/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(ICollection <KeyDescriptor> keys, IdentityProvider identityProvider)
{
if (keys == null)
{
throw new ArgumentNullException("keys");
}
foreach (var item in keys.SelectMany(k => k.KeyInfo.Items))
{
var clause = item as KeyInfoClause;
var x509Data = clause as KeyInfoX509Data ?? (item as KeyInfoClause <KeyInfoX509Data>)?.GetKeyInfoClause();
if (x509Data != null)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(x509Data ?? clause);
yield return(key);
}
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(ICollection <KeyDescriptor> keys, IdentityProvider identityProvider)
{
if (keys == null)
{
throw new ArgumentNullException("keys");
}
var result = new List <AsymmetricAlgorithm>(keys.Count);
foreach (var keyDescriptor in keys)
{
foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
{
// Check certificate specifications
if (clause is KeyInfoX509Data)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(clause);
result.Add(key);
}
}
return(result);
}
internal static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(ICollection <KeyDescriptor> keys, IDPEndPoint ep)
{
if (keys == null)
{
throw new ArgumentNullException("keys");
}
List <AsymmetricAlgorithm> result = new List <AsymmetricAlgorithm>(keys.Count);
foreach (KeyDescriptor keyDescriptor in keys)
{
KeyInfo ki = (KeyInfo)keyDescriptor.KeyInfo;
foreach (KeyInfoClause clause in ki)
{
if (clause is KeyInfoX509Data)
{
X509Certificate2 cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!IsSatisfiedByAllSpecifications(ep, cert))
{
continue;
}
}
AsymmetricAlgorithm key = XmlSignatureUtils.ExtractKey(clause);
result.Add(key);
}
}
return(result);
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(ICollection <KeyDescriptor> keys, IdentityProvider identityProvider)
{
if (keys == null)
{
throw new ArgumentNullException(nameof(keys));
}
var keyClauses = keys.SelectMany(x => x.KeyInfo.Items).OfType <X509Data>().SelectMany(x => x.Items).OfType <byte[]>().ToList();
foreach (var keyClause in keyClauses)
{
var cert = new X509Certificate2(keyClause);
if (CertificateSatisfiesSpecifications(identityProvider, cert))
{
yield return(cert.PublicKey.Key);
}
}
foreach (var clause in keys.SelectMany(k => k.KeyInfo.Items.AsEnumerable().OfType <KeyInfoClause>()))
{
// Check certificate specifications
if (clause is KeyInfoX509Data)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(clause);
yield return(key);
}
}
private static AsymmetricAlgorithm GetTrustedSigner(KeyInfoClause clause, IdentityProvider identityProvider)
{
// Check certificate specifications
if (clause is KeyInfoX509Data)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
return(null);
}
}
return(XmlSignatureUtils.ExtractKey(clause));
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
if (keys == null) {
throw new ArgumentNullException("keys");
}
foreach (var clause in keys.SelectMany(k => k.KeyInfo.Items.AsEnumerable().Cast<KeyInfoClause>())) {
// Check certificate specifications
if (clause is KeyInfoX509Data) {
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert)) {
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(clause);
yield return key;
}
}
private void CreateAssertionResponse(User user)
{
string entityId = request.Issuer.Value;
Saml20MetadataDocument metadataDocument = IDPConfig.GetServiceProviderMetadata(entityId);
IDPEndPointElement endpoint =
metadataDocument.AssertionConsumerServiceEndpoints().Find(delegate(IDPEndPointElement e) { return(e.Binding == SAMLBinding.POST); });
if (endpoint == null)
{
Context.Response.Write(string.Format("'{0}' does not have a SSO endpoint that supports the POST binding.", entityId));
Context.Response.End();
return;
}
UserSessionsHandler.AddLoggedInSession(entityId);
Response response = new Response();
response.Destination = endpoint.Url;
response.InResponseTo = request.ID;
response.Status = new Status();
response.Status.StatusCode = new StatusCode();
response.Status.StatusCode.Value = Saml20Constants.StatusCodes.Success;
var nameIdFormat = metadataDocument.Entity.Items.OfType <SPSSODescriptor>().SingleOrDefault()?.NameIDFormat.SingleOrDefault() ?? Saml20Constants.NameIdentifierFormats.Persistent;
Assertion assertion = CreateAssertion(user, entityId, nameIdFormat);
var signatureProvider = SignatureProviderFactory.CreateFromShaHashingAlgorithmName(ShaHashingAlgorithm.SHA256);
EncryptedAssertion encryptedAssertion = null;
var keyDescriptors = metadataDocument.Keys.Where(x => x.use == KeyTypes.encryption);
if (keyDescriptors.Any())
{
foreach (KeyDescriptor keyDescriptor in keyDescriptors)
{
KeyInfo ki = (KeyInfo)keyDescriptor.KeyInfo;
foreach (KeyInfoClause clause in ki)
{
if (clause is KeyInfoX509Data)
{
X509Certificate2 cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
var spec = new DefaultCertificateSpecification();
string error;
if (spec.IsSatisfiedBy(cert, out error))
{
AsymmetricAlgorithm key = XmlSignatureUtils.ExtractKey(clause);
AssertionEncryptionUtility.AssertionEncryptionUtility encryptedAssertionUtil = new AssertionEncryptionUtility.AssertionEncryptionUtility((RSA)key, assertion);
// Sign the assertion inside the response message.
signatureProvider.SignAssertion(encryptedAssertionUtil.Assertion, assertion.ID, IDPConfig.IDPCertificate);
encryptedAssertionUtil.Encrypt();
encryptedAssertion = Serialization.DeserializeFromXmlString <EncryptedAssertion>(encryptedAssertionUtil.EncryptedAssertion.OuterXml);
break;
}
}
}
if (encryptedAssertion != null)
{
break;
}
}
if (encryptedAssertion == null)
{
throw new Exception("Could not encrypt. No valid certificates found.");
}
}
if (encryptedAssertion != null)
{
response.Items = new object[] { encryptedAssertion };
}
else
{
response.Items = new object[] { assertion };
}
// Serialize the response.
XmlDocument responseDoc = new XmlDocument();
responseDoc.XmlResolver = null;
responseDoc.PreserveWhitespace = true;
responseDoc.LoadXml(Serialization.SerializeToXmlString(response));
if (encryptedAssertion == null)
{
// Sign the assertion inside the response message.
signatureProvider.SignAssertion(responseDoc, assertion.ID, IDPConfig.IDPCertificate);
}
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(endpoint);
builder.Action = SAMLAction.SAMLResponse;
builder.Response = responseDoc.OuterXml;
builder.GetPage().ProcessRequest(Context);
Context.Response.End();
}
