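/// <summary>
/// Builds an <c>EncryptedAssertion</c> document in memory from the test assertion: the
/// assertion element is encrypted with a fresh AES-256 session key, and that key is wrapped
/// with the public RSA key of the STS dev certificate and carried inline in KeyInfo.
/// Nothing is written to disk; the resulting <c>result</c> document is left for the caller
/// to dump (e.g. from a debugger) as a fixture.
/// </summary>
public static void GenerateEncryptedAssertion()
{
    var cert = Certificates.InMemoryResourceUtility.GetInMemoryCertificate("sts_dev_certificate.pfx", "test1234");
    var assertion = AssertionUtil.GetTestAssertion();

    // EncryptedData element that will hold the ciphertext of the whole assertion element.
    var encryptedData = new EncryptedData
    {
        Type = EncryptedXml.XmlEncElementUrl,
        EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
    };

    // Fresh random 256-bit session key. Aes.Create() replaces the obsolete RijndaelManaged;
    // with the default 128-bit block size they are the same cipher. The key material is
    // disposed as soon as it has been wrapped instead of lingering for the method's lifetime.
    using (var sessionKey = Aes.Create())
    {
        sessionKey.KeySize = 256;
        sessionKey.GenerateKey();

        var encryptedXml = new EncryptedXml();
        encryptedData.CipherData.CipherValue = encryptedXml.EncryptData(assertion.DocumentElement, sessionKey, false);

        // Wrap the session key with the certificate's public key.
        var publicKeyRsa = cert.PublicKey.Key as RSA;
        Assert.True(publicKeyRsa != null, "Public key of certificate was not an RSA key. Modify test.");

        // NOTE(review): RSA-1.5 key transport (PKCS#1 v1.5 padding) is deprecated by XML
        // Encryption 1.1 because of Bleichenbacher-style padding oracles. It is kept here
        // because this helper produces the fixture format the decrypting side is exercised
        // with; prefer XmlEncRSAOAEPUrl with useOAEP: true once the consumer supports it.
        var encryptedKey = new EncryptedKey
        {
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url),
            CipherData = new CipherData(EncryptedXml.EncryptKey(sessionKey.Key, publicKeyRsa, false))
        };
        encryptedData.KeyInfo = new KeyInfo();
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
    }

    // Build the SAML EncryptedAssertion envelope and splice the EncryptedData into it.
    var encryptedAssertion = new EncryptedAssertion
    {
        EncryptedData = new Schema.XEnc.EncryptedData(),
        EncryptedKey = new[] { new Schema.XEnc.EncryptedKey() }
    };
    var result = Serialization.Serialize(encryptedAssertion);
    var encryptedDataElement = GetElement(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc, result);
    EncryptedXml.ReplaceElement(encryptedDataElement, encryptedData, false);

    // At this point, result can be output to text
}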
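/// <summary>
/// Loading an unsigned assertion with signature verification requested (the default) must
/// fail fast rather than yield a usable assertion object: an unsigned token must never be
/// accepted silently. The NUnit-era expectation was the message
/// "Document does not contain a signature to verify."; only the exception type is asserted here.
/// </summary>
public void VerifySignatureByDefault()
{
    // Arrange
    // Any key-containing algorithm will do - the basic assertion is NOT signed anyway.
    var cert = _context.Sts_Dev_cetificate;

    // Act / Assert: the constructor itself must throw; the instance is never needed,
    // so it is not bound to a local.
    Assert.Throws<InvalidOperationException>(() =>
    {
        new Saml20Assertion(
            AssertionUtil.GetTestAssertion().DocumentElement,
            new[] { cert.PublicKey.Key },
            false,
            TestConfiguration.Configuration);
    });
}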
/// <summary>
/// Round-trip: a freshly signed test assertion verifies against its own signature.
/// </summary>
public void AssertionCanBeSignedAndVerified()
{
    // Arrange
    var signedToken = AssertionUtil.GetTestAssertion();
    SignDocument(signedToken);

    // Act / Assert
    Assert.True(VerifySignature(signedToken));
}
/// <summary>
/// Encrypting the test assertion with the STS dev certificate's public RSA key yields a
/// document containing exactly one saml:EncryptedAssertion and exactly one xenc:EncryptedKey.
/// </summary>
public void CanEncryptAssertion()
{
    // Arrange
    var subject = new Saml20EncryptedAssertion { Assertion = AssertionUtil.GetTestAssertion() };
    var transportKey = (RSA)_context.Sts_Dev_cetificate.PublicKey.Key;
    subject.TransportKey = transportKey;

    // Act
    subject.Encrypt();
    var xml = subject.GetXml();

    // Assert
    Assert.NotNull(xml);
    var encryptedAssertions = xml.GetElementsByTagName(EncryptedAssertion.ElementName, Saml20Constants.Assertion);
    var encryptedKeys = xml.GetElementsByTagName(Schema.XEnc.EncryptedKey.ElementName, Saml20Constants.Xenc);
    Assert.Equal(1, encryptedAssertions.Count);
    Assert.Equal(1, encryptedKeys.Count);
}
/// <summary>
/// Encrypts with an explicitly chosen session-key algorithm (AES-128), then decrypts with a
/// deliberately wrong SessionKeyAlgorithm preset and checks that the decrypter (a) picks the
/// algorithm up from the xenc:EncryptionMethod in the document and (b) recovers the assertion.
/// </summary>
public void CanEncryptAssertionFull()
{
    // Arrange
    var encryptor = new Saml20EncryptedAssertion
    {
        SessionKeyAlgorithm = EncryptedXml.XmlEncAES128Url,
        Assertion = AssertionUtil.GetTestAssertion()
    };
    encryptor.TransportKey = (RSA)_context.Sts_Dev_cetificate.PublicKey.Key;

    // Act
    encryptor.Encrypt();
    var encryptedXml = encryptor.GetXml();

    // Decrypt with the matching private key. The preset algorithm is wrong on purpose so the
    // test proves the value is taken from the document rather than from the property.
    var decrypter = new Saml20EncryptedAssertion((RSA)_context.Sts_Dev_cetificate.PrivateKey);
    decrypter.LoadXml(encryptedXml.DocumentElement);
    decrypter.SessionKeyAlgorithm = EncryptedXml.XmlEncTripleDESUrl;
    decrypter.Decrypt();

    // Assert
    // The EncryptionMethod child of the first EncryptedData must advertise AES-128.
    // NOTE(review): a decrypter honouring whatever algorithm the document names is the
    // "algorithm confusion" surface for attacker-supplied documents; this test does not check
    // that unsupported or weak algorithms are rejected - verify that on the library side.
    var encryptedDataNode = encryptedXml.GetElementsByTagName(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc)[0];
    XmlElement encryptionMethod = null;
    foreach (XmlNode child in encryptedDataNode.ChildNodes)
    {
        var isEncryptionMethod = child.LocalName == Schema.XEnc.EncryptionMethod.ElementName
                                 && child.NamespaceURI == Saml20Constants.Xenc;
        if (isEncryptionMethod)
        {
            encryptionMethod = (XmlElement)child;
            Assert.Equal(EncryptedXml.XmlEncAES128Url, encryptionMethod.GetAttribute("Algorithm"));
        }
    }
    Assert.True(encryptionMethod != null, "Unable to find EncryptionMethod element in EncryptedData.");

    // The decrypter must have replaced the wrong preset with the algorithm found in the document.
    Assert.Equal(EncryptedXml.XmlEncAES128Url, decrypter.SessionKeyAlgorithm);
    Assert.NotNull(decrypter.Assertion);
}
/// <summary>
/// Tampering with a signed assertion - here, dropping the AudienceRestriction from Conditions,
/// which would otherwise let the token be replayed at any relying party - must invalidate the
/// signature.
/// </summary>
public void ManipulatingAssertionMakesSignatureInvalid()
{
    // Arrange
    const string samlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    var signedToken = AssertionUtil.GetTestAssertion();
    SignDocument(signedToken);

    // Tamper with signed content: remove <AudienceRestriction> from <Conditions>.
    var conditions = (XmlElement)signedToken.GetElementsByTagName("Conditions", samlNs)[0];
    var audienceRestriction = (XmlElement)conditions.GetElementsByTagName("AudienceRestriction", samlNs)[0];
    conditions.RemoveChild(audienceRestriction);

    // Act
    var stillVerifies = VerifySignature(signedToken);

    // Assert
    Assert.False(stillVerifies);
}
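/// <summary>
/// An unsigned assertion must be rejected by CheckValid; after signing it with the STS dev
/// certificate it must validate against that certificate's public key.
/// </summary>
public void TestSigning03()
{
    // Arrange: load the test assertion without signature verification (it is unsigned).
    var assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion().DocumentElement, null, false, null);

    // Act / Assert (negative): CheckValid must throw for an unsigned assertion.
    // The previous try/catch had its Assert.Fail commented out, so an unsigned assertion
    // being treated as valid would have passed this test silently. The flag makes the
    // negative case enforceable without depending on a specific exception type.
    var rejected = false;
    try
    {
        assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer));
    }
    catch (Exception)
    {
        rejected = true;
    }
    Assert.True(rejected, "Unsigned assertion was passed off as valid.");

    // Act (positive): sign with the dev certificate.
    var cert = _context.Sts_Dev_cetificate;
    assertion.Sign(cert, null);

    // Assert: the signature now validates against the certificate's public key.
    assertion.CheckValid(new[] { cert.PublicKey.Key });
}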