public static void Encrypt(XmlDocument Doc, string ElementToEncrypt, X509Certificate2 Cert)
{
XmlElement elementToEncrypt = Doc.GetElementsByTagName(ElementToEncrypt)[0] as XmlElement;
if (elementToEncrypt == null)
{
throw new XmlException("The specified element was not found");
}
EncryptedXml eXml = new EncryptedXml();
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, Cert);
EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
}
public static XmlElement Encrypt(SmtpAddress externalId, SymmetricSecurityKey symmetricSecurityKey)
{
XmlDocument xmlDocument = new SafeXmlDocument();
XmlElement xmlElement = xmlDocument.CreateElement("SharingKey");
xmlElement.InnerText = externalId.ToString();
EncryptedXml encryptedXml = new EncryptedXml();
encryptedXml.AddKeyNameMapping("key", symmetricSecurityKey.GetSymmetricAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));
EncryptedData encryptedData = encryptedXml.Encrypt(xmlElement, "key");
return(encryptedData.GetXml());
}
public static void Encrypt(XmlDocument Doc, string ElementToEncrypt, SymmetricAlgorithm Alg, string KeyName)
{
// Check the arguments.
if (Doc == null)
{
throw new ArgumentNullException("Doc");
}
if (ElementToEncrypt == null)
{
throw new ArgumentNullException("ElementToEncrypt");
}
if (Alg == null)
{
throw new ArgumentNullException("Alg");
}
////////////////////////////////////////////////
// Find the specified element in the XmlDocument
// object and create a new XmlElemnt object.
////////////////////////////////////////////////
XmlElement elementToEncrypt = Doc.GetElementsByTagName(ElementToEncrypt)[0] as XmlElement;
// Throw an XmlException if the element was not found.
if (elementToEncrypt == null)
{
throw new XmlException("The specified element was not found");
}
//////////////////////////////////////////////////
// Create a new instance of the EncryptedXml class
// and use it to encrypt the XmlElement with the
// symmetric key.
//////////////////////////////////////////////////
EncryptedXml eXml = new EncryptedXml();
// Add the key mapping.
eXml.AddKeyNameMapping(KeyName, Alg);
// Encrypt the element.
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, KeyName);
////////////////////////////////////////////////////
// Replace the element from the original XmlDocument
// object with the EncryptedData element.
////////////////////////////////////////////////////
EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
}
public override XmlNode Encrypt(XmlNode node)
{
XmlDocument doc = new ConfigurationXmlDocument();
doc.Load(new StringReader(node.OuterXml));
EncryptedXml ex = new EncryptedXml(doc);
ex.AddKeyNameMapping("Rsa Key", GetProvider());
EncryptedData d = ex.Encrypt(doc.DocumentElement, "Rsa Key");
return(d.GetXml());
}
public override XmlNode Encrypt(XmlNode node)
{
// Load config section to encrypt into xmlDocument instance
XmlDocument doc = new XmlDocument {
PreserveWhitespace = true
};
doc.LoadXml(node.OuterXml);
// Encrypt it
EncryptedXml eXml = new EncryptedXml();
EncryptedData eData = eXml.Encrypt(doc.DocumentElement, this.cert);
return(eData.GetXml());
}
public static void Encrypt(XmlDocument Doc, string ElementToEncrypt, X509Certificate2 Cert)
{
// Check the arguments.
if (Doc == null)
{
throw new ArgumentNullException("Doc");
}
if (ElementToEncrypt == null)
{
throw new ArgumentNullException("ElementToEncrypt");
}
if (Cert == null)
{
throw new ArgumentNullException("Cert");
}
////////////////////////////////////////////////
// Find the specified element in the XmlDocument
// object and create a new XmlElemnt object.
////////////////////////////////////////////////
XmlElement elementToEncrypt = Doc.GetElementsByTagName(ElementToEncrypt)[0] as XmlElement;
// Throw an XmlException if the element was not found.
if (elementToEncrypt == null)
{
throw new XmlException("The specified element was not found");
}
//////////////////////////////////////////////////
// Create a new instance of the EncryptedXml class
// and use it to encrypt the XmlElement with the
// X.509 Certificate.
