public void TestSigning03()
{
// Load an unsigned assertion.
var assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, null, false);
// Check that the assertion is not considered valid in any way.
try
{
assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
Assert.Fail("Unsigned assertion was passed off as valid.");
}
catch
{
// Added to make resharper happy
Assert.That(true);
}
var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
Assert.That(cert.HasPrivateKey, "Certificate no longer contains a private key. Modify test.");
assertion.Sign(cert);
// Check that the signature is now valid
assertion.CheckValid(new[] { cert.PublicKey.Key });
}
public void VerifySignatureByDefault()
{
// Arrange
// Any key-containing algorithm will do - the basic assertion is NOT signed anyway
var cert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
// Act
var assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, new[] { cert.PublicKey.Key }, false, TestConfiguration.Configuration);
}
/// <summary>
/// Generates an encrypted assertion and writes it to disk.
/// </summary>
public static void GenerateEncryptedAssertion()
{
var assertion = AssertionUtil.GetTestAssertion();
// Create an EncryptedData instance to hold the results of the encryption.o
var encryptedData = new EncryptedData
{
Type = EncryptedXml.XmlEncElementUrl,
EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
};
// Create a symmetric key.
var aes = new RijndaelManaged {
KeySize = 256
};
aes.GenerateKey();
// Encrypt the assertion and add it to the encryptedData instance.
var encryptedXml = new EncryptedXml();
var encryptedElement = encryptedXml.EncryptData(assertion.DocumentElement, aes, false);
encryptedData.CipherData.CipherValue = encryptedElement;
// Add an encrypted version of the key used.
encryptedData.KeyInfo = new KeyInfo();
var encryptedKey = new EncryptedKey();
// Use this certificate to encrypt the key.
var cert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234");
var publicKeyRsa = cert.PublicKey.Key as RSA;
Assert.IsNotNull(publicKeyRsa, "Public key of certificate was not an RSA key. Modify test.");
encryptedKey.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);
encryptedKey.CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, publicKeyRsa, false));
encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
// Create the resulting Xml-document to hook into.
var encryptedAssertion = new EncryptedAssertion
{
EncryptedData = new Schema.XEnc.EncryptedData(),
EncryptedKey = new Schema.XEnc.EncryptedKey[1]
};
encryptedAssertion.EncryptedKey[0] = new Schema.XEnc.EncryptedKey();
var result = Serialization.Serialize(encryptedAssertion);
var encryptedDataElement = GetElement(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc, result);
EncryptedXml.ReplaceElement(encryptedDataElement, encryptedData, false);
// At this point, result can be output to text
}
public void VerifySignatureByDefault()
{
// Arrange
// Any key-containing algorithm will do - the basic assertion is NOT signed anyway
var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
// Act
Assert.Throws<InvalidOperationException>(() => new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, new[] { cert.PublicKey.Key }, false),
"Document does not contain a signature to verify.");
}
public void AssertionCanBeSignedAndVerified()
{
// Arrange
var token = AssertionUtil.GetTestAssertion();
SignDocument(token);
// Act
var verified = VerifySignature(token);
// Assert
Assert.That(verified);
}
public void CanEncryptAssertionFull()
{
// Arrange
var encryptedAssertion = new Saml20EncryptedAssertion
{
SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url,
Assertion = AssertionUtil.GetTestAssertion()
};
var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
encryptedAssertion.TransportKey = (RSA)cert.PublicKey.Key;
// Act
encryptedAssertion.Encrypt();
var encryptedAssertionXml = encryptedAssertion.GetXml();
// Now decrypt the assertion, and verify that it recognizes the Algorithm used.
var decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
decrypter.LoadXml(encryptedAssertionXml.DocumentElement);
// Set a wrong algorithm and make sure that the class gets it algorithm info from the assertion itself.
decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
decrypter.Decrypt();
// Assert
// Go through the children and look for the EncryptionMethod element, and verify its algorithm attribute.
var encryptionMethodFound = false;
foreach (XmlNode node in encryptedAssertionXml.GetElementsByTagName(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc)[0].ChildNodes)
{
if (node.LocalName == Schema.XEnc.EncryptionMethod.ElementName && node.NamespaceURI == Saml20Constants.Xenc)
{
var element = (XmlElement)node;
Assert.AreEqual(EncryptedXml.XmlEncAES128Url, element.GetAttribute("Algorithm"));
encryptionMethodFound = true;
}
}
Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");
// Verify that the class has discovered the correct algorithm and set the SessionKeyAlgorithm property accordingly.
Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
Assert.IsNotNull(decrypter.Assertion);
}
public void ManipulatingAssertionMakesSignatureInvalid()
{
// Arrange
var token = AssertionUtil.GetTestAssertion();
SignDocument(token);
// Manipulate the #%!;er: Attempt to remove the <AudienceRestriction> from the list of conditions.
var conditions = (XmlElement)token.GetElementsByTagName("Conditions", "urn:oasis:names:tc:SAML:2.0:assertion")[0];
var audienceRestriction = (XmlElement)conditions.GetElementsByTagName("AudienceRestriction", "urn:oasis:names:tc:SAML:2.0:assertion")[0];
conditions.RemoveChild(audienceRestriction);
// Act
var verified = VerifySignature(token);
// Assert
Assert.IsFalse(verified);
}
public void CanEncryptAssertion()
{
// Arrange
var encryptedAssertion = new Saml20EncryptedAssertion {
Assertion = AssertionUtil.GetTestAssertion()
};
var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
encryptedAssertion.TransportKey = (RSA)cert.PublicKey.Key;
// Act
encryptedAssertion.Encrypt();
var encryptedAssertionXml = encryptedAssertion.GetXml();
// Assert
Assert.IsNotNull(encryptedAssertionXml);
Assert.AreEqual(1, encryptedAssertionXml.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion).Count);
Assert.AreEqual(1, encryptedAssertionXml.GetElementsByTagName(Schema.XEnc.EncryptedKey.ElementName, Saml20Constants.Xenc).Count);
}
