public void Properties()
{
X509ThumbprintKeyIdentifierClause ic =
new X509ThumbprintKeyIdentifierClause(cert);
Assert.AreEqual(cert.GetCertHash(), ic.GetX509Thumbprint(), "#1-1");
Assert.AreEqual(null, ic.ClauseType, "#1-2");
ic = new X509SecurityToken(cert).CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause> ();
Assert.AreEqual(cert.GetCertHash(), ic.GetX509Thumbprint(), "#2-1");
Assert.AreEqual(null, ic.ClauseType, "#2-2");
}
WrappedKeySecurityToken GetReferent()
{
string id = "referent";
byte [] key = new byte [32];
X509SecurityToken token = new X509SecurityToken(cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause(cert);
string alg = SecurityAlgorithms.RsaOaepKeyWrap;
return(new WrappedKeySecurityToken(id, key, alg, token,
new SecurityKeyIdentifier(kic)));
}
/// <summary>
/// Verifies the signature.
/// </summary>
/// <param name="xml">The XML.</param>
/// <returns>The issuer certificate</returns>
protected virtual X509Certificate2 VerifySignature(XElement xml)
{
Contract.Requires(xml != null);
Contract.Ensures(Contract.Result <X509Certificate2>() != null);
if ((Configuration == null) || (Configuration.IssuerTokenResolver == null))
{
throw new SecurityTokenException("No issuer token resolver configured");
}
var xmlElement = xml.ToXmlElement();
var signedXml = new SignedXml(xmlElement);
// find signature
XmlNodeList nodeList = xmlElement.GetElementsByTagName("Signature");
// throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// throw an exception if more than one signature was found.
if (nodeList.Count > 1)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// load the <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// resolve the issuer certificate
byte[] thumbprint = Convert.FromBase64String(GetIssuerThumbprint(signedXml));
var identifier = new X509ThumbprintKeyIdentifierClause(thumbprint);
var issuerKey = Configuration.IssuerTokenResolver.ResolveToken(identifier) as X509SecurityToken;
// check the signature
if (!signedXml.CheckSignature(issuerKey.Certificate, true))
{
throw new CryptographicException("Signature verification failed");
}
if (issuerKey.Certificate != null)
{
return(issuerKey.Certificate);
}
else
{
throw new CryptographicException("No issuer certificate found");
}
}
void WriteX509ThumbprintKeyIdentifierClause(
XmlWriter w, X509ThumbprintKeyIdentifierClause ic)
{
w.WriteStartElement("o", "SecurityTokenReference", Constants.WssNamespace);
w.WriteStartElement("o", "KeyIdentifier", Constants.WssNamespace);
w.WriteAttributeString("ValueType", Constants.WssKeyIdentifierX509Thumbptint);
if (EmitBspRequiredAttributes)
{
w.WriteAttributeString("EncodingType", Constants.WssBase64BinaryEncodingType);
}
w.WriteString(Convert.ToBase64String(ic.GetX509Thumbprint()));
w.WriteEndElement();
w.WriteEndElement();
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
token = null;
foreach (X509Certificate2 cert in trustedIssuerCertificates)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((thumbprintKeyIdentifierClause != null) && (thumbprintKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((issuerSerialKeyIdentifierClause != null) && (issuerSerialKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((subjectKeyIdentifierClause != null) && (subjectKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((rawDataKeyIdentifierClause != null) && (rawDataKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
}
return(false);
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
token = null;
X509Certificate2 matched = null;
X509ThumbprintKeyIdentifierClause clause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((clause != null) && this.TryMatchCertificates(clause.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509IssuerSerialKeyIdentifierClause clause2 = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((clause2 != null) && TryMatchCertificates(clause2.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509SubjectKeyIdentifierClause clause3 = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((clause3 != null) && TryMatchCertificates(clause3.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509RawDataKeyIdentifierClause clause4 = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((clause4 != null) && TryMatchCertificates(clause4.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
