static XmlDocument Decrypt(XmlDocument xmldoc, X509Certificate2 certificadoPrivado)
{
//Vamos a buscar el elemento EncryptedKey de la respuesta,
//este encrypted key contiene la llave simétrica usada para encriptar el contenido del body.
XmlNamespaceManager namespaceManager = new XmlNamespaceManager(xmldoc.NameTable);
namespaceManager.AddNamespace("xenc", "http://www.w3.org/2001/04/xmlenc# ");
string cipherValueOfEncryptedKey = xmldoc.FirstChild.NextSibling.FirstChild.LastChild.FirstChild.NextSibling.InnerText;
byte[] cipherByteData = Convert.FromBase64String(cipherValueOfEncryptedKey);
AesManaged symmetricAlgorithm = new AesManaged();
symmetricAlgorithm.Key = EncryptedXml.DecryptKey(cipherByteData, (RSACryptoServiceProvider)certificadoPrivado.PrivateKey, true);
symmetricAlgorithm.CreateDecryptor();
EncryptedData encryptedData = new EncryptedData();
encryptedData.LoadXml(xmldoc.FirstChild.NextSibling.LastChild.FirstChild as XmlElement);
EncryptedXml encryptedXml = new EncryptedXml();
var decrypted = Encoding.UTF8.GetChars(encryptedXml.DecryptData(encryptedData, symmetricAlgorithm));
var plaintext = new string(decrypted);
//TODO: Aquí es cuando debemos descencriptar.
return(new XmlDocument());
}
public override byte[] DecryptKey(string algorithm, byte[] keyData)
{
if (algorithm == null)
{
throw new ArgumentNullException(nameof(algorithm));
}
if (keyData == null)
{
throw new ArgumentNullException(nameof(keyData));
}
if (rsa.KeyExchangeAlgorithm == null)
{
throw new NotSupportedException("The RSA key does not have a key exchange algorithm");
}
bool useOAEP;
switch (algorithm)
{
case EncryptedXml.XmlEncRSA15Url:
useOAEP = false;
break;
case EncryptedXml.XmlEncRSAOAEPUrl:
useOAEP = true;
break;
default:
throw new NotSupportedException($"The encryption algorithm {algorithm} is not supported");
}
return(EncryptedXml.DecryptKey(keyData, rsa, useOAEP));
}
public override byte[] DecryptKey(string algorithm, byte[] keyData)
{
// You can decrypt the key only if you have the private key in the certificate.
if (this.PrivateKey == null)
{
throw new NotSupportedException("Missing private key");
}
RSA rsa = this.PrivateKey as RSA;
if (rsa == null)
{
throw new NotSupportedException("Private key cannot be used with RSA algorithm");
}
// Support exchange keySpec, AT_EXCHANGE ?
if (rsa.KeyExchangeAlgorithm == null)
{
throw new NotSupportedException("Private key does not support key exchange");
}
switch (algorithm)
{
case EncryptedXml.XmlEncRSA15Url:
return(EncryptedXml.DecryptKey(keyData, rsa, false));
case EncryptedXml.XmlEncRSAOAEPUrl:
return(EncryptedXml.DecryptKey(keyData, rsa, true));
default:
throw new NotSupportedException(String.Format("Algorithm {0} is not supported", algorithm));
}
}
public static XmlDocument DecryptXmlDoc(XmlDocument xmlDoc, X509Certificate2 cert)
{
var rsa = cert.GetRSAPrivateKey();
if (rsa == null)
{
throw new IdentityProviderException("X509 must be RSA");
}
var elements = xmlDoc.DocumentElement.GetElements(null, "EncryptedData", true).Select(x => x.ParentNode).OfType <XmlElement>().ToArray();
foreach (var element in elements)
{
var encryptedXml = new EncryptedXml(xmlDoc);
var encryptedDataElement = new EncryptedData();
encryptedDataElement.LoadXml((XmlElement)element.ChildNodes[0]);
var encryptedKeyInfo = encryptedDataElement.KeyInfo.OfType <KeyInfoEncryptedKey>().First();
var encryptionAlgorithm = GetEncryptionAlgorithm(xmlDoc.DocumentElement);
var symmetricAlgorithm = Algorithms.Create(encryptionAlgorithm);
symmetricAlgorithm.Key = EncryptedXml.DecryptKey(encryptedKeyInfo.EncryptedKey.CipherData.CipherValue, rsa, useOeap);
