Beispiel #1
0
        /// <summary>
        /// Use this constructor to send combined entropy.
        /// </summary>
        /// <param name="keySizeInBits">The size of the symmetric key.</param>
        /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
        /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
        /// <param name="sourceEntropy">The requestor's entropy.</param>
        /// <param name="encryptWith">The algorithm Uri using which to encrypt the proof key.</param>
        /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
        /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
        public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                        EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy, string encryptWith)
        {
            if (sourceEntropy == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sourceEntropy");
            }

            if (sourceEntropy.Length == 0)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("sourceEntropy", SR.GetString(SR.ID2058));
            }

            _keySizeInBits = keySizeInBits;
            _sourceEntropy = sourceEntropy;
            //
            // Generate proof key using sender entropy
            //
            if (encryptWith == SecurityAlgorithms.DesEncryption ||
                encryptWith == SecurityAlgorithms.TripleDesEncryption ||
                encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
            {
                _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
            }
            else
            {
                _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
            }

            //
            // Set up the wrapping credentials
            //
            _requestorWrappingCredentials = requestorWrappingCredentials;
            _targetWrappingCredentials    = targetWrappingCredentials;
        }
        /// <summary>
        /// Use this constructor if you want the sts to use the given key bytes.
        /// This happens when client sends the entropy, and the sts would just use that 
        /// as the key for the issued token.
        /// </summary>
        /// <param name="key">The symmetric key that are used inside the issued token.</param>
        /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
        /// <exception cref="ArgumentNullException">When the key is null.</exception>
        public SymmetricProofDescriptor(byte[] key, EncryptingCredentials targetWrappingCredentials)
        {
            if (key == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
            }

            _keySizeInBits = key.Length;
            _key = key;

            _targetWrappingCredentials = targetWrappingCredentials;
        }
Beispiel #3
0
        /// <summary>
        /// Use this constructor if you want the sts to use the given key bytes.
        /// This happens when client sends the entropy, and the sts would just use that
        /// as the key for the issued token.
        /// </summary>
        /// <param name="key">The symmetric key that are used inside the issued token.</param>
        /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
        /// <exception cref="ArgumentNullException">When the key is null.</exception>
        public SymmetricProofDescriptor(byte[] key, EncryptingCredentials targetWrappingCredentials)
        {
            if (key == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
            }

            _keySizeInBits = key.Length;
            _key           = key;

            _targetWrappingCredentials = targetWrappingCredentials;
        }
Beispiel #4
0
        /// <summary>
        /// Creates an instance of EncryptedSecurityToken.
        /// </summary>
        /// <param name="token">The <see cref="SecurityToken"/> to encrypt.</param>
        /// <param name="encryptingCredentials">The <see cref="EncryptingCredentials"/> to use for encryption.</param>
        public EncryptedSecurityToken(SecurityToken token, EncryptingCredentials encryptingCredentials)
        {
            if (null == token)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
            }
            if (null == encryptingCredentials)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("encryptingCredentials");
            }

            _encryptingCredentials = encryptingCredentials;
            _realToken             = token;
        }
 public STSService(SecurityTokenServiceConfiguration configuration)
     : base(configuration)
 {
     _signingCredentials = new X509SigningCredentials(
         CertificateUtility.GetCertificateByThumbprint(
         StoreLocation.LocalMachine,
         StoreName.My,
         WebConfigurationManager.AppSettings["SigningCertificateThumbprint"].ToString()));
     if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString()))
     {
         _encryptingCredentials = new X509EncryptingCredentials(
             CertificateUtility.GetCertificateByThumbprint(
             StoreLocation.LocalMachine, StoreName.My,
             WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString()));
     }
 }
Beispiel #6
0
        /// <summary>
        /// Use this constructor to have the STS autogenerate a key and
        /// send it in the proof token as encrypted key. Two cases are covered here
        /// 1. client sends the entropy, but server rejects it
        /// 2. client did not send a entropy, so just use server's entropy
        /// </summary>
        /// <param name="keySizeInBits">the size of the symmetric key</param>
        /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
        /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
        /// <param name="encryptWith">The a----thm specified in the EncryptWith element of the RST.</param>
        /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
        /// <remarks>If EncryptWith is a DES algorithm, the key is guaranteed not to be a weak DES key.</remarks>
        public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                        EncryptingCredentials requestorWrappingCredentials, string encryptWith)
        {
            _keySizeInBits = keySizeInBits;

            if (encryptWith == SecurityAlgorithms.DesEncryption ||
                encryptWith == SecurityAlgorithms.TripleDesEncryption ||
                encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
            {
                _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits);
            }
            else
            {
                _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits);
            }

