public void Sign(ICredentialVault signingVault) { var signer = new SealSignedXml(XAssertion); var signedXml = signer.SignAssertion(signingVault.GetSystemCredentials(), XAssertion.Attribute(SamlAttributes.Id).Value); dom = XElement.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace); }
/// <summary> /// Checks the signature on the <see cref="OioWsTrustMessage"/> - no trust-checks are performed. /// </summary> public void ValidateSignature() { var signedXml = new SealSignedXml(dom); if (!signedXml.CheckEnvelopeSignature() || !signedXml.CheckAssertionSignature()) { throw new ModelBuildException("Liberty signature could not be validated"); } }
protected void SignAssertion(XDocument document) { //SignatureConfiguration signatureConfiguration = new SignatureConfiguration(new string[] { assertionID }, assertionID, IDValues.Id); //signatureConfiguration.setSignatureSiblingNode(subjectNode); //AddExtraSignatureConfiguration(signatureConfiguration); //SignatureUtil.Sign(SignatureProviderFactory.fromCredentialVault(signingVault), document, signatureConfiguration); var signer = new SealSignedXml(document); XmlDocument envelope = signer.SignAssertion(SigningVault.GetSystemCredentials(), AssertionId); // TODO: Assign back }
/// <summary> /// Build the final response <code>Document</code>.<br /> /// Before the<code>Document</code> is generated all attributes will be validated.<br /> /// <br /> /// A<code> Document</code> is generated each time this method is called.Calling this method multiple times will therefore return multiple objects. /// </summary> /// <returns></returns> public override XDocument Build() { var document = CreateDocument(); SealUtilities.CheckAndSetSamlDsPreFix(document); NameSpaces.SetMissingNamespaces(document); if (SigningVault != null) { var signer = new SealSignedXml(document); var signedXml = signer.Sign(SigningVault.GetSystemCredentials()); var xDocument = XDocument.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace); return(xDocument); } return(document); }
public override OioSamlAssertion Build() { ValidateBeforeBuild(); XElement assertion = CreateDocument(); if (IncludeIdCardAsBootstrapToken) { AddIdCardAsBootstrapToken(assertion); } var signer = new SealSignedXml(assertion); var signedXml = signer.SignAssertion(SigningVault.GetSystemCredentials(), AssertionId); var signedXelement = XElement.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace); return(new OioSamlAssertion(signedXelement)); }
static void Main(string[] args) { /** * We load SignIn_Xml.xml with a "<signature id=.../>" and attempt to check the signature * Open SealSignedXml to switch between copied/test dotnetcore impletation and actual framework * Open SignIn_Xml.xml and find <ds:Signature id="OCESSignature"> and correct id to Id as test * * Note that the files have been reduced to minimum to showcase the error in question. * * The Exception will be thrown by throw new CryptographicException("Hej2", "Signature"); in Signature.cs * * * See https://github.com/dotnet/corefx/issues/29698 for additional comments (if any) */ using (FileStream fileStream = new FileStream("SignIn_Xml.xml", FileMode.Open)) { SealSignedXml sealSignedXml = new SealSignedXml(fileStream); sealSignedXml.CheckAssertionSignature(); } }
private static bool InternalValidate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkForTrustedCertificates, bool checkRevoked) { if (signatureToValidate.NodeType != XmlNodeType.Element) { throw new ModelException("The signature to validate must be a ds:Signature Element!"); } var xml = new XmlDocument(); xml.Load(signatureToValidate.CreateReader()); bool isAssertion = false; var nsManager = NameSpaces.MakeNsManager(xml.NameTable); var sig = xml.SelectSingleNode("/soap:Envelope/soap:Header/wsse:Security/ds:Signature", nsManager) as XmlElement; if (sig == null) { sig = xml.SelectSingleNode("/saml:Assertion/ds:Signature", nsManager) as XmlElement; isAssertion = true; if (sig == null) { sig = xml.GetElementsByTagName("Signature", NameSpaces.ds)[0] as XmlElement; isAssertion = true; } } if (sig == null) { return(false); } var signature = new Signature(); sig = MakeSignatureCheckSamlCompliant(sig); signature.LoadXml(sig); var cert = signature.KeyInfo.Cast <KeyInfoX509Data>().Select(d => d.Certificates[0] as X509Certificate2).FirstOrDefault(c => c != null); if (!ConfigurationManager.AppSettings.AllKeys.Contains("CheckDate") || !ConfigurationManager.AppSettings["CheckDate"].ToLower().Equals("false")) { //check if certificate is expired or cannot be used yet if (!CheckDates(cert)) { return(false); } } //Check that the certificate used for validation is trusted. If a Federation has been specified //the signature must have been created by the STS. If no federation is specified, the //certificate must be trusted in the CredentialVault. if (checkForTrustedCertificates) { var trusted = false; if (federation != null) { trusted = federation.IsValidSTSCertificate(cert); } else if (vault != null) { trusted = vault.IsTrustedCertificate(cert); } if (!trusted) { throw new ModelException("The certificate that signed the security token is not trusted!"); } } // check the certificates CRL if the certificate is revoked if (checkRevoked) { CrlCertificateStatusChecker crlChecker = new CrlCertificateStatusChecker(); var isValid = crlChecker.GetRevocationStatus(cert).IsValid; if (!isValid) { throw new ModelException("The certificate or one in its certificate chain has been revoked!"); } } // check if xml is actually signed with key sent in message var signed = new SealSignedXml(signatureToValidate); if (isAssertion) { return(signed.CheckAssertionSignature()); } return(signed.CheckEnvelopeSignature()); }