var decryptedBytes = encryptedXml.DecryptData(encryptedDataElement, symmetricAlgorithm);
element.ParentNode.InnerXml = Encoding.UTF8.GetString(decryptedBytes);
}
return(xmlDoc);
}
private static SymmetricAlgorithm DecryptKey(XmlDocument xmlDoc, object decryptKey)
{
XmlNodeList encKeyNodeList = xmlDoc.GetElementsByTagName("EncryptedKey");
XmlNodeList encDataNodeList = xmlDoc.GetElementsByTagName("EncryptedData");
if (encDataNodeList.Count > 0 && encKeyNodeList.Count > 0)
{
XmlElement encryptedKey = encKeyNodeList[0] as XmlElement;
EncryptedKey ek = new EncryptedKey();
ek.LoadXml(encryptedKey);
byte[] decryptedData = null;
//if (decryptKey is SymmetricAlgorithm)
if (decryptKey is Rijndael || decryptKey is TripleDES)
{
decryptedData = EncryptedXml.DecryptKey(ek.CipherData.CipherValue, (SymmetricAlgorithm)decryptKey);
}
else if (decryptKey is RSA)
{
bool fOAEP = (ek.EncryptionMethod != null && ek.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl);
decryptedData = EncryptedXml.DecryptKey(ek.CipherData.CipherValue, (RSA)decryptKey, fOAEP);
}
else
{
return(null);
}
XmlElement encryptDataXml = encDataNodeList[0] as XmlElement;
EncryptedData encryptData = new EncryptedData();
encryptData.LoadXml(encryptDataXml);
return(GenerateSyAlgKey(decryptedData, encryptData.EncryptionMethod));
}
return(null);
}
public void DecryptKey_KeyNull()
{
using (Aes aes = Aes.Create())
{
Assert.Throws <ArgumentNullException>(() => EncryptedXml.DecryptKey(null, aes));
}
}
public override byte[] DecryptKey(string algorithm, byte[] keyData)
{
if (this.PrivateKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.IdentityModel.SR.GetString("MissingPrivateKey")));
}
RSA privateKey = this.PrivateKey as RSA;
if (privateKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.IdentityModel.SR.GetString("PrivateKeyNotRSA")));
}
if (privateKey.KeyExchangeAlgorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.IdentityModel.SR.GetString("PrivateKeyExchangeNotSupported")));
}
switch (algorithm)
{
case "http://www.w3.org/2001/04/xmlenc#rsa-1_5":
return(EncryptedXml.DecryptKey(keyData, privateKey, false));
case "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p":
return(EncryptedXml.DecryptKey(keyData, privateKey, true));
}
if (!this.IsSupportedAlgorithm(algorithm))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.IdentityModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { algorithm })));
}
return(EncryptedXml.DecryptKey(keyData, privateKey, true));
}
/// <summary>Decrypts the specified encrypted key using the specified cryptographic algorithm.</summary>
/// <param name="algorithm">The cryptographic algorithm to decrypt the key.</param>
/// <param name="keyData">An array of <see cref="T:System.Byte" /> that contains the encrypted key.</param>
/// <returns>An array of <see cref="T:System.Byte" /> that contains the decrypted key.</returns>
/// <exception cref="T:System.NotSupportedException">The X.509 certificate specified in the constructor does not have a private key.-or-The X.509 certificate has a private key, but it was not generated using the <see cref="T:System.Security.Cryptography.RSA" /> algorithm.-or-The X.509 certificate has a private key, it was generated using the <see cref="T:System.Security.Cryptography.RSA" /> algorithm, but the <see cref="P:System.Security.Cryptography.AsymmetricAlgorithm.KeyExchangeAlgorithm" /> property is <see langword="null" />.-or-The <paramref name="algorithm" /> parameter is not supported. The supported algorithms are <see cref="F:System.Security.Cryptography.Xml.EncryptedXml.XmlEncRSA15Url" /> and <see cref="F:System.Security.Cryptography.Xml.EncryptedXml.XmlEncRSAOAEPUrl" />.</exception>
