public void FailsOnDocumentWithoutPreserveWhitespace()
{
// Arrange
var doc = LoadDocument(@"Assertions\EncryptedAssertion_01");
doc.PreserveWhitespace = false;
// Act
XmlSignatureUtils.IsSigned(doc);
// Assert
Assert.Fail("Signed documents that do not have PreserveWhitespace set should fail to be processed.");
}
public bool CheckSamlMessageSignature(KeyInfo keyInfo)
{
foreach (KeyInfoClause clause in keyInfo)
{
var key = XmlSignatureUtils.ExtractKey(clause);
if (key != null && CheckSignature(key))
{
return(true);
}
}
return(false);
}
public void SignatureResponseTest()
{
// Arrange
var rtsrSoapMessageSigned = XDocument.Load(@"Resources\Response25022015.xml");
var cert = new X509Certificate2(Convert.FromBase64String("MIIGRTCCBS2gAwIBAgIEUw8DszANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTQwNTA1MTMzNTU4WhcNMTcwNTA1MTMzNTEyWjCBljELMAkGA1UEBhMCREsxMTAvBgNVBAoMKERpZ2l0YWxpc2VyaW5nc3N0eXJlbHNlbiAvLyBDVlI6MzQwNTExNzgxVDAgBgNVBAUTGUNWUjozNDA1MTE3OC1VSUQ6ODMzODQ5NzAwMAYDVQQDDClEaWdpdGFsaXNlcmluZ3NzdHlyZWxzZW4gLSBOZW1Mb2ctaW4gVGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnCmDRMztjDckSupQBLcEzrRRJnAFxzEFdB7Cj6ApMQ/YxqKzfL/TSIr3v2mdgQNnsJGz91YbAteDPRHR/K1W3kqoIX/qH2uXDzHK+qi4YD9D8s4MnHAt02x6t0TgKQGjn1XO6lgLQ563DjtgD2fdPm9USV2Lkxe5ofNRG7yvWowBWjXKia8D64k6zSzoHKdPz6GCy9S0NmwIyJE0sJavcfwxT3/ia0g63/xD77SteT4H/OR/DLis7FLnfkLp8yrd5xAk4nEGizmjrg2OVJmIMMPK6PQdw+/lqSdgaPDxMD6yoIwWshux5Rup1+piMLg852odHR6EhUzjEsi9DnWWcCAwEAAaOCAucwggLjMA4GA1UdDwEB/wQEAwIEsDCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL3YuYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAwQwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4zLjQuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4zLjQuMBwGA1UdEQQVMBOBEW5lbWxvZ2luQGRpZ3N0LmRrMIGpBgNVHR8EgaEwgZ4wPKA6oDiGNmh0dHA6Ly9jcmwuc3lzdGVtdGVzdDE5LnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDE5LmNybDBeoFygWqRYMFYxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJDAiBgNVBAMMG1RSVVNUMjQwOCBTeXN0ZW10ZXN0IFhJWCBDQTENMAsGA1UEAwwEQ1JMMjAfBgNVHSMEGDAWgBTMAlUM5IF0ryBU1REUV5yRUjh/oDAdBgNVHQ4EFgQUwm9c3oUHE/zZ/43g4RUhswnMVAowCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEACLh3Ovvljv4b/Ywf/8WxoB2y50Oqt8rpwXZp+no4d5tLqIMTSAlQxL0lAf4Qm4e6tF5m/55+dLwxw5/Dqwa0bQXHt98vJjSBYLQH6rwfDzNmVGimO1n84k4MMYY449ykjqRNDfCS3+5+zV/An4CH9eUhvB0AHHWbD6eALw39sPGxc5kHADTOdJ5SboSm9DHYdLLt9k8HyxrHIkcJApLWPgyFmkE0+8jtuQQluN62F5+j5d53oTKinHEd7adM0ea537vNf5uBGu6h9OTXlhZwM9tlnrsTYQTTAIzdxGPlpD9Zvo5nmJHwILdRonm8rZf3vAm59/U6+Cht4+X2l5zxyg=="));
// Act
var verified = XmlSignatureUtils.VerifySignature(rtsrSoapMessageSigned, cert);
// Assert
Assert.IsTrue(verified);
}
public void SignatureTest()
{
// Arrange
var rtsSoapMessageNotSigned = XDocument.Load(@"Resources\RST_Not_Signed.xml");
var ids = new[] { "action", "msgid", "to", "sec-ts", "sec-binsectoken", "body" };
var cert = CertificateUtil.GetCertificate("0E6DBCC6EFAAFF72E3F3D824E536381B26DEECF5");
// Act
var rtsSoapMessageSigned = XmlSignatureUtils.SignDocument(rtsSoapMessageNotSigned, ids, cert);
// Assert
Assert.IsTrue(XmlSignatureUtils.VerifySignature(rtsSoapMessageSigned, cert));
}
private void Initialize(XmlDocument entityDescriptor)
{
if (XmlSignatureUtils.IsSigned(entityDescriptor))
{
if (!XmlSignatureUtils.CheckSignature(entityDescriptor))
{
throw new Saml20Exception("Metadata signature could not be verified.");
}
}
ExtractKeyDescriptors(entityDescriptor);
Entity = Serialization.DeserializeFromXmlString <EntityDescriptor>(entityDescriptor.OuterXml);
}
/// <summary>
/// Signs the document.
