        public void TestAssertionEncryption()
        {
            // Encrypt a known test assertion with the dev certificate's public key as transport
            // key, then check that the produced XML carries exactly one EncryptedAssertion and
            // exactly one EncryptedKey element.
            Saml20EncryptedAssertion encryptedAssertion = new Saml20EncryptedAssertion();
            encryptedAssertion.Assertion = AssertionUtil.GetTestAssertion_01();

            X509Certificate2 transportCert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
            encryptedAssertion.TransportKey = (RSA)transportCert.PublicKey.Key;

            encryptedAssertion.Encrypt();
            XmlDocument output = encryptedAssertion.GetXml();
            Assert.IsNotNull(output);

            // Until there is a proper way to validate the generated structure, settle for
            // counting the elements we expect to be present exactly once.
            XmlNodeList assertionElements = output.GetElementsByTagName(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION);
            Assert.AreEqual(1, assertionElements.Count);

            XmlNodeList keyElements = output.GetElementsByTagName(dk.nita.saml20.Schema.XEnc.EncryptedKey.ELEMENT_NAME, Saml20Constants.XENC);
            Assert.AreEqual(1, keyElements.Count);
        }
        public void TestSigning_04()
        {
            // The basic (unsigned) test assertion must load when a list of trusted signers is
            // supplied. Any key-containing algorithm works here, because nothing is verified
            // against it - the assertion is NOT signed.
            X509Certificate2 signerCert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
            AsymmetricAlgorithm[] trustedSigners = { signerCert.PublicKey.Key };
            XmlElement assertionElement = AssertionUtil.GetTestAssertion_01().DocumentElement;

            // The constructor itself is what is under test; it passes by not throwing.
            new Saml20Assertion(assertionElement, trustedSigners, false);
        }
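        [Ignore]    // TODO: test data needs fixing
        public void TestSigning_03()
        {
            // Load an unsigned assertion with no trusted signers.
            Saml20Assertion assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion_01().DocumentElement, null, false);

            // Check that the assertion is not considered valid in any way.
            // The rejection is recorded in a flag and asserted outside the try block: a bare
            // catch also swallows the exception thrown by Assert.Fail, so asserting inside the
            // try block could never actually fail this test.
            bool rejected = false;
            try
            {
                assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
            }
            catch
            {
                // CheckValid is expected to throw for an unsigned assertion. The exact exception
                // type is not pinned because it is not visible from this test.
                rejected = true;
            }
            Assert.That(rejected, "Unsigned assertion was passed off as valid.");

            X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");

            Assert.That(cert.HasPrivateKey, "Certificate no longer contains a private key. Modify test.");
            assertion.Sign(cert);

            // Check that the signature is now valid, verifying with only the public half of the key.
            assertion.CheckValid(new AsymmetricAlgorithm[] { cert.PublicKey.Key });

            // NOTE(review): this rooted path writes to the root of the current drive, while
            // TestSigning_01 writes "signedassertion.xml" relative to the working directory -
            // confirm which location is intended before un-ignoring the test.
            WriteToFile(@"\signedassertion.xml", assertion.GetXml());
        }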
        public void TestSigning_01()
        {
            // Sign a fresh test assertion and check that the untouched document verifies.
            // The signed document is also written out so it can be inspected by hand.
            XmlDocument signedToken = AssertionUtil.GetTestAssertion_01();
            SignDocument(signedToken);

            Assert.That(VerifySignature(signedToken));

            WriteToFile(@"signedassertion.xml", signedToken.DocumentElement);
        }
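        public void GenerateEncryptedAssertion_01()
        {
            // Hand-rolled walkthrough of the XML-Encryption steps: encrypt the assertion element
            // with a fresh AES-256 session key, wrap that key with the dev certificate's RSA public
            // key, and splice the result into a serialized <EncryptedAssertion>.
            XmlDocument assertion = AssertionUtil.GetTestAssertion_01();

            // Create an EncryptedData instance to hold the results of the encryption.
            EncryptedData encryptedData = new EncryptedData();

            encryptedData.Type             = EncryptedXml.XmlEncElementUrl;
            encryptedData.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);

            // Create a symmetric session key. The algorithm object is disposed as soon as the key
            // has been wrapped, which clears the raw key material held by the object.
            using (RijndaelManaged aes = new RijndaelManaged())
            {
                aes.KeySize = 256;
                aes.GenerateKey();

                // Encrypt the assertion and add it to the encryptedData instance.
                EncryptedXml encryptedXml = new EncryptedXml();

                byte[] encryptedElement = encryptedXml.EncryptData(assertion.DocumentElement, aes, false);
                encryptedData.CipherData.CipherValue = encryptedElement;

                // Add an encrypted version of the key used.
                encryptedData.KeyInfo = new KeyInfo();

                EncryptedKey encryptedKey = new EncryptedKey();

                // Use this certificate to encrypt the key.
                X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
                RSA publicKeyRSA      = cert.PublicKey.Key as RSA;

                Assert.IsNotNull(publicKeyRSA, "Public key of certificate was not an RSA key. Modify test.");

                // SECURITY: RSA-1.5 (PKCS#1 v1.5) key transport is kept because it is what this test
                // exercises; for production key wrapping prefer RSA-OAEP
                // (EncryptedXml.XmlEncRSAOAEPUrl together with useOAEP == true in EncryptKey).
                encryptedKey.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);
                encryptedKey.CipherData       = new CipherData(EncryptedXml.EncryptKey(aes.Key, publicKeyRSA, false));

                encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
            }

            // Create the resulting Xml-document to hook into.
            EncryptedAssertion encryptedAssertion = new EncryptedAssertion();

            encryptedAssertion.encryptedData   = new saml20.Schema.XEnc.EncryptedData();
            encryptedAssertion.encryptedKey    = new saml20.Schema.XEnc.EncryptedKey[1];
            encryptedAssertion.encryptedKey[0] = new saml20.Schema.XEnc.EncryptedKey();

            XmlDocument result = Serialization.Serialize(encryptedAssertion);

            XmlElement encryptedDataElement = GetElement(dk.nita.saml20.Schema.XEnc.EncryptedData.ELEMENT_NAME, Saml20Constants.XENC, result);

            // Fail with a readable message instead of an ArgumentNullException from ReplaceElement
            // if the serialized document does not contain the placeholder element.
            Assert.IsNotNull(encryptedDataElement, "Serialized EncryptedAssertion contains no EncryptedData element to replace.");

            EncryptedXml.ReplaceElement(encryptedDataElement, encryptedData, false);
        }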
        public void TestAlgorithmConfiguration_02()
        {
            // Encrypt with AES-128 configured as the session-key algorithm, confirm the algorithm
            // is written into the EncryptionMethod element, then decrypt with a deliberately wrong
            // setting and confirm the decrypter takes the algorithm from the XML instead.
            Saml20EncryptedAssertion encryptedAssertion = new Saml20EncryptedAssertion();
            encryptedAssertion.SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url;
            encryptedAssertion.Assertion           = AssertionUtil.GetTestAssertion_01();

            X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
            encryptedAssertion.TransportKey = (RSA)cert.PublicKey.Key;

            encryptedAssertion.Encrypt();
            XmlDocument encryptedXml = encryptedAssertion.GetXml();
            Assert.IsNotNull(encryptedXml);

            // Verify that the EncryptionMethod element is set correctly.
            XmlNodeList encryptedDataElements = encryptedXml.GetElementsByTagName(
                dk.nita.saml20.Schema.XEnc.EncryptedData.ELEMENT_NAME, Saml20Constants.XENC);
            Assert.AreEqual(1, encryptedDataElements.Count);

            XmlElement encryptedDataElement = (XmlElement)encryptedDataElements[0];

            // Walk the children of EncryptedData looking for EncryptionMethod and check its Algorithm attribute.
            bool encryptionMethodFound = false;
            XmlNodeList children = encryptedDataElement.ChildNodes;

            for (int i = 0; i < children.Count; i++)
            {
                XmlNode child = children[i];
                bool isEncryptionMethod = child.LocalName == dk.nita.saml20.Schema.XEnc.EncryptionMethod.ELEMENT_NAME
                                          && child.NamespaceURI == Saml20Constants.XENC;
                if (!isEncryptionMethod)
                {
                    continue;
                }

                XmlElement encryptionMethod = (XmlElement)child;
                Assert.AreEqual(EncryptedXml.XmlEncAES128Url, encryptionMethod.GetAttribute("Algorithm"));
                encryptionMethodFound = true;
            }
            Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");

            // Now decrypt the assertion with the private key and verify that it recognizes the algorithm used.
            Saml20EncryptedAssertion decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
            Assert.IsNull(decrypter.Assertion);

            decrypter.LoadXml(encryptedXml.DocumentElement);

            // Configure a wrong algorithm on purpose: the class must take its algorithm info from
            // the assertion itself rather than from this property.
            decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
            decrypter.Decrypt();

            // After decryption the property must reflect the algorithm actually found in the XML.
            Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
            Assert.IsNotNull(decrypter.Assertion);
        }
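        public void TestSigning_02()
        {
            // Sign a test assertion, tamper with it afterwards and make sure the signature no
            // longer verifies. This is the property a relying party depends on: stripping
            // <AudienceRestriction> from a signed assertion must not go unnoticed.
            XmlDocument token = AssertionUtil.GetTestAssertion_01();

            SignDocument(token);

            // Manipulate the signed document: attempt to remove the <AudienceRestriction> from the list of conditions.
            // The guards below make a broken fixture fail with a readable message rather than a
            // NullReferenceException from the cast of a missing element.
            const string assertionNamespace = "urn:oasis:names:tc:SAML:2.0:assertion";

            XmlElement conditions = (XmlElement)token.GetElementsByTagName("Conditions", assertionNamespace)[0];
            Assert.IsNotNull(conditions, "Test assertion contains no <Conditions> element. Modify test.");

            XmlElement audienceRestriction = (XmlElement)conditions.GetElementsByTagName("AudienceRestriction", assertionNamespace)[0];
            Assert.IsNotNull(audienceRestriction, "Test assertion contains no <AudienceRestriction> element. Modify test.");

            conditions.RemoveChild(audienceRestriction);

            // The tampered document must fail verification.
            bool verified = VerifySignature(token);

            Assert.IsFalse(verified);
        }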