethod) that metadata may declare under <Extensions>; each is
// nil when absent.
type Extensions struct {
	DigestMethod  *DigestMethod  `xml:",omitempty"`
	SigningMethod *SigningMethod `xml:",omitempty"`
}

type IDPSSODescriptor

// IDPSSODescriptor is the identity-provider role of SAML metadata: its
// keys, supported NameID formats, SSO and SLO endpoints and advertised
// attributes. WantAuthnRequestsSigned is false when the attribute is
// absent; Extensions is nil when absent.
type IDPSSODescriptor struct {
	XMLName                 xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
	WantAuthnRequestsSigned bool                  `xml:"WantAuthnRequestsSigned,attr"`
	KeyDescriptors          []KeyDescriptor       `xml:"KeyDescriptor"`
	NameIDFormats           []NameIDFormat        `xml:"NameIDFormat"`
	SingleSignOnServices    []SingleSignOnService `xml:"SingleSignOnService"`
	SingleLogoutServices    []SingleLogoutService `xml:"SingleLogoutService"`
	Attributes              []Attribute           `xml:"Attribute"`
	Extensions              *Extensions           `xml:"Extensions,omitempty"`
}

type IndexedEndpoint

// IndexedEndpoint is an endpoint with an index attribute, as used for
// AssertionConsumerService entries. Index is an int, so a non-numeric
// index attribute makes Unmarshal fail.
type IndexedEndpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}

type Issuer

// Issuer is the <Issuer> element; Value is the issuer identifier carried
// as character data.
type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Value   string   `xml:",chardata"`
}

type KeyDescriptor

// KeyDescriptor describes one key published in metadata. Use is the raw
// "use" attribute (empty when absent), KeyInfo is the XML-DSig KeyInfo
// holding the key material, and EncryptionMethods lists the algorithms
// advertised for the key.
type KeyDescriptor struct {
	XMLName           xml.Name           `xml:"urn:oasis:names:tc:SAML:2.0:metadata KeyDescriptor"`
	Use               string             `xml:"use,attr"`
	KeyInfo           dsigtypes.KeyInfo  `xml:"KeyInfo"`
	EncryptionMethods []EncryptionMethod `xml:"EncryptionMethod"`
}

type LogoutResponse added in v0.4.1

// LogoutResponse is the SAML 2.0 protocol <LogoutResponse>. Status and
// Issuer are nil when absent. SignatureValidated is tagged `xml:"-"`: it
// is neither read from the document nor marshalled, so a parsed document
// cannot set it; only Go code can.
type LogoutResponse struct {
	XMLName            xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutResponse"`
	ID                 string    `xml:"ID,attr"`
	InResponseTo       string    `xml:"InResponseTo,attr"`
	Destination        string    `xml:"Destination,attr"`
	Version            string    `xml:"Version,attr"`
	IssueInstant       time.Time `xml:"IssueInstant,attr"`
	Status             *Status   `xml:"Status"`
	Issuer             *Issuer   `xml:"Issuer"`
	SignatureValidated bool      `xml:"-"` // not read from XML, not dumped to XML; set only by Go code
}

type NameID

// NameID is the <NameID> element of a Subject; Value is its character
// data.
type NameID struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	Value   string   `xml:",chardata"`
}

type NameIDFormat

// NameIDFormat is one <NameIDFormat> element from IdP metadata; Value is
// the format URI carried as character data.
type NameIDFormat struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata NameIDFormat"`
	Value   string   `xml:",chardata"`
}

type OneTimeUse

// OneTimeUse is the empty <OneTimeUse> condition element. It has no
// content; its presence is the signal, visible as a non-nil
// Conditions.OneTimeUse.
type OneTimeUse struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion OneTimeUse"`
}

type ProxyRestriction

// ProxyRestriction is the <ProxyRestriction> condition element. Count is
// an int, so a non-numeric Count attribute makes Unmarshal fail; an absent
// attribute leaves it 0.
type ProxyRestriction struct {
	XMLName  xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion ProxyRestriction"`
	Count    int        `xml:"Count,attr"`
	Audience []Audience `xml:"Audience"`
}

type Response

// Response is the SAML 2.0 protocol <Response>. Plaintext Assertions and
// EncryptedAssertions are decoded into separate slices; Status and Issuer
// are nil when absent. SignatureValidated is tagged `xml:"-"`: it is
// neither read from the document nor marshalled, so a parsed document
// cannot set it; only Go code can.
type Response struct {
	XMLName             xml.Name             `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID                  string               `xml:"ID,attr"`
	InResponseTo        string               `xml:"InResponseTo,attr"`
	Destination         string               `xml:"Destination,attr"`
	Version             string               `xml:"Version,attr"`
	IssueInstant        time.Time            `xml:"IssueInstant,attr"`
	Status              *Status              `xml:"Status"`
	Issuer              *Issuer              `xml:"Issuer"`
	Assertions          []Assertion          `xml:"Assertion"`
	EncryptedAssertions []EncryptedAssertion `xml:"EncryptedAssertion"`
	SignatureValidated  bool                 `xml:"-"` // not read from XML, not dumped to XML; set only by Go code
}