/// </summary>
/// <param name="doc">The doc.</param>
private static void SignDocument(XmlDocument doc, X509Certificate2 certificate, AlgorithmType signatureAlgorithm)
{
if (!certificate.HasPrivateKey)
{
throw new InvalidOperationException("Private key access to the signing certificate is required.");
}
XmlSignatureUtils.GenericSign(doc, doc.DocumentElement.GetAttribute("ID"), certificate, (appDoc, xmlElm) =>
{
// Append the computed signature. The signature must be placed as the sibling of the Issuer element.
appDoc.DocumentElement.InsertBefore(appDoc.ImportNode(xmlElm, true), appDoc.DocumentElement.FirstChild);
}, signatureAlgorithm);
}
public void TestMetadataloadWithNoUseTypeSigning()
{
var doc = new XmlDocument {
PreserveWhitespace = true
};
doc.Load(@"Protocol\MetadataDocs\rmit-metadata.xml");
// Act
var metadata = new Saml20MetadataDocument(doc);
var l = XmlSignatureUtils.CheckSignature(doc);
var a = "";
}
public void SignatureFinalRequestTest()
{
// Arrange
var rtsSoapMessageSigned = XDocument.Load(@"Resources\Request25022015.xml");
var cert = new X509Certificate2(Convert.FromBase64String("MIIGLjCCBRagAwIBAgIEUw9wBzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTQxMTEwMTQwMTQxWhcNMTcxMTEwMTQwMTMxWjB2MQswCQYDVQQGEwJESzEqMCgGA1UECgwhw5hrb25vbWlzdHlyZWxzZW4gLy8gQ1ZSOjEwMjEzMjMxMTswFwYDVQQDDBBNb3J0ZW4gTW9ydGVuc2VuMCAGA1UEBRMZQ1ZSOjEwMjEzMjMxLVJJRDo5Mzk0NzU1MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDVoVZz4QT+WP43mTl28pM9+Jy4JtBFV4R/LP2d2xLrAUGnDXn8dkAnTn4xcDll7t1kzCceI4/0ngN/CGwMpxynBbWRhoYWk4DesR34G2XehPiAf4E8Wsup2adyDWbqUUmrbFoyVsN8XCm/O32WSH19hn9nU5zOc0K4C2d0LJRcfsMCwSlQDu7BtEAjCRxYYw3pxnRu2vvzynW7j4txVbp82aGvZnJ0Fq6fvf+99sVBpyfAgHSAmhR5A5CzjlIpW9vG1WjGG8be5OgV+WurUzN9A1bjoXRpKkG9h035KKn6fRZEjI9Ztxd1JoeVkiBQaYdH1O3OW6rXKsfPLtyiCYsCAwEAAaOCAvEwggLtMA4GA1UdDwEB/wQEAwID+DCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL20uYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAgUwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuMCUGA1UdEQQeMByBGmtmb2JzX3Rlc3RAbm92b25vcmRpc2suY29tMIGqBgNVHR8EgaIwgZ8wPKA6oDiGNmh0dHA6Ly9jcmwuc3lzdGVtdGVzdDE5LnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDE5LmNybDBfoF2gW6RZMFcxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJDAiBgNVBAMMG1RSVVNUMjQwOCBTeXN0ZW10ZXN0IFhJWCBDQTEOMAwGA1UEAwwFQ1JMMTYwHwYDVR0jBBgwFoAUzAJVDOSBdK8gVNURFFeckVI4f6AwHQYDVR0OBBYEFKuH3e+mCu7y3/brN7zXSkvo6MwKMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAESudYwnM/vbo5cMrUvgnpSgJUZhsQnSzLMwJTsT45OS3O+yct1ci9vPI1ExFZeAisC0bROV3tlsPuDiAVgmErgrHbrz1CmNqIxNcQvkqeL1sQtsrMSRicyILvU7Ve0N0gryR/axG+7D3U488X3oxXtJlS/9WZd33FVDnTIo7Asb+c1clqlUa/DSeBBdZ19L4DbfEkamLA96trEkH1hUTZfRXLFvYW5w8w+muaBu7eL84zzTxpGZxYM14ap+cQHuq+uczDsGDDUKc/BHUmN1UuQ0QCCxHegMHUDD8KXVsosj5wUXOLzd8WwKjPyUTxKPAI5xv9/Bim4mAA7eYc+3lXs="));
// Act
var verified = XmlSignatureUtils.VerifySignature(rtsSoapMessageSigned, cert);