if (this.innerResolver != null)
{
return(this.innerResolver.TryResolveToken(keyIdentifierClause, out token));
}
return(false);
}
public void X509WrappingToken1()
{
byte [] bytes = new byte [32];
X509SecurityToken xt = new X509SecurityToken(cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause(cert);
string alg = SecurityAlgorithms.RsaOaepKeyWrap;
WrappedKeySecurityToken token = new WrappedKeySecurityToken("urn:gyabo",
bytes, alg, xt,
new SecurityKeyIdentifier(kic));
Assert.AreEqual("urn:gyabo", token.Id, "#1");
Assert.AreEqual(alg, token.WrappingAlgorithm, "#3");
Assert.AreEqual(xt, token.WrappingToken, "#4");
Assert.AreEqual(1, token.WrappingTokenReference.Count, "#5");
Assert.AreEqual(1, token.SecurityKeys.Count, "#6");
Assert.IsTrue(token.SecurityKeys [0] is InMemorySymmetricSecurityKey, "#7");
Assert.AreEqual(bytes, new X509AsymmetricSecurityKey(cert).DecryptKey(token.WrappingAlgorithm, token.GetWrappedKey()), "#8");
// wrapped keys cannot be compared, due to the nature of rsa-oaep.
// Assert.AreEqual (new X509AsymmetricSecurityKey (cert).EncryptKey (token.WrappingAlgorithm, bytes), token.GetWrappedKey (), "#9-1");
// Assert.AreEqual (token.GetWrappedKey (), new WrappedKeySecurityToken ("urn:gyabo",
// bytes, alg, xt,
// new SecurityKeyIdentifier (kic)).GetWrappedKey (), "#9");
}
public void MatchesKeyIdentifierClause()
{
UniqueId id = new UniqueId();
X509SecurityToken t = new X509SecurityToken(cert, id.ToString());
LocalIdKeyIdentifierClause l =
new LocalIdKeyIdentifierClause(id.ToString());
Assert.IsTrue(t.MatchesKeyIdentifierClause(l), "#1-1");
l = new LocalIdKeyIdentifierClause("#" + id.ToString());
Assert.IsFalse(t.MatchesKeyIdentifierClause(l), "#1-2");
X509ThumbprintKeyIdentifierClause h =
new X509ThumbprintKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(h), "#2-1");
h = new X509ThumbprintKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(h), "#2-2");
X509IssuerSerialKeyIdentifierClause i =
new X509IssuerSerialKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(i), "#3-1");
i = new X509IssuerSerialKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(i), "#3-2");
X509RawDataKeyIdentifierClause s =
new X509RawDataKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(s), "#4-1");
s = new X509RawDataKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(s), "#4-2");
}
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
{
token = null;
key = null;
CertMatcher certMatcher = null;
// for SAML tokens the highest probability are certs, with RawData first
X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawCertKeyIdentifierClause != null)
{
certMatcher = rawCertKeyIdentifierClause.Matches;
}
else
{
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null)
{
certMatcher = subjectKeyIdentifierClause.Matches;
}
else
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null)
{
certMatcher = thumbprintKeyIdentifierClause.Matches;
}
else
{
X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerKeyIdentifierClause != null)
{
certMatcher = issuerKeyIdentifierClause.Matches;
}
}
}
}
if (_validationParameters.IssuerSigningKeyResolver != null)
{
key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
if (key != null)
{
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKey != null)
{
if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token))
{
key = _validationParameters.IssuerSigningKey;
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKeys != null)
{
foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
{
if (Matches(keyIdentifierClause, securityKey, certMatcher, out token))
{
key = securityKey;
this.IsKeyMatched = true;
break;
}
}
}
if (_validationParameters.IssuerSigningToken != null)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = _validationParameters.IssuerSigningToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningTokens != null)
{
foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = issuerToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
break;
}
}
}
return(this.IsKeyMatched);
}
