(Swift 3,4,5...) Sign Italian SPID Metadata XML

Demonstrates how to create an XML digital signature for Italian SPID Metadata.

Chilkat Downloads for the Swift Programming Language MAC OS X (Cocoa) Objective-C/Swift Libs iOS Objective-C/Swift Libs

func chilkatTest() {
    // This example assumes the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    var success: Bool = true

    // Load the XML to be signed.
    let sbXml = CkoStringBuilder()!
    success = sbXml.loadFile("qa_data/xml_dsig/spid_metadata.xml", charset: "utf-8")
    if success == false {
        print("Failed to load the input file.")
        return
    }

    // The XML to sign contains XML such as this:

    // <?xml version="1.0" encoding="utf-8"?>
    // <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://***.it" ID="_AE17AFFF-A600-49D5-B81D-76EEA55B50FF">
    //     <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    //         <md:KeyDescriptor use="signing">
    //             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    //                 <ds:X509Data>
    //                     <ds:X509Certificate>MIIF5...</ds:X509Certificate>
    //                 </ds:X509Data>
    //             </ds:KeyInfo>
    //         </md:KeyDescriptor>
    //         <md:KeyDescriptor use="encryption">
    //             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    //                 <ds:X509Data>
    //                     <ds:X509Certificate>MIIF5...</ds:X509Certificate>
    //                 </ds:X509Data>
    //             </ds:KeyInfo>
    //         </md:KeyDescriptor>
    //         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://***.it/it-it/spid/logout"/>
    //         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    //         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://***.it/it-it/spid/loginresp" index="0" isDefault="true"/>
    //         <md:AttributeConsumingService index="1">
    //             <md:ServiceName xml:lang="it">Servizi Online</md:ServiceName>
    //             <md:ServiceDescription xml:lang="it">Accesso ai Servizi Online</md:ServiceDescription>
    //             <md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    //             <md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    //             <md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    //             <md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    //         </md:AttributeConsumingService>
    //     </md:SPSSODescriptor>
    //     <md:Organization>
    //         <md:OrganizationName xml:lang="it">SomeCompany s.r.l.</md:OrganizationName>
    //         <md:OrganizationDisplayName xml:lang="it">SomeCompany s.r.l.</md:OrganizationDisplayName>
    //         <md:OrganizationURL xml:lang="it">https://***.it</md:OrganizationURL>
    //     </md:Organization>
    // </md:EntityDescriptor>

    let gen = CkoXmlDSigGen()!

    gen.sigLocation = "md:EntityDescriptor|md:SPSSODescriptor"
    gen.sigLocationMod = 2
    gen.signedInfoCanonAlg = "EXCL_C14N"
    gen.signedInfoDigestMethod = "sha256"

    // -------- Reference 1 --------
    gen.addSameDocRef("_AE17AFFF-A600-49D5-B81D-76EEA55B50FF", digestMethod: "sha256", canonMethod: "EXCL_C14N", prefixList: "", refType: "")

    // Provide a certificate + private key. (PFX password is test123)
    let cert = CkoCert()!
    success = cert.loadPfxFile("qa_data/pfx/cert_test123.pfx", password: "test123")
    if success != true {
        print("\(cert.lastErrorText!)")
        return
    }

    gen.setX509Cert(cert, usePrivateKey: true)

    gen.keyInfoType = "X509Data+KeyValue"
    gen.x509Type = "Certificate"

    gen.behaviors = "IndentedSignature,ForceAddEnvelopedSignatureTransform,OmitAlreadyDefinedSigNamespace"

    // Sign the XML...
    success = gen.createXmlDSigSb(sbXml)
    if success != true {
        print("\(gen.lastErrorText!)")
        return
    }

    // -----------------------------------------------

    // Save the signed XML to a file.
    success = sbXml.writeFile("qa_output/signedXml.xml", charset: "utf-8", emitBom: false)

    print("\(sbXml.getAsString()!)")

    // ----------------------------------------
    // Verify the signatures we just produced...
    let verifier = CkoXmlDSig()!
    success = verifier.loadSignatureSb(sbXml)
    if success != true {
        print("\(verifier.lastErrorText!)")
        return
    }

    var numSigs: Int = verifier.numSignatures.intValue
    var verifyIdx: Int = 0
    while verifyIdx < numSigs {
        verifier.selector = verifyIdx
        var verified: Bool = verifier.verifySignature(true)
        if verified != true {
            print("\(verifier.lastErrorText!)")
            return
        }

        verifyIdx = verifyIdx + 1
    }

    print("All signatures were successfully verified.")

}