            _requestorWrappingCredentials = requestorWrappingCredentials;
            _targetWrappingCredentials    = targetWrappingCredentials;
        }
        /// <summary>
        /// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials.
        /// </summary>
        /// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param>
        /// <param name="keySizeInBits">The key size of the wrapped session key.</param>
        /// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param>
        /// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception>
        public EncryptedKeyEncryptingCredentials( EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm )
        {
            if ( wrappingCredentials == null )
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wrappingCredentials" );
            }

            //
            // Key materials
            //
            if ( encryptionAlgorithm == SecurityAlgorithms.DesEncryption ||
                 encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption ||
                 encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap )
            {
                _keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey( keySizeInBits );
            }
            else
            {
                _keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey( keySizeInBits );
            }
            base.SecurityKey = new InMemorySymmetricSecurityKey( _keyBytes );

            //
            // Wrapping key
            //
            _wrappingCredentials = wrappingCredentials;

            //
            // key identifier
            //
            byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey( _wrappingCredentials.Algorithm, _keyBytes );
            base.SecurityKeyIdentifier = new SecurityKeyIdentifier( new EncryptedKeyIdentifierClause( encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier ) );

            //
            // encryption algorithm
            //
            base.Algorithm = encryptionAlgorithm;
        }
        /// <summary>
        /// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials.
        /// </summary>
        /// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param>
        /// <param name="keySizeInBits">The key size of the wrapped session key.</param>
        /// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param>
        /// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception>
        public EncryptedKeyEncryptingCredentials(EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm)
        {
            if (wrappingCredentials == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingCredentials");
            }

            //
            // Key materials
            //
            if (encryptionAlgorithm == SecurityAlgorithms.DesEncryption ||
                encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption ||
                encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap)
            {
                _keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey(keySizeInBits);
            }
            else
            {
                _keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey(keySizeInBits);
            }
            base.SecurityKey = new InMemorySymmetricSecurityKey(_keyBytes);

            //
            // Wrapping key
            //
            _wrappingCredentials = wrappingCredentials;

            //
            // key identifier
            //
            byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey(_wrappingCredentials.Algorithm, _keyBytes);
            base.SecurityKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier));

            //
            // encryption algorithm
            //
            base.Algorithm = encryptionAlgorithm;
        }
Beispiel #9
0
 /// <summary>
 /// Initializes an instance of <see cref="Scope"/>
 /// </summary>
 /// <param name="appliesToAddress">The appliesTo address of the relying party.</param>
 /// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param>
 public Scope(string appliesToAddress, EncryptingCredentials encryptingCredentials)
     : this(appliesToAddress, null, encryptingCredentials)
 {
 }
Beispiel #10
0
		public Entropy (byte[] secret, EncryptingCredentials wrappingCredentials) : base (secret, wrappingCredentials)
		{ }
        internal static XmlDictionaryReader CreatePlaintextReaderFromEncryptedData(
                        XmlDictionaryReader reader,
                        SecurityTokenResolver serviceTokenResolver,
                        SecurityTokenSerializer keyInfoSerializer,
                        Collection<EncryptedKeyIdentifierClause> clauses,
                        out EncryptingCredentials encryptingCredentials)
        {
            if (reader == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
            }

            reader.MoveToContent();
            if (reader.IsEmptyElement)
            {
#pragma warning suppress 56504 // bogus - thinks reader.LocalName, reader.NamespaceURI need validation
                throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID3061, reader.LocalName, reader.NamespaceURI));
            }

            encryptingCredentials = null;

            XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.EncryptedElementType, Saml2Constants.Namespace);

            reader.ReadStartElement();
            EncryptedDataElement encryptedData = new EncryptedDataElement(keyInfoSerializer);

            // <xenc:EncryptedData> 1
            encryptedData.ReadXml(reader);

            // <xenc:EncryptedKey> 0-oo
            reader.MoveToContent();
            while (reader.IsStartElement(XmlEncryptionConstants.Elements.EncryptedKey, XmlEncryptionConstants.Namespace))
            {
                SecurityKeyIdentifierClause skic;
                if (keyInfoSerializer.CanReadKeyIdentifierClause(reader))
                {
                    skic = keyInfoSerializer.ReadKeyIdentifierClause(reader);
                }
                else
                {
                    EncryptedKeyElement encryptedKey = new EncryptedKeyElement(keyInfoSerializer);
                    encryptedKey.ReadXml(reader);
                    skic = encryptedKey.GetClause();
                }

                EncryptedKeyIdentifierClause encryptedKeyClause = skic as EncryptedKeyIdentifierClause;
                if (null == encryptedKeyClause)
                {
                    throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID4172));
                }

                clauses.Add(encryptedKeyClause);
            }

            reader.ReadEndElement();

            // Try to resolve the decryption key from both the embedded 
            // KeyInfo and any external clauses
            SecurityKey decryptionKey = null;
            SecurityKeyIdentifierClause matchingClause = null;

            foreach (SecurityKeyIdentifierClause clause in encryptedData.KeyIdentifier)
            {
                if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey))
                {
                    matchingClause = clause;
                    break;
                }
            }

            if (null == decryptionKey)
            {
                foreach (SecurityKeyIdentifierClause clause in clauses)
                {
                    if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey))
                    {
                        matchingClause = clause;
                        break;
                    }
                }
            }

            if (null == decryptionKey)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                    new EncryptedTokenDecryptionFailedException());
            }

            // Need a symmetric key
            SymmetricSecurityKey symmetricKey = decryptionKey as SymmetricSecurityKey;
            if (null == symmetricKey)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                    new SecurityTokenException(SR.GetString(SR.ID4023)));
            }

            // Do the actual decryption
            SymmetricAlgorithm decryptor = symmetricKey.GetSymmetricAlgorithm(encryptedData.Algorithm);
            byte[] plainText = encryptedData.Decrypt(decryptor);

            // Save off the encrypting credentials for roundtrip
            encryptingCredentials = new ReceivedEncryptingCredentials(decryptionKey, new SecurityKeyIdentifier(matchingClause), encryptedData.Algorithm);

            return XmlDictionaryReader.CreateTextReader(plainText, reader.Quotas);
        }
 /// <summary>
 /// Use this constructor if we want to send the key material encrypted.
 /// </summary>
 /// <param name="secret">The key material that needs to be protected.</param>
 /// <param name="wrappingCredentials">The encrypting credentials used to encrypt the key material.</param>
 public ProtectedKey(byte[] secret, EncryptingCredentials wrappingCredentials)
 {
     _secret = secret;
     _wrappingCredentials = wrappingCredentials;
 }
 /// <summary>
 /// Use this constructor to have the STS autogenerate a key and
 /// send it in the proof token as encrypted key. Two cases are covered here
 /// 1. client sends the entropy, but server rejects it
 /// 2. client did not send a entropy, so just use server's entropy
 /// </summary>
 /// <param name="keySizeInBits">the size of the symmetric key</param>
 /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
 /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
 /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
 public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials)
     : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, (string)null)
 {
 }
 /// <summary>
 /// Use this constructor if you want the sts to use the given <see cref="EncryptingCredentials"/>.
 /// </summary>
 /// <param name="targetWrappingCredentials">The <see cref="EncryptingCredentials"/> to be used.</param>
 public SymmetricProofDescriptor(EncryptingCredentials targetWrappingCredentials)
     : this(SecurityTokenServiceConfiguration.DefaultKeySizeInBitsConstant, targetWrappingCredentials)
 {
 }
Beispiel #15
0
 /// <summary>
 /// Use this constructor if you want the sts to use the given <see cref="EncryptingCredentials"/>.
 /// </summary>
 /// <param name="targetWrappingCredentials">The <see cref="EncryptingCredentials"/> to be used.</param>
 public SymmetricProofDescriptor(EncryptingCredentials targetWrappingCredentials)
     : this(SecurityTokenServiceConfiguration.DefaultKeySizeInBitsConstant, targetWrappingCredentials)
 {
 }
        /// <summary>
        /// Use this constructor to send combined entropy.
        /// </summary>
        /// <param name="keySizeInBits">The size of the symmetric key.</param>
        /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
        /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
        /// <param name="sourceEntropy">The requestor's entropy.</param>
        /// <param name="encryptWith">The algorithm Uri using which to encrypt the proof key.</param>
        /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
        /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
        public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                         EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy, string encryptWith)
        {
            if (sourceEntropy == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sourceEntropy");
            }

