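/// <summary>
/// Decrypts an <c>EncryptedAssertion</c> element with the private key of the service
/// provider's configured signing certificate.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element received from the identity provider.</param>
/// <returns>A <see cref="Saml20EncryptedAssertion"/> whose <c>Assertion</c> holds the decrypted XML.</returns>
/// <exception cref="InvalidOperationException">
/// The configured signing certificate carries no RSA private key, so decryption is impossible.
/// </exception>
private static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem)
{
    var certificate = FederationConfig.GetConfig().SigningCertificate.GetCertificate();

    // A certificate without its private key (a .cer instead of a .pfx, or a key the process
    // account cannot read) would otherwise surface as a NullReferenceException deep inside
    // Decrypt(); fail here with an actionable message instead.
    var privateKey = certificate.PrivateKey as RSA;
    if (privateKey == null)
    {
        throw new InvalidOperationException(
            "The configured signing certificate has no RSA private key; it cannot be used to decrypt assertions.");
    }

    var decryptedAssertion = new Saml20EncryptedAssertion(privateKey);
    decryptedAssertion.LoadXml(elem);
    decryptedAssertion.Decrypt();
    return decryptedAssertion;
}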
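/// <summary>
/// Decrypts an encrypted assertion with the first configured certificate whose private key
/// can decrypt it. Every valid certificate of every configured signing-certificate entry is
/// tried once, in configuration order. If none succeeds, the exception from the first attempt
/// is rethrown with its original stack trace. If no valid certificate is configured at all,
/// a <see cref="ConfigurationErrorsException"/> is thrown instead.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element to decrypt.</param>
/// <returns>The <see cref="Saml20EncryptedAssertion"/> holding the decrypted assertion.</returns>
/// <exception cref="ConfigurationErrorsException">No valid certificate is configured.</exception>
private static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem)
{
    // Flatten the configured entries into the list of candidate decryption certificates.
    var candidates = new List<X509Certificate2>();
    foreach (var configured in FederationConfig.GetConfig().SigningCertificates)
    {
        var validCertificates = configured.GetAllValidX509Certificates();
        if (validCertificates == null)
        {
            continue;
        }

        foreach (var candidate in validCertificates)
        {
            candidates.Add(candidate);
        }
    }

    if (candidates.Count == 0)
    {
        throw new ConfigurationErrorsException(
            "Found no valid certificate configured in the certificate configuration. Make sure at least one valid certificate is configured.");
    }

    // Each candidate is tried exactly once. The previous nested-loop form (first certificate,
    // then every other one on failure) covered the same set of keys; a single pass is equivalent
    // and easier to reason about. Catching Exception is deliberate: a wrong key must simply move
    // on to the next candidate, and only the first failure is reported if all of them fail.
    Exception firstFailure = null;
    foreach (var certificate in candidates)
    {
        try
        {
            var decryptedAssertion = new Saml20EncryptedAssertion((RSA)certificate.PrivateKey);
            decryptedAssertion.LoadXml(elem);
            decryptedAssertion.Decrypt();
            return decryptedAssertion;
        }
        catch (Exception ex)
        {
            if (firstFailure == null)
            {
                firstFailure = ex;
            }
        }
    }

    // Rethrow the first failure without resetting its stack trace (equivalent to `throw;`).
    System.Runtime.ExceptionServices.ExceptionDispatchInfo.Capture(firstFailure).Throw();
    return null; // Unreachable; Throw() never returns, but the compiler cannot see that.
}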
/// <summary>
/// Decrypts an assertion received from the Danish "fælles-offentlige brugerstyring" (FOBS)
/// federation and checks that its signature can only be verified once the issuer's signing
/// keys have been taken from the IdP metadata.
/// </summary>
/// <param name="file">Path of a file holding the base64-encoded assertion XML.</param>
private static void DecryptFOBSAssertion(string file)
{
    // The fixture is stored base64-encoded; decode it before parsing.
    byte[] rawXml = Convert.FromBase64String(File.ReadAllText(file));
    XmlDocument document = new XmlDocument { PreserveWhitespace = true };
    document.Load(new MemoryStream(rawXml));

    XmlNodeList encryptedElements = document.GetElementsByTagName(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION);
    Assert.That(encryptedElements.Count == 1);

    // Mock configuration: accept the fixture's audience and point metadata lookup at the FOBS docs.
    FederationConfig federationConfig = FederationConfig.GetConfig();
    federationConfig.AllowedAudienceUris.Audiences.Add("https://saml.safewhere.net");
    SAML20FederationConfig samlConfig = SAML20FederationConfig.GetConfig();
    samlConfig.Endpoints.MetadataLocation = @"Saml20\Protocol\MetadataDocs\FOBS"; // Set it manually.
    Assert.That(Directory.Exists(samlConfig.Endpoints.MetadataLocation));

    // Test-only key material; the .pfx password is a fixture value, not a secret.
    X509Certificate2 decryptionCert = new X509Certificate2(@"Saml20\Certificates\SafewhereTest_SFS.pfx", "test1234");
    Saml20EncryptedAssertion encrypted = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey);
    encrypted.LoadXml((XmlElement)encryptedElements[0]);
    encrypted.Decrypt();

    // Wrap the decrypted XML without trusted signers and without auto-validation: signature
    // checking is exercised explicitly below.
    Saml20Assertion assertion = new Saml20Assertion(encrypted.Assertion.DocumentElement, null, false);
    IDPEndPoint endpoint = samlConfig.FindEndPoint(assertion.Issuer);
    Assert.IsNotNull(endpoint, "Endpoint not found");
    Assert.IsNotNull(endpoint.metadata, "Metadata not found");

    // The token carries no signing key of its own, so validation must fail until the
    // metadata keys are supplied.
    try
    {
        assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
        Assert.Fail("Verification should fail. Token does not include its signing key.");
    }
    catch (InvalidOperationException)
    {
    }

    Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test.");
    IEnumerable<string> validationFailures;
    bool signatureOk = assertion.CheckSignature(
        Saml20SignonHandler.GetTrustedSigners(endpoint.metadata.GetKeys(KeyTypes.signing), endpoint, out validationFailures));
    Assert.That(signatureOk);
    Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance.");
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_03 with the STS development private key and checks
/// that an assertion document comes out. Per the test name, the fixture carries the peer's key
/// material inline and omits an explicit EncryptionMethod, so the library has to infer the
/// session-key algorithm.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedKeysWithoutSpecifiedEncryptionMethod()
{
    // Arrange
    var fixturePath = Path.Combine("Assertions", "EncryptedAssertion_03");
    var encryptedDocument = AssertionUtil.LoadXmlDocument(fixturePath);
    var transportKey = (RSA)_context.Sts_Dev_cetificate.PrivateKey;
    var sut = new Saml20EncryptedAssertion(transportKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.NotNull(sut.Assertion);
}
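/// <summary>
/// Decrypts an <c>EncryptedAssertion</c> element with the private key of the service provider's
/// signing certificate taken from <paramref name="config"/>.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element received from the identity provider.</param>
/// <param name="config">The SAML2 configuration that supplies the service provider's signing certificate.</param>
/// <returns>The decrypted <see cref="Saml20EncryptedAssertion"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="config"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">The configured signing certificate has no RSA private key.</exception>
public static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem, Saml2Configuration config)
{
    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    logger.Debug(TraceMessages.EncryptedAssertionDecrypting);

    // Without the private key decryption cannot succeed; fail early with a clear message
    // instead of a NullReferenceException from inside Decrypt().
    var privateKey = config.ServiceProvider.SigningCertificate.PrivateKey as RSA;
    if (privateKey == null)
    {
        throw new InvalidOperationException(
            "The service provider's signing certificate has no RSA private key; it cannot be used to decrypt assertions.");
    }

    var decryptedAssertion = new Saml20EncryptedAssertion(privateKey);
    decryptedAssertion.LoadXml(elem);
    decryptedAssertion.Decrypt();

    // NOTE(review): this writes the complete decrypted assertion (subject, attributes and any
    // other personal data it carries) to the log at Debug level. Keep Debug logging disabled in
    // production or make sure the log sink is protected accordingly.
    logger.DebugFormat(TraceMessages.EncryptedAssertionDecrypted, decryptedAssertion.Assertion.DocumentElement.OuterXml);
    return decryptedAssertion;
}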
/// <summary>
/// Decrypts fixture EncryptedAssertion_05 with the STS development private key and checks
/// that the result contains exactly one saml:Assertion element.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedAesKeys()
{
    // Arrange
    var fixturePath = Path.Combine("Assertions", "EncryptedAssertion_05");
    var encryptedDocument = AssertionUtil.LoadXmlDocument(fixturePath);
    var sut = new Saml20EncryptedAssertion((RSA)_context.Sts_Dev_cetificate.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.NotNull(sut.Assertion);
    var assertionElements = sut.Assertion.GetElementsByTagName(Assertion.ElementName, Saml20Constants.Assertion);
    Assert.Equal(1, assertionElements.Count);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_01 with the STS development private key and checks
/// that the decrypted XML can be wrapped in a <see cref="Saml20Assertion"/>.
/// </summary>
public void CanDecryptAssertion()
{
    // Arrange
    var fixturePath = Path.Combine("Assertions", "EncryptedAssertion_01");
    var encryptedDocument = AssertionUtil.LoadXmlDocument(fixturePath);
    var sut = new Saml20EncryptedAssertion((RSA)_context.Sts_Dev_cetificate.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();
    // Constructing the wrapper must not throw. No trusted signers and no auto-validation are
    // passed, so the signature is deliberately not checked by this test.
    var wrapped = new Saml20Assertion(sut.Assertion.DocumentElement, null, false, TestConfiguration.Configuration);

    // Assert
    Assert.NotNull(sut.Assertion);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_02 with the STS development private key and checks
/// that an assertion document comes out.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedKeys()
{
    // Arrange
    var encryptedDocument = AssertionUtil.LoadXmlDocument(@"Assertions\EncryptedAssertion_02");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.IsNotNull(sut.Assertion);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_03 (resolved relative to the NUnit test directory) with
/// the STS development private key and checks that an assertion document comes out. Per the
/// test name, the fixture omits an explicit EncryptionMethod, so the library must infer the
/// session-key algorithm.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedKeysWithoutSpecifiedEncryptionMethod()
{
    // Arrange
    var testDirectory = TestContext.CurrentContext.TestDirectory;
    var encryptedDocument = AssertionUtil.LoadXmlDocument(testDirectory + @"\Assertions\EncryptedAssertion_03");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(testDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.IsNotNull(sut.Assertion);
}
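/// <summary>
/// Decrypts an <c>EncryptedAssertion</c> element with the private key of the service provider's
/// signing certificate from the current <see cref="Saml2Config"/>.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element received from the identity provider.</param>
/// <returns>The decrypted <see cref="Saml20EncryptedAssertion"/>.</returns>
/// <exception cref="InvalidOperationException">The configured signing certificate has no RSA private key.</exception>
private static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem)
{
    Logger.Debug(TraceMessages.EncryptedAssertionDecrypting);

    // Without the private key decryption cannot succeed; fail early with a clear message
    // instead of a NullReferenceException from inside Decrypt().
    var certificate = Saml2Config.Current.ServiceProvider.SigningCertificate.GetCertificate();
    var privateKey = certificate.PrivateKey as RSA;
    if (privateKey == null)
    {
        throw new InvalidOperationException(
            "The service provider's signing certificate has no RSA private key; it cannot be used to decrypt assertions.");
    }

    var decryptedAssertion = new Saml20EncryptedAssertion(privateKey);
    decryptedAssertion.LoadXml(elem);
    decryptedAssertion.Decrypt();

    // NOTE(review): this writes the complete decrypted assertion (subject, attributes and any
    // other personal data it carries) to the log at Debug level. Keep Debug logging disabled in
    // production or make sure the log sink is protected accordingly.
    Logger.DebugFormat(TraceMessages.EncryptedAssertionDecrypted, decryptedAssertion.Assertion.DocumentElement.OuterXml);
    return decryptedAssertion;
}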
/// <summary>
/// Round-trips an assertion through encryption with AES-128 as the session-key algorithm and
/// checks two things: the emitted EncryptedData carries an EncryptionMethod element naming
/// AES-128, and a decrypter primed with a wrong algorithm (3DES) still takes the algorithm
/// from the XML rather than from its own property.
/// </summary>
public void TestAlgorithmConfiguration_02()
{
    Saml20EncryptedAssertion encryptor = new Saml20EncryptedAssertion();
    encryptor.SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url;
    encryptor.Assertion = AssertionUtil.GetTestAssertion_01();

    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
    encryptor.TransportKey = (RSA)cert.PublicKey.Key;
    encryptor.Encrypt();

    XmlDocument encryptedXml = encryptor.GetXml();
    Assert.IsNotNull(encryptedXml);

    // Exactly one xenc:EncryptedData element is expected in the output.
    XmlNodeList encryptedDataList = encryptedXml.GetElementsByTagName(dk.nita.saml20.Schema.XEnc.EncryptedData.ELEMENT_NAME, Saml20Constants.XENC);
    Assert.AreEqual(1, encryptedDataList.Count);
    XmlElement encryptedData = (XmlElement)encryptedDataList[0];

    // Locate the xenc:EncryptionMethod child and verify its Algorithm attribute.
    bool encryptionMethodFound = false;
    foreach (XmlNode child in encryptedData.ChildNodes)
    {
        bool isEncryptionMethod =
            child.LocalName == dk.nita.saml20.Schema.XEnc.EncryptionMethod.ELEMENT_NAME
            && child.NamespaceURI == Saml20Constants.XENC;
        if (!isEncryptionMethod)
        {
            continue;
        }

        Assert.AreEqual(EncryptedXml.XmlEncAES128Url, ((XmlElement)child).GetAttribute("Algorithm"));
        encryptionMethodFound = true;
    }
    Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");

    // Decrypt with a deliberately wrong SessionKeyAlgorithm; the value in the XML must win.
    Saml20EncryptedAssertion decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
    Assert.IsNull(decrypter.Assertion);
    decrypter.LoadXml(encryptedXml.DocumentElement);
    decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
    decrypter.Decrypt();

    // The decrypter must have discovered AES-128 from the EncryptedData and produced an assertion.
    Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
    Assert.IsNotNull(decrypter.Assertion);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_01 (resolved relative to the NUnit test directory) with
/// the STS development private key and checks that the decrypted XML can be wrapped in a
/// <see cref="Saml20Assertion"/>.
/// </summary>
public void CanDecryptAssertion()
{
    // Arrange
    var testDirectory = TestContext.CurrentContext.TestDirectory;
    var encryptedDocument = AssertionUtil.LoadXmlDocument(testDirectory + @"\Assertions\EncryptedAssertion_01");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(testDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();
    // Constructing the wrapper must not throw. No trusted signers and no auto-validation are
    // passed, so the signature is deliberately not checked by this test.
    var wrapped = new Saml20Assertion(sut.Assertion.DocumentElement, null, false);

    // Assert
    Assert.IsNotNull(sut.Assertion);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_05 (resolved relative to the NUnit test directory) with
/// the STS development private key and checks that the result contains exactly one
/// saml:Assertion element.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedAesKeys()
{
    // Arrange
    var testDirectory = TestContext.CurrentContext.TestDirectory;
    var encryptedDocument = AssertionUtil.LoadXmlDocument(testDirectory + @"\Assertions\EncryptedAssertion_05");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(testDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.IsNotNull(sut.Assertion);
    var assertionElements = sut.Assertion.GetElementsByTagName(Assertion.ElementName, Saml20Constants.Assertion);
    Assert.AreEqual(1, assertionElements.Count);
}
//[ExpectedException(typeof(Saml20Exception), ExpectedMessage = "Assertion is no longer valid.")]
/// <summary>
/// Decrypts the FOBS fixture assertion with the Safewhere test key, resolves its issuer in the
/// FOBS metadata and checks that validation fails while the assertion carries no signing key of
/// its own. The final signature check against the metadata keys is disabled (see the commented
/// lines at the end), so the decrypt-then-verify path is not fully covered by this test.
/// </summary>
public void CanDecryptFOBSAssertion()
{
    // Arrange
    var responseDocument = AssertionUtil.LoadBase64EncodedXmlDocument(@"Assertions\fobs-assertion2");
    var encryptedElements = responseDocument.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion);

    // Mock configuration: accept the fixture's audience and load the FOBS IdP metadata.
    var identityProviders = new IdentityProviders();
    var configuration = new Saml2Configuration
    {
        AllowedAudienceUris = new System.Collections.Generic.List<Uri>(),
        IdentityProvidersSource = identityProviders
    };
    configuration.AllowedAudienceUris.Add(new Uri("https://saml.safewhere.net"));
    identityProviders.AddByMetadataDirectory(@"Protocol\MetadataDocs\FOBS"); // Set it manually.

    // Test-only key material; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\SafewhereTest_SFS.pfx", "test1234");
    var encrypted = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey);
    encrypted.LoadXml((XmlElement)encryptedElements[0]);

    // Act
    encrypted.Decrypt();

    // Wrap without trusted signers and without auto-validation; validation is driven below.
    var assertion = new Saml20Assertion(encrypted.Assertion.DocumentElement, null, false, TestConfiguration.Configuration);
    var endpoint = configuration.IdentityProvidersSource.GetById(assertion.Issuer);

    // Assert
    Assert.That(encryptedElements.Count == 1);
    Assert.IsNotNull(endpoint, "Endpoint not found");
    Assert.IsNotNull(endpoint.Metadata, "Metadata not found");

    // No signing key in the token itself, so validation must fail until metadata keys are supplied.
    try
    {
        assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
        Assert.Fail("Verification should fail. Token does not include its signing key.");
    }
    catch (InvalidOperationException)
    {
    }
    Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test.");

    // Disabled: verifying the signature with the signing keys published in the IdP metadata.
    //Assert.IsTrue("We have tested this next test" == "");
    //Assert.That(assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endpoint.Metadata.GetKeys(KeyTypes.Signing), endpoint)));
    //Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance.");
}
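/// <summary>
/// Exploratory test: decrypts a PingFederate assertion read from a fixed local path with the
/// SafewhereTest_SFS certificate from the LocalMachine store and prints the result. It depends
/// on the machine it runs on (the file and the certificate must both be present) and dumps the
/// decrypted assertion and its attribute values to the console.
/// </summary>
public void DecryptPingAssertion()
{
    // Load the assertion. XmlDocument.Load(Stream) does not close the stream, so dispose it here.
    var doc = new XmlDocument();
    using (var input = File.OpenRead(@"c:\tmp\pingassertion.txt"))
    {
        doc.Load(input);
    }

    var encryptedElement = GetElement(EncryptedAssertion.ElementName, Saml20Constants.Assertion, doc);
    var encryptedDocument = new XmlDocument();
    encryptedDocument.AppendChild(encryptedDocument.ImportNode(encryptedElement, true));

    // Find the decryption certificate by subject; validOnly=true skips expired or untrusted copies.
    // The store handle is released as soon as the certificate has been picked.
    X509Certificate2 cert;
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    try
    {
        X509Certificate2Collection matches = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, "CN=SafewhereTest_SFS, O=Safewhere, C=DK", true);
        Assert.That(matches.Count == 1);
        cert = matches[0];
    }
    finally
    {
        store.Close();
    }

    var encass = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, encryptedDocument);
    encass.Decrypt();

    // Pretty-print the decrypted assertion. This writes the full plaintext assertion to the
    // test output, which is only acceptable for a manual test against a development IdP.
    var writer = new XmlTextWriter(Console.Out) { Formatting = Formatting.Indented, Indentation = 3, IndentChar = ' ' };
    encass.Assertion.WriteTo(writer);
    writer.Flush();

    // NOTE(review): encass.Assertion is an XmlDocument (DocumentElement/WriteTo are used on it
    // above), and XmlDocument.Attributes is null; the SAML Issuer is also a child element, not an
    // attribute. The issuer lookup below therefore looks like it throws NullReferenceException
    // before the trusted signers are resolved — read the saml:Issuer element's text instead.
    var assertion = new Saml20Assertion(
        encass.Assertion.DocumentElement,
        AssertionUtil.GetTrustedSigners(encass.Assertion.Attributes["Issuer"].Value),
        false,
        TestConfiguration.Configuration);
    Assert.That(encass.Assertion != null);

    Console.WriteLine();
    foreach (SamlAttribute attribute in assertion.Attributes)
    {
        Console.WriteLine(attribute.Name + " : " + attribute.AttributeValue[0]);
    }
}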
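/// <summary>
/// Decrypts fixture EncryptedAssertion_03 with the STS development private key, checking that
/// no assertion is exposed before <c>Decrypt()</c> and one is exposed afterwards.
/// </summary>
public void TestAssertionDecryption_03()
{
    // Load the assertion. XmlDocument.Load(Stream) leaves the stream open, so dispose it explicitly.
    XmlDocument doc = new XmlDocument();
    using (FileStream input = File.OpenRead(@"Saml20\Assertions\EncryptedAssertion_03"))
    {
        doc.Load(input);
    }

    // Find the transport key. Test-only key pair; the .pfx password is a fixture value.
    X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
    Saml20EncryptedAssertion encryptedAssertion = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, doc);

    // Check that it does not contain an assertion prior to decryption.
    Assert.IsNull(encryptedAssertion.Assertion);

    encryptedAssertion.Decrypt();
    Assert.IsNotNull(encryptedAssertion.Assertion);
}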
/// <summary>
/// Round-trips a test assertion through encryption with AES-128 as the session-key algorithm
/// (keys resolved relative to the NUnit test directory). Verifies that the emitted EncryptedData
/// names AES-128 in its EncryptionMethod and that a decrypter primed with the wrong algorithm
/// (3DES) still takes the algorithm from the XML and produces an assertion.
/// </summary>
public void CanEncryptAssertionFull()
{
    // Arrange
    var encryptor = new Saml20EncryptedAssertion
    {
        SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url,
        Assertion = AssertionUtil.GetTestAssertion()
    };
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
    encryptor.TransportKey = (RSA)cert.PublicKey.Key;

    // Act
    encryptor.Encrypt();
    var encryptedXml = encryptor.GetXml();

    // Decrypt with a deliberately wrong SessionKeyAlgorithm; the value in the XML must win.
    var decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
    decrypter.LoadXml(encryptedXml.DocumentElement);
    decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
    decrypter.Decrypt();

    // Assert
    // Locate the xenc:EncryptionMethod child of the first EncryptedData and check its Algorithm.
    var encryptedData = encryptedXml.GetElementsByTagName(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc)[0];
    var encryptionMethodFound = false;
    foreach (XmlNode child in encryptedData.ChildNodes)
    {
        var isEncryptionMethod =
            child.LocalName == Schema.XEnc.EncryptionMethod.ElementName
            && child.NamespaceURI == Saml20Constants.Xenc;
        if (!isEncryptionMethod)
        {
            continue;
        }

        Assert.AreEqual(EncryptedXml.XmlEncAES128Url, ((XmlElement)child).GetAttribute("Algorithm"));
        encryptionMethodFound = true;
    }
    Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");

    // The decrypter must have discovered AES-128 from the EncryptedData and produced an assertion.
    Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
    Assert.IsNotNull(decrypter.Assertion);
}
/// <summary>
/// End-to-end check on the FOBS fixture: decrypt with the Safewhere test key, resolve the issuer
/// in the FOBS metadata, confirm validation fails while the assertion has no signing key of its
/// own, then verify the signature using the signing keys published in the IdP metadata.
/// </summary>
public void CanDecryptFOBSAssertion()
{
    // Arrange
    var responseDocument = AssertionUtil.LoadBase64EncodedXmlDocument(@"Assertions\fobs-assertion2");
    var encryptedElements = responseDocument.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion);

    // Mock configuration (this mutates the shared Saml2Config instance): accept the fixture's
    // audience and point metadata lookup at the FOBS docs.
    var configuration = Saml2Config.GetConfig();
    configuration.AllowedAudienceUris.Add(new AudienceUriElement { Uri = "https://saml.safewhere.net" });
    configuration.IdentityProviders.MetadataLocation = @"Protocol\MetadataDocs\FOBS"; // Set it manually.
    Assert.That(Directory.Exists(configuration.IdentityProviders.MetadataLocation));

    // Test-only key material; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\SafewhereTest_SFS.pfx", "test1234");
    var encrypted = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey);
    encrypted.LoadXml((XmlElement)encryptedElements[0]);

    // Act
    encrypted.Decrypt();

    // Wrap without trusted signers and without auto-validation; signature checks are explicit below.
    var assertion = new Saml20Assertion(encrypted.Assertion.DocumentElement, null, false);
    var endpoint = configuration.IdentityProviders.FirstOrDefault(x => x.Id == assertion.Issuer);

    // Assert
    Assert.That(encryptedElements.Count == 1);
    Assert.IsNotNull(endpoint, "Endpoint not found");
    Assert.IsNotNull(endpoint.Metadata, "Metadata not found");

    // No signing key in the token itself, so validation must fail until metadata keys are supplied.
    try
    {
        assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
        Assert.Fail("Verification should fail. Token does not include its signing key.");
    }
    catch (InvalidOperationException)
    {
    }

    Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test.");
    var trustedSigners = Saml20SignonHandler.GetTrustedSigners(endpoint.Metadata.GetKeys(KeyTypes.Signing), endpoint);
    Assert.That(assertion.CheckSignature(trustedSigners));
    Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance.");
}
/// <summary>
/// Round-trips a test assertion through encryption with AES-128 as the session-key algorithm.
/// Verifies that the emitted EncryptedData names AES-128 in its EncryptionMethod and that a
/// decrypter primed with the wrong algorithm (3DES) still takes the algorithm from the XML and
/// produces an assertion.
/// </summary>
public void CanEncryptAssertionFull()
{
    // Arrange
    var encryptor = new Saml20EncryptedAssertion
    {
        SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url,
        Assertion = AssertionUtil.GetTestAssertion()
    };
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var cert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
    encryptor.TransportKey = (RSA)cert.PublicKey.Key;

    // Act
    encryptor.Encrypt();
    var encryptedXml = encryptor.GetXml();

    // Decrypt with a deliberately wrong SessionKeyAlgorithm; the value in the XML must win.
    var decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
    decrypter.LoadXml(encryptedXml.DocumentElement);
    decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
    decrypter.Decrypt();

    // Assert
    // Locate the xenc:EncryptionMethod child of the first EncryptedData and check its Algorithm.
    var encryptedData = encryptedXml.GetElementsByTagName(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc)[0];
    var encryptionMethodFound = false;
    foreach (XmlNode child in encryptedData.ChildNodes)
    {
        var isEncryptionMethod =
            child.LocalName == Schema.XEnc.EncryptionMethod.ElementName
            && child.NamespaceURI == Saml20Constants.Xenc;
        if (!isEncryptionMethod)
        {
            continue;
        }

        Assert.AreEqual(EncryptedXml.XmlEncAES128Url, ((XmlElement)child).GetAttribute("Algorithm"));
        encryptionMethodFound = true;
    }
    Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");

    // The decrypter must have discovered AES-128 from the EncryptedData and produced an assertion.
    Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
    Assert.IsNotNull(decrypter.Assertion);
}
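/// <summary>
/// Decrypts fixture EncryptedAssertion_05 with the STS development private key, checking that
/// no assertion is exposed before <c>Decrypt()</c> and that exactly one saml:Assertion element
/// is exposed afterwards.
/// </summary>
public void TestAssertionDecryption_05()
{
    // Load the assertion. XmlDocument.Load(Stream) leaves the stream open, so dispose it explicitly.
    XmlDocument doc = new XmlDocument();
    using (FileStream input = File.OpenRead(@"Saml20\Assertions\EncryptedAssertion_05"))
    {
        doc.Load(input);
    }

    // Find the transport key. Test-only key pair; the .pfx password is a fixture value.
    X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234");
    Saml20EncryptedAssertion encryptedAssertion = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, doc);

    // Check that it does not contain an assertion prior to decryption.
    Assert.IsNull(encryptedAssertion.Assertion);

    encryptedAssertion.Decrypt();
    Assert.IsNotNull(encryptedAssertion.Assertion);

    // Perform some rudimentary tests on the output.
    XmlNodeList assertionElements = encryptedAssertion.Assertion.GetElementsByTagName(Assertion.ELEMENT_NAME, Saml20Constants.ASSERTION);
    Assert.AreEqual(1, assertionElements.Count);
}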
/// <summary>
/// Decrypts the FOBS fixture assertion with the Safewhere test key, resolves its issuer in the
/// FOBS metadata and expects validation to throw <see cref="Saml20Exception"/> (the fixture
/// has, per the assertion message, expired). The signature check against the metadata keys is
/// disabled (see the commented lines at the end), so the decrypt-then-verify path is not
/// covered by this test.
/// </summary>
public void CanDecryptFOBSAssertion()
{
    // Arrange
    var testDirectory = TestContext.CurrentContext.TestDirectory;
    var responseDocument = AssertionUtil.LoadBase64EncodedXmlDocument(testDirectory + @"\Assertions\fobs-assertion2");
    var encryptedElements = responseDocument.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion);

    // Mock configuration (this mutates the shared Saml2Config.Current instance): accept the
    // fixture's audience and point metadata lookup at the FOBS docs.
    var configuration = Saml2Config.Current;
    configuration.AllowedAudienceUris.Add("https://saml.safewhere.net");
    configuration.IdentityProviders.MetadataLocation = testDirectory + @"\Protocol\MetadataDocs\FOBS"; // Set it manually.
    configuration.IdentityProviders.Refresh();

    // Test-only key material; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(testDirectory + @"\Certificates\SafewhereTest_SFS.pfx", "test1234");
    var encrypted = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey);
    encrypted.LoadXml((XmlElement)encryptedElements[0]);

    // Act
    encrypted.Decrypt();

    // Wrap without trusted signers and without auto-validation; validation is driven below.
    var assertion = new Saml20Assertion(encrypted.Assertion.DocumentElement, null, false);
    var endpoint = configuration.IdentityProviders.FirstOrDefault(x => x.Id == assertion.Issuer);

    // Assert
    Assert.That(encryptedElements.Count == 1);
    Assert.IsNotNull(endpoint, "Endpoint not found");
    Assert.IsNotNull(endpoint.Metadata, "Metadata not found");

    // NOTE(review): the string argument of Assert.Throws is NUnit's failure message, not the
    // expected exception message, so any Saml20Exception satisfies this check. To pin the
    // reason, capture the exception and assert on its Message, e.g.
    // `var ex = Assert.Throws<Saml20Exception>(() => ...); Assert.AreEqual("Assertion is no longer valid.", ex.Message);`.
    Assert.Throws<Saml20Exception>(
        () => assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer)),
        "Assertion is no longer valid.");

    // Disabled: verifying the signature with the signing keys published in the IdP metadata.
    // Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test.");
    // Assert.That(assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endpoint.Metadata.GetKeys(KeyTypes.Signing), endpoint)));
    // Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance.");
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_05 with the STS development private key and checks
/// that the result contains exactly one saml:Assertion element.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedAesKeys()
{
    // Arrange
    var encryptedDocument = AssertionUtil.LoadXmlDocument(@"Assertions\EncryptedAssertion_05");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.IsNotNull(sut.Assertion);
    var assertionElements = sut.Assertion.GetElementsByTagName(Assertion.ElementName, Saml20Constants.Assertion);
    Assert.AreEqual(1, assertionElements.Count);
}
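/// <summary>
/// Decrypts an <c>EncryptedAssertion</c> element with the private key of the service provider's
/// signing certificate from <see cref="Saml2Config"/>.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element received from the identity provider.</param>
/// <returns>The decrypted <see cref="Saml20EncryptedAssertion"/>.</returns>
/// <exception cref="InvalidOperationException">The configured signing certificate has no RSA private key.</exception>
private static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem)
{
    Logger.Debug(TraceMessages.EncryptedAssertionDecrypting);

    // Without the private key decryption cannot succeed; fail early with a clear message
    // instead of a NullReferenceException from inside Decrypt().
    var certificate = Saml2Config.GetConfig().ServiceProvider.SigningCertificate.GetCertificate();
    var privateKey = certificate.PrivateKey as RSA;
    if (privateKey == null)
    {
        throw new InvalidOperationException(
            "The service provider's signing certificate has no RSA private key; it cannot be used to decrypt assertions.");
    }

    var decryptedAssertion = new Saml20EncryptedAssertion(privateKey);
    decryptedAssertion.LoadXml(elem);
    decryptedAssertion.Decrypt();

    // NOTE(review): this writes the complete decrypted assertion (subject, attributes and any
    // other personal data it carries) to the log at Debug level. Keep Debug logging disabled in
    // production or make sure the log sink is protected accordingly.
    Logger.DebugFormat(TraceMessages.EncryptedAssertionDecrypted, decryptedAssertion.Assertion.DocumentElement.OuterXml);
    return decryptedAssertion;
}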
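/// <summary>
/// Decrypts an <c>EncryptedAssertion</c> element with the private key of the service
/// provider's configured signing certificate.
/// </summary>
/// <param name="elem">The <c>EncryptedAssertion</c> element received from the identity provider.</param>
/// <returns>A <see cref="Saml20EncryptedAssertion"/> whose <c>Assertion</c> holds the decrypted XML.</returns>
/// <exception cref="InvalidOperationException">
/// The configured signing certificate carries no RSA private key, so decryption is impossible.
/// </exception>
private static Saml20EncryptedAssertion GetDecryptedAssertion(XmlElement elem)
{
    var certificate = FederationConfig.GetConfig().SigningCertificate.GetCertificate();

    // A certificate without its private key (a .cer instead of a .pfx, or a key the process
    // account cannot read) would otherwise surface as a NullReferenceException deep inside
    // Decrypt(); fail here with an actionable message instead.
    var privateKey = certificate.PrivateKey as RSA;
    if (privateKey == null)
    {
        throw new InvalidOperationException(
            "The configured signing certificate has no RSA private key; it cannot be used to decrypt assertions.");
    }

    var decryptedAssertion = new Saml20EncryptedAssertion(privateKey);
    decryptedAssertion.LoadXml(elem);
    decryptedAssertion.Decrypt();
    return decryptedAssertion;
}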
/// <summary>
/// Decrypts fixture EncryptedAssertion_01 with the STS development private key and checks
/// that the decrypted XML can be wrapped in a <see cref="Saml20Assertion"/>.
/// </summary>
public void CanDecryptAssertion()
{
    // Arrange
    var encryptedDocument = AssertionUtil.LoadXmlDocument(@"Assertions\EncryptedAssertion_01");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();
    // Constructing the wrapper must not throw. No trusted signers and no auto-validation are
    // passed, so the signature is deliberately not checked by this test.
    var wrapped = new Saml20Assertion(sut.Assertion.DocumentElement, null, false, TestConfiguration.Configuration);

    // Assert
    Assert.IsNotNull(sut.Assertion);
}
/// <summary>
/// Decrypts fixture EncryptedAssertion_03 with the STS development private key and checks
/// that an assertion document comes out. Per the test name, the fixture omits an explicit
/// EncryptionMethod, so the library must infer the session-key algorithm.
/// </summary>
public void CanDecryptAssertionWithPeerIncludedKeysWithoutSpecifiedEncryptionMethod()
{
    // Arrange
    var encryptedDocument = AssertionUtil.LoadXmlDocument(@"Assertions\EncryptedAssertion_03");
    // Test-only key pair; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
    var sut = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey, encryptedDocument);

    // Act
    sut.Decrypt();

    // Assert
    Assert.IsNotNull(sut.Assertion);
}
/// <summary>
/// Decrypts the FOBS fixture assertion with the Safewhere test key, resolves its issuer in the
/// FOBS metadata and checks that validation fails while the assertion carries no signing key of
/// its own. The final signature check against the metadata keys is disabled (see the commented
/// lines at the end), so the decrypt-then-verify path is not fully covered by this test.
/// </summary>
public void CanDecryptFOBSAssertion()
{
    // Arrange
    var responseDocument = AssertionUtil.LoadBase64EncodedXmlDocument(@"Assertions\fobs-assertion2");
    var encryptedElements = responseDocument.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion);

    // Mock configuration: accept the fixture's audience and load the FOBS IdP metadata.
    var configuration = new Saml2Configuration
    {
        AllowedAudienceUris = new System.Collections.Generic.List<Uri>(),
        IdentityProviders = new IdentityProviders()
    };
    configuration.AllowedAudienceUris.Add(new Uri("https://saml.safewhere.net"));
    configuration.IdentityProviders.AddByMetadataDirectory(@"Protocol\MetadataDocs\FOBS"); // Set it manually.

    // Test-only key material; the .pfx password is a fixture value, not a secret.
    var decryptionCert = new X509Certificate2(@"Certificates\SafewhereTest_SFS.pfx", "test1234");
    var encrypted = new Saml20EncryptedAssertion((RSA)decryptionCert.PrivateKey);
    encrypted.LoadXml((XmlElement)encryptedElements[0]);

    // Act
    encrypted.Decrypt();

    // Wrap without trusted signers and without auto-validation; validation is driven below.
    var assertion = new Saml20Assertion(encrypted.Assertion.DocumentElement, null, false, TestConfiguration.Configuration);
    var endpoint = configuration.IdentityProviders.FirstOrDefault(x => x.Id == assertion.Issuer);

    // Assert
    Assert.That(encryptedElements.Count == 1);
    Assert.IsNotNull(endpoint, "Endpoint not found");
    Assert.IsNotNull(endpoint.Metadata, "Metadata not found");

    // No signing key in the token itself, so validation must fail until metadata keys are supplied.
    try
    {
        assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
        Assert.Fail("Verification should fail. Token does not include its signing key.");
    }
    catch (InvalidOperationException)
    {
    }
    Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test.");

    // Disabled: verifying the signature with the signing keys published in the IdP metadata.
    //Assert.IsTrue("We have tested this next test" == "");
    //Assert.That(assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endpoint.Metadata.GetKeys(KeyTypes.Signing), endpoint)));
    //Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance.");
}