public void RoundTripSaml2(EnvelopedSignatureTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.RoundTripSaml2", theoryData);
try
{
var serializer = new Saml2Serializer();
var samlAssertion = serializer.ReadAssertion(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
var stream = new MemoryStream();
var writer = XmlDictionaryWriter.CreateTextWriter(stream);
samlAssertion.SigningCredentials = theoryData.SigningCredentials;
serializer.WriteAssertion(writer, samlAssertion);
writer.Flush();
var xml = Encoding.UTF8.GetString(stream.ToArray());
samlAssertion.SigningCredentials = null;
var samlAssertion2 = serializer.ReadAssertion(XmlUtilities.CreateDictionaryReader(xml));
samlAssertion2.Signature.Verify(theoryData.SigningCredentials.Key, theoryData.CryptoProviderFactory);
IdentityComparer.AreEqual(samlAssertion, samlAssertion2, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadKeyInfo(DSigSerializerTheoryData theoryData)
{
TestUtilities.WriteHeader($"{this}.ReadKeyInfo", theoryData);
var context = new CompareContext($"{this}.ReadKeyInfo, {theoryData.TestId}");
try
{
var keyInfo = theoryData.Serializer.ReadKeyInfo(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
theoryData.ExpectedException.ProcessNoException(context.Diffs);
IdentityComparer.AreKeyInfosEqual(keyInfo, theoryData.KeyInfo, context);
// make sure we write and then read
// as we only support partial elements, the KeyInfo's cannot be compared
var ms = new MemoryStream();
var writer = XmlDictionaryWriter.CreateTextWriter(ms);
theoryData.Serializer.WriteKeyInfo(writer, keyInfo);
writer.Flush();
var xml = Encoding.UTF8.GetString(ms.ToArray());
theoryData.Serializer.ReadKeyInfo(XmlUtilities.CreateDictionaryReader(xml));
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context.Diffs);
}
TestUtilities.AssertFailIfErrors(context);
}
public void RoundTripTokens(SamlRoundTripTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.RoundTripTokens", theoryData);
if (theoryData.PropertiesToIgnoreWhenComparing.Count > 0)
{
throw new TestException("This test should not ignore any properties.");
}
try
{
var samlToken = theoryData.Handler.CreateToken(theoryData.TokenDescriptor);
var token = theoryData.Handler.WriteToken(samlToken);
var principal = theoryData.Handler.ValidateToken(token, theoryData.ValidationParameters, out SecurityToken validatedToken);
ClaimsPrincipal principal2 = null;
ClaimsPrincipal principal3 = null;
ClaimsPrincipal principal4 = null;
SecurityToken validatedToken2 = null;
SecurityToken validatedToken3 = null;
SecurityToken validatedToken4 = null;
if (theoryData.Handler is SamlSecurityTokenHandler samlTokenHandler)
{
principal2 = samlTokenHandler.ValidateToken(XmlUtilities.CreateXmlReader(token), theoryData.ValidationParameters, out validatedToken2);
principal3 = samlTokenHandler.ValidateToken(XmlUtilities.CreateDictionaryReader(token), theoryData.ValidationParameters, out validatedToken3);
principal4 = theoryData.Handler.ValidateToken((validatedToken as SamlSecurityToken).Assertion.CanonicalString, theoryData.ValidationParameters, out validatedToken4);
}
if (theoryData.Handler is Saml2SecurityTokenHandler saml2TokenHandler)
{
principal2 = saml2TokenHandler.ValidateToken(XmlUtilities.CreateXmlReader(token), theoryData.ValidationParameters, out validatedToken2);
principal3 = saml2TokenHandler.ValidateToken(XmlUtilities.CreateDictionaryReader(token), theoryData.ValidationParameters, out validatedToken3);
principal4 = theoryData.Handler.ValidateToken((validatedToken as Saml2SecurityToken).Assertion.CanonicalString, theoryData.ValidationParameters, out validatedToken4);
}
// ensure the SamlAssertion.CanonicalString can be validated needed for OnBehalfOf flows.