            if (sourceEntropy.Length == 0)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("sourceEntropy", SR.GetString(SR.ID2058));
            }

            _keySizeInBits = keySizeInBits;
            _sourceEntropy = sourceEntropy;
            //
            // Generate proof key using sender entropy
            //
            if (encryptWith == SecurityAlgorithms.DesEncryption ||
                 encryptWith == SecurityAlgorithms.TripleDesEncryption ||
                 encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
            {
                _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
            }
            else
            {
                _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
            }

            //
            // Set up the wrapping credentials
            //
            _requestorWrappingCredentials = requestorWrappingCredentials;
            _targetWrappingCredentials = targetWrappingCredentials;
        }
 /// <summary>
 /// Use this constructor if you want to send combined entropy.
 /// </summary>
 /// <param name="keySizeInBits">The size of the symmetric key.</param>
 /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
 /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
 /// <param name="sourceEntropy">The requestor's entropy.</param>
 /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
 /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
 public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                  EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy)
     : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, sourceEntropy, null)
 {
 }
Beispiel #18
0
 /// <summary>
 /// Use this constructor if you want to send combined entropy.
 /// </summary>
 /// <param name="keySizeInBits">The size of the symmetric key.</param>
 /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
 /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
 /// <param name="sourceEntropy">The requestor's entropy.</param>
 /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
 /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
 public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                 EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy)
     : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, sourceEntropy, null)
 {
 }
        /// <summary>
        /// Writes a <see cref="EncryptedSecurityToken"/> using the xmlWriter.
        /// </summary>
        /// <param name="writer">The XmlWriter to which the encrypted token is written.</param>
        /// <param name="token">The <see cref="SecurityToken"/> which must be an instance of <see cref="EncryptedSecurityToken"/>.</param>
        /// <exception cref="ArgumentNullException">The input prameter 'writer' is null.</exception>
        /// <exception cref="ArgumentNullException">The input prameter 'token' is null.</exception>
        /// <exception cref="ArgumentException">The <see cref="SecurityToken"/> is not an instance of <see cref="EncryptedSecurityToken"/>.</exception>
        /// <exception cref="InvalidOperationException">The property 'Configuration' is null. This property is required for obtaining keys for encryption.</exception>
        /// <exception cref="InvalidOperationException">The ContaingCollection was unable to find a <see cref="SecurityTokenHandler"/> that is able to write
        /// the <see cref="SecurityToken"/> returned by 'EncryptedSecurityToken.Token'.</exception>
        /// <exception cref="SecurityTokenException">The property 'EncryptinCredentials.SecurityKey is not a <see cref="SymmetricSecurityKey"/></exception>
        public override void WriteToken(XmlWriter writer, SecurityToken token)
        {
            if (null == writer)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
            }

            if (null == token)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
            }

            EncryptedSecurityToken encryptedToken = token as EncryptedSecurityToken;

            if (null == encryptedToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID4024));
            }

            if (this.ContainingCollection == null)
            {
                throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4279));
            }