// Assert
Assert.IsTrue(verified);
}
public void CanDetectIfDocumentIsSigned()
{
// Arrange
var badDocument = LoadDocument(TestContext.CurrentContext.TestDirectory + @"\Assertions\EncryptedAssertion_01");
var goodDocument = LoadDocument(TestContext.CurrentContext.TestDirectory + @"\Assertions\Saml2Assertion_01");
// Act
var badResult = XmlSignatureUtils.IsSigned(badDocument);
var goodResult = XmlSignatureUtils.IsSigned(goodDocument);
// Assert
Assert.IsFalse(badResult);
Assert.IsTrue(goodResult);
}
public void CanDetectIfDocumentIsSigned()
{
// Arrange
var badDocument = LoadDocument(Path.Combine("Assertions", "EncryptedAssertion_01"));
var goodDocument = LoadDocument(Path.Combine("Assertions", "Saml2Assertion_01"));
// Act
var badResult = XmlSignatureUtils.IsSigned(badDocument);
var goodResult = XmlSignatureUtils.IsSigned(goodDocument);
// Assert
Assert.False(badResult);
Assert.True(goodResult);
}
private static AsymmetricAlgorithm GetTrustedSigner(KeyInfoClause clause, IdentityProvider identityProvider)
{
// Check certificate specifications
if (clause is KeyInfoX509Data)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
return(null);
}
}
return(XmlSignatureUtils.ExtractKey(clause));
}
/// <summary>
/// Check the signature of a HTTP-Redirect message using the list of keys.
/// </summary>
/// <param name="keys">A list of KeyDescriptor elements. Probably extracted from the metadata describing the IDP that sent the message.</param>
/// <returns>True, if one of the given keys was able to verify the signature. False in all other cases.</returns>
public bool VerifySignature(IEnumerable <KeyDescriptor> keys)
{
foreach (var keyDescriptor in keys)
{
foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
{
var key = XmlSignatureUtils.ExtractKey(clause);
if (key != null && CheckSignature(key))
{
return(true);
}
}
}
return(false);
}
/// <summary>
/// Checks the SAML message signature.
/// </summary>
/// <param name="keys">The keys to check the signature against.</param>
/// <returns>True if the signature is valid, else false.</returns>
public bool CheckSamlMessageSignature(List <KeyDescriptor> keys)
{
foreach (var keyDescriptor in keys)
{
foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
{
var key = XmlSignatureUtils.ExtractKey(clause);
if (key != null && CheckSignature(key))
{
return(true);
}
}
}
return(false);
}
public void FailsOnDocumentWithoutPreserveWhitespace()
{
// Arrange
var doc = LoadDocument(Path.Combine("Assertions", "EncryptedAssertion_01"));
doc.PreserveWhitespace = false;
// Act
Assert.Throws(typeof(InvalidOperationException), () =>
{
XmlSignatureUtils.IsSigned(doc);
// Assert
//Assert.Fail("Signed documents that do not have PreserveWhitespace set should fail to be processed.");
});
}
/// <summary>
/// Check the signature of a HTTP-Redirect message using the list of keys.