public byte[] DecryptKey(string algorithm, byte[] keyData)
{
if (PrivateKey == null)
{
throw new NotSupportedException("Missing Private Key");
}
var priv = PrivateKey as RSA;
if (priv == null)
{
throw new NotSupportedException("Private Key is not an RSA key");
}
if (priv.KeyExchangeAlgorithm == null)
{
throw new NotSupportedException("Private Key exchange algorithm was not available");
}
if (algorithm == "http://www.w3.org/2001/04/xmlenc#rsa-1_5")
{
return(EncryptedXml.DecryptKey(keyData, priv, false));
}
if (algorithm == "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" || this.IsSupportedAlgorithm(algorithm))
{
return(EncryptedXml.DecryptKey(keyData, priv, true));
}
throw new NotSupportedException($"The requested cryptography algorithm '{algorithm}' is not supported by this library");
}
/// <summary>Decrypts the specified encrypted key using the specified cryptographic algorithm.</summary>
/// <param name="algorithm">The cryptographic algorithm to decrypt the key.</param>
/// <param name="keyData">An array of <see cref="T:System.Byte" /> that contains the encrypted key.</param>
/// <returns>An array of <see cref="T:System.Byte" /> that contains the decrypted key.</returns>
/// <exception cref="T:System.NotSupportedException">The X.509 certificate specified in the constructor does not have a private key.-or-The X.509 certificate has a private key, but it was not generated using the <see cref="T:System.Security.Cryptography.RSA" /> algorithm.-or-The X.509 certificate has a private key, it was generated using the <see cref="T:System.Security.Cryptography.RSA" /> algorithm, but the <see cref="P:System.Security.Cryptography.AsymmetricAlgorithm.KeyExchangeAlgorithm" /> property is <see langword="null" />.-or-The <paramref name="algorithm" /> parameter is not supported. The supported algorithms are <see cref="F:System.Security.Cryptography.Xml.EncryptedXml.XmlEncRSA15Url" /> and <see cref="F:System.Security.Cryptography.Xml.EncryptedXml.XmlEncRSAOAEPUrl" />.</exception>
public override byte[] DecryptKey(string algorithm, byte[] keyData)
{
if (this.PrivateKey == null)
{
throw new NotSupportedException("MissingPrivateKey");
}
RSA privateKey = this.PrivateKey as RSA;
if (privateKey == null)
{
throw new NotSupportedException("PrivateKeyNotRSA");
}
if (privateKey.KeyExchangeAlgorithm == null)
{
throw new NotSupportedException("PrivateKeyExchangeNotSupported");
}
if (algorithm == "http://www.w3.org/2001/04/xmlenc#rsa-1_5")
{
return(EncryptedXml.DecryptKey(keyData, privateKey, false));
}
if (algorithm == "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" || this.IsSupportedAlgorithm(algorithm))
{
return(EncryptedXml.DecryptKey(keyData, privateKey, true));
}
throw new NotSupportedException("UnsupportedCryptoAlgorithm");
}
private static SymmetricAlgorithm ExtractSessionKey(
this XmlElement samlElement,
XmlNamespaceManager namespaceManager,
X509Certificate2 signingCertificate)
{
var xPath =
$"./{XmlPrefixes.DsigPrefix}:KeyInfo/" +
$"{XmlPrefixes.XmlEncPrefix}:EncryptedKey";
var node = (XmlElement)samlElement.SelectSingleNode(
xPath,
namespaceManager);
var encryptedKey = new EncryptedKey();
encryptedKey.LoadXml(node);
var decryptedKey = EncryptedXml.DecryptKey(
encryptedKey.CipherData.CipherValue,
(RSA)signingCertificate.PrivateKey,
true);
var key = new RijndaelManaged {
KeySize = 256,
Key = decryptedKey,
};
return(key);
