public void MatchesKeyIdentifierClause ()
{
UniqueId id = new UniqueId ();
X509SecurityToken t = new X509SecurityToken (cert, id.ToString ());
LocalIdKeyIdentifierClause l =
new LocalIdKeyIdentifierClause (id.ToString ());
Assert.IsTrue (t.MatchesKeyIdentifierClause (l), "#1-1");
l = new LocalIdKeyIdentifierClause ("#" + id.ToString ());
Assert.IsFalse (t.MatchesKeyIdentifierClause (l), "#1-2");
X509ThumbprintKeyIdentifierClause h =
new X509ThumbprintKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (h), "#2-1");
h = new X509ThumbprintKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (h), "#2-2");
X509IssuerSerialKeyIdentifierClause i =
new X509IssuerSerialKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (i), "#3-1");
i = new X509IssuerSerialKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (i), "#3-2");
X509RawDataKeyIdentifierClause s =
new X509RawDataKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (s), "#4-1");
s = new X509RawDataKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (s), "#4-2");
}
WrappedKeySecurityToken GetReferent ()
{
string id = "referent";
byte [] key = new byte [32];
X509SecurityToken token = new X509SecurityToken (cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
string alg = SecurityAlgorithms.RsaOaepKeyWrap;
return new WrappedKeySecurityToken (id, key, alg, token,
new SecurityKeyIdentifier (kic));
}
public void Properties ()
{
X509ThumbprintKeyIdentifierClause ic =
new X509ThumbprintKeyIdentifierClause (cert);
Assert.AreEqual (cert.GetCertHash (), ic.GetX509Thumbprint (), "#1-1");
Assert.AreEqual (null, ic.ClauseType, "#1-2");
ic = new X509SecurityToken (cert).CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause> ();
Assert.AreEqual (cert.GetCertHash (), ic.GetX509Thumbprint (), "#2-1");
Assert.AreEqual (null, ic.ClauseType, "#2-2");
}
public override bool MatchesKeyIdentifierClause(
SecurityKeyIdentifierClause keyIdentifierClause)
{
LocalIdKeyIdentifierClause l =
keyIdentifierClause as LocalIdKeyIdentifierClause;
if (l != null)
{
return(l.LocalId == Id);
}
X509ThumbprintKeyIdentifierClause t =
keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (t != null)
{
return(t.Matches(cert));
}
X509IssuerSerialKeyIdentifierClause i =
keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (i != null)
{
return(i.Matches(cert));
}
X509SubjectKeyIdentifierClause s =
keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (s != null)
{
return(s.Matches(cert));
}
X509RawDataKeyIdentifierClause r =
keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (r != null)
{
return(r.Matches(cert));
}
return(false);
}
void WriteX509ThumbprintKeyIdentifierClause (
XmlWriter w, X509ThumbprintKeyIdentifierClause ic)
{
w.WriteStartElement ("o", "SecurityTokenReference", Constants.WssNamespace);
w.WriteStartElement ("o", "KeyIdentifier", Constants.WssNamespace);
w.WriteAttributeString ("ValueType", Constants.WssKeyIdentifierX509Thumbptint);
if (EmitBspRequiredAttributes)
w.WriteAttributeString ("EncodingType", Constants.WssBase64BinaryEncodingType);
w.WriteString (Convert.ToBase64String (ic.GetX509Thumbprint ()));
w.WriteEndElement ();
w.WriteEndElement ();
}
public void X509WrappingToken1 ()
{
byte [] bytes = new byte [32];
X509SecurityToken xt = new X509SecurityToken (cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
string alg = SecurityAlgorithms.RsaOaepKeyWrap;
WrappedKeySecurityToken token = new WrappedKeySecurityToken ("urn:gyabo",
bytes, alg, xt,
new SecurityKeyIdentifier (kic));
Assert.AreEqual ("urn:gyabo", token.Id, "#1");
Assert.AreEqual (alg, token.WrappingAlgorithm, "#3");
Assert.AreEqual (xt, token.WrappingToken, "#4");
Assert.AreEqual (1, token.WrappingTokenReference.Count, "#5");
Assert.AreEqual (1, token.SecurityKeys.Count, "#6");
Assert.IsTrue (token.SecurityKeys [0] is InMemorySymmetricSecurityKey, "#7");
Assert.AreEqual (bytes, new X509AsymmetricSecurityKey (cert).DecryptKey (token.WrappingAlgorithm, token.GetWrappedKey ()), "#8");
// wrapped keys cannot be compared, due to the nature of rsa-oaep.
