protected static SymmetricAlgorithm CreateDecryptionAlgorithm(SecurityToken token, string encryptionMethod, SecurityAlgorithmSuite suite)
{
if (encryptionMethod == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.EncryptionMethodMissingInEncryptedData)));
}
suite.EnsureAcceptableEncryptionAlgorithm(encryptionMethod);
SymmetricSecurityKey symmetricSecurityKey = SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token);
if (symmetricSecurityKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.TokenCannotCreateSymmetricCrypto, token)));
}
suite.EnsureAcceptableDecryptionSymmetricKeySize(symmetricSecurityKey, token);
SymmetricAlgorithm algorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptionMethod);
if (algorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToCreateSymmetricAlgorithmFromToken, encryptionMethod)));
}
return(algorithm);
}
public static SmtpAddress Decrypt(XmlElement encryptedSharingKey, SymmetricSecurityKey symmetricSecurityKey)
{
XmlDocument xmlDocument = new SafeXmlDocument();
try
{
xmlDocument.AppendChild(xmlDocument.ImportNode(encryptedSharingKey, true));
}
catch (XmlException)
{
SharingKeyHandler.Tracer.TraceError <string>(0L, "Unable to import XML element of sharing key: {0}", encryptedSharingKey.OuterXml);
return(SmtpAddress.Empty);
}
EncryptedXml encryptedXml = new EncryptedXml(xmlDocument);
encryptedXml.AddKeyNameMapping("key", symmetricSecurityKey.GetSymmetricAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));
try
{
encryptedXml.DecryptDocument();
}
catch (CryptographicException)
{
SharingKeyHandler.Tracer.TraceError <string>(0L, "Unable to decrypt XML element sharing key: {0}", encryptedSharingKey.OuterXml);
return(SmtpAddress.Empty);
}
return(new SmtpAddress(xmlDocument.DocumentElement.InnerText));
}
/// <summary>
/// Decrpyts a security token from an XML EncryptedData
/// </summary>
/// <param name="reader">The encrypted token XML reader.</param>
/// <returns>A byte array of the contents of the encrypted token</returns>
internal byte[] DecryptToken(XmlReader reader)
{
Requires.NotNull(reader, "reader");
Contract.Ensures(Contract.Result <byte[]>() != null);
byte[] securityTokenData;
string encryptionAlgorithm;
SecurityKeyIdentifier keyIdentifier;
bool isEmptyElement;
ErrorUtilities.VerifyInternal(reader.IsStartElement(XmlEncryptionStrings.EncryptedData, XmlEncryptionStrings.Namespace), "Expected encrypted token starting XML element was not found.");
reader.Read(); // get started
// if it's not an encryption method, something is dreadfully wrong.
InfoCardErrorUtilities.VerifyInfoCard(reader.IsStartElement(XmlEncryptionStrings.EncryptionMethod, XmlEncryptionStrings.Namespace), InfoCardStrings.EncryptionAlgorithmNotFound);
// Looks good, let's grab the alg.
isEmptyElement = reader.IsEmptyElement;
encryptionAlgorithm = reader.GetAttribute(XmlEncryptionStrings.Algorithm);
reader.Read();
if (!isEmptyElement)
{
while (reader.IsStartElement())
{
reader.Skip();
}
reader.ReadEndElement();
}
// get the key identifier
keyIdentifier = WSSecurityTokenSerializer.DefaultInstance.ReadKeyIdentifier(reader);
// resolve the symmetric key
SymmetricSecurityKey decryptingKey = (SymmetricSecurityKey)SecurityTokenResolver.CreateDefaultSecurityTokenResolver(this.tokens.AsReadOnly(), false).ResolveSecurityKey(keyIdentifier[0]);
SymmetricAlgorithm algorithm = decryptingKey.GetSymmetricAlgorithm(encryptionAlgorithm);
// dig for the security token data itself.
reader.ReadStartElement(XmlEncryptionStrings.CipherData, XmlEncryptionStrings.Namespace);
reader.ReadStartElement(XmlEncryptionStrings.CipherValue, XmlEncryptionStrings.Namespace);
securityTokenData = Convert.FromBase64String(reader.ReadString());
reader.ReadEndElement(); // CipherValue
reader.ReadEndElement(); // CipherData
reader.ReadEndElement(); // EncryptedData
// decrypto-magic!