//////////////////////////////////////////////////
EncryptedXml eXml = new EncryptedXml();
// Encrypt the element.
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, Cert);
////////////////////////////////////////////////////
// Replace the element from the original XmlDocument
// object with the EncryptedData element.
////////////////////////////////////////////////////
EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
}
EncryptedData IInternalCertificateXmlEncryptor.PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt)
{
var cert = _certFactory(); // original CryptoUtil.Fail call removed
_logger.LogDebug("Encrypting to X.509 certificate with thumbprint '{Thumbprint}'.", cert.Thumbprint); // original ILogger extensions calls replaced
try
{
return(encryptedXml.Encrypt(elementToEncrypt, cert));
}
catch (Exception ex)
{
_logger.LogError(ex, "An error occurred while encrypting to X.509 certificate with thumbprint '{Thumbprint}'.", cert.Thumbprint); // original ILogger extensions calls replaced
throw;
}
}
EncryptedData IInternalCertificateXmlEncryptor.PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt)
{
var cert = _certFactory()
?? CryptoUtil.Fail <X509Certificate2>("Cert factory returned null.");
_logger?.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint);
try
{
return(encryptedXml.Encrypt(elementToEncrypt, cert));
}
catch (Exception ex)
{
_logger?.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex);
throw;
}
}
private static void encryptDocument(X509Certificate2 cert, XmlDocument doc)
{
string encData = "<root xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">" +
"<xenc:EncryptedKey xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"Cert\"><xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-1_5\">" +
"</xenc:EncryptionMethod><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">" +
"<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\" ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\">" +
"</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue></xenc:CipherValue></xenc:CipherData>" +
"<xenc:ReferenceList><xenc:DataReference URI=\"#Body\"></xenc:DataReference></xenc:ReferenceList></xenc:EncryptedKey></root>";
XmlDocument encryptedDataTags = new XmlDocument();
encryptedDataTags.LoadXml(encData);
doc.DocumentElement.FirstChild.FirstChild.PrependChild(doc.ImportNode(encryptedDataTags.FirstChild.FirstChild, true));
XmlElement elementToEncrypt = doc.GetElementsByTagName(REQUEST_MESSAGE)[0] as XmlElement;
EncryptedXml eXml = new EncryptedXml();
// Encrypt the element.
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, cert);
EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
// Extract cybs certificate and put it in keyidentifier tag
XmlNodeList serverCert = doc.GetElementsByTagName("X509Certificate");
doc.GetElementsByTagName("wsse:KeyIdentifier")[0].InnerText = serverCert[0].InnerText;
// Extract ciphervalues
XmlNodeList tempkey = doc.GetElementsByTagName("CipherValue");
string encryptedPayload = tempkey[1].InnerText;
// Put temporary encrypted key in ciphervalue tag inside keyinfo
doc.GetElementsByTagName("xenc:CipherValue")[0].InnerText = tempkey[0].InnerText;
string encryptedSoapBody = "<xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"Body\" Type=\"http://www.w3.org/2001/04/xmlenc#Content\">" +
"<xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\">" +
"</xenc:EncryptionMethod><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">" +
"<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">" +
"<wsse:Reference URI=\"#Cert\"></wsse:Reference></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>" +
"</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>";
// Put encypted body inside ciphervalue tag
doc.GetElementsByTagName("SOAP-ENV:Body")[0].InnerXml = encryptedSoapBody;
doc.GetElementsByTagName("xenc:CipherValue")[1].InnerText = encryptedPayload;
}
public static string SerializeAndSignSAMLResponse(ResponseType Response)
{
// Set serializer and writers for action
XmlSerializer responseSerializer = new XmlSerializer(Response.GetType());
StringWriter stringWriter = new StringWriter();
XmlWriter responseWriter = XmlTextWriter.Create(stringWriter, new XmlWriterSettings()
{
OmitXmlDeclaration = true, Indent = true, Encoding = Encoding.UTF8
});
responseSerializer.Serialize(responseWriter, Response);
responseWriter.Close();
XmlDocument xmlResponse = new XmlDocument();
xmlResponse.LoadXml(stringWriter.ToString());
XmlElement elementToEncrypt = xmlResponse.GetElementsByTagName("saml:Assertion")[0] as XmlElement;
/////////////////////////////////////////////////////
// Create a new instance of the EncryptedXml class //
// and use it to encrypt the XmlElement with the //
// X.509 Certificate. //
/////////////////////////////////////////////////////
EncryptedXml eXml = new EncryptedXml();
// Encrypt the element.
