Use canonicalization from sig info

canonicalize.go

@@ -13,6 +13,22 @@ type Canonicalizer interface {
 	Algorithm() AlgorithmID
 }
 
+type NullCanonicalizer struct {
+}
+
+func MakeNullCanonicalizer() Canonicalizer {
+	return &NullCanonicalizer{}
+}
+
+func (c *NullCanonicalizer) Algorithm() AlgorithmID {
+	return AlgorithmID("NULL")
+}
+
+func (c *NullCanonicalizer) Canonicalize(el *etree.Element) ([]byte, error) {
+	scope := make(map[string]struct{})
+	return canonicalSerialize(canonicalPrep(el, scope, false))
+}
+
 type c14N10ExclusiveCanonicalizer struct {
 	prefixList string
 }
@@ -49,7 +65,7 @@ func MakeC14N11Canonicalizer() Canonicalizer {
 // Canonicalize transforms the input Element into a serialized XML document in canonical form.
 func (c *c14N11Canonicalizer) Canonicalize(el *etree.Element) ([]byte, error) {
 	scope := make(map[string]struct{})
-	return canonicalSerialize(canonicalPrep(el, scope))
+	return canonicalSerialize(canonicalPrep(el, scope, true))
 }
 
 func (c *c14N11Canonicalizer) Algorithm() AlgorithmID {
@@ -66,7 +82,7 @@ func MakeC14N10RecCanonicalizer() Canonicalizer {
 // Canonicalize transforms the input Element into a serialized XML document in canonical form.
 func (c *c14N10RecCanonicalizer) Canonicalize(el *etree.Element) ([]byte, error) {
 	scope := make(map[string]struct{})
-	return canonicalSerialize(canonicalPrep(el, scope))
+	return canonicalSerialize(canonicalPrep(el, scope, true))
 }
 
 func (c *c14N10RecCanonicalizer) Algorithm() AlgorithmID {
@@ -83,7 +99,7 @@ func MakeC14N10CommentCanonicalizer() Canonicalizer {
 // Canonicalize transforms the input Element into a serialized XML document in canonical form.
 func (c *c14N10CommentCanonicalizer) Canonicalize(el *etree.Element) ([]byte, error) {
 	scope := make(map[string]struct{})
-	return canonicalSerialize(canonicalPrep(el, scope))
+	return canonicalSerialize(canonicalPrep(el, scope, true))
 }
 
 func (c *c14N10CommentCanonicalizer) Algorithm() AlgorithmID {
@@ -116,7 +132,7 @@ const nsSpace = "xmlns"
 //
 // TODO(russell_h): This is very similar to excCanonicalPrep - perhaps they should
 // be unified into one parameterized function?
-func canonicalPrep(el *etree.Element, seenSoFar map[string]struct{}) *etree.Element {
+func canonicalPrep(el *etree.Element, seenSoFar map[string]struct{}, strip bool) *etree.Element {
 	_seenSoFar := make(map[string]struct{})
 	for k, v := range seenSoFar {
 		_seenSoFar[k] = v
@@ -141,7 +157,7 @@ func canonicalPrep(el *etree.Element, seenSoFar map[string]struct{}) *etree.Elem
 	for i, token := range ne.Child {
 		childElement, ok := token.(*etree.Element)
 		if ok {
-			ne.Child[i] = canonicalPrep(childElement, _seenSoFar)
+			ne.Child[i] = canonicalPrep(childElement, _seenSoFar, strip)
 		}
 	}
 

sign.go

@@ -92,10 +92,11 @@ func (ctx *SigningContext) constructSignedInfo(el *etree.Element, enveloped bool
 
 	dataId := el.SelectAttrValue(ctx.IdAttribute, "")
 	if dataId == "" {
-		return nil, errors.New("Missing data ID")
+		reference.CreateAttr(URIAttr, "")
+	} else {
+		reference.CreateAttr(URIAttr, "#"+dataId)
 	}
 
-	reference.CreateAttr(URIAttr, "#"+dataId)
 