}
public void ShouldInteropWithEncryptedXml(KeyWrapProviderTestData data)
{
var crypto = CreateCryptoProviderFactory();
var wrapped = null as string;
if (data.Wrap && data.Unwrap)
{
var provider = crypto.CreateKeyWrapProvider(data.SecurityKey, data.Algorithm);
Assert.NotNull(provider);
wrapped = Convert.ToBase64String(provider.WrapKey(Convert.FromBase64String(data.PlainText)));
}
if (data.Unwrap)
{
var provider = crypto.CreateKeyWrapProviderForUnwrap(data.SecurityKey, data.Algorithm);
Assert.NotNull(provider);
var unwrapped = Convert.ToBase64String(provider.UnwrapKey(Convert.FromBase64String(data.Wrapped)));
Assert.Equal(data.PlainText, unwrapped);
if (wrapped != null)
{
var rsa = null as RSA;
if (data.SecurityKey is X509SecurityKey x509SecurityKey)
{
rsa = x509SecurityKey.Certificate.GetRSAPrivateKey();
}
if (data.SecurityKey is RsaSecurityKey rsaSecurityKey)
{
rsa = rsaSecurityKey.Rsa ?? RSA.Create(rsaSecurityKey.Parameters);
}
var unwrapped2 = Convert.ToBase64String(EncryptedXml.DecryptKey(Convert.FromBase64String(wrapped), rsa, true));
Assert.Equal(data.PlainText, unwrapped2);
}
}
}
/// <summary>
/// Extracts the key from a <EncryptedKey> element.
/// </summary>
/// <param name="encryptedKeyElement"></param>
/// <param name="keyAlgorithm"></param>
/// <returns></returns>
private SymmetricAlgorithm ToSymmetricKey(XmlElement encryptedKeyElement, string keyAlgorithm)
{
EncryptedKey encryptedKey = new EncryptedKey();
encryptedKey.LoadXml(encryptedKeyElement);
bool useOAEP = USE_OAEP_DEFAULT;
if (encryptedKey.EncryptionMethod != null)
{
if (encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl)
{
useOAEP = true;
}
else
{
useOAEP = false;
}
}
if (encryptedKey.CipherData.CipherValue != null)
{
SymmetricAlgorithm key = GetKeyInstance(keyAlgorithm);
key.Key = EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, TransportKey, useOAEP);
return(key);
}
throw new NotImplementedException("Unable to decode CipherData of type \"CipherReference\".");
}
public void DecryptKey_RSA_KeyDataNull()
{
using (RSA rsa = RSA.Create())
{
Assert.Throws <ArgumentNullException>(() => EncryptedXml.DecryptKey(null, rsa, false));
}
}
public void DecryptKey_TripleDESWrongKeySize()
{
using (TripleDES tripleDES = TripleDES.Create())
{
byte[] key = "123" u8.ToArray();
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(key, tripleDES));
}
}
public void DecryptKey_TripleDESWrongKeySize()
{
using (TripleDES tripleDES = TripleDES.Create())
{
byte[] key = Encoding.ASCII.GetBytes("123");
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(key, tripleDES));
}
}
public void DecryptKey_AESWrongKeySize()
{
using (Aes aes = Aes.Create())
{
byte[] key = Encoding.ASCII.GetBytes("123");
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(key, aes));
}
}
public void DecryptKey_RSA_KeyDataNull()
{
var keyGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
keyGen.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
var pair = keyGen.GenerateKeyPair();
Assert.Throws <ArgumentNullException>(() => EncryptedXml.DecryptKey(null, (RsaKeyParameters)pair.Private, false));
}
public void DecryptKey_AESWrongKeySize()
{
using (Aes aes = Aes.Create())
{
byte[] key = "123" u8.ToArray();
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(key, aes));
}
}
public void EncryptKey_RSA_UseOAEP()
{
byte[] data = Encoding.ASCII.GetBytes("12345678");
using (RSA rsa = RSA.Create())
{
byte[] encryptedData = EncryptedXml.EncryptKey(data, rsa, true);
byte[] decryptedData = EncryptedXml.DecryptKey(encryptedData, rsa, true);