var principal5 = theoryData.Handler.ValidateToken((principal.Identity as ClaimsIdentity).BootstrapContext as string, theoryData.ValidationParameters, out SecurityToken validatedToken5);
IdentityComparer.AreEqual(validatedToken, validatedToken2, context);
IdentityComparer.AreEqual(validatedToken, validatedToken3, context);
IdentityComparer.AreEqual(validatedToken, validatedToken4, context);
IdentityComparer.AreEqual(validatedToken, validatedToken5, context);
IdentityComparer.AreEqual(principal, principal2, context);
IdentityComparer.AreEqual(principal, principal3, context);
IdentityComparer.AreEqual(principal, principal4, context);
IdentityComparer.AreEqual(principal, principal5, context);
theoryData.ExpectedException.ProcessNoException(context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadXmlElements(EnvelopedSignatureTheoryData theoryData)
{
TestUtilities.WriteHeader($"{this}.ReadXmlElements", theoryData);
var context = new CompareContext($"{this}.ReadXmlElements : {theoryData.TestId}.");
try
{
XmlReader reader = XmlUtilities.CreateDictionaryReader(theoryData.Xml);
EnvelopedSignatureReader envelopedReader;
if (theoryData.XmlElementReader == null)
{
envelopedReader = new EnvelopedSignatureReader(reader);
}
else
{
envelopedReader = new EnvelopedSignatureReader(reader, theoryData.XmlElementReader);
}
while (envelopedReader.Read())
{
;
}
if (theoryData.XmlElementReader != null)
{
foreach (var item in theoryData.XmlElementReader.Items)
{
if (item is SamlSecurityToken samlToken)
{
samlToken.Assertion.Signature.Verify(theoryData.TokenSecurityKey);
}
if (item is Saml2SecurityToken saml2Token)
{
saml2Token.Assertion.Signature.Verify(theoryData.TokenSecurityKey);
}
}
}
if (envelopedReader.Signature != null)
{
envelopedReader.Signature.Verify(theoryData.SecurityKey, theoryData.SecurityKey.CryptoProviderFactory);
}
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadSignedInfo(DSigSerializerTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.ReadSignedInfo", theoryData);
try
{
var signedInfo = theoryData.Serializer.ReadSignedInfo(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
theoryData.ExpectedException.ProcessNoException(context);
IdentityComparer.AreSignedInfosEqual(signedInfo, theoryData.SignedInfo, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadReference(DSigSerializerTheoryData theoryData)
{
TestUtilities.WriteHeader($"{this}.ReadReference", theoryData);
var context = new CompareContext($"{this}.ReadReference, {theoryData.TestId}");
try
{
var reference = theoryData.Serializer.ReadReference(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
theoryData.ExpectedException.ProcessNoException(context);
IdentityComparer.AreEqual(reference, theoryData.Reference, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadAction(Saml2TheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.ReadAction", theoryData);
try
{
var reader = XmlUtilities.CreateDictionaryReader(theoryData.Xml);
var action = (theoryData.Saml2Serializer as Saml2SerializerPublic).ReadActionPublic(reader);
theoryData.ExpectedException.ProcessNoException(context);
IdentityComparer.AreEqual(action, theoryData.Action, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadAdvice(Saml2TheoryData theoryData)
{
TestUtilities.WriteHeader($"{this}.ReadAdvice", theoryData);
var context = new CompareContext($"{this}.ReadAdvice, {theoryData.TestId}");
try
{
var reader = XmlUtilities.CreateDictionaryReader(theoryData.Xml);
var advice = (theoryData.Saml2Serializer as Saml2SerializerPublic).ReadAdvicePublic(reader);
theoryData.ExpectedException.ProcessNoException();
IdentityComparer.AreEqual(advice, theoryData.Advice, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex);
}
TestUtilities.AssertFailIfErrors(context);
}
public void ReadTransforms(DSigSerializerTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.ReadTransform", theoryData);
try
{
var reference = new Reference();
var reader = XmlUtilities.CreateDictionaryReader(theoryData.Xml);
theoryData.Serializer.ReadTransforms(reader, reference);
theoryData.ExpectedException.ProcessNoException(context);
IdentityComparer.AreEqual(reference.Transforms, theoryData.Transforms, context);
IdentityComparer.AreEqual(reference.CanonicalizingTransfrom, theoryData.CanonicalizingTransfrom, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void WriteSignedInfo(DSigSerializerTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.WriteSignedInfo", theoryData);