type SPSSODescriptor

// SPSSODescriptor is the service-provider role of SAML metadata: signing
// expectations, keys, SLO endpoints, NameID formats (as plain strings
// here, unlike IDPSSODescriptor) and indexed AssertionConsumerService
// endpoints. The boolean attributes are false when absent; Extensions is
// nil when absent.
type SPSSODescriptor struct {
	XMLName                    xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata SPSSODescriptor"`
	AuthnRequestsSigned        bool              `xml:"AuthnRequestsSigned,attr"`
	WantAssertionsSigned       bool              `xml:"WantAssertionsSigned,attr"`
	ProtocolSupportEnumeration string            `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptors             []KeyDescriptor   `xml:"KeyDescriptor"`
	SingleLogoutServices       []Endpoint        `xml:"SingleLogoutService"`
	NameIDFormats              []string          `xml:"NameIDFormat"`
	AssertionConsumerServices  []IndexedEndpoint `xml:"AssertionConsumerService"`
	Extensions                 *Extensions       `xml:"Extensions,omitempty"`
}

type Signature

// Signature keeps the raw inner XML of a <Signature> element as bytes
// (innerxml) instead of a parsed structure, presumably so that signature
// verification can work on the original markup rather than a re-encoded
// form.
type Signature struct {
	SignatureDocument []byte `xml:",innerxml"`
}

type SigningMethod added in v0.4.1

// SigningMethod is the metadata algorithm-support element naming a
// signing algorithm (Algorithm attribute). MinKeySize and MaxKeySize are
// kept as raw strings and omitted when empty; no numeric parsing happens
// on decode.
type SigningMethod struct {
	Algorithm  string `xml:",attr"`
	MinKeySize string `xml:"MinKeySize,attr,omitempty"`
	MaxKeySize string `xml:"MaxKeySize,attr,omitempty"`
}

type SingleLogoutService added in v0.4.1

// SingleLogoutService is an IdP metadata <SingleLogoutService> endpoint:
// a binding URI and its location.
type SingleLogoutService struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SingleLogoutService"`
	Binding  string   `xml:"Binding,attr"`
	Location string   `xml:"Location,attr"`
}

type SingleSignOnService

// SingleSignOnService is an IdP metadata <SingleSignOnService> endpoint:
// a binding URI and its location.
type SingleSignOnService struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SingleSignOnService"`
	Binding  string   `xml:"Binding,attr"`
	Location string   `xml:"Location,attr"`
}

type Status

// Status is the protocol <Status> element; StatusCode is nil when the
// child element is absent.
type Status struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	StatusCode *StatusCode `xml:"StatusCode"`
}

type StatusCode

// StatusCode is the protocol <StatusCode> element; Value is its Value
// attribute (the status URI), empty when absent.
type StatusCode struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
	Value   string   `xml:"Value,attr"`
}

type Subject

// Subject is the assertion <Subject> element. NameID and
// SubjectConfirmation are nil when the corresponding child is absent.
type Subject struct {
	XMLName             xml.Name             `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	NameID              *NameID              `xml:"NameID"`
	SubjectConfirmation *SubjectConfirmation `xml:"SubjectConfirmation"`
}

type SubjectConfirmation

// SubjectConfirmation is the <SubjectConfirmation> element. Method is the
// confirmation method URI attribute (empty when absent);
// SubjectConfirmationData is nil when the child is absent.
type SubjectConfirmation struct {
	XMLName                 xml.Name                 `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmation"`
	Method                  string                   `xml:"Method,attr"`
	SubjectConfirmationData *SubjectConfirmationData `xml:"SubjectConfirmationData"`
}

type SubjectConfirmationData

// SubjectConfirmationData carries the attributes of
// <SubjectConfirmationData>. All three are raw attribute strings: in
// particular NotOnOrAfter is not parsed as a time on decode, so any
// expiry, recipient or InResponseTo check has to be done by the caller.
type SubjectConfirmationData struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmationData"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Recipient    string   `xml:"Recipient,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
}

type UnverifiedBaseResponse added in v0.3.0

// UnverifiedBaseResponse is a pre-validation view of a protocol
// <Response>: only the attributes and the Issuer are decoded. Because it
// is parsed before any signature check, every value here is
// attacker-controllable and may only be used to decide how to validate,
// never as an authoritative statement from the IdP.
type UnverifiedBaseResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID           string   `xml:"ID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
	Version      string   `xml:"Version,attr"`
	Issuer       *Issuer  `xml:"Issuer"`
}

UnverifiedBaseResponse extracts several basic attributes of a SAML Response which may be useful in deciding how to validate the Response. An UnverifiedBaseResponse is parsed by this library prior to any validation of the Response, so the values it contains may have been supplied by an attacker and should not be trusted as authoritative from the IdP.