 	// /SignedInfo/Reference/Transforms
 	transforms := ctx.createNamespacedElement(reference, TransformsTag)

sign_test.go

@@ -96,17 +96,6 @@ func TestSignErrors(t *testing.T) {
 
 	_, err := ctx.SignEnveloped(authnRequest)
 	require.Error(t, err)
-
-	randomKeyStore = RandomKeyStoreForTest()
-	ctx = NewDefaultSigningContext(randomKeyStore)
-
-	authnRequest = &etree.Element{
-		Space: "samlp",
-		Tag:   "AuthnRequest",
-	}
-
-	_, err = ctx.SignEnveloped(authnRequest)
-	require.Error(t, err)
 }
 
 func TestSignNonDefaultID(t *testing.T) {

validate.go

@@ -110,10 +110,6 @@ func (ctx *ValidationContext) transform(
 	ref *types.Reference) (*etree.Element, Canonicalizer, error) {
 	transforms := ref.Transforms.Transforms
 
-	if len(transforms) != 2 {
-		return nil, nil, errors.New("Expected Enveloped and C14N transforms")
-	}
-
 	// map the path to the passed signature relative to the passed root, in
 	// order to enable removal of the signature by an enveloped signature
 	// transform
@@ -156,7 +152,7 @@ func (ctx *ValidationContext) transform(
 	}
 
 	if canonicalizer == nil {
-		return nil, nil, errors.New("Expected canonicalization transform")
+		canonicalizer = MakeNullCanonicalizer()
 	}
 
 	return el, canonicalizer, nil
@@ -233,16 +229,17 @@ func (ctx *ValidationContext) verifySignedInfo(sig *types.Signature, canonicaliz
 }
 
 func (ctx *ValidationContext) validateSignature(el *etree.Element, sig *types.Signature, cert *x509.Certificate) (*etree.Element, error) {
-	idAttr := el.SelectAttr(ctx.IdAttribute)
-	if idAttr == nil || idAttr.Value == "" {
-		return nil, errors.New("Missing ID attribute")
+	idAttrEl := el.SelectAttr(ctx.IdAttribute)
+	idAttr := ""
+	if idAttrEl != nil {
+		idAttr = idAttrEl.Value
 	}
 
 	var ref *types.Reference
 
 	// Find the first reference which references the top-level element
 	for _, _ref := range sig.SignedInfo.References {
-		if _ref.URI == "" || _ref.URI[1:] == idAttr.Value {
+		if _ref.URI == "" || _ref.URI[1:] == idAttr {
 			ref = &_ref
 		}
 	}
@@ -298,9 +295,10 @@ func contains(roots []*x509.Certificate, cert *x509.Certificate) bool {
 
 // findSignature searches for a Signature element referencing the passed root element.
 func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature, error) {
-	idAttr := el.SelectAttr(ctx.IdAttribute)
-	if idAttr == nil || idAttr.Value == "" {
-		return nil, errors.New("Missing ID attribute")
+	idAttrEl := el.SelectAttr(ctx.IdAttribute)
+	idAttr := ""
+	if idAttrEl != nil {
+		idAttr = idAttrEl.Value
 	}
 
 	var sig *types.Signature
@@ -343,13 +341,13 @@ func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature
 					canonicalSignedInfo = detachedSignedInfo
 
 				case CanonicalXML11AlgorithmId:
-					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
+					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
 
 				case CanonicalXML10RecAlgorithmId:
-					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
+					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
 
 				case CanonicalXML10CommentAlgorithmId:
-					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{})
+					canonicalSignedInfo = canonicalPrep(detachedSignedInfo, map[string]struct{}{}, true)
 
 				default:
 					return fmt.Errorf("invalid CanonicalizationMethod on Signature: %s", c14NAlgorithm)
@@ -380,7 +378,7 @@ func (ctx *ValidationContext) findSignature(el *etree.Element) (*types.Signature
 		// Traverse references in the signature to determine whether it has at least
 		// one reference to the top level element. If so, conclude the search.
 		for _, ref := range _sig.SignedInfo.References {
-			if ref.URI == "" || ref.URI[1:] == idAttr.Value {
+			if ref.URI == "" || ref.URI[1:] == idAttr {
 				sig = _sig
 				return etreeutils.ErrTraversalHalted
 			}