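/// <summary>
/// Builds the RSTR for a SAML 1.1 issue request that uses a symmetric proof key.
/// </summary>
/// <param name="rst">The parsed RequestSecurityToken from the client; treated as untrusted input.</param>
/// <returns>
/// A response carrying the signed SAML token, the proof-key material (populated by
/// <see cref="GetSessionKey"/>) and attached/unattached references to the assertion.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> is null.</exception>
/// <exception cref="NotSupportedException">
/// The request names a token type other than SAML 1.1, or asks for an asymmetric proof key.
/// </exception>
private RequestSecurityTokenResponse Issue(RequestSecurityToken rst)
{
    // If rst is null, we're toast
    if (rst == null)
    {
        throw new ArgumentNullException("rst");
    }

    // Create an RSTR object
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

    // Only SAML 1.1 is issued here. An absent TokenType is accepted and echoed back unchanged.
    string tokenType = rst.TokenType;
    Console.WriteLine("Issue: Request for token type {0}", tokenType);
    if (tokenType != null && tokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
    {
        throw new NotSupportedException("Unsupported token type " + tokenType);
    }

    // The assertion is signed with the issuer's first key and referenced by X.509 thumbprint.
    SecurityKey signingKey = issuerToken.SecurityKeys[0];
    SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());

    if (rst.IsProofKeyAsymmetric())
    {
        throw new NotSupportedException("Public key issuance is not supported");
    }

    // Symmetric proof key
    Console.WriteLine("Constructing Symmetric Proof Key");

    // Construct session key. This is the symmetric key that the client and the service will share.
    // It actually appears twice in the response message; once for the service and
    // once for the client. In the former case, it is typically embedded in the issued token,
    // in the latter case, it is returned in a wst:RequestedProofToken element.
    byte[] sessionKey = GetSessionKey(rst, rstr);

    // Get token to use when encrypting key material for the service
    SecurityToken encryptingToken = DetermineEncryptingToken(rst);

    // Encrypt the session key for the service; the out parameter identifies the wrapped key.
    SecurityKeyIdentifier proofKeyIdentifier;
    GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

    // Issued tokens are valid for 12 hours by default. The clock is read once so NotBefore and
    // NotOnOrAfter derive from the same instant, and in UTC so the validity window is unambiguous
    // across time zones and DST transitions. (CreateSAMLToken is not visible here; it is assumed
    // to accept UTC DateTime values — confirm if it performs its own conversion.)
    DateTime effectiveTime = DateTime.UtcNow;
    DateTime expirationTime = effectiveTime + new TimeSpan(12, 0, 0);
    SecurityToken samlToken = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier);

    rstr.RequestedSecurityToken = samlToken;
    rstr.Context = rst.Context;
    rstr.TokenType = tokenType;

    // Both references point at the same assertion; they differ only in how a consumer locates it.
    SecurityKeyIdentifierClause samlReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
    rstr.RequestedAttachedReference = samlReference;
    rstr.RequestedUnattachedReference = samlReference;

    return rstr;
}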
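/// <summary>
/// Derives the symmetric session (proof) key and records the related entropy/key bookkeeping on the response.
/// </summary>
/// <param name="rst">Client request; its KeySize and any sender entropy are untrusted input.</param>
/// <param name="rstr">
/// Response to populate: IssuerEntropy and ComputeKey for combined entropy, RequestedProofToken
/// for issuer-only entropy, and KeySize in both cases.
/// </param>
/// <returns>The session key bytes that client and service will share.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> or <paramref name="rstr"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException">
/// The requested KeySize is not a whole number of bytes or lies outside the accepted range.
/// </exception>
private static byte[] GetSessionKey(RequestSecurityToken rst, RequestSecurityTokenResponse rstr)
{
    // Accepted proof-key sizes, in bits. These bounds are a policy choice for this sample:
    // they prevent a client from negotiating a trivially short key or an unexpectedly large one.
    const int DefaultKeySizeBits = 256;
    const int MinKeySizeBits = 128;
    const int MaxKeySizeBits = 512;

    // If rst is null, we're toast
    if (rst == null)
    {
        throw new ArgumentNullException("rst");
    }

    // If rstr is null, we're toast
    if (rstr == null)
    {
        throw new ArgumentNullException("rstr");
    }

    // Figure out the keySize (bits). A KeySize of 0 means the client expressed no preference.
    int keySize = DefaultKeySizeBits;
    if (rst.KeySize != 0)
    {
        keySize = rst.KeySize;
    }

    // KeySize is client-controlled: validate it before it drives entropy generation and key derivation.
    if (keySize < MinKeySizeBits || keySize > MaxKeySizeBits || keySize % 8 != 0)
    {
        throw new ArgumentOutOfRangeException("rst", "Requested key size " + keySize + " bits is not supported");
    }
    Console.WriteLine("Proof key size {0}", keySize);

    // Figure out whether we're using Combined or Issuer entropy.
    // GetIssuerEntropy receives the size in bits; its output length is not visible here
    // (presumably keySize / 8 bytes — verify against its definition).
    byte[] senderEntropy = GetSenderEntropy(rst);
    byte[] issuerEntropy = GetIssuerEntropy(keySize);
    byte[] sessionKey;
    if (senderEntropy != null)
    {
        // Combined entropy: the key is derived from both parties' contributions, so only the
        // issuer's entropy goes back on the wire and the client recomputes the key itself.
        Console.WriteLine("Combined Entropy");
        sessionKey = RequestSecurityTokenResponse.ComputeCombinedKey(senderEntropy, issuerEntropy, keySize);
        rstr.IssuerEntropy = new BinarySecretSecurityToken(issuerEntropy);
        rstr.ComputeKey = true;
    }
    else
    {
        // Issuer-only entropy: the issuer's entropy is the key, returned as the proof token.
        Console.WriteLine("Issuer-only entropy");
        sessionKey = issuerEntropy;
        rstr.RequestedProofToken = new BinarySecretSecurityToken(sessionKey);
    }

    rstr.KeySize = keySize;
    return sessionKey;
}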
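/// <summary>
/// Service entry point for WS-Trust Issue: reads the RST from the request body, issues the
/// token and wraps the RSTR in a correlated reply message.
/// </summary>
/// <param name="request">The incoming SOAP message; untrusted.</param>
/// <returns>
/// A reply whose body is the RSTR, with RelatesTo set to the request's MessageId and
/// addressed according to the request's ReplyTo when one is present.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
/// <exception cref="InvalidOperationException">The RST's RequestType is missing or is not Issue.</exception>
public Message Issue(Message request)
{
    try
    {
        Console.WriteLine("Call to IWSTrust::Issue");

        // if request is null, we're toast
        if (request == null)
        {
            throw new ArgumentNullException("request");
        }

        // Create an RST object from the request message
        RequestSecurityToken rst = RequestSecurityToken.CreateFrom(request.GetReaderAtBodyContents());

        // Check that it really is an Issue request before doing any issuance work.
        if (rst.RequestType == null || rst.RequestType != Constants.Trust.RequestTypes.Issue)
        {
            throw new InvalidOperationException("Unsupported RequestType: " + rst.RequestType);
        }

        // Create an RSTR object
        RequestSecurityTokenResponse rstr = Issue(rst);

        // Create response message
        Message response = Message.CreateMessage(request.Version, Constants.Trust.Actions.IssueReply, rstr);

        // Set RelatesTo of response to message id of request
        response.Headers.RelatesTo = request.Headers.MessageId;

        // Address response to ReplyTo of request. ReplyTo is optional in WS-Addressing; when it is
        // absent, keep the message's default reply addressing instead of dereferencing null.
        if (request.Headers.ReplyTo != null)
        {
            request.Headers.ReplyTo.ApplyTo(response);
        }

        return response;
    }
    catch (Exception e)
    {
        // Log, then rethrow with `throw;` so the original stack trace is preserved for the caller.
        Console.WriteLine("**** Exception thrown while processing Issue request:");
        Console.WriteLine(e.Message);
        throw;
    }
}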
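/// <summary>
/// Derives the symmetric session (proof) key and records the related entropy/key bookkeeping on the response.
/// </summary>
/// <param name="rst">Client request; its KeySize and any sender entropy are untrusted input.</param>
/// <param name="rstr">
/// Response to populate: IssuerEntropy and ComputeKey for combined entropy, RequestedProofToken
/// for issuer-only entropy, and KeySize in both cases.
/// </param>
/// <returns>The session key bytes that client and service will share.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> or <paramref name="rstr"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException">
/// The requested KeySize is not a whole number of bytes or lies outside the accepted range.
/// </exception>
private static byte[] GetSessionKey(RequestSecurityToken rst, RequestSecurityTokenResponse rstr)
{
    // Accepted proof-key sizes, in bits. These bounds are a policy choice for this sample:
    // they prevent a client from negotiating a trivially short key or an unexpectedly large one.
    const int DefaultKeySizeBits = 256;
    const int MinKeySizeBits = 128;
    const int MaxKeySizeBits = 512;

    // If rst is null, we're toast
    if (rst == null)
    {
        throw new ArgumentNullException("rst");
    }

    // If rstr is null, we're toast
    if (rstr == null)
    {
        throw new ArgumentNullException("rstr");
    }

    // Figure out the keySize (bits). A KeySize of 0 means the client expressed no preference.
    int keySize = rst.KeySize != 0 ? rst.KeySize : DefaultKeySizeBits;

    // KeySize is client-controlled: validate it before it drives entropy generation and key derivation.
    if (keySize < MinKeySizeBits || keySize > MaxKeySizeBits || keySize % 8 != 0)
    {
        throw new ArgumentOutOfRangeException("rst", "Requested key size " + keySize + " bits is not supported");
    }
    Console.WriteLine("Proof key size {0}", keySize);

    // Figure out whether we're using Combined or Issuer entropy.
    // GetIssuerEntropy receives the size in bits; its output length is not visible here
    // (presumably keySize / 8 bytes — verify against its definition).
    byte[] senderEntropy = GetSenderEntropy(rst);
    byte[] issuerEntropy = GetIssuerEntropy(keySize);
    byte[] sessionKey;
    if (senderEntropy != null)
    {
        // Combined entropy: the key is derived from both parties' contributions, so only the
        // issuer's entropy goes back on the wire and the client recomputes the key itself.
        Console.WriteLine("Combined Entropy");
        sessionKey = RequestSecurityTokenResponse.ComputeCombinedKey(senderEntropy, issuerEntropy, keySize);
        rstr.IssuerEntropy = new BinarySecretSecurityToken(issuerEntropy);
        rstr.ComputeKey = true;
    }
    else
    {
        // Issuer-only entropy: the issuer's entropy is the key, returned as the proof token.
        Console.WriteLine("Issuer-only entropy");
        sessionKey = issuerEntropy;
        rstr.RequestedProofToken = new BinarySecretSecurityToken(sessionKey);
    }

    rstr.KeySize = keySize;
    return sessionKey;
}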
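/// <summary>
/// Builds the RSTR for a SAML 1.1 issue request that uses a symmetric proof key.
/// </summary>
/// <param name="rst">The parsed RequestSecurityToken from the client; treated as untrusted input.</param>
/// <returns>
/// A response carrying the signed SAML token, the proof-key material (populated by
/// <see cref="GetSessionKey"/>) and attached/unattached references to the assertion.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> is null.</exception>
/// <exception cref="NotSupportedException">
/// The request names a token type other than SAML 1.1, or asks for an asymmetric proof key.
/// </exception>
private RequestSecurityTokenResponse Issue(RequestSecurityToken rst)
{
    // If rst is null, we're toast
    if (rst == null)
    {
        throw new ArgumentNullException("rst");
    }

    // Create an RSTR object
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

    // Only SAML 1.1 is issued here. An absent TokenType is accepted and echoed back unchanged.
    string tokenType = rst.TokenType;
    Console.WriteLine("Issue: Request for token type {0}", tokenType);
    if (tokenType != null && tokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
    {
        throw new NotSupportedException("Unsupported token type " + tokenType);
    }

    // The assertion is signed with the issuer's first key and referenced by X.509 thumbprint.
    SecurityKey signingKey = issuerToken.SecurityKeys[0];
    SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());

    if (rst.IsProofKeyAsymmetric())
    {
        throw new NotSupportedException("Public key issuance is not supported");
    }

    // Symmetric proof key
    Console.WriteLine("Constructing Symmetric Proof Key");

    // Construct session key. This is the symmetric key that the client and the service will share.
    // It actually appears twice in the response message; once for the service and
    // once for the client. In the former case, it is typically embedded in the issued token,
    // in the latter case, it is returned in a wst:RequestedProofToken element.
    byte[] sessionKey = GetSessionKey(rst, rstr);

    // Get token to use when encrypting key material for the service
    SecurityToken encryptingToken = DetermineEncryptingToken(rst);

    // Encrypt the session key for the service; the out parameter identifies the wrapped key.
    SecurityKeyIdentifier proofKeyIdentifier;
    GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

    // Issued tokens are valid for 12 hours by default. The clock is read once so NotBefore and
    // NotOnOrAfter derive from the same instant, and in UTC so the validity window is unambiguous
    // across time zones and DST transitions. (CreateSAMLToken is not visible here; it is assumed
    // to accept UTC DateTime values — confirm if it performs its own conversion.)
    DateTime effectiveTime = DateTime.UtcNow;
    DateTime expirationTime = effectiveTime + new TimeSpan(12, 0, 0);
    SecurityToken samlToken = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier);

    rstr.RequestedSecurityToken = samlToken;
    rstr.Context = rst.Context;
    rstr.TokenType = tokenType;

    // Both references point at the same assertion; they differ only in how a consumer locates it.
    SecurityKeyIdentifierClause samlReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
    rstr.RequestedAttachedReference = samlReference;
    rstr.RequestedUnattachedReference = samlReference;

    return rstr;
}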