X509Certificate2 certificate = new X509Certificate2(@"C:\Program Files\OpenSSL-Win64\bin\certificate.crt");//SAMLConfiguration.Current.CertificateManager.GetPartnerCertificate(partnerSP);
//X509Certificate2 certificate2 = new X509Certificate2(@"C:\Program Files\OpenSSL-Win64\bin\certificate1.pfx", "VSIP@ssw0rd");
//certificate.Import(@"C:\Program Files\OpenSSL-Win64\bin\certificate.crt");
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, certificate);
XmlElement encryptedAssertion = xmlResponse.CreateElement("saml", "EncryptedAssertion", "urn:oasis:names:tc:SAML:2.0:assertion");
EncryptedXml.ReplaceElement(encryptedAssertion, edElement, true);
///////////////////////////////////////////////////////
// Replace the element from the original XmlDocument //
// object with the EncryptedData element. //
///////////////////////////////////////////////////////
xmlResponse.GetElementsByTagName("Response")[0].ReplaceChild(encryptedAssertion, elementToEncrypt);
return(xmlResponse.OuterXml);
}
private void CheckEncryptionMethod(object algorithm, string uri)
{
XmlDocument doc = new XmlDocument();
doc.LoadXml("<root />");
EncryptedXml exml = new EncryptedXml();
exml.AddKeyNameMapping("key", algorithm);
EncryptedData edata = exml.Encrypt(doc.DocumentElement, "key");
IEnumerator keyInfoEnum = edata.KeyInfo.GetEnumerator();
keyInfoEnum.MoveNext();
KeyInfoEncryptedKey kiEncKey = keyInfoEnum.Current as KeyInfoEncryptedKey;
Assert.NotNull(edata);
Assert.Equal(uri, kiEncKey.EncryptedKey.EncryptionMethod.KeyAlgorithm);
Assert.NotNull(edata.CipherData.CipherValue);
}
public void DecryptData_CipherReference_InvalidUri()
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
string xml = "<root> <child>sample</child> </root>";
doc.LoadXml(xml);
using (Aes aes = Aes.Create())
{
EncryptedXml exml = new EncryptedXml();
exml.AddKeyNameMapping("aes", aes);
EncryptedData ed = exml.Encrypt(doc.DocumentElement, "aes");
ed.CipherData = new CipherData();
ed.CipherData.CipherReference = new CipherReference("invaliduri");
Assert.Throws <CryptographicException>(() => exml.DecryptData(ed, aes));
}
}
/// <summary>
/// Encrypt the element within the xml document.
/// </summary>
/// <param name="document">The xml document containing the element to encrypt.</param>
/// <param name="elementToEncrypt">The element to encrypt.</param>
/// <param name="certificate">The certificate used to encrypt the element.</param>
public void Encrypt(XmlDocument document, string elementToEncrypt, X509Certificate2 certificate)
{
// Check the arguments.
if (document == null)
{
throw new ArgumentNullException("document");
}
if (string.IsNullOrEmpty(elementToEncrypt))
{
throw new ArgumentNullException("elementToEncrypt");
}
if (document == null)
{
throw new ArgumentNullException("algorithm");
}
// Find the specified element in the XmlDocument
// object and create a new XmlElemnt object.
XmlElement element = document.GetElementsByTagName(elementToEncrypt)[0] as XmlElement;
// Throw an XmlException if the element was not found.
if (elementToEncrypt == null)
{
throw new XmlException("The specified element was not found");
}
// Create a new instance of the EncryptedXml class
// and use it to encrypt the XmlElement with the
// X.509 Certificate.
EncryptedXml eXml = new EncryptedXml();
// Encrypt the element.
EncryptedData edElement = eXml.Encrypt(element, certificate);
// Replace the element from the original XmlDocument
// object with the EncryptedData element.
