From 5c90051ea8d7c4b01ba56fb0d9841b74fdd80113 Mon Sep 17 00:00:00 2001
From: Benjamin Schubert
Date: Wed, 28 Nov 2018 18:54:33 +0000
Subject: [PATCH] SP: Add capability to provide intermediate certs

---
 samlsp/samlsp.go | 2 ++
 service_provider.go | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/samlsp/samlsp.go b/samlsp/samlsp.go
index 24f471a3..52d99149 100644
--- a/samlsp/samlsp.go
+++ b/samlsp/samlsp.go
@@ -24,6 +24,7 @@ type Options struct {
 	Key *rsa.PrivateKey
 	Logger logger.Interface
 	Certificate *x509.Certificate
+	Intermediates []*x509.Certificate
 	AllowIDPInitiated bool
 	IDPMetadata *saml.EntityDescriptor
 	IDPMetadataURL *url.URL
@@ -56,6 +57,7 @@ func New(opts Options) (*Middleware, error) {
 		Key: opts.Key,
 		Logger: logr,
 		Certificate: opts.Certificate,
+		Intermediates: opts.Intermediates,
 		MetadataURL: metadataURL,
 		AcsURL: acsURL,
 		IDPMetadata: opts.IDPMetadata,
diff --git a/service_provider.go b/service_provider.go
index 6061b04a..1a53d44d 100644
--- a/service_provider.go
+++ b/service_provider.go
@@ -55,6 +55,7 @@ type ServiceProvider struct {
 
 	// Certificate is the RSA public part of Key.
 	Certificate *x509.Certificate
+	Intermediates []*x509.Certificate
 
 	// MetadataURL is the full URL to the metadata endpoint on this host,
 	// i.e. https://example.com/saml/metadata
@@ -109,6 +110,10 @@ func (sp *ServiceProvider) Metadata() *EntityDescriptor {
 	authnRequestsSigned := false
 	wantAssertionsSigned := true
 	validUntil := TimeNow().Add(validDuration)
+	certBytes := sp.Certificate.Raw
+	for _, intermediate := range sp.Intermediates {
+		certBytes = append(certBytes, intermediate.Raw...)
+	}
 	return &EntityDescriptor{
 		EntityID: sp.MetadataURL.String(),
 		ValidUntil: validUntil,
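Review bot: `Intermediates` is added directly under a field that carries a doc comment but gets none itself, so neither its purpose nor the order the caller must supply the certificates in is stated anywhere in this change. Within these hunks the field is read only by Metadata(), which copies each certificate's Raw bytes after Certificate's in the order given, so I'd document that contract explicitly: `// Intermediates are the CA certificates chaining Certificate to a trusted root, in chain order (issuer of Certificate first); Metadata() publishes them after Certificate.` Nothing checks that they actually chain to Certificate, so a wrong or expired intermediate is published silently; if that is meant to be caught, samlsp.New is the natural place (at minimum `CheckSignatureFrom` on each adjacent pair), and the comment should say whether any such validation happens. The ServiceProvider struct continues outside the hunk.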
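Review bot: `certBytes := sp.Certificate.Raw` followed by `certBytes = append(certBytes, intermediate.Raw...)` appends into a slice that still aliases the leaf certificate's Raw bytes, so whether the first append allocates or writes into the array behind sp.Certificate.Raw depends on that slice's spare capacity, which this code does not control (a DER blob cut out of a larger read buffer has plenty). Nothing in the hunk reads past the leaf's own length, but a Metadata() call should not be able to scribble into memory shared with the certificate object, and the fix is a one-line copy before the loop: `certBytes := append([]byte(nil), sp.Certificate.Raw...)`. Metadata() continues past the hunk.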
@@ -122,13 +127,13 @@ func (sp *ServiceProvider) Metadata() *EntityDescriptor {
 			{
 				Use: "signing",
 				KeyInfo: KeyInfo{
-					Certificate: base64.StdEncoding.EncodeToString(sp.Certificate.Raw),
+					Certificate: base64.StdEncoding.EncodeToString(certBytes),
 				},
 			},
 			{
 				Use: "encryption",
 				KeyInfo: KeyInfo{
-					Certificate: base64.StdEncoding.EncodeToString(sp.Certificate.Raw),
+					Certificate: base64.StdEncoding.EncodeToString(certBytes),
 				},
 				EncryptionMethods: []EncryptionMethod{
 					{Algorithm: "http://www.w3.org/2001/04/xmlenc#aes128-cbc"},
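Review bot: Concatenating the leaf and intermediate DER blobs into the single string `KeyInfo.Certificate` (both KeyDescriptors in this hunk) very likely produces metadata that strict consumers reject. If that field serialises as one `<ds:X509Certificate>` element — the KeyInfo type is not in this diff, so this is inferred from the name — XMLDSig defines that element as exactly one DER certificate, and a consumer that base64-decodes it and parses it strictly (Go's own x509.ParseCertificate, for one, errors on trailing data) will refuse the SP's metadata, which is worse than publishing the leaf alone. The interoperable encoding is one `<ds:X509Certificate>` per certificate inside the same `<ds:X509Data>`, leaf first, which needs KeyInfo to carry a slice of certificates rather than one string, with these two lines becoming something like `KeyInfo: KeyInfo{Certificates: certs}`. Separately, the chain arguably adds nothing to the encryption descriptor, since an IdP encrypts to the leaf's public key, so consider publishing the intermediates under the signing use only.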