            //
            // This implementation simply wraps the token in xenc:EncryptedData
            //
            EncryptedDataElement encryptedData = new EncryptedDataElement(KeyInfoSerializer);

            using (MemoryStream plaintextStream = new MemoryStream())
            {
                //
                // Buffer the plaintext
                //
                using (XmlDictionaryWriter plaintextWriter = XmlDictionaryWriter.CreateTextWriter(plaintextStream, Encoding.UTF8, false))
                {
                    SecurityTokenHandler securityTokenHandler = this.ContainingCollection[encryptedToken.Token.GetType()];
                    if (securityTokenHandler != null)
                    {
                        securityTokenHandler.WriteToken(plaintextWriter, encryptedToken.Token);
                    }
                    else
                    {
                        throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4224, encryptedToken.Token.GetType()));
                    }
                }

                //
                // Set up the EncryptedData element
                //
                EncryptingCredentials encryptingCredentials = encryptedToken.EncryptingCredentials;
                encryptedData.Type          = XmlEncryptionConstants.EncryptedDataTypes.Element;
                encryptedData.KeyIdentifier = encryptingCredentials.SecurityKeyIdentifier;
                encryptedData.Algorithm     = encryptingCredentials.Algorithm;

                //
                // Get the encryption key, which must be symmetric
                //
                SymmetricSecurityKey encryptingKey = encryptingCredentials.SecurityKey as SymmetricSecurityKey;
                if (encryptingKey == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID3064)));
                }

                //
                // Do the actual encryption
                //
                using (SymmetricAlgorithm symmetricAlgorithm = encryptingKey.GetSymmetricAlgorithm(encryptingCredentials.Algorithm))
                {
                    byte[] plainTextBytes = plaintextStream.GetBuffer();
                    DebugEncryptedTokenClearText(plainTextBytes, Encoding.UTF8);
                    encryptedData.Encrypt(symmetricAlgorithm, plainTextBytes, 0, (int)plaintextStream.Length);
                }
            }

            //
            // Write the EncryptedData element
            //
            encryptedData.WriteXml(writer, KeyInfoSerializer);
        }
Beispiel #20
0
 /// <summary>
 /// Initializes an instance of <see cref="Scope"/>
 /// </summary>
 /// <param name="appliesToAddress">The appliesTo address of the relying party.</param>
 /// <param name="signingCredentials">The signing credentials for the relying party.</param>
 /// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param>
 public Scope(string appliesToAddress, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
 {
     _appliesToAddress = appliesToAddress;
     _signingCredentials = signingCredentials;
     _encryptingCredentials = encryptingCredentials;
 }
Beispiel #21
0
 /// <summary>
 /// Use this constructor to have the STS autogenerate a key and
 /// send it in the proof token as encrypted key. Two cases are covered here
 /// 1. client sends the entropy, but server rejects it
 /// 2. client did not send a entropy, so just use server's entropy
 /// </summary>
 /// <param name="keySizeInBits">the size of the symmetric key</param>
 /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
 /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
 /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
 public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials)
     : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, (string)null)
 {
 }
 public CustomSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration, EncryptingCredentials encryptingCredentials, IDragonUserStore<AppMember> userStore)
     : base(securityTokenServiceConfiguration)
 {
     _encryptingCredentials = encryptingCredentials;
     _userStore = userStore;
 }
 public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
     : base(configuration)
 {
     _signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SIGNING_CERTIFICATE_NAME));
     _encryptingCreds = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, ENCRYPTING_CERTIFICATE_NAME));
 }
            /// <summary>
            /// Gets a security key identifier which contains the BinarySecretKeyIdentifierClause or 
            /// EncryptedKeyIdentifierClause if the wrapping credentials is available.
            /// </summary>
            public static SecurityKeyIdentifier GetSecurityKeyIdentifier(byte[] secret, EncryptingCredentials wrappingCredentials)
            {
                if (secret == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("secret");
                }

                if (secret.Length == 0)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("secret", SR.GetString(SR.ID6031));
                }