int blockSizeBytes = algorithm.BlockSize / 8;
byte[] iv = new byte[blockSizeBytes];
Buffer.BlockCopy(securityTokenData, 0, iv, 0, iv.Length);
algorithm.Padding = PaddingMode.ISO10126;
algorithm.Mode = CipherMode.CBC;
ICryptoTransform decrTransform = algorithm.CreateDecryptor(algorithm.Key, iv);
byte[] plainText = decrTransform.TransformFinalBlock(securityTokenData, iv.Length, securityTokenData.Length - iv.Length);
decrTransform.Dispose();
return(plainText);
}
public static XmlElement Encrypt(XmlElement xmlElement, SymmetricSecurityKey symmetricSecurityKey)
{
EncryptedXml encryptedXml = new EncryptedXml();
encryptedXml.AddKeyNameMapping("key", symmetricSecurityKey.GetSymmetricAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));
EncryptedData encryptedData = encryptedXml.Encrypt(xmlElement, "key");
return(encryptedData.GetXml());
}
public static XmlElement Decrypt(XmlElement xmlElement, SymmetricSecurityKey symmetricSecurityKey)
{
XmlDocument xmlDocument = new SafeXmlDocument();
XmlNode newChild = xmlDocument.ImportNode(xmlElement, true);
xmlDocument.AppendChild(newChild);
EncryptedXml encryptedXml = new EncryptedXml(xmlDocument);
encryptedXml.AddKeyNameMapping("key", symmetricSecurityKey.GetSymmetricAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));
encryptedXml.DecryptDocument();
return(xmlDocument.DocumentElement);
}
public static XmlElement Encrypt(SmtpAddress externalId, SymmetricSecurityKey symmetricSecurityKey)
{
XmlDocument xmlDocument = new SafeXmlDocument();
XmlElement xmlElement = xmlDocument.CreateElement("SharingKey");
xmlElement.InnerText = externalId.ToString();
EncryptedXml encryptedXml = new EncryptedXml();
encryptedXml.AddKeyNameMapping("key", symmetricSecurityKey.GetSymmetricAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc"));
EncryptedData encryptedData = encryptedXml.Encrypt(xmlElement, "key");
return(encryptedData.GetXml());
}
internal static XmlDocument GetPlainAsertion(SecurityTokenResolver securityTokenResolver, XmlElement el)
{
var encryptedDataElement = GetElement(HttpRedirectBindingConstants.EncryptedData, Saml20Constants.Xenc, el);
var encryptedData = new System.Security.Cryptography.Xml.EncryptedData();
encryptedData.LoadXml(encryptedDataElement);
var encryptedKey = new System.Security.Cryptography.Xml.EncryptedKey();
var encryptedKeyElement = GetElement(HttpRedirectBindingConstants.EncryptedKey, Saml20Constants.Xenc, el);
encryptedKey.LoadXml(encryptedKeyElement);
var securityKeyIdentifier = new SecurityKeyIdentifier();
foreach (KeyInfoX509Data v in encryptedKey.KeyInfo)
{
foreach (X509Certificate2 cert in v.Certificates)
{
var cl = new X509RawDataKeyIdentifierClause(cert);
securityKeyIdentifier.Add(cl);
}
}
var clause = new EncryptedKeyIdentifierClause(encryptedKey.CipherData.CipherValue, encryptedKey.EncryptionMethod.KeyAlgorithm, securityKeyIdentifier);
SecurityKey key;
var success = securityTokenResolver.TryResolveSecurityKey(clause, out key);
if (!success)
{
throw new InvalidOperationException("Cannot locate security key");
}
SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
if (symmetricSecurityKey == null)
{
throw new InvalidOperationException("Key must be symmentric key");
}
SymmetricAlgorithm symmetricAlgorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptedData.EncryptionMethod.KeyAlgorithm);
var encryptedXml = new System.Security.Cryptography.Xml.EncryptedXml();
var plaintext = encryptedXml.DecryptData(encryptedData, symmetricAlgorithm);
var assertion = new XmlDocument {
PreserveWhitespace = true
};
assertion.Load(new StringReader(Encoding.UTF8.GetString(plaintext)));
