/// <summary>
/// Use this constructor to send combined entropy.
/// </summary>
/// <param name="keySizeInBits">The size of the symmetric key.</param>
/// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
/// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
/// <param name="sourceEntropy">The requestor's entropy.</param>
/// <param name="encryptWith">The algorithm Uri using which to encrypt the proof key.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy, string encryptWith)
{
if (sourceEntropy == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sourceEntropy");
}
if (sourceEntropy.Length == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("sourceEntropy", SR.GetString(SR.ID2058));
}
_keySizeInBits = keySizeInBits;
_sourceEntropy = sourceEntropy;
//
// Generate proof key using sender entropy
//
if (encryptWith == SecurityAlgorithms.DesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
{
_key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
}
else
{
_key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
}
//
// Set up the wrapping credentials
//
_requestorWrappingCredentials = requestorWrappingCredentials;
_targetWrappingCredentials = targetWrappingCredentials;
}
/// <summary>
/// Use this constructor if you want the sts to use the given key bytes.
/// This happens when client sends the entropy, and the sts would just use that
/// as the key for the issued token.
/// </summary>
/// <param name="key">The symmetric key that are used inside the issued token.</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <exception cref="ArgumentNullException">When the key is null.</exception>
public SymmetricProofDescriptor(byte[] key, EncryptingCredentials targetWrappingCredentials)
{
if (key == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
}
_keySizeInBits = key.Length;
_key = key;
_targetWrappingCredentials = targetWrappingCredentials;
}
/// <summary>
/// Use this constructor if you want the sts to use the given key bytes.
/// This happens when client sends the entropy, and the sts would just use that
/// as the key for the issued token.
/// </summary>
/// <param name="key">The symmetric key that are used inside the issued token.</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <exception cref="ArgumentNullException">When the key is null.</exception>
public SymmetricProofDescriptor(byte[] key, EncryptingCredentials targetWrappingCredentials)
{
if (key == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
}
_keySizeInBits = key.Length;
_key = key;
_targetWrappingCredentials = targetWrappingCredentials;
}
/// <summary>
/// Creates an instance of EncryptedSecurityToken.
/// </summary>
/// <param name="token">The <see cref="SecurityToken"/> to encrypt.</param>
/// <param name="encryptingCredentials">The <see cref="EncryptingCredentials"/> to use for encryption.</param>
public EncryptedSecurityToken(SecurityToken token, EncryptingCredentials encryptingCredentials)
{
if (null == token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
if (null == encryptingCredentials)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("encryptingCredentials");
}
_encryptingCredentials = encryptingCredentials;
_realToken = token;
}
public STSService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
_signingCredentials = new X509SigningCredentials(
CertificateUtility.GetCertificateByThumbprint(
StoreLocation.LocalMachine,
StoreName.My,
WebConfigurationManager.AppSettings["SigningCertificateThumbprint"].ToString()));
if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString()))
{
_encryptingCredentials = new X509EncryptingCredentials(
CertificateUtility.GetCertificateByThumbprint(
StoreLocation.LocalMachine, StoreName.My,
WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString()));
}
}
/// <summary>
/// Use this constructor to have the STS autogenerate a key and
/// send it in the proof token as encrypted key. Two cases are covered here
/// 1. client sends the entropy, but server rejects it
/// 2. client did not send a entropy, so just use server's entropy
/// </summary>
/// <param name="keySizeInBits">the size of the symmetric key</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
/// <param name="encryptWith">The a----thm specified in the EncryptWith element of the RST.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <remarks>If EncryptWith is a DES algorithm, the key is guaranteed not to be a weak DES key.</remarks>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, string encryptWith)
{
_keySizeInBits = keySizeInBits;
if (encryptWith == SecurityAlgorithms.DesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
{
_key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits);
}
else
{
_key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits);
}
_requestorWrappingCredentials = requestorWrappingCredentials;
_targetWrappingCredentials = targetWrappingCredentials;
}
/// <summary>
/// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials.
/// </summary>
/// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param>
/// <param name="keySizeInBits">The key size of the wrapped session key.</param>
/// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param>
/// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception>
public EncryptedKeyEncryptingCredentials( EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm )
{
if ( wrappingCredentials == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wrappingCredentials" );
}
//
// Key materials
//
if ( encryptionAlgorithm == SecurityAlgorithms.DesEncryption ||
encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption ||
encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap )
{
_keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey( keySizeInBits );
}
else
{
_keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey( keySizeInBits );
}
base.SecurityKey = new InMemorySymmetricSecurityKey( _keyBytes );
//
// Wrapping key
//
_wrappingCredentials = wrappingCredentials;
//
// key identifier
//
byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey( _wrappingCredentials.Algorithm, _keyBytes );
base.SecurityKeyIdentifier = new SecurityKeyIdentifier( new EncryptedKeyIdentifierClause( encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier ) );
//
// encryption algorithm
//
base.Algorithm = encryptionAlgorithm;
}
/// <summary>
/// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials.