/// </summary>
/// <param name="keys">A list of KeyDescriptor elements. Probably extracted from the metadata describing the IDP that sent the message.</param>
/// <returns>True, if one of the given keys was able to verify the signature. False in all other cases.</returns>
public bool VerifySignature(IEnumerable <KeyDescriptor> keys)
{
foreach (KeyDescriptor keyDescriptor in keys)
{
KeyInfo ki = (KeyInfo)keyDescriptor.KeyInfo;
foreach (KeyInfoClause clause in ki)
{
AsymmetricAlgorithm key = XmlSignatureUtils.ExtractKey(clause);
if (key != null && CheckSignature(key))
{
return(true);
}
}
}
return(false);
}
public void TestSHA256Signature()
{
var xmlDocument = new XmlDocument();
xmlDocument.PreserveWhitespace = true;
xmlDocument.Load(@"Saml20\Assertions\SHA256Signedtest.xml");
var result = "";
if (XmlSignatureUtils.CheckSignature(xmlDocument))
{
result = "Works, must be using .NET 4.0 or greater.";
}
else
{
result = "Doesn't work, must be using .NET 3.5 or something... (default for this project)";
}
}
/// <summary>
/// Loads an assertion from XML.
/// </summary>
/// <param name="element">The element.</param>
/// <param name="trustedSigners">The trusted signers.</param>
private void LoadXml(XmlElement element, IEnumerable <AsymmetricAlgorithm> trustedSigners)
{
_samlAssertion = element;
if (trustedSigners != null && XmlSignatureUtils.IsSigned(element))
{
if (!CheckSignature(trustedSigners))
{
throw new Saml2Exception("Assertion signature could not be verified.");
}
}
// Validate the saml20Assertion.
if (_autoValidate)
{
AssertionValidator.ValidateAssertion(Assertion);
}
}
private void CreateAssertionResponse(User user)
{
string entityId = request.Issuer.Value;
Saml20MetadataDocument metadataDocument = IDPConfig.GetServiceProviderMetadata(entityId);
IDPEndPointElement endpoint =
metadataDocument.AssertionConsumerServiceEndpoints().Find(delegate(IDPEndPointElement e) { return(e.Binding == SAMLBinding.POST); });
if (endpoint == null)
{
Context.Response.Write(string.Format("'{0}' does not have a SSO endpoint that supports the POST binding.", entityId));
Context.Response.End();
return;
}
UserSessionsHandler.AddLoggedInSession(entityId);
Response response = new Response();
response.Destination = endpoint.Url;
response.InResponseTo = request.ID;
response.Status = new Status();
response.Status.StatusCode = new StatusCode();
response.Status.StatusCode.Value = Saml20Constants.StatusCodes.Success;
Assertion assertion = CreateAssertion(user, entityId);
response.Items = new object[] { assertion };
// Serialize the response.
XmlDocument assertionDoc = new XmlDocument();
assertionDoc.XmlResolver = null;
assertionDoc.PreserveWhitespace = true;
assertionDoc.LoadXml(Serialization.SerializeToXmlString(response));
// Sign the assertion inside the response message.
XmlSignatureUtils.SignDocument(assertionDoc, assertion.ID, IDPConfig.IDPCertificate);
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(endpoint);
builder.Action = SAMLAction.SAMLResponse;
builder.Response = assertionDoc.OuterXml;
builder.GetPage().ProcessRequest(Context);
Context.Response.End();
}
/// <summary>
/// Adds the signature.
/// </summary>
/// <param name="assertionDocument">The assertion document.</param>
/// <param name="cert">The cert.</param>
private static void AddSignature(XmlDocument assertionDocument, X509Certificate2 cert, AlgorithmType algorithmType)
{
var list = assertionDocument.GetElementsByTagName(Assertion.ElementName, Saml20Constants.Assertion);
var el = (XmlElement)list[0];
XmlSignatureUtils.GenericSign(assertionDocument, el.GetAttribute("ID"), cert, (doc, signedXml) =>
{
// Append the computed signature. The signature must be placed as the sibling of the Issuer element.
var nodes = doc.DocumentElement.GetElementsByTagName("Issuer", Saml20Constants.Assertion);
if (nodes.Count != 1)
{
throw new Saml20Exception("Assertion MUST contain one <Issuer> element.");
}
doc.DocumentElement.InsertAfter(assertionDocument.ImportNode(signedXml, true), nodes[0]);
}, algorithmType);
}
/// <summary>
/// Checks the signature of a message received using the redirect binding using the keys found in the
/// metadata of the federation partner that sent the request.
