public void Sign(ICredentialVault signingVault)
{
var signer = new SealSignedXml(XAssertion);
var signedXml = signer.SignAssertion(signingVault.GetSystemCredentials(), XAssertion.Attribute(SamlAttributes.Id).Value);
dom = XElement.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace);
}
/// <summary>
/// Checks the signature on the <see cref="OioWsTrustMessage"/> - no trust-checks are performed.
/// </summary>
public void ValidateSignature()
{
var signedXml = new SealSignedXml(dom);
if (!signedXml.CheckEnvelopeSignature() || !signedXml.CheckAssertionSignature())
{
throw new ModelBuildException("Liberty signature could not be validated");
}
}
protected void SignAssertion(XDocument document)
{
//SignatureConfiguration signatureConfiguration = new SignatureConfiguration(new string[] { assertionID }, assertionID, IDValues.Id);
//signatureConfiguration.setSignatureSiblingNode(subjectNode);
//AddExtraSignatureConfiguration(signatureConfiguration);
//SignatureUtil.Sign(SignatureProviderFactory.fromCredentialVault(signingVault), document, signatureConfiguration);
var signer = new SealSignedXml(document);
XmlDocument envelope = signer.SignAssertion(SigningVault.GetSystemCredentials(), AssertionId);
// TODO: Assign back
}
/// <summary>
/// Build the final response <code>Document</code>.<br />
/// Before the<code>Document</code> is generated all attributes will be validated.<br />
/// <br />
/// A<code> Document</code> is generated each time this method is called.Calling this method multiple times will therefore return multiple objects.
/// </summary>
/// <returns></returns>
public override XDocument Build()
{
var document = CreateDocument();
SealUtilities.CheckAndSetSamlDsPreFix(document);
NameSpaces.SetMissingNamespaces(document);
if (SigningVault != null)
{
var signer = new SealSignedXml(document);
var signedXml = signer.Sign(SigningVault.GetSystemCredentials());
var xDocument = XDocument.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace);
return(xDocument);
}
return(document);
}
public override OioSamlAssertion Build()
{
ValidateBeforeBuild();
XElement assertion = CreateDocument();
if (IncludeIdCardAsBootstrapToken)
{
AddIdCardAsBootstrapToken(assertion);
}
var signer = new SealSignedXml(assertion);
var signedXml = signer.SignAssertion(SigningVault.GetSystemCredentials(), AssertionId);
var signedXelement = XElement.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace);
return(new OioSamlAssertion(signedXelement));
}
static void Main(string[] args)
{
/**
* We load SignIn_Xml.xml with a "<signature id=.../>" and attempt to check the signature
* Open SealSignedXml to switch between copied/test dotnetcore impletation and actual framework
* Open SignIn_Xml.xml and find <ds:Signature id="OCESSignature"> and correct id to Id as test
*
* Note that the files have been reduced to minimum to showcase the error in question.
*
* The Exception will be thrown by throw new CryptographicException("Hej2", "Signature"); in Signature.cs
*
*
* See https://github.com/dotnet/corefx/issues/29698 for additional comments (if any)
*/
using (FileStream fileStream = new FileStream("SignIn_Xml.xml", FileMode.Open))
{
SealSignedXml sealSignedXml = new SealSignedXml(fileStream);
sealSignedXml.CheckAssertionSignature();
}
}
private static bool InternalValidate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkForTrustedCertificates, bool checkRevoked)
{
if (signatureToValidate.NodeType != XmlNodeType.Element)
{
throw new ModelException("The signature to validate must be a ds:Signature Element!");
}
var xml = new XmlDocument();
xml.Load(signatureToValidate.CreateReader());
bool isAssertion = false;
var nsManager = NameSpaces.MakeNsManager(xml.NameTable);
var sig = xml.SelectSingleNode("/soap:Envelope/soap:Header/wsse:Security/ds:Signature", nsManager) as XmlElement;
if (sig == null)
{
sig = xml.SelectSingleNode("/saml:Assertion/ds:Signature", nsManager) as XmlElement;
isAssertion = true;
if (sig == null)
{
sig = xml.GetElementsByTagName("Signature", NameSpaces.ds)[0] as XmlElement;
isAssertion = true;
}
}
if (sig == null)
{
return(false);
}
var signature = new Signature();
sig = MakeSignatureCheckSamlCompliant(sig);
signature.LoadXml(sig);
var cert = signature.KeyInfo.Cast <KeyInfoX509Data>().Select(d => d.Certificates[0] as X509Certificate2).FirstOrDefault(c => c != null);
if (!ConfigurationManager.AppSettings.AllKeys.Contains("CheckDate") || !ConfigurationManager.AppSettings["CheckDate"].ToLower().Equals("false"))
{
//check if certificate is expired or cannot be used yet
if (!CheckDates(cert))
{
return(false);
}
}
//Check that the certificate used for validation is trusted. If a Federation has been specified
//the signature must have been created by the STS. If no federation is specified, the
//certificate must be trusted in the CredentialVault.
if (checkForTrustedCertificates)
{
var trusted = false;
if (federation != null)
{
trusted = federation.IsValidSTSCertificate(cert);
}
else if (vault != null)
{
trusted = vault.IsTrustedCertificate(cert);
}
if (!trusted)
{
throw new ModelException("The certificate that signed the security token is not trusted!");
}
}
// check the certificates CRL if the certificate is revoked
if (checkRevoked)
{
CrlCertificateStatusChecker crlChecker = new CrlCertificateStatusChecker();
var isValid = crlChecker.GetRevocationStatus(cert).IsValid;
if (!isValid)
{
throw new ModelException("The certificate or one in its certificate chain has been revoked!");
}
}
// check if xml is actually signed with key sent in message
var signed = new SealSignedXml(signatureToValidate);
if (isAssertion)
{
return(signed.CheckAssertionSignature());
}
return(signed.CheckEnvelopeSignature());
}
