private SOAPEnvelope <SAMLRequestBody> BuildEIDSamlRequest(string pin)
{
SOAPEnvelope <SAMLRequestBody> samlEnv = null;
var orgAuthCertificate = _keyStoreManager.GetOrgAuthCertificate();
using (var discovery = new BeIDCardDiscovery())
{
var readers = discovery.GetReaders();
using (var connection = discovery.Connect(readers.First()))
{
var certificate = connection.GetAuthCertificate();
var idAuthCertificate = new MedikitCertificate(new X509Certificate2(connection.GetAuthCertificate().Export(X509ContentType.Cert)), null);
samlEnv = BuildRequest(idAuthCertificate, orgAuthCertificate, (_ =>
{
byte[] hashPayload = null;
using (var sha = new SHA1CryptoServiceProvider())
{
hashPayload = sha.ComputeHash(_);
}
return(connection.SignWithAuthenticationCertificate(hashPayload, BeIDDigest.Sha1, pin));
}));
}
}
return(samlEnv);
}
public SOAPRequestBuilder <T> SignWithCertificate(MedikitCertificate certificate)
{
return(SignWithCertificate(_ =>
{
var privateKey = (RSA)certificate.PrivateKey;
var signaturePayload = privateKey.SignData(_, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
return signaturePayload;
}));
}
public static byte[] Seal(byte[] payload, MedikitCertificate senderCertificate, string keyId, SymmetricAlgorithm symmetricAlg)
{
var lst = new List <X509Certificate2>
{
senderCertificate.Certificate
};
var signer = new CertificateSigner(senderCertificate);
var inner = Sign(payload, senderCertificate.Certificate, null, SigningPolicy.EHEALTH_CERT, signer);
var envelopedMessage = Encrypt(inner, symmetricAlg, keyId);
var outer = Sign(envelopedMessage, senderCertificate.Certificate, lst, SigningPolicy.EHEALTH_CERT, signer);
return(outer);
}
public static byte[] Seal(byte[] payload, MedikitCertificate senderCertificate, X509Certificate2 recipientCertificate)
{
var lst = new List <X509Certificate2>
{
senderCertificate.Certificate
};
var signer = new CertificateSigner(senderCertificate);
var inner = Sign(payload, senderCertificate.Certificate, null, SigningPolicy.EHEALTH_CERT, signer);
var envelopedMessage = Encrypt(inner, recipientCertificate);
var outer = Sign(envelopedMessage, senderCertificate.Certificate, lst, SigningPolicy.EHEALTH_CERT, signer);
return(outer);
}
public Task <int> Update(MedikitCertificate certificate)
{
return(_database.UpdateAsync(certificate));
}
public Task <int> Add(MedikitCertificate certificate)
{
return(_database.InsertAsync(certificate));
}
private SOAPEnvelope <SAMLRequestBody> BuildRequest(MedikitCertificate idAuthCertificate, MedikitCertificate orgAuthCertificate, Func <byte[], byte[]> signCallback)
{
var samlAttributes = new List <SAMLAttribute>
{
new SAMLAttribute
{
AttributeName = Constants.AttributeStatementNames.CertificateHolderPersonSSIN,
AttributeNamespace = Constants.AttributeStatementNamespaces.Identification,
AttributeValue = idAuthCertificate.Certificate.ExtractSSIN()
},
new SAMLAttribute
{
AttributeName = Constants.AttributeStatementNames.PersonSSIN,
AttributeNamespace = Constants.AttributeStatementNamespaces.Identification,
AttributeValue = idAuthCertificate.Certificate.ExtractSSIN()
},
new SAMLAttribute
{
AttributeName = _options.IdentityProfession.Code,
AttributeNamespace = Constants.AttributeStatementNamespaces.Certified
},
new SAMLAttribute
{
AttributeName = _options.IdentityProfession.CertificationAttribute,
AttributeNamespace = Constants.AttributeStatementNamespaces.Certified
}
};
var issueInstant = DateTime.UtcNow;
var majorVersion = 1;
var minorVersion = 1;
var bodyId = $"id-{Guid.NewGuid().ToString()}";
var requestId = $"request-{Guid.NewGuid().ToString()}";
var assertionId = $"assertion-{Guid.NewGuid().ToString()}";
var userSubject = FormatSubject(idAuthCertificate.Certificate.Subject);
var issuerSubject = FormatSubject(idAuthCertificate.Certificate.Issuer);
var nameIdentifier = new SAMLNameIdentifier
{
Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
NameQualifier = issuerSubject,
Content = userSubject
};
var samlRequest = new SAMLRequest
{
MajorVersion = majorVersion,
MinorVersion = minorVersion,
RequestId = requestId,
IssueInstant = issueInstant,
AttributeQuery = new SAMLAttributeQuery
{
Subject = new SAMLSubject
{
NameIdentifier = nameIdentifier,
SubjectConfirmation = new SAMLSubjectConfirmation
{
ConfirmationMethod = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
SubjectConfirmationData = new SAMLSubjectConfirmationData
{
Assertion = new SAMLAssertion
{
IssueInstant = issueInstant,
AssertionId = assertionId,
Issuer = userSubject,
MajorVersion = majorVersion,
MinorVersion = minorVersion,
Conditions = new SAMLConditions
{
NotBefore = issueInstant,
NotOnOrAfter = issueInstant.AddDays(1)
},
AttributeStatement = new SAMLAttributeStatement
{
Subject = new SAMLSubject
{
NameIdentifier = nameIdentifier
},
Attribute = samlAttributes.Where(_ => !string.IsNullOrWhiteSpace(_.AttributeValue)).ToList()
}
}
},
KeyInfo = new SOAPKeyInfo
{
X509Data = new SOAPX509Data
{
X509Certificate = Convert.ToBase64String(orgAuthCertificate.Certificate.Export(X509ContentType.Cert))
}
}
}
},
AttributeDesignator = samlAttributes.Select(a => new SAMLAttributeDesignator
{
AttributeName = a.AttributeName,
AttributeNamespace = a.AttributeNamespace
}).ToList()
}
};
var samlRequestBody = new SAMLRequestBody
{
Id = bodyId,
Request = samlRequest
};
var signedInfo = CanonicalizeHelper.Canonicalize(samlRequestBody.Serialize().SerializeToString(), new List <string>
{
samlRequest.RequestId
}, new List <Transform>
{
new XmlDsigEnvelopedSignatureTransform(),
new XmlDsigExcC14NTransform()
});
var payload = signedInfo.ComputeSignature();
var privateKey = (RSA)orgAuthCertificate.PrivateKey;
var signaturePayload = privateKey.SignData(payload, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
var signatureStr = Convert.ToBase64String(signaturePayload);
samlRequest.Signature = new SOAPSignature
{
KeyInfo = new SOAPKeyInfo
{
X509Data = new SOAPX509Data
{
X509Certificate = Convert.ToBase64String(orgAuthCertificate.Certificate.Export(X509ContentType.Cert))
}
},
SignatureValue = signatureStr,
SignedInfo = signedInfo
};
return(SOAPRequestBuilder <SAMLRequestBody> .New(samlRequestBody)
.AddTimestamp(issueInstant)
.AddBinarySecurityToken(idAuthCertificate.Certificate)
.AddReferenceToBinarySecurityToken()
.SignWithCertificate(signCallback)
.Build());
}
