internal static SecurityKey ResolveSecurityKey(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver) { if (ski == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski"); } if (tokenResolver != null) { for (int i = 0; i < ski.Count; ++i) { SecurityKey key = null; if (tokenResolver.TryResolveSecurityKey(ski[i], out key)) { return(key); } } } if (ski.CanCreateKey) { return(ski.CreateKey()); } return(null); }
/// <summary> /// Inherited from <see cref="SecurityTokenResolver"/>. /// </summary> protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } key = null; X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause; if (rawDataClause != null) { key = rawDataClause.CreateKey(); return(true); } RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause; if (rsaClause != null) { key = rsaClause.CreateKey(); return(true); } if (_wrappedTokenResolver.TryResolveSecurityKey(keyIdentifierClause, out key)) { return(true); } return(false); }
byte [] GetEncryptionKeyForData(EncryptedData ed2, EncryptedXml encXml, byte [] dummyEncKey) { // Since ReferenceList could be embedded directly in wss_header without // key indication, it must iterate all the derived keys to find out // appropriate one. foreach (DerivedKeySecurityToken dk in header.FindAll <DerivedKeySecurityToken> ()) { if (dk.ReferenceList == null) { continue; } foreach (DataReference dr in dk.ReferenceList) { if (StripUri(dr.Uri) == ed2.Id) { return(((SymmetricSecurityKey)dk.SecurityKeys [0]).GetSymmetricKey()); } } } foreach (WrappedKeySecurityToken wk in header.FindAll <WrappedKeySecurityToken> ()) { if (wk.ReferenceList == null) { continue; } foreach (DataReference dr in wk.ReferenceList) { if (StripUri(dr.Uri) == ed2.Id) { return(((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey()); } } } if (ed2.KeyInfo == null) { return(null); } foreach (KeyInfoClause kic in ed2.KeyInfo) { SecurityKeyIdentifierClause skic = serializer.ReadKeyIdentifierClause(new XmlNodeReader(kic.GetXml())); SecurityKey skey = null; if (!resolver.TryResolveSecurityKey(skic, out skey)) { throw new MessageSecurityException(String.Format("The signing key could not be resolved from {0}", skic)); } SymmetricSecurityKey ssk = skey as SymmetricSecurityKey; if (ssk != null) { return(ssk.GetSymmetricKey()); } } return(null); // no applicable key info clause. }
internal static XmlDocument GetPlainAsertion(SecurityTokenResolver securityTokenResolver, XmlElement el) { var encryptedDataElement = GetElement(HttpRedirectBindingConstants.EncryptedData, Saml20Constants.Xenc, el); var encryptedData = new System.Security.Cryptography.Xml.EncryptedData(); encryptedData.LoadXml(encryptedDataElement); var encryptedKey = new System.Security.Cryptography.Xml.EncryptedKey(); var encryptedKeyElement = GetElement(HttpRedirectBindingConstants.EncryptedKey, Saml20Constants.Xenc, el); encryptedKey.LoadXml(encryptedKeyElement); var securityKeyIdentifier = new SecurityKeyIdentifier(); foreach (KeyInfoX509Data v in encryptedKey.KeyInfo) { foreach (X509Certificate2 cert in v.Certificates) { var cl = new X509RawDataKeyIdentifierClause(cert); securityKeyIdentifier.Add(cl); } } var clause = new EncryptedKeyIdentifierClause(encryptedKey.CipherData.CipherValue, encryptedKey.EncryptionMethod.KeyAlgorithm, securityKeyIdentifier); SecurityKey key; var success = securityTokenResolver.TryResolveSecurityKey(clause, out key); if (!success) { throw new InvalidOperationException("Cannot locate security key"); } SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey; if (symmetricSecurityKey == null) { throw new InvalidOperationException("Key must be symmentric key"); } SymmetricAlgorithm symmetricAlgorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptedData.EncryptionMethod.KeyAlgorithm); var encryptedXml = new System.Security.Cryptography.Xml.EncryptedXml(); var plaintext = encryptedXml.DecryptData(encryptedData, symmetricAlgorithm); var assertion = new XmlDocument { PreserveWhitespace = true }; assertion.Load(new StringReader(Encoding.UTF8.GetString(plaintext))); return(assertion); }
private static SecurityKey IssuerSigningKeyResolver(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver securityTokenResolver) { SecurityKey key = null; foreach (var keyIdentifierClause in keyIdentifier) { var isResolved = securityTokenResolver.TryResolveSecurityKey(keyIdentifierClause, out key); if (isResolved) { break; } } return(key); }