return(assertion);
}
protected static SymmetricAlgorithm CreateDecryptionAlgorithm(SecurityToken token, string encryptionMethod, SecurityAlgorithmSuite suite)
{
if (encryptionMethod == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("EncryptionMethodMissingInEncryptedData")));
}
suite.EnsureAcceptableEncryptionAlgorithm(encryptionMethod);
SymmetricSecurityKey securityKey = System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token);
if (securityKey == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenCannotCreateSymmetricCrypto", new object[] { token })));
}
suite.EnsureAcceptableDecryptionSymmetricKeySize(securityKey, token);
SymmetricAlgorithm symmetricAlgorithm = securityKey.GetSymmetricAlgorithm(encryptionMethod);
if (symmetricAlgorithm == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToCreateSymmetricAlgorithmFromToken", new object[] { encryptionMethod })));
}
return(symmetricAlgorithm);
}
public override SymmetricAlgorithm GetSymmetricAlgorithm(string algorithm)
{
return(_key.GetSymmetricAlgorithm(algorithm));
}
/// <summary>
/// Decrpyts a security token from an XML EncryptedData
/// </summary>
/// <param name="xmlToken">the XML token to decrypt</param>
/// <returns>A byte array of the contents of the encrypted token</returns>
public static byte[] DecryptToken(string xmlToken)
{
XmlReader reader = new XmlTextReader(new StringReader(xmlToken));
byte[] securityTokenData;
string encryptionAlgorithm;
SecurityKeyIdentifier keyIdentifier;
bool isEmptyElement;
// if it's not an xml:enc element, something is dreadfully wrong.
if (!reader.IsStartElement(XmlEncryptionStrings.EncryptedData, XmlEncryptionStrings.Namespace))
{
throw new InvalidOperationException();
}
reader.Read(); // looks good.
// if it's not an encryption method, something is dreadfully wrong.
if (!reader.IsStartElement(XmlEncryptionStrings.EncryptionMethod, XmlEncryptionStrings.Namespace))
{
throw new InformationCardException("Failed to find the encryptionAlgorithm");
}
// Looks good, let's grab the alg.
isEmptyElement = reader.IsEmptyElement;
encryptionAlgorithm = reader.GetAttribute(XmlEncryptionStrings.Algorithm);
reader.Read();
if (!isEmptyElement)
{
while (reader.IsStartElement())
{
reader.Skip();
}
reader.ReadEndElement();
}
// get the key identifier
keyIdentifier = WSSecurityTokenSerializer.DefaultInstance.ReadKeyIdentifier(reader);
// resolve the symmetric key
SymmetricSecurityKey decryptingKey = (SymmetricSecurityKey)SecurityTokenResolver.CreateDefaultSecurityTokenResolver(Tokens.AsReadOnly(), false).ResolveSecurityKey(keyIdentifier[0]);
SymmetricAlgorithm algorithm = decryptingKey.GetSymmetricAlgorithm(encryptionAlgorithm);
// dig for the security token data itself.
reader.ReadStartElement(XmlEncryptionStrings.CipherData, XmlEncryptionStrings.Namespace);
reader.ReadStartElement(XmlEncryptionStrings.CipherValue, XmlEncryptionStrings.Namespace);
securityTokenData = Convert.FromBase64String(reader.ReadString());
reader.ReadEndElement(); // CipherValue
reader.ReadEndElement(); // CipherData
reader.ReadEndElement(); // EncryptedData
// decrypto-magic!
int ivSize = algorithm.BlockSize / 8;
byte[] iv = new byte[ivSize];
Buffer.BlockCopy(securityTokenData, 0, iv, 0, iv.Length);
algorithm.Padding = PaddingMode.ISO10126;
algorithm.Mode = CipherMode.CBC;
ICryptoTransform decrTransform = algorithm.CreateDecryptor(algorithm.Key, iv);
byte[] plainText = decrTransform.TransformFinalBlock(securityTokenData, iv.Length, securityTokenData.Length - iv.Length);
decrTransform.Dispose();
return(plainText);
}