try
{
var signedInfo = theoryData.Serializer.ReadSignedInfo(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
theoryData.ExpectedException.ProcessNoException(context);
IdentityComparer.AreEqual(signedInfo, theoryData.SignedInfo, context);
var ms = new MemoryStream();
var writer = XmlDictionaryWriter.CreateTextWriter(ms);
theoryData.Serializer.WriteSignedInfo(writer, signedInfo);
writer.Flush();
var xml = Encoding.UTF8.GetString(ms.ToArray());
IdentityComparer.AreEqual(theoryData.Xml, xml, context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context.Diffs);
}
TestUtilities.AssertFailIfErrors(context);
}
public void CreateSignatureWithoutSpecifyingDigest(EnvelopedSignatureTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.CreateSignatureWithoutSpecifyingDigest", theoryData);
try
{
using (var buffer = new MemoryStream())
{
var writer = new EnvelopedSignatureWriter(XmlWriter.Create(buffer), theoryData.SigningCredentials, theoryData.ReferenceId);
writer.WriteStartElement("EntityDescriptor", "urn:oasis:names:tc:SAML:2.0:metadata");
writer.WriteAttributeString("entityID", "issuer");
writer.WriteEndElement();
// read and verify signatures
EnvelopedSignatureReader envelopedReader = new EnvelopedSignatureReader(XmlUtilities.CreateDictionaryReader(Encoding.UTF8.GetString(buffer.ToArray())));
while (envelopedReader.Read())
{
;
}
envelopedReader.Signature.Verify(theoryData.SigningCredentials.Key, theoryData.SigningCredentials.Key.CryptoProviderFactory);
theoryData.ExpectedException.ProcessNoException(context);
}
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public void RoundTripSamlPSignatureAfterAssertion()
{
var context = new CompareContext($"{this}.RoundTripSamlPSignatureAfterAssertion");
ExpectedException expectedException = ExpectedException.NoExceptionExpected;
var samlpTokenKey = KeyingMaterial.RsaSigningCreds_4096_Public.Key;
var samlpTokenSigningCredentials = KeyingMaterial.RsaSigningCreds_4096;
var samlpKey = KeyingMaterial.RsaSigningCreds_2048_Public.Key;
var samlpSigningCredentials = KeyingMaterial.RsaSigningCreds_2048;
try
{
// write samlp
var settings = new XmlWriterSettings
{
Encoding = new UTF8Encoding(false)
};
var buffer = new MemoryStream();
var esw = new EnvelopedSignatureWriter(XmlWriter.Create(buffer, settings), samlpSigningCredentials, "id-uAOhNLe7abGB6WGPk");
esw.WriteStartElement("ns0", "Response", "urn:oasis:names:tc:SAML:2.0:protocol");
esw.WriteAttributeString("ns1", "urn:oasis:names:tc:SAML:2.0:assertion");
esw.WriteAttributeString("ns2", "http://www.w3.org/2000/09/xmldsig#");
esw.WriteAttributeString("Destination", "https://tnia.eidentita.cz/fpsts/processRequest.aspx");
esw.WriteAttributeString("ID", "id-uAOhNLe7abGB6WGPk");
esw.WriteAttributeString("InResponseTo", "ida5714d006fcc430c92aacf34ab30b166");
esw.WriteAttributeString("IssueInstant", "2019-04-08T10:30:49Z");
esw.WriteAttributeString("Version", "2.0");
esw.WriteStartElement("ns1", "Issuer");
esw.WriteAttributeString("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
esw.WriteString("https://mojeid.regtest.nic.cz/saml/idp.xml");
esw.WriteEndElement();
esw.WriteStartElement("ns0", "Status", null);
esw.WriteStartElement("ns0", "StatusCode", null);
esw.WriteAttributeString("Value", "urn:oasis:names:tc:SAML:2.0:status:Success");
esw.WriteEndElement();
esw.WriteEndElement();
Saml2Serializer samlSerializer = new Saml2Serializer();
Saml2Assertion assertion = CreateAssertion(samlpTokenSigningCredentials);
samlSerializer.WriteAssertion(esw, assertion);
esw.WriteSignature();
esw.WriteEndElement();
var xml = Encoding.UTF8.GetString(buffer.ToArray());
// read samlp and verify signatures
XmlReader reader = XmlUtilities.CreateDictionaryReader(xml);
IXmlElementReader tokenReaders = new TokenReaders(new List <SecurityTokenHandler> {
new Saml2SecurityTokenHandler()
});
EnvelopedSignatureReader envelopedReader = new EnvelopedSignatureReader(reader, tokenReaders);
while (envelopedReader.Read())
{
;
}
foreach (var item in tokenReaders.Items)
{
if (item is Saml2SecurityToken samlToken)
{
samlToken.Assertion.Signature.Verify(samlpTokenKey);
}
}
envelopedReader.Signature.Verify(samlpKey, samlpKey.CryptoProviderFactory);
expectedException.ProcessNoException(context);
}
catch (Exception ex)
{
expectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