void ResolveSigningCredentials() { if (_signedXml.Signature == null || _signedXml.Signature.KeyIdentifier == null || _signedXml.Signature.KeyIdentifier.Count == 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID3276))); } SecurityKey signingKey = null; if (!_signingTokenResolver.TryResolveSecurityKey(_signedXml.Signature.KeyIdentifier[0], out signingKey)) { if (_resolveIntrinsicSigningKeys && _signedXml.Signature.KeyIdentifier.CanCreateKey) { signingKey = _signedXml.Signature.KeyIdentifier.CreateKey(); } else { // // we cannot find the signing key to verify the signature // EncryptedKeyIdentifierClause encryptedKeyClause; if (_signedXml.Signature.KeyIdentifier.TryFind <EncryptedKeyIdentifierClause>(out encryptedKeyClause)) { // // System.IdentityModel.Tokens.EncryptedKeyIdentifierClause.ToString() does not print out // very good information except the cipher data in this case. We have worked around that // by using the token serializer to serialize the key identifier clause again. // throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SignatureVerificationFailedException( SR.GetString(SR.ID4036, XmlUtil.SerializeSecurityKeyIdentifier(_signedXml.Signature.KeyIdentifier, _tokenSerializer)))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SignatureVerificationFailedException(SR.GetString(SR.ID4037, _signedXml.Signature.KeyIdentifier.ToString()))); } } } WifSignedInfo signedInfo = _signedXml.Signature.SignedInfo as WifSignedInfo; _signingCredentials = new SigningCredentials(signingKey, _signedXml.Signature.SignedInfo.SignatureMethod, signedInfo[0].DigestMethod, _signedXml.Signature.KeyIdentifier); }
/// <summary> /// Attempts to resolve the _securityKeyIdentifier into a securityKey. If successful, the private _securityKey is set. /// Uses the tokenresolver that was passed in, it may be the case a keyIdentifier can /// generate a securityKey. A RSA key can generate a key with just the public part. /// </summary> /// <returns>void</returns> void ResolveKey() { if (_securityKeyIdentifier == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski"); } if (_securityKey == null) { lock (_keyLock) { if (_securityKey == null) { if (_securityTokenResolver != null) { for (int i = 0; i < _securityKeyIdentifier.Count; ++i) { if (_securityTokenResolver.TryResolveSecurityKey(_securityKeyIdentifier[i], out _securityKey)) { return; } } } // most likely a public key, do this last if (_securityKeyIdentifier.CanCreateKey) { _securityKey = _securityKeyIdentifier.CreateKey(); return; } throw DiagnosticUtility.ExceptionUtility.ThrowHelper( new SecurityTokenException(SR.GetString(SR.ID2080, _securityTokenResolver == null ? "null" : _securityTokenResolver.ToString(), _securityKeyIdentifier == null ? "null" : _securityKeyIdentifier.ToString())), System.Diagnostics.TraceEventType.Error); } } } }
private static SecurityKey ResolveSecurityKey(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver, out SecurityKeyIdentifierClause clause) { if (ski == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski"); } clause = null; if (tokenResolver != null) { for (int i = 0; i < ski.Count; ++i) { SecurityKey key = null; if (tokenResolver.TryResolveSecurityKey(ski[i], out key)) { clause = ski[i]; return(key); } } } if (ski.CanCreateKey) { foreach (var skiClause in ski) { if (skiClause.CanCreateKey) { clause = skiClause; return(clause.CreateKey()); } } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.KeyIdentifierCannotCreateKey))); } return(null); }
internal ReadOnlyCollection <SecurityKey> ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver) { Saml2Subject subject = assertion.Subject; Saml2SubjectConfirmation confirmation = subject.SubjectConfirmations[0]; if (confirmation.SubjectConfirmationData != null) { this.ValidateConfirmationData(confirmation.SubjectConfirmationData); } List <SecurityKey> list = new List <SecurityKey>(); foreach (SecurityKeyIdentifier identifier in confirmation.SubjectConfirmationData.KeyIdentifiers) { SecurityKey key = null; foreach (SecurityKeyIdentifierClause clause in identifier) { if ((resolver != null) && resolver.TryResolveSecurityKey(clause, out key)) { list.Add(key); break; } } if (key == null) { if (identifier.CanCreateKey) { key = identifier.CreateKey(); list.Add(key); continue; } list.Add(new SecurityKeyElement(identifier, resolver)); } } return(list.AsReadOnly()); }