From 60f4dec555b0f5ccc4b293634c36c46746e9dcc2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 22 Feb 2022 00:17:38 +0100
Subject: [PATCH] add ability to sign requests
---
 README.md | 1 +
 pkg/helpers/config.go | 7 +++++++
 pkg/helpers/ssl.go | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 pkg/helpers/ssl.go
diff --git a/README.md b/README.md
index d9f048f..423bbf7 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ This tool is full configured using environment variables.
 Optionally, if you want to use SSL, set these variables
 - `SP_SSL_CERT`: Path to the SSL Certificate the server should use.
 - `SP_SSL_KEY`: Path to the SSL Key the server should use.
+- `SP_SIGN_REQUESTS`: Enable signing of requests.
 Note: If you're manually setting `SP_ROOT_URL`, ensure that you prefix that URL with https.
diff --git a/pkg/helpers/config.go b/pkg/helpers/config.go
index 3376fe1..ab6c5d1 100644
--- a/pkg/helpers/config.go
+++ b/pkg/helpers/config.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	log "github.com/sirupsen/logrus"
@@ -88,6 +89,12 @@ func LoadConfig() samlsp.Options {
 	priv, pub := Generate(fmt.Sprintf("localhost,%s", url.Hostname()))
 	samlOptions.Key = priv
 	samlOptions.Certificate = pub
+	if sign := Env("SP_SIGN_REQUESTS", "false"); strings.ToLower(sign) == "true" {
+		samlOptions.Key = LoadRSAKey(os.Getenv("SP_SSL_KEY"))
+		samlOptions.Certificate = LoadCertificate(os.Getenv("SP_SSL_CERT"))
+		samlOptions.SignRequest = true
+		log.Debug("Signing requests")
+	}
 	log.Debugf("Configuration Optons: %+v", samlOptions)
 	return samlOptions
 }
diff --git a/pkg/helpers/ssl.go b/pkg/helpers/ssl.go
new file mode 100644
index 0000000..fb124bc
--- /dev/null
+++ b/pkg/helpers/ssl.go
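Review bot: The new `if sign := Env("SP_SIGN_REQUESTS", "false")` branch in LoadConfig reads `SP_SSL_KEY` and `SP_SSL_CERT` without checking that they are set, even though the README documents them as optional; with signing enabled and either variable empty, `LoadRSAKey("")` panics from inside ReadFile with a message that does not name the misconfiguration. A guard before the loads would make the failure explicit: `if k, c := os.Getenv("SP_SSL_KEY"), os.Getenv("SP_SSL_CERT"); k == "" || c == "" { log.Fatal("SP_SIGN_REQUESTS requires SP_SSL_KEY and SP_SSL_CERT") }`. It is also worth a comment on the branch that the TLS server key now doubles as the SAML request-signing key, since that coupling is not obvious from the variable names (`// reuses the TLS key pair for SAML request signing`). LoadConfig's body begins before this hunk, so I cannot see how samlOptions is initialised earlier.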
@@ -0,0 +1,34 @@
+package helpers
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+)
+
+func LoadRSAKey(path string) *rsa.PrivateKey {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		panic(err)
+	}
+	block, _ := pem.Decode(data)
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		panic(err)
+	}
+	return key.(*rsa.PrivateKey)
+}
+
+func LoadCertificate(path string) *x509.Certificate {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		panic(err)
+	}
+	block, _ := pem.Decode(data)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		panic(err)
+	}
+	return cert
+}
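Review bot: `pem.Decode(data)` returns a nil block when the file holds no PEM data, and both LoadRSAKey and LoadCertificate then dereference `block.Bytes` and crash with a nil-pointer panic instead of a message naming the file. LoadRSAKey additionally only accepts PKCS#8 input, so a TLS key in the common PKCS#1 `RSA PRIVATE KEY` encoding fails to parse, and the unchecked assertion `key.(*rsa.PrivateKey)` panics on a non-RSA PKCS#8 key with an unhelpful message. The rewrite below checks the block, dispatches on `block.Type` to `x509.ParsePKCS1PrivateKey` or `x509.ParsePKCS8PrivateKey`, and reports a non-RSA key by name; LoadCertificate needs the same `block == nil` check. Both functions are exported and should also carry doc comments stating that they panic on any failure, since that is what callers in config.go rely on (`// LoadRSAKey reads a PEM-encoded RSA private key from path; it panics if the file cannot be read or parsed.`). `io/ioutil` is deprecated since Go 1.16 and `os.ReadFile` is the drop-in replacement, which would also drop the import.

```go
func LoadRSAKey(path string) *rsa.PrivateKey {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		panic(err)
	}
	block, _ := pem.Decode(data)
	if block == nil {
		panic("no PEM block found in " + path)
	}
	// TLS keys are commonly PKCS#1 ("RSA PRIVATE KEY"); accept both encodings.
	if block.Type == "RSA PRIVATE KEY" {
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			panic(err)
		}
		return key
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		panic(err)
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		panic("expected an RSA private key in " + path)
	}
	return rsaKey
}
// … unchanged: LoadCertificate, apart from the same block == nil check …
```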