                if (wrappingCredentials == null || wrappingCredentials.SecurityKey == null)
                {
                    //
                    // BinarySecret case
                    //
                    return new SecurityKeyIdentifier(new BinarySecretKeyIdentifierClause(secret));
                }
                else
                {
                    //
                    // EncryptedKey case
                    //
                    byte[] wrappedKey = wrappingCredentials.SecurityKey.EncryptKey(wrappingCredentials.Algorithm, secret);

                    return new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(wrappedKey, wrappingCredentials.Algorithm, wrappingCredentials.SecurityKeyIdentifier));
                }
            }
        // This method reads the binary secret or encrypted key 
        public static ProtectedKey ReadProtectedKey(XmlReader reader, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
        {
            if (reader == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
            }

            if (trustConstants == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("trustConstants");
            }

            ProtectedKey protectedKey = null;

            if (!reader.IsEmptyElement)
            {
                if (reader.IsStartElement(trustConstants.Elements.BinarySecret, trustConstants.NamespaceURI))
                {
                    // BinarySecret case
                    BinarySecretSecurityToken token = ReadBinarySecretSecurityToken(reader, trustConstants);
                    byte[] secret = token.GetKeyBytes();
                    protectedKey = new ProtectedKey(secret);
                }
                else if (context.SecurityTokenHandlers.CanReadKeyIdentifierClause(reader))
                {
                    // EncryptedKey case
                    EncryptedKeyIdentifierClause encryptedKeyClause = context.SecurityTokenHandlers.ReadKeyIdentifierClause(reader) as EncryptedKeyIdentifierClause;

                    if (encryptedKeyClause != null)
                    {
                        SecurityKey wrappingKey = null;
                        byte[] secret;

                        foreach (SecurityKeyIdentifierClause wrappingKeyClause in encryptedKeyClause.EncryptingKeyIdentifier)
                        {
                            if (context.TokenResolver.TryResolveSecurityKey(wrappingKeyClause, out wrappingKey))
                            {
                                break;
                            }
                        }

                        if (wrappingKey == null)
                        {
                            // We can't resolve the ski, throw
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new WSTrustSerializationException(SR.GetString(SR.ID3027, "the SecurityHeaderTokenResolver or OutOfBandTokenResolver")));
                        }

                        secret = wrappingKey.DecryptKey(encryptedKeyClause.EncryptionMethod, encryptedKeyClause.GetEncryptedKey());
                        EncryptingCredentials wrappingCredentials = new EncryptingCredentials(wrappingKey, encryptedKeyClause.EncryptingKeyIdentifier, encryptedKeyClause.EncryptionMethod);

                        protectedKey = new ProtectedKey(secret, wrappingCredentials);
                    }
                }
            }

            return protectedKey;
        }
Beispiel #26
0
		public RequestedProofToken (Byte[] secret, EncryptingCredentials wrappingCredentials) {
			ProtectedKey = new ProtectedKey (secret, wrappingCredentials);
		}
        /// <summary>
        /// Use this constructor to have the STS autogenerate a key and
        /// send it in the proof token as encrypted key. Two cases are covered here
        /// 1. client sends the entropy, but server rejects it
        /// 2. client did not send a entropy, so just use server's entropy
        /// </summary>
        /// <param name="keySizeInBits">the size of the symmetric key</param>
        /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
        /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
        /// <param name="encryptWith">The a----thm specified in the EncryptWith element of the RST.</param>
        /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
        /// <remarks>If EncryptWith is a DES algorithm, the key is guaranteed not to be a weak DES key.</remarks>
        public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
                                         EncryptingCredentials requestorWrappingCredentials, string encryptWith)
        {
            _keySizeInBits = keySizeInBits;

            if (encryptWith == SecurityAlgorithms.DesEncryption ||
                 encryptWith == SecurityAlgorithms.TripleDesEncryption ||
                 encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
            {
                _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits);
            }
            else
            {
                _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits);
            }

            _requestorWrappingCredentials = requestorWrappingCredentials;
            _targetWrappingCredentials = targetWrappingCredentials;
        }