EncryptedXml.ReplaceElement(element, edElement, false);
}
// Зашифрование узла в адрес абонента, заданного сертификатом
// получателя.
static void Encrypt(XmlDocument Doc, string xpath,
X509Certificate2 Cert)
{
// Ищем заданный элемент для заширования.
XmlElement elementToEncrypt = Doc.SelectSingleNode(xpath) as XmlElement;
if (elementToEncrypt == null)
{
throw new XmlException("Узел не найден");
}
// Создаем объект EncryptedXml для
// шифрования XmlElement
EncryptedXml eXml = new EncryptedXml();
// Шифруем элемент на сертификате.
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, Cert);
// Заменяем исходный элемент XML документа зашифрованным.
EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
}
public static XDocument EncodeXML(XmlDocument srcDoc)
{
if (srcDoc == null)
{
return(null);
}
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.FromXmlString(x302c4346ab49b3404);
EncryptedXml encXml = new EncryptedXml(srcDoc);
encXml.AddKeyNameMapping("asyncKey", rsa);
var docElement = srcDoc.DocumentElement;
if (docElement != null)
{
EncryptedData encryptedData = encXml.Encrypt(docElement, "asyncKey");
EncryptedXml.ReplaceElement(docElement, encryptedData, false);
}
return(XDocument.Parse(srcDoc.OuterXml));
}
public static void DecryptWithCertificate_NotInStore()
{
const string SecretMessage = "Grilled cheese is tasty";
XmlDocument document = new XmlDocument();
document.LoadXml($"<data><secret>{SecretMessage}</secret></data>");
XmlElement toEncrypt = (XmlElement)document.DocumentElement.FirstChild;
var cert = TestHelpers.GetSampleX509Certificate();
EncryptedXml encryptor = new EncryptedXml(document);
EncryptedData encryptedElement = encryptor.Encrypt(toEncrypt, cert.Item1);
EncryptedXml.ReplaceElement(toEncrypt, encryptedElement, false);
XmlDocument document2 = new XmlDocument();
document2.LoadXml(document.OuterXml);
EncryptedXml decryptor = new EncryptedXml(document2);
Assert.Throws<System.Security.Cryptography.CryptographicException>(() => decryptor.DecryptDocument());
Assert.DoesNotContain(SecretMessage, document2.OuterXml);
}
public void ReplaceData2NonDocumentElementTest()
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.LoadXml(InputXml);
using (Rijndael aes = new RijndaelManaged())
{
aes.GenerateKey();
aes.GenerateIV();
// Encrypt the XML document
EncryptedXml encryptedXml = new EncryptedXml(doc);
encryptedXml.AddKeyNameMapping("key", aes);
XmlElement secretElement = doc.GetElementsByTagName("child")[0] as XmlElement;
EncryptedData encrypted = encryptedXml.Encrypt(secretElement, "key");
EncryptedXml.ReplaceElement(secretElement, encrypted, false);
// Decrypt it back
XmlElement encryptedElement = doc.GetElementsByTagName("EncryptedData", EncryptedXml.XmlEncNamespaceUrl)[0] as XmlElement;
EncryptedData encryptedData = new EncryptedData();
encryptedData.LoadXml(encryptedElement);
EncryptedXml decryptXml = new EncryptedXml(doc);
decryptXml.AddKeyNameMapping("key", aes);
byte[] decryptedData = decryptXml.DecryptData(encryptedData,
decryptXml.GetDecryptionKey(encryptedData, null));
decryptXml.ReplaceData2(encryptedElement, decryptedData);
}
// Now that we've encrypted and decrypted the data, ensure that we have both the XML
// declaration, and the root node in place.
