SPKeyStore

[avi94]

Is there any actual examples of SPKeyStore being set to a valid keystore? It's really confusing how to make this field consume some sort of keystore, preferably a JKS file.

[konaraya]

TestSAML has an example on how to use SPKeyStore.
Check TLSCertKeyStore from goxmldsig on how to use a crypto/tls certificate with it.
To use a JKS file you would need to convert it to a tls.Certificate and use it.

[shaozi]

I am still confused on how to set the SPKeyStore. Do I need to create my own KeyStore type that conforms with X509KeyStore interface?

[viotile]

How to Set Up an Interface for Handling Key Stores

Below is a complete example demonstrating how to set up an interface to manage private keys and certificates.

1. Define the Key Store Struct
Create a LocalKeyStore struct to hold the file paths for the private key and certificate.

type LocalKeyStore struct {
	privateKeyPath  string
	certificatePath string
}

func NewLocalKeyStore(privateKeyPath, certificatePath string) dsig.X509KeyStore {
	return &LocalKeyStore{
		privateKeyPath:  privateKeyPath,
		certificatePath: certificatePath,
	}
}

2. Implement the GetKeyPair Method
This method reads the private key and certificate from the provided file paths, decodes them, and parses the respective content.

func (s *LocalKeyStore) GetKeyPair() (*rsa.PrivateKey, []byte, error) {
	// Read the private key file
	privateKeyBytes, err := os.ReadFile(s.privateKeyPath)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to read private key file: %w", err)
	}

	// Decode the PEM block
	block, _ := pem.Decode(privateKeyBytes)
	if block == nil || (block.Type != "PRIVATE KEY" && block.Type != "RSA PRIVATE KEY") {
		return nil, nil, fmt.Errorf("invalid PEM block for private key (type: %v)", block.Type)
	}

	// Parse the private key
	var privateKey *rsa.PrivateKey
	if block.Type == "RSA PRIVATE KEY" {
		// PKCS#1 format
		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to parse PKCS#1 private key: %w", err)
		}
	} else if block.Type == "PRIVATE KEY" {
		// PKCS#8 format
		parsedKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to parse PKCS#8 private key: %w", err)
		}
		// Ensure the parsed key is of type RSA
		var ok bool
		privateKey, ok = parsedKey.(*rsa.PrivateKey)
		if !ok {
			return nil, nil, fmt.Errorf("parsed private key is not an RSA key")
		}
	}

	// Read the certificate file
	certBytes, err := os.ReadFile(s.certificatePath)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to read certificate file: %w", err)
	}

	// Decode the PEM block for the certificate
	block, _ = pem.Decode(certBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, fmt.Errorf("invalid PEM block for certificate (type: %v)", block.Type)
	}

	// Parse the certificate
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to parse certificate: %w", err)
	}

	// Return the private key and raw certificate bytes
	return privateKey, cert.Raw, nil
}

3. Initialize the Key Store
Set the paths for the private key and certificate:

spKeyStore := NewLocalKeyStore("./private.key", "./public.cert")

4. Configure the Service Provider
Assign the initialized key store to your SAML service provider:

sp := &saml2.SAMLServiceProvider{
   SPKeyStore: spKeyStore,
}