This repository was archived by the owner on Jun 9, 2021. It is now read-only.
Validate SAML assertion #6
Open
Description
This needs a few things:
- Update the code to reflect that the X-saml-attribute-token1 (and successive) headers are base64-encoded, so we need to decode them
- Add a utility function to verify the signature
Relevant code is in cmd/health-api-server
Example headers
X-uid: 1-900018101-Z-90000381-01.015-00000000
X-saml-attribute-token1: 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 PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI PGRzOlNpZ25lZEluZm8 PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8 PGRzOlJlZmVyZW5jZSBVUkk9IiNJQzUzMkFDRTQ0MzE4Q0Y3RDQ5QzVEMjdCMEIwNzVFRDRDMjM4MDQ0RCI PGRzOlRyYW5zZm9ybXM PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8 PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgUHJlZml4TGlzdD0ieHMiIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8 PGRzOkRpZ2VzdFZhbHVlPnNVRGJDaUJSYlZnTDFCOE5tazE4OTVUU2pLbz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU 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 PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPjEtOTAwMDE4MTAxLVotOTAwMDAzODEtMDEuMDE1LTAwMDAwMDAwPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Imxhc3RzeW5jdGltZSI PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI MTU4Njg4ODc2Nzk5NDwvc2FtbDI6QXR0cmlidXRlVmFsdWU PC9zYW1sMjpBdHRyaWJ1dGU PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ PC9zYW1sMjpBc3NlcnRpb24
Example SAML assertion
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="I52BBD41096FDC5520F194ED63535F54D0CE58BE4" IssueInstant="2020-04-14T18:53:16.539Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://siam1.test.anoigo.nl/aselectserver/server</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#I52BBD41096FDC5520F194ED63535F54D0CE58BE4">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PdRGFJGGlNhePM8cJfxL41HPeFs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ZNDOAmm00w4KiZaJo9UFNRkrOanZglDofVaC4F8Ab6FJTrcHniOS4KIhM/iHD2GGZYds3LINwPvOhFBKxTO1nNlEzXUHk6GMbKiXdOTH8PAswJjKD1imSZoaa0xLKtwKcQO8aYbyxZJ6ZY8MKHjmkTYJoglmvROACMbaxoP5AbGjFgKxLA7QXzlg69I6EL7MG0tE6BOgcsGZlX0qUITFSQayI8FTFqp7gqD3s5m4Nj+hLNteAz0p7p4vhD8g1ApBzRAHF4NTET3pBKRxgQz67eNmUsc9R4oCNr9EKAium9g3ravUz6+zkp4BOfR/nBQD9OzO4MjjxwHaCScQs9Updg==</ds:SignatureValue>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://siam1.test.anoigo.nl/aselectserver/server">B0BFB5A75C24CF6B7C9BD56113D0EA018AD578B08C6B6A66DC554CEC4526D3E96A06D2C73B03BA1D90A3442D743BB3FF45F7D686FAC872493C7AD3E41E4F2D4DAECAC003E2BB7EA964A538CDC753B4FBC7F948A9B6A015D22C9DEC6FCF0A2836F16646AE3205B7930BD85251D45ED84095E9D048CE3B7C62</saml2:NameID>
</saml2:Subject>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="uid">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1-900018101-Z-90000381-01.015-00000000</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastsynctime">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1586890396484</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Server public key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
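Added example, not code from this repository: a Go sketch of the two items in the issue, assuming cmd/health-api-server is Go (the cmd/ layout suggests it). assembleToken rebuilds the token from the successive X-saml-attribute-tokenN headers and base64-decodes it; in the example header above every chunk boundary sits exactly where standard base64 would have a `+` (for instance `PGRzOlNpZ25lZEluZm8 ` is `<ds:SignedInfo` minus the `+` that encodes the closing `>`), so the decoder maps spaces back to `+` first. checkAssertion then parses the assertion and applies the structural checks that have to pass before a signature check means anything: one Signature, one Reference that points at this Assertion's own ID, allow-listed algorithms and transforms, and no second element carrying that ID anywhere in the document (the hook that signature-wrapping attacks rely on, since XML-DSig verifiers resolve `#ID` by lookup). The cryptographic verification of DigestValue and SignatureValue against the server certificate is not implemented here; it needs exclusive C14N and belongs to an XML-DSig library, run on the same raw bytes. The function names, the algorithm allow-list and the sample assertion are my own; the sample is a constructed stand-in with the layout of the assertion above and placeholder digest and signature values.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/http"
	"strings"
)

const algEnveloped = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
const algExcC14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

// Allow-listed SignatureMethod/DigestMethod URIs; the SHA-1 pair is here only because the IdP on this page still uses it.
var allowedAlg = map[string]bool{
	"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": true, "http://www.w3.org/2001/04/xmlenc#sha256": true,
	"http://www.w3.org/2000/09/xmldsig#rsa-sha1": true, "http://www.w3.org/2000/09/xmldsig#sha1": true,
}

type alg struct{ Algorithm string `xml:"Algorithm,attr"` } // only the parts the checks need are mapped
type reference struct {
	URI        string `xml:"URI,attr"`
	Transforms []alg  `xml:"Transforms>Transform"`
	Digest     alg    `xml:"DigestMethod"`
}
type signature struct {
	Method     alg         `xml:"SignedInfo>SignatureMethod"`
	References []reference `xml:"SignedInfo>Reference"`
}
type Assertion struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string      `xml:"ID,attr"`
	Signatures []signature `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Attributes []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// assembleToken joins X-saml-attribute-token1, -token2, ... in order and base64-decodes the result.
// The example header on this page has a space wherever standard base64 would have a '+'
// ("PGRzOlNpZ25lZEluZm8 " is "<ds:SignedInfo" plus the '+' that encodes '>'), so spaces are mapped back first.
func assembleToken(h http.Header) ([]byte, error) {
	var sb strings.Builder
	tok := func(i int) string { return h.Get(fmt.Sprintf("X-saml-attribute-token%d", i)) }
	for i := 1; tok(i) != ""; i++ {
		sb.WriteString(tok(i))
	}
	if sb.Len() == 0 {
		return nil, fmt.Errorf("missing X-saml-attribute-token1 header")
	}
	return base64.RawStdEncoding.DecodeString(strings.TrimRight(strings.ReplaceAll(sb.String(), " ", "+"), "="))
}

// checkAssertion makes the checks an XML-DSig library will not make for you: exactly one Signature whose
// single Reference is "#"+ID of this very Assertion, allow-listed algorithms, only the enveloped-signature
// and exc-c14n transforms, and no other element carrying that ID (verifiers resolve "#ID" by lookup, which
// is what signature wrapping exploits). DigestValue/SignatureValue must still be verified on the same bytes.
func checkAssertion(raw []byte) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, fmt.Errorf("parsing assertion: %w", err)
	}
	if a.ID == "" || len(a.Signatures) != 1 || len(a.Signatures[0].References) != 1 {
		return nil, fmt.Errorf("need an ID, exactly one Signature and exactly one Reference")
	}
	sig, ref := a.Signatures[0], a.Signatures[0].References[0]
	if ref.URI != "#"+a.ID || !allowedAlg[sig.Method.Algorithm] || !allowedAlg[ref.Digest.Algorithm] {
		return nil, fmt.Errorf("bad reference %q or algorithms %q / %q", ref.URI, sig.Method.Algorithm, ref.Digest.Algorithm)
	}
	// XPath/XSLT transforms could cut the signed content down to nothing, so only the expected ones pass.
	if n := len(ref.Transforms); n == 0 || n > 2 || ref.Transforms[0].Algorithm != algEnveloped || n == 2 && ref.Transforms[1].Algorithm != algExcC14N {
		return nil, fmt.Errorf("unexpected transforms %v", ref.Transforms)
	}
	dec, ids := xml.NewDecoder(strings.NewReader(string(raw))), 0
	for tok, err := dec.Token(); err == nil; tok, err = dec.Token() { // Unmarshal already proved well-formedness
		if se, ok := tok.(xml.StartElement); ok {
			for _, at := range se.Attr {
				if at.Name.Local == "ID" && at.Value == a.ID {
					ids++
				}
			}
		}
	}
	if ids != 1 {
		return nil, fmt.Errorf("wrapping suspected: %d elements carry ID %q", ids, a.ID)
	}
	return &a, nil
}

// Constructed stand-in with the layout of the assertion on this page (placeholder DigestValue and SignatureValue).
// sampleHeaders delivers it the way the example arrives: one base64 string split over successive headers, '+' turned into spaces.
const sampleAssertion = `<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion ID="I52BBD41096FDC5520F194ED63535F54D0CE58BE4" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://siam1.test.anoigo.nl/aselectserver/server</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#I52BBD41096FDC5520F194ED63535F54D0CE58BE4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature><saml2:AttributeStatement><saml2:Attribute Name="uid"><saml2:AttributeValue>1-900018101-Z-90000381-01.015-00000000</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>`

func sampleHeaders(assertion string) http.Header {
	enc := strings.ReplaceAll(base64.StdEncoding.EncodeToString([]byte(assertion)), "+", " ")
	h := http.Header{}
	h.Set("X-saml-attribute-token1", enc[:len(enc)/2])
	h.Set("X-saml-attribute-token2", enc[len(enc)/2:])
	return h
}

func main() {
	raw, err := assembleToken(sampleHeaders(sampleAssertion))
	if err == nil {
		_, err = checkAssertion(raw)
	}
	fmt.Println("structure accepted:", err == nil, err)
}
```

Two caveats. If a mangled `+` falls at the very start or end of a header value, HTTP header parsing trims it and the token cannot be recovered (the decoder then fails on the truncated XML rather than guessing); the durable fix is for the sender to emit unmangled or URL-safe base64. And once the signature verifies, read uid from the assertion's AttributeStatement; the X-uid header is at most something to compare against that value, never the value to authorize on.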