Assert.IsTrue(doc.FirstChild.NodeType == XmlNodeType.XmlDeclaration);
Assert.AreEqual("root", doc.FirstChild.NextSibling.Name);
Assert.AreEqual(InputXml, doc.OuterXml);
}
public void Encrypt_X509()
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
string xml = "<root> <child>sample</child> </root>";
doc.LoadXml(xml);
var certificate = TestHelpers.GetSampleX509Certificate();
EncryptedXml exml = new EncryptedXml();
EncryptedData ed = exml.Encrypt(doc.DocumentElement, certificate.Item1);
Assert.NotNull(ed);
doc.LoadXml(ed.GetXml().OuterXml);
XmlNamespaceManager nm = new XmlNamespaceManager(doc.NameTable);
nm.AddNamespace("enc", EncryptedXml.XmlEncNamespaceUrl);
Assert.NotNull(doc.SelectSingleNode("//enc:EncryptedKey", nm));
Assert.DoesNotContain("sample", doc.OuterXml);
}
public void Encrypt_DecryptDocument_AES()
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
string xml = "<root> <child>sample</child> </root>";
doc.LoadXml(xml);
using (Aes aes = Aes.Create())
{
EncryptedXml exml = new EncryptedXml();
exml.AddKeyNameMapping("aes", aes);
EncryptedData ed = exml.Encrypt(doc.DocumentElement, "aes");
doc.LoadXml(ed.GetXml().OuterXml);
EncryptedXml exmlDecryptor = new EncryptedXml(doc);
exmlDecryptor.AddKeyNameMapping("aes", aes);
exmlDecryptor.DecryptDocument();
Assert.Equal(xml, doc.OuterXml);
}
}
EncryptedData IInternalCertificateXmlEncryptor.PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt)
{
var cert = _certFactory()
?? CryptoUtil.Fail <X509Certificate2>("Cert factory returned null.");
if (_logger.IsVerboseLevelEnabled())
{
_logger.LogVerboseF($"Encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'.");
}
try
{
return(encryptedXml.Encrypt(elementToEncrypt, cert));
}
catch (Exception ex)
{
if (_logger.IsErrorLevelEnabled())
{
_logger.LogErrorF(ex, $"An error occurred while encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'.");
}
throw;
}
}
private XmlDocument GetTransformedOutput(XmlDocument doc, string nodeToEncrypt)
{
using (var aesAlgo = Aes.Create())
{
var encryptedXml = new EncryptedXml();
encryptedXml.AddKeyNameMapping("aes", aesAlgo);
XmlElement elementToEncrypt = (XmlElement)doc.DocumentElement.SelectSingleNode(nodeToEncrypt);
EncryptedData encryptedData = encryptedXml.Encrypt(elementToEncrypt, "aes");
EncryptedXml.ReplaceElement(elementToEncrypt, encryptedData, false);
XmlNamespaceManager xmlNamespaceManager = new XmlNamespaceManager(doc.NameTable);
xmlNamespaceManager.AddNamespace("enc", EncryptedXml.XmlEncNamespaceUrl);
XmlElement encryptedNode = (XmlElement)doc.DocumentElement.SelectSingleNode("//enc:EncryptedData", xmlNamespaceManager);
encryptedNode.SetAttribute("ID", "#_0");
transform.LoadInput(doc);
transform.EncryptedXml = encryptedXml;
XmlDocument transformedDocument = (XmlDocument)transform.GetOutput();
transform.EncryptedXml = null;
return(transformedDocument);
}
}
/// <summary>
/// Шифрует XML файл по пути
/// </summary>
/// <param name="filename">Путь файла</param>
/// <returns>Путь зашифрованного файла</returns>
public string encryptXml(string filename)
{
if (externalFileSign) // Если выставлен флаг подписи внешними средствами - грузим его.