/// </summary>
protected static bool CheckRedirectSignature(HttpRedirectBindingParser parser, Saml20MetadataDocument metadata)
{
List <KeyDescriptor> keys = metadata.GetKeys(KeyTypes.signing);
// Go through the list of signing keys (usually only one) and use it to verify the REDIRECT request.
foreach (KeyDescriptor key in keys)
{
KeyInfo keyinfo = (KeyInfo)key.KeyInfo;
foreach (KeyInfoClause keyInfoClause in keyinfo)
{
AsymmetricAlgorithm signatureKey = XmlSignatureUtils.ExtractKey(keyInfoClause);
if (signatureKey != null && parser.CheckSignature(signatureKey))
{
return(true);
}
}
}
return(false);
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
if (keys == null) {
throw new ArgumentNullException("keys");
}
foreach (var clause in keys.SelectMany(k => k.KeyInfo.Items.AsEnumerable().Cast<KeyInfoClause>())) {
// Check certificate specifications
if (clause is KeyInfoX509Data) {
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert)) {
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(clause);
yield return key;
}
}
/// <summary>
/// Checks the signature of the message, using a specific set of keys
/// </summary>
/// <param name="keys">The set of keys to check the signature against</param>
/// <returns></returns>
public bool CheckSignature(IEnumerable <KeyDescriptor> keys)
{
foreach (var keyDescriptor in keys)
{
var ki = (KeyInfo)keyDescriptor.KeyInfo;
foreach (KeyInfoClause clause in ki)
{
var key = XmlSignatureUtils.ExtractKey(clause);
if (key != null && XmlSignatureUtils.CheckSignature(_samlMessage, key))
{
return(true);
}
}
}
return(false);
}
public void SignsXml()
{
// Arrange
var doc = new Saml20MetadataDocument(true);
var entity = doc.CreateDefaultEntity();
entity.ValidUntil = DateTime.Now.AddDays(14);
// Act
var metadata = doc.ToXml();
var document = new XmlDocument {
PreserveWhitespace = true
};
document.LoadXml(metadata);
var result = XmlSignatureUtils.CheckSignature(document);
// Assert
Assert.That(result);
}
/// <summary>
/// Loads an assertion, deserializes it using the <code>Assertion</code> class and returns the
/// resulting <code>Assertion</code> instance.
/// </summary>
/// <param name="assertionFile">The assertion file.</param>
/// <param name="verify">if set to <c>true</c> [verify].</param>
/// <returns>The <see cref="Saml20Assertion"/>.</returns>
public static Saml20Assertion DeserializeToken(string assertionFile, bool verify)
{
var document = LoadXmlDocument(assertionFile);
var assertion = new Saml20Assertion(document.DocumentElement, null, false, TestConfiguration.Configuration);
if (verify)
{
var result = new List <AsymmetricAlgorithm>(1);
foreach (KeyInfoClause clause in assertion.GetSignatureKeys())
{
var key = XmlSignatureUtils.ExtractKey(clause);
result.Add(key);
}
assertion.CheckValid(result);
}
return(assertion);
}
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(string issuer)
{
if (issuer == null)
{
throw new ArgumentNullException("issuer");
}
SAML20FederationConfig config = ConfigurationReader.GetConfig <SAML20FederationConfig>();
config.Endpoints.Refresh();
IDPEndPoint idpEndpoint = config.FindEndPoint(issuer);
if (idpEndpoint == null)
{
throw new InvalidOperationException(String.Format("No idp endpoint found for issuer {0}", issuer));
}
if (idpEndpoint.metadata == null)
{
throw new InvalidOperationException(String.Format("No metadata found for issuer {0}", issuer));
}
if (idpEndpoint.metadata.Keys == null)
{
throw new InvalidOperationException(String.Format("No key descriptors found in metadata found for issuer {0}", issuer));
}
List <AsymmetricAlgorithm> result = new List <AsymmetricAlgorithm>(1);
foreach (KeyDescriptor key in idpEndpoint.metadata.Keys)
{
KeyInfo ki = (KeyInfo)key.KeyInfo;
foreach (KeyInfoClause clause in ki)
{
AsymmetricAlgorithm aa = XmlSignatureUtils.ExtractKey(clause);
result.Add(aa);
}
}
return(result);
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="issuer">The issuer.</param>
/// <returns>A list of trusted signing certificates.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(string issuer)
{
if (issuer == null)
{
throw new ArgumentNullException("issuer");
}
var config = Saml2Config.GetConfig();
config.IdentityProviders.Refresh();
var idpEndpoint = config.IdentityProviders.FirstOrDefault(x => x.Id == issuer);
if (idpEndpoint == null)
{
throw new InvalidOperationException(string.Format("No idp endpoint found for issuer {0}", issuer));
}
if (idpEndpoint.Metadata == null)
{
throw new InvalidOperationException(string.Format("No metadata found for issuer {0}", issuer));
}
if (idpEndpoint.Metadata.Keys == null)
{
throw new InvalidOperationException(string.Format("No key descriptors found in metadata found for issuer {0}", issuer));
}
var result = new List <AsymmetricAlgorithm>(1);
foreach (var key in idpEndpoint.Metadata.Keys)
{
foreach (KeyInfoClause clause in (KeyInfo)key.KeyInfo)
{
var aa = XmlSignatureUtils.ExtractKey(clause);
result.Add(aa);
}
}
return(result);
}
public void SignsXml()
{
// Arrange
var doc = new Saml20MetadataDocument(true);
var entity = doc.CreateDefaultEntity();
entity.ValidUntil = DateTime.Now.AddDays(14);
var certificate = new X509Certificate2(FileEmbeddedResource("SAML2.Tests.Certificates.sts_dev_certificate.pfx"), "test1234");
// Act
var metadata = doc.ToXml(null, certificate);
var document = new XmlDocument {
PreserveWhitespace = true
};
document.LoadXml(metadata);
var result = XmlSignatureUtils.CheckSignature(document);
// Assert
Assert.That(result);
}
/// <summary>
/// Handles responses to an artifact resolve message.