// Assert.AreEqual (new X509AsymmetricSecurityKey (cert).EncryptKey (token.WrappingAlgorithm, bytes), token.GetWrappedKey (), "#9-1");
// Assert.AreEqual (token.GetWrappedKey (), new WrappedKeySecurityToken ("urn:gyabo",
// bytes, alg, xt,
// new SecurityKeyIdentifier (kic)).GetWrappedKey (), "#9");
}
public void BinarySecretTokenForAsymmetricKeyWrap ()
{
byte [] bytes = new byte [32];
SecurityToken wt = new BinarySecretSecurityToken (bytes);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
new WrappedKeySecurityToken ("urn:gyabo",
bytes, SecurityAlgorithms.RsaOaepKeyWrap, wt,
new SecurityKeyIdentifier (kic));
}
public void X509TokenForSymmetricKeyWrap ()
{
byte [] bytes = new byte [32];
SecurityToken wt = new X509SecurityToken (cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
new WrappedKeySecurityToken ("urn:gyabo",
bytes, SecurityAlgorithms.Aes256KeyWrap, wt,
new SecurityKeyIdentifier (kic));
}
public void UserNameToken () // it does not support any encryption operation.
{
byte [] bytes = new byte [32];
SecurityToken wt = new UserNameSecurityToken ("eno", "enopass");
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
new WrappedKeySecurityToken ("urn:gyabo",
bytes, SecurityAlgorithms.RsaOaepKeyWrap, wt,
new SecurityKeyIdentifier (kic));
}
/// <summary>
/// Verifies the signature.
/// </summary>
/// <param name="xml">The XML.</param>
/// <returns>The issuer certificate</returns>
protected virtual X509Certificate2 VerifySignature(XElement xml)
{
Contract.Requires(xml != null);
Contract.Ensures(Contract.Result<X509Certificate2>() != null);
if ((Configuration == null) || (Configuration.IssuerTokenResolver == null))
{
throw new SecurityTokenException("No issuer token resolver configured");
}
var xmlElement = xml.ToXmlElement();
var signedXml = new SignedXml(xmlElement);
// find signature
XmlNodeList nodeList = xmlElement.GetElementsByTagName("Signature");
// throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// throw an exception if more than one signature was found.
if (nodeList.Count > 1)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// load the <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// resolve the issuer certificate
byte[] thumbprint = Convert.FromBase64String(GetIssuerThumbprint(signedXml));
var identifier = new X509ThumbprintKeyIdentifierClause(thumbprint);
var issuerKey = Configuration.IssuerTokenResolver.ResolveToken(identifier) as X509SecurityToken;
// check the signature
if (!signedXml.CheckSignature(issuerKey.Certificate, true))
{
throw new CryptographicException("Signature verification failed");
}
if (issuerKey.Certificate != null)
{
return issuerKey.Certificate;
}
else
{
throw new CryptographicException("No issuer certificate found");
}
}
public void WriteX509ThumbprintKeyIdentifierClause3 ()
{
// EmitBspRequiredAttributes
StringWriter sw = new StringWriter ();
X509ThumbprintKeyIdentifierClause ic = new X509ThumbprintKeyIdentifierClause (cert);
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
new WSSecurityTokenSerializer (true).WriteKeyIdentifierClause (w, ic);
}
Assert.AreEqual ("<o:SecurityTokenReference xmlns:o=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><o:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\" EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">GQ3YHlGQhDF1bvMixHliX4uLjlY=</o:KeyIdentifier></o:SecurityTokenReference>", sw.ToString ());
}
public void WriteX509ThumbprintKeyIdentifierClause1 ()
{
StringWriter sw = new StringWriter ();
X509ThumbprintKeyIdentifierClause ic = new X509ThumbprintKeyIdentifierClause (cert);
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
WSSecurityTokenSerializer.DefaultInstance.WriteKeyIdentifierClause (w, ic);
}
Assert.AreEqual ("<o:SecurityTokenReference xmlns:o=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><o:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\">GQ3YHlGQhDF1bvMixHliX4uLjlY=</o:KeyIdentifier></o:SecurityTokenReference>", sw.ToString ());
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
X509Store store = null;
X509Certificate2Collection certs = null;
try
{
store = new X509Store(this.storeName, this.storeLocation);
store.Open(OpenFlags.ReadOnly);
certs = store.Certificates;
foreach (X509Certificate2 cert in certs)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null && thumbprintKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerSerialKeyIdentifierClause != null && issuerSerialKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null && subjectKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataKeyIdentifierClause != null && rawDataKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
}
}
finally
{
if (certs != null)
{
for (int i = 0; i < certs.Count; i++)
{
certs[i].Reset();
}
}
if (store != null)
{
store.Close();
}
}
return(false);
}