{
OpenFileDialog ofd = new OpenFileDialog();
ofd.InitialDirectory = Path.GetTempPath();
ofd.Filter = "*.xml|*.xml";
string f = null;
while (f == null)
{
ofd.ShowDialog();
f = ofd.FileName;
}
filename = f;
}
if (!File.Exists(filename))
{
throw new Exception("Шаг 3. Файл не найден!\r\nПуть:" + filename);
}
string filename3 = filename + ".encrypted.xml";
// Открываем файл для шифрования
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.PreserveWhitespace = true;
xmlDoc.Load(filename);
// Шифруем по методу создания ключа обмена
EncryptedXml eXml = new EncryptedXml();
EncryptedData edElement = eXml.Encrypt(xmlDoc.DocumentElement, certFss);
edElement.Type = CPEncryptedXml.XmlEncGost28147Url;
XmlElement xe = edElement.GetXml();
XmlDocument xmlDocEnc = new XmlDocument();
xmlDocEnc.LoadXml(Properties.Resources.Source2);
// "Правильная" замена сертификата на наш, и вставка прочих данных
xmlDocEnc.DocumentElement.GetElementsByTagName("ds:X509Certificate").Item(0).InnerText =
Convert.ToBase64String(certOur.RawData);
xmlDocEnc.DocumentElement.GetElementsByTagName("xenc:CipherValue").Item(0).InnerText =
xe.GetElementsByTagName("CipherValue").Item(0).InnerText;
xmlDocEnc.DocumentElement.GetElementsByTagName("xenc:CipherValue").Item(1).InnerText =
xe.GetElementsByTagName("CipherValue").Item(1).InnerText;
// Сохраняем зашифрованный документ в файле
xmlDocEnc.Save(filename3);
// Отображаем файл если требуется для дебага
if (DEBUG_STEP < 3)
{
foView view = new foView();
view.Text = filename3;
view.xmlFileName = filename3;
view.Show();
}
return(filename3);
}
private static XElement CreateEncryptedAssertion(string destination, string partnerIdpUrl, string userId, string appKey,
string appSecret, X509Certificate2 encryptionCert)
{
// Create the SAML assertion containing the secrets
string assertionId = "_" + Guid.NewGuid();
string assertionIssuingTime = string.Format("{0:s}Z", DateTime.UtcNow);
string assertionExpiryTime = string.Format("{0:s}Z", DateTime.UtcNow.AddMinutes(2));
XElement assertion =
new XElement(SamlNs + "Assertion",
new XAttribute(XNamespace.Xmlns + "saml", SamlNs),
new XAttribute("Version", "2.0"),
new XAttribute("ID", assertionId),
new XAttribute("IssueInstant", assertionIssuingTime),
new XElement(SamlNs + "Issuer",
partnerIdpUrl),
new XElement(SamlNs + "Subject",
new XElement(SamlNs + "NameID",
userId
),
new XElement(SamlNs + "SubjectConfirmation",
new XAttribute("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer"),
new XElement(SamlNs + "SubjectConfirmationData",
new XAttribute("Recipient", destination)
)
)
),
new XElement(SamlNs + "Conditions",
new XAttribute("NotOnOrAfter", assertionExpiryTime),
new XElement(SamlNs + "AudienceRestriction",
new XElement(SamlNs + "Audience",
destination
)
)
),
new XElement(SamlNs + "AuthnStatement",
new XAttribute("AuthnInstant", assertionIssuingTime),
new XElement(SamlNs + "AuthnContext",
new XElement(SamlNs + "AuthnContextClassRef",
"urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
)
)
),
new XElement(SamlNs + "AttributeStatement",
new XElement(SamlNs + "Attribute",
new XAttribute("Name", "IsCertificateBasedAuthentication"),
new XAttribute("NameFormat", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"),
new XElement(SamlNs + "AttributeValue",
true
)
)
),
new XElement(SamlNs + "AttributeStatement",
new XElement(SamlNs + "Attribute",
new XAttribute("Name", "AppKey"),
new XAttribute("NameFormat", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"),
new XElement(SamlNs + "AttributeValue",
appKey
)
)
),
new XElement(SamlNs + "AttributeStatement",
new XElement(SamlNs + "Attribute",
new XAttribute("Name", "AppSecret"),
new XAttribute("NameFormat", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"),
new XElement(SamlNs + "AttributeValue",
appSecret
)
)
)
);
// Encrypt the assertion
XmlDocument doc = new XmlDocument();
XmlElement assertionXmlEl = doc.ReadNode(assertion.CreateReader()) as XmlElement;
EncryptedXml eXml = new EncryptedXml();
if (assertionXmlEl == null)
{
throw new NullReferenceException("assertionXmlEl was null");
}
// Encrypt the element.
