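public void TestSigning03()
{
    // Load the test assertion with no trusted keys, so nothing is verified at construction time.
    var assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, null, false);

    // The unsigned assertion must be rejected by CheckValid. This is expressed with Assert.Catch
    // rather than try/Assert.Fail/catch: a bare catch would also swallow the AssertionException
    // that Assert.Fail raises, so the test could never report an unsigned assertion being accepted.
    Assert.Catch(
        () => assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer)),
        "Unsigned assertion was passed off as valid.");

    // The PFX carries the private key; dispose it once signing and verification are done.
    using (var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234"))
    {
        Assert.That(cert.HasPrivateKey, "Certificate no longer contains a private key. Modify test.");

        assertion.Sign(cert);

        // After signing, verification against the matching public key must succeed.
        assertion.CheckValid(new[] { cert.PublicKey.Key });
    }
}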
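public void VerifySignatureByDefault()
{
    // Arrange
    // Any key-containing algorithm will do - the basic assertion is NOT signed anyway
    // NOTE(review): this path is relative to the process working directory, whereas the other
    // tests here anchor it at TestContext.CurrentContext.TestDirectory — confirm which is intended.
    using (var cert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234"))
    {
        // Act
        var assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, new[] { cert.PublicKey.Key }, false, TestConfiguration.Configuration);

        // Assert
        // Passing verification keys makes construction the point where the signature is checked;
        // presumably a failure surfaces as an exception, so reaching an instance is the success case.
        Assert.IsNotNull(assertion);
    }
}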
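/// <summary>
/// Builds an EncryptedAssertion document from the test assertion: the assertion element is
/// encrypted with a freshly generated AES-256 session key, and that key is wrapped with the RSA
/// public key of the test certificate. The finished document is left in the local
/// <c>result</c>; nothing is written to disk.
/// </summary>
public static void GenerateEncryptedAssertion()
{
    var assertion = AssertionUtil.GetTestAssertion();

    // Create an EncryptedData instance to hold the results of the encryption.
    var encryptedData = new EncryptedData
    {
        Type = EncryptedXml.XmlEncElementUrl,
        EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
    };

    // Create a symmetric session key (RijndaelManaged at its default 128-bit block size is AES;
    // Aes.Create() is the non-obsolete equivalent). Both the key and the certificate are disposed
    // when the method finishes; only byte[] copies of the ciphertext and wrapped key outlive them.
    using (var aes = new RijndaelManaged { KeySize = 256 })
    using (var cert = new X509Certificate2(@"Certificates\sts_dev_certificate.pfx", "test1234"))
    {
        aes.GenerateKey();

        // Encrypt the assertion and add it to the encryptedData instance.
        var encryptedXml = new EncryptedXml();
        var encryptedElement = encryptedXml.EncryptData(assertion.DocumentElement, aes, false);
        encryptedData.CipherData.CipherValue = encryptedElement;

        // Add an encrypted version of the key used.
        encryptedData.KeyInfo = new KeyInfo();
        var encryptedKey = new EncryptedKey();

        // Use this certificate to encrypt the key.
        var publicKeyRsa = cert.PublicKey.Key as RSA;
        Assert.IsNotNull(publicKeyRsa, "Public key of certificate was not an RSA key. Modify test.");

        // Key transport is RSA PKCS#1 v1.5 (XmlEncRSA15Url, useOAEP: false) — presumably what the
        // decrypting side expects; RSA-OAEP is the stronger choice where it is supported. Confirm before changing.
        encryptedKey.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);
        encryptedKey.CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, publicKeyRsa, false));
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));

        // Create the resulting Xml-document to hook into.
        var encryptedAssertion = new EncryptedAssertion
        {
            EncryptedData = new Schema.XEnc.EncryptedData(),
            EncryptedKey = new Schema.XEnc.EncryptedKey[1]
        };
        encryptedAssertion.EncryptedKey[0] = new Schema.XEnc.EncryptedKey();

        var result = Serialization.Serialize(encryptedAssertion);

        // Replace the placeholder <EncryptedData> in the serialized skeleton with the real one.
        var encryptedDataElement = GetElement(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc, result);
        EncryptedXml.ReplaceElement(encryptedDataElement, encryptedData, false);

        // At this point, result can be output to text
    }
}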
public void VerifySignatureByDefault()
{
    // Arrange
    // Any key-containing algorithm will do - the basic assertion is NOT signed anyway
    var certificatePath = TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx";
    var cert = new X509Certificate2(certificatePath, "test1234");

    // Act / Assert
    // Supplying verification keys for a document that carries no <Signature> must fail loudly
    // rather than let the unsigned assertion through.
    Assert.Throws<InvalidOperationException>(
        () =>
        {
            var unsignedAssertion = AssertionUtil.GetTestAssertion().DocumentElement;
            var verificationKeys = new[] { cert.PublicKey.Key };
            new Saml20Assertion(unsignedAssertion, verificationKeys, false);
        },
        "Document does not contain a signature to verify.");
}
public void AssertionCanBeSignedAndVerified()
{
    // Arrange: sign the untouched test assertion.
    var document = AssertionUtil.GetTestAssertion();
    SignDocument(document);

    // Act
    var signatureIsValid = VerifySignature(document);

    // Assert: the signature over an unmodified document verifies.
    Assert.IsTrue(signatureIsValid);
}
public void CanEncryptAssertionFull()
{
    // Arrange
    var cert = new X509Certificate2(TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx", "test1234");
    var encryptedAssertion = new Saml20EncryptedAssertion
    {
        SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url,
        Assertion = AssertionUtil.GetTestAssertion(),
        TransportKey = (RSA)cert.PublicKey.Key
    };

    // Act
    encryptedAssertion.Encrypt();
    var encryptedDocument = encryptedAssertion.GetXml();

    // Round-trip: load the ciphertext with the private key, then deliberately seed a wrong
    // session-key algorithm so the decrypter has to take the real one from the document.
    var decrypter = new Saml20EncryptedAssertion((RSA)cert.PrivateKey);
    decrypter.LoadXml(encryptedDocument.DocumentElement);
    decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
    decrypter.Decrypt();

    // Assert
    // Locate the <EncryptionMethod> child of <EncryptedData> and check its Algorithm attribute.
    var encryptedDataElement = encryptedDocument.GetElementsByTagName(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc)[0];
    var encryptionMethodFound = false;
    foreach (XmlNode child in encryptedDataElement.ChildNodes)
    {
        var isEncryptionMethod = child.LocalName == Schema.XEnc.EncryptionMethod.ElementName
                                 && child.NamespaceURI == Saml20Constants.Xenc;
        if (!isEncryptionMethod)
        {
            continue;
        }

        var algorithm = ((XmlElement)child).GetAttribute("Algorithm");
        Assert.AreEqual(EncryptedXml.XmlEncAES128Url, algorithm);
        encryptionMethodFound = true;
    }

    Assert.That(encryptionMethodFound, "Unable to find EncryptionMethod element in EncryptedData.");

    // The decrypter must have picked up the document's algorithm and produced an assertion.
    Assert.AreEqual(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
    Assert.IsNotNull(decrypter.Assertion);
}
public void ManipulatingAssertionMakesSignatureInvalid()
{
    const string samlAssertionNamespace = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Arrange: sign the pristine assertion.
    var token = AssertionUtil.GetTestAssertion();
    SignDocument(token);

    // Tamper with signed content: drop <AudienceRestriction> from <Conditions>.
    var conditions = (XmlElement)token.GetElementsByTagName("Conditions", samlAssertionNamespace)[0];
    var audienceRestriction = (XmlElement)conditions.GetElementsByTagName("AudienceRestriction", samlAssertionNamespace)[0];
    conditions.RemoveChild(audienceRestriction);

    // Act
    var signatureIsValid = VerifySignature(token);

    // Assert: the signature no longer matches the document's content.
    Assert.IsFalse(signatureIsValid);
}
public void CanEncryptAssertion()
{
    // Arrange
    var certificatePath = TestContext.CurrentContext.TestDirectory + @"\Certificates\sts_dev_certificate.pfx";
    var cert = new X509Certificate2(certificatePath, "test1234");
    var encryptedAssertion = new Saml20EncryptedAssertion { Assertion = AssertionUtil.GetTestAssertion() };
    encryptedAssertion.TransportKey = (RSA)cert.PublicKey.Key;

    // Act
    encryptedAssertion.Encrypt();
    var document = encryptedAssertion.GetXml();

    // Assert: exactly one <EncryptedAssertion> and exactly one wrapped <EncryptedKey> in the output.
    Assert.IsNotNull(document);
    var encryptedAssertionCount = document.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion).Count;
    var encryptedKeyCount = document.GetElementsByTagName(Schema.XEnc.EncryptedKey.ElementName, Saml20Constants.Xenc).Count;
    Assert.AreEqual(1, encryptedAssertionCount);
    Assert.AreEqual(1, encryptedKeyCount);
}