Assert.Equal(data, decryptedData);
}
}
public void EncryptKey_RSA_UseOAEP()
{
byte[] data = "12345678" u8.ToArray();
using (RSA rsa = RSA.Create())
{
byte[] encryptedData = EncryptedXml.EncryptKey(data, rsa, true);
byte[] decryptedData = EncryptedXml.DecryptKey(encryptedData, rsa, true);
Assert.Equal(data, decryptedData);
}
}
public void EncryptKey_AES8Bytes()
{
using (Aes aes = Aes.Create())
{
byte[] key = "12345678" u8.ToArray();
byte[] encryptedKey = EncryptedXml.EncryptKey(key, aes);
Assert.NotNull(encryptedKey);
Assert.Equal(key, EncryptedXml.DecryptKey(encryptedKey, aes));
}
}
public void DecryptKey_KeyNull()
{
var random = new SecureRandom();
var ivdata = new byte[128 / 8];
var keydata = new byte[256 / 8];
random.NextBytes(ivdata);
random.NextBytes(keydata);
var param = new ParametersWithIV(new KeyParameter(keydata), ivdata);
Assert.Throws <ArgumentNullException>(() => EncryptedXml.DecryptKey(null, new KeyParameter(keydata)));
}
public void DecryptKey_AESCorruptedKey()
{
using (Aes aes = Aes.Create())
{
byte[] key = "123456781234567812345678" u8.ToArray();
byte[] encryptedKey = EncryptedXml.EncryptKey(key, aes);
encryptedKey[0] ^= 0xFF;
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(encryptedKey, aes));
}
}
public void DecryptKey_AESCorruptedKey8Bytes()
{
using (Aes aes = Aes.Create())
{
byte[] key = Encoding.ASCII.GetBytes("12345678");
byte[] encryptedKey = EncryptedXml.EncryptKey(key, aes);
encryptedKey[0] ^= 0xFF;
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(encryptedKey, aes));
}
}
public void EncryptKey_RSA_UseOAEP()
{
byte[] data = Encoding.ASCII.GetBytes("12345678");
var keyGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
keyGen.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
var pair = keyGen.GenerateKeyPair();
byte[] encryptedData = EncryptedXml.EncryptKey(data, (RsaKeyParameters)pair.Public, true);
byte[] decryptedData = EncryptedXml.DecryptKey(encryptedData, (RsaKeyParameters)pair.Private, true);
Assert.Equal(data, decryptedData);
}
public override byte [] DecryptKey(string algorithm, byte [] keyData)
{
if (algorithm == null)
{
throw new ArgumentNullException("algorithm");
}
if (keyData == null)
{
throw new ArgumentNullException("keyData");
}
return(EncryptedXml.DecryptKey(keyData, GetSymmetricAlgorithm(algorithm)));
}
public void DecryptKey_TripleDESCorruptedKey()
{
using (TripleDES tripleDES = TripleDES.Create())
{
byte[] key = Encoding.ASCII.GetBytes("123456781234567812345678");
byte[] encryptedKey = EncryptedXml.EncryptKey(key, tripleDES);
encryptedKey[0] ^= 0xFF;
Assert.Throws <CryptographicException>(() => EncryptedXml.DecryptKey(encryptedKey, tripleDES));
}
}
public void EncryptKey_TripleDES()
{
using (TripleDES tripleDES = TripleDES.Create())
{
byte[] key = "123456781234567812345678" u8.ToArray();
byte[] encryptedKey = EncryptedXml.EncryptKey(key, tripleDES);
Assert.NotNull(encryptedKey);
Assert.Equal(key, EncryptedXml.DecryptKey(encryptedKey, tripleDES));
}
}
public void EncryptKey_AES8Bytes()
{
using (Aes aes = Aes.Create())
{
byte[] key = Encoding.ASCII.GetBytes("12345678");
byte[] encryptedKey = EncryptedXml.EncryptKey(key, aes);
Assert.NotNull(encryptedKey);
Assert.Equal(key, EncryptedXml.DecryptKey(encryptedKey, aes));
}
}
public void EncryptKey_TripleDES()
{
using (TripleDES tripleDES = TripleDES.Create())
{
byte[] key = Encoding.ASCII.GetBytes("123456781234567812345678");
byte[] encryptedKey = EncryptedXml.EncryptKey(key, tripleDES);
Assert.NotNull(encryptedKey);
Assert.Equal(key, EncryptedXml.DecryptKey(encryptedKey, tripleDES));
}
}