EncryptedData encryptedElement = eXml.Encrypt(assertionXmlEl, encryptionCert);
XElement encryptedAssertionXElement = XElement.Parse(encryptedElement.GetXml().OuterXml);
// .Net adds the encryption certificate in a KeyInfo->EncryptedKey_>KeyInfo, we don't want that, so we just remove it
encryptedAssertionXElement
.Element(XmlDsigNs + "KeyInfo")
.Element(XmlEncNs + "EncryptedKey")
.Element(XmlDsigNs + "KeyInfo")
.Remove();
return(encryptedAssertionXElement);
}
/// <summary>
/// Accepts SAML Response, serializes it to XML and signs using the supplied certificate
/// </summary>
/// <param name="Response">SAML 2.0 Response</param>
/// <param name="SigningCert">X509 certificate</param>
/// <returns>XML Document with computed signature</returns>
private static XmlDocument SerializeAndSignSAMLResponse(ResponseType Response, string partnerSP)
{
// Set serializer and writers for action
XmlSerializer responseSerializer = new XmlSerializer(Response.GetType());
StringWriter stringWriter = new StringWriter();
XmlWriter responseWriter = XmlTextWriter.Create(stringWriter, new XmlWriterSettings()
{
OmitXmlDeclaration = true, Indent = true, Encoding = Encoding.UTF8
});
responseSerializer.Serialize(responseWriter, Response);
responseWriter.Close();
XmlDocument xmlResponse = new XmlDocument();
xmlResponse.LoadXml(stringWriter.ToString());
XmlElement elementToEncrypt = xmlResponse.GetElementsByTagName("saml:Assertion")[0] as XmlElement;
//////////////////////////////////////////////////
// Create a new instance of the EncryptedXml class
// and use it to encrypt the XmlElement with the
// X.509 Certificate.
//////////////////////////////////////////////////
EncryptedXml eXml = new EncryptedXml();
// Encrypt the element.
var certificate = SAMLConfiguration.Current.CertificateManager.GetPartnerCertificate(partnerSP);
EncryptedData edElement = eXml.Encrypt(elementToEncrypt, certificate);
XmlElement encryptedAssertion = xmlResponse.CreateElement("saml2", "EncryptedAssertion", "urn:oasis:names:tc:SAML:2.0:assertion");
EncryptedXml.ReplaceElement(encryptedAssertion, edElement, true);
////////////////////////////////////////////////////
// Replace the element from the original XmlDocument
// object with the EncryptedData element.
////////////////////////////////////////////////////
xmlResponse.GetElementsByTagName("Response")[0].ReplaceChild(encryptedAssertion, elementToEncrypt);
//Get the X509 info
XmlElement issuerSerialElement = xmlResponse.CreateElement("ds", "X509IssuerSerial", SignedXml.XmlDsigNamespaceUrl);
XmlElement issuerNameElement = xmlResponse.CreateElement("ds", "X509IssuerName", SignedXml.XmlDsigNamespaceUrl);
issuerNameElement.AppendChild(xmlResponse.CreateTextNode(certificate.IssuerName.Name));
issuerSerialElement.AppendChild(issuerNameElement);
XmlElement serialNumberElement = xmlResponse.CreateElement("ds", "X509SerialNumber", SignedXml.XmlDsigNamespaceUrl);
serialNumberElement.AppendChild(xmlResponse.CreateTextNode(certificate.SerialNumber));
issuerSerialElement.AppendChild(serialNumberElement);
// Set requested namespaces
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["EncryptedData"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["EncryptionMethod"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["KeyInfo"].Prefix = "ds";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["EncryptedKey"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["EncryptionMethod"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["CipherData"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["xenc:CipherData"]["CipherValue"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["KeyInfo"].Prefix = "ds";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["ds:KeyInfo"]["X509Data"].Prefix = "ds";
// We don't need this for MagnaCare
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["ds:KeyInfo"]["ds:X509Data"].RemoveChild(xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["ds:KeyInfo"]["ds:X509Data"]["X509Certificate"]);
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["CipherData"].Prefix = "xenc";