/// </summary>
/// <param name="artifactResolve">The artifact resolve message.</param>
public void RespondToArtifactResolve(ArtifactResolve artifactResolve, XmlElement samlDoc)
{
var response = Saml20ArtifactResponse.GetDefault(config.ServiceProvider.Id);
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = artifactResolve.Id;
response.SamlElement = samlDoc; //samlDoc.DocumentElement;
var responseDoc = response.GetXml();
if (responseDoc.FirstChild is XmlDeclaration)
{
responseDoc.RemoveChild(responseDoc.FirstChild);
}
XmlSignatureUtils.SignDocument(responseDoc, response.Id, config);
_logger.LogDebug(TraceMessages.ArtifactResolveResponseSent, artifactResolve.Artifact, responseDoc.OuterXml);
sendResponseMessage(responseDoc.OuterXml);
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="issuer">The issuer.</param>
/// <returns>A list of trusted signing certificates.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(string issuer)
{
if (issuer == null)
{
throw new ArgumentNullException(nameof(issuer));
}
// TODO: Mock out a config for this test
SAML2.Config.Saml2Configuration config = TestConfiguration.Configuration; // Saml2Config.GetConfig();
var idpEndpoint = config.IdentityProvidersSource.GetById(issuer);
if (idpEndpoint == null)
{
throw new InvalidOperationException(string.Format("No idp endpoint found for issuer {0}", issuer));
}
if (idpEndpoint.Metadata == null)
{
throw new InvalidOperationException(string.Format("No metadata found for issuer {0}", issuer));
}
if (idpEndpoint.Metadata.Keys == null)
{
throw new InvalidOperationException(string.Format("No key descriptors found in metadata found for issuer {0}", issuer));
}
var result = new List <AsymmetricAlgorithm>(1);
foreach (var key in idpEndpoint.Metadata.Keys)
{
foreach (KeyInfoClause clause in (KeyInfo)key.KeyInfo)
{
var aa = XmlSignatureUtils.ExtractKey(clause);
result.Add(aa);
}
}
return(result);
}
/// <summary>
/// Resolves an artifact.
/// </summary>
/// <returns>A stream containing the artifact response from the IdP</returns>
public Stream ResolveArtifact()
{
Trace.TraceMethodCalled(GetType(), "ResolveArtifact()");
string artifact = _context.Request.Params["SAMLart"];
IDPEndPoint idpEndPoint = DetermineIdp(artifact);
if (idpEndPoint == null)
{
throw new InvalidOperationException("Received artifact from unknown IDP.");
}
ushort endpointIndex = ArtifactUtil.GetEndpointIndex(artifact);
string endpointUrl = idpEndPoint.metadata.GetARSEndpoint(endpointIndex);
Saml20ArtifactResolve resolve = Saml20ArtifactResolve.GetDefault();
resolve.Artifact = artifact;
XmlDocument doc = resolve.GetXml();
if (doc.FirstChild is XmlDeclaration)
{
doc.RemoveChild(doc.FirstChild);
}
XmlSignatureUtils.SignDocument(doc, resolve.ID);
string artifactResolveString = doc.OuterXml;
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.ResolveArtifact, artifact, idpEndPoint.Id, endpointIndex, endpointUrl, artifactResolveString));
}
return(GetResponse(endpointUrl, artifactResolveString, idpEndPoint.ArtifactResolution));
}