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["xenc:CipherData"]["CipherValue"].Prefix = "xenc";
//Add X509 Issuer Info
xmlResponse.DocumentElement["saml2:EncryptedAssertion"]["xenc:EncryptedData"]["ds:KeyInfo"]["xenc:EncryptedKey"]["ds:KeyInfo"]["ds:X509Data"].AppendChild(issuerSerialElement);
// Set the namespace for prettire and more consistent XML
var ns = new XmlNamespaceManager(xmlResponse.NameTable);
ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
ns.AddNamespace("xenc", "http://www.w3.org/2001/04/xmlenc#");
CertificateUtility.AppendSignatureToXMLDocument(ref xmlResponse, "#" + ((AssertionType)Response.Items[0]).ID);
return(xmlResponse);
}
public void Encrypt_XmlNull()
{
EncryptedXml exml = new EncryptedXml();
Assert.Throws <ArgumentNullException>(() => exml.Encrypt(null, "aes"));
}
public void Encrypt_MissingKey()
{
XmlDocument doc = new XmlDocument();
doc.LoadXml("<root />");
EncryptedXml exml = new EncryptedXml();
Assert.Throws <System.Security.Cryptography.CryptographicException>(() => exml.Encrypt(doc.DocumentElement, "aes"));
}
public ActionResult Index(XmlModel model)
{
if (model.Action == "encrypt")
{
var recipientCertificate = LoadCertificate(model.RecipientThumbprint);
var signingCertificate = LoadCertificate(model.SenderThumbprint);
var xmlDocument = new XmlDocument();
xmlDocument.LoadXml(model.PlainText);
var elementToEncrypt = xmlDocument.GetElementsByTagName("message")[0] as XmlElement;
var encryptedXml = new EncryptedXml();
// Encrypt the element.
var encryptedElement = encryptedXml.Encrypt(elementToEncrypt, recipientCertificate);
EncryptedXml.ReplaceElement(elementToEncrypt, encryptedElement, false);
// Sign the document
var signedXml = new SignedXml(xmlDocument)
{
SigningKey = signingCertificate.PrivateKey
};
var reference = new Reference {
Uri = string.Empty
};
var transform = new XmlDsigC14NTransform();
reference.AddTransform(transform);
var envelope = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(envelope);
signedXml.AddReference(reference);
var keyInfo = new KeyInfo();
keyInfo.AddClause(new KeyInfoX509Data(signingCertificate));
signedXml.KeyInfo = keyInfo;
signedXml.ComputeSignature();
var xmlDigitalSignature = signedXml.GetXml();
xmlDocument.DocumentElement.AppendChild(xmlDocument.ImportNode(xmlDigitalSignature, true));
model.PlainText = "";
model.Envelope = XmlToString(xmlDocument);
}
else if (model.Action == "decrypt")
{
var xmlDocument = new XmlDocument();
xmlDocument.LoadXml(model.Envelope);
// Validate the signature
var signedXml = new SignedXml(xmlDocument);
var nodeList = xmlDocument.GetElementsByTagName("Signature");
if (nodeList.Count <= 0)
{
throw new Exception("No signature found.");
}
signedXml.LoadXml((XmlElement)nodeList[0]);
// XML signatures allows signing only parts of a document or
// even worse, can refer to another resource that's not even
// part of the document containing the signature. To make
// sure that the signature we're validating is actually signing
// the document we have to check the reference. An empty
// reference refers to the entire enclosing document.
if (signedXml.SignedInfo.References.Cast <Reference>().Single().Uri != "")
{
throw new Exception("Signature does not refer to entire document. Validating signatures for part of the document is not supported by this code.");
}
AsymmetricAlgorithm signingKey;
if (!signedXml.CheckSignatureReturningKey(out signingKey))
{
throw new Exception("Invalid Signature");
}
else
{
IEnumerable <X509Certificate2> keyInfoCertificates =
signedXml.KeyInfo.OfType <KeyInfoX509Data>()
.SelectMany(x => x.Certificates.Cast <X509Certificate2>());
var signingCertificate = keyInfoCertificates.FirstOrDefault(x => x.PublicKey.Key == signingKey);
if (signingCertificate == null)
{
throw new Exception("Signing certificate not found in KeyInfo.");
}
model.SenderSubject = signingCertificate.Subject;
}
var encryptedXml = new EncryptedXml(xmlDocument);
encryptedXml.DecryptDocument();
model.Envelope = "";
model.PlainText = XmlToString(xmlDocument);
}
ModelState.Clear();
model.RecipientThumbprint = RecipientThumbprint;
model.SenderThumbprint = SenderThumbprint;
return(View(model));
}