/// </summary>
/// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param>
/// <param name="keySizeInBits">The key size of the wrapped session key.</param>
/// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param>
/// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception>
public EncryptedKeyEncryptingCredentials(EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm)
{
if (wrappingCredentials == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingCredentials");
}
//
// Key materials
//
if (encryptionAlgorithm == SecurityAlgorithms.DesEncryption ||
encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption ||
encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap)
{
_keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey(keySizeInBits);
}
else
{
_keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey(keySizeInBits);
}
base.SecurityKey = new InMemorySymmetricSecurityKey(_keyBytes);
//
// Wrapping key
//
_wrappingCredentials = wrappingCredentials;
//
// key identifier
//
byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey(_wrappingCredentials.Algorithm, _keyBytes);
base.SecurityKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier));
//
// encryption algorithm
//
base.Algorithm = encryptionAlgorithm;
}
/// <summary>
/// Initializes an instance of <see cref="Scope"/>
/// </summary>
/// <param name="appliesToAddress">The appliesTo address of the relying party.</param>
/// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param>
public Scope(string appliesToAddress, EncryptingCredentials encryptingCredentials)
: this(appliesToAddress, null, encryptingCredentials)
{
}
public Entropy (byte[] secret, EncryptingCredentials wrappingCredentials) : base (secret, wrappingCredentials)
{ }
internal static XmlDictionaryReader CreatePlaintextReaderFromEncryptedData(
XmlDictionaryReader reader,
SecurityTokenResolver serviceTokenResolver,
SecurityTokenSerializer keyInfoSerializer,
Collection<EncryptedKeyIdentifierClause> clauses,
out EncryptingCredentials encryptingCredentials)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
reader.MoveToContent();
if (reader.IsEmptyElement)
{
#pragma warning suppress 56504 // bogus - thinks reader.LocalName, reader.NamespaceURI need validation
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID3061, reader.LocalName, reader.NamespaceURI));
}
encryptingCredentials = null;
XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.EncryptedElementType, Saml2Constants.Namespace);
reader.ReadStartElement();
EncryptedDataElement encryptedData = new EncryptedDataElement(keyInfoSerializer);
// <xenc:EncryptedData> 1
encryptedData.ReadXml(reader);
// <xenc:EncryptedKey> 0-oo
reader.MoveToContent();
while (reader.IsStartElement(XmlEncryptionConstants.Elements.EncryptedKey, XmlEncryptionConstants.Namespace))
{
SecurityKeyIdentifierClause skic;
if (keyInfoSerializer.CanReadKeyIdentifierClause(reader))
{
skic = keyInfoSerializer.ReadKeyIdentifierClause(reader);
}
else
{
EncryptedKeyElement encryptedKey = new EncryptedKeyElement(keyInfoSerializer);
encryptedKey.ReadXml(reader);
skic = encryptedKey.GetClause();
}
EncryptedKeyIdentifierClause encryptedKeyClause = skic as EncryptedKeyIdentifierClause;
if (null == encryptedKeyClause)
{
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID4172));
}
clauses.Add(encryptedKeyClause);
}
reader.ReadEndElement();
// Try to resolve the decryption key from both the embedded
// KeyInfo and any external clauses
SecurityKey decryptionKey = null;
SecurityKeyIdentifierClause matchingClause = null;
foreach (SecurityKeyIdentifierClause clause in encryptedData.KeyIdentifier)
{
if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey))
{
matchingClause = clause;
break;
}
}
if (null == decryptionKey)
{
foreach (SecurityKeyIdentifierClause clause in clauses)
{
if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey))
{
matchingClause = clause;
break;
}
}
}
if (null == decryptionKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new EncryptedTokenDecryptionFailedException());
}
// Need a symmetric key
SymmetricSecurityKey symmetricKey = decryptionKey as SymmetricSecurityKey;
if (null == symmetricKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.ID4023)));
}
// Do the actual decryption
SymmetricAlgorithm decryptor = symmetricKey.GetSymmetricAlgorithm(encryptedData.Algorithm);
byte[] plainText = encryptedData.Decrypt(decryptor);
// Save off the encrypting credentials for roundtrip
encryptingCredentials = new ReceivedEncryptingCredentials(decryptionKey, new SecurityKeyIdentifier(matchingClause), encryptedData.Algorithm);
return XmlDictionaryReader.CreateTextReader(plainText, reader.Quotas);
}
/// <summary>
/// Use this constructor if we want to send the key material encrypted.
/// </summary>
/// <param name="secret">The key material that needs to be protected.</param>
/// <param name="wrappingCredentials">The encrypting credentials used to encrypt the key material.</param>
public ProtectedKey(byte[] secret, EncryptingCredentials wrappingCredentials)
{
_secret = secret;
_wrappingCredentials = wrappingCredentials;
}
/// <summary>
/// Use this constructor to have the STS autogenerate a key and
/// send it in the proof token as encrypted key. Two cases are covered here
/// 1. client sends the entropy, but server rejects it
/// 2. client did not send a entropy, so just use server's entropy
/// </summary>
/// <param name="keySizeInBits">the size of the symmetric key</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials)
: this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, (string)null)
{
}
/// <summary>
/// Use this constructor if you want the sts to use the given <see cref="EncryptingCredentials"/>.
/// </summary>
/// <param name="targetWrappingCredentials">The <see cref="EncryptingCredentials"/> to be used.</param>
public SymmetricProofDescriptor(EncryptingCredentials targetWrappingCredentials)
: this(SecurityTokenServiceConfiguration.DefaultKeySizeInBitsConstant, targetWrappingCredentials)
{
}
/// <summary>
/// Use this constructor if you want the sts to use the given <see cref="EncryptingCredentials"/>.
/// </summary>
/// <param name="targetWrappingCredentials">The <see cref="EncryptingCredentials"/> to be used.</param>
public SymmetricProofDescriptor(EncryptingCredentials targetWrappingCredentials)
: this(SecurityTokenServiceConfiguration.DefaultKeySizeInBitsConstant, targetWrappingCredentials)
{
}
/// <summary>
/// Use this constructor to send combined entropy.
/// </summary>
/// <param name="keySizeInBits">The size of the symmetric key.</param>
/// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
/// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
/// <param name="sourceEntropy">The requestor's entropy.</param>
/// <param name="encryptWith">The algorithm Uri using which to encrypt the proof key.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy, string encryptWith)
{
if (sourceEntropy == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sourceEntropy");
}
if (sourceEntropy.Length == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("sourceEntropy", SR.GetString(SR.ID2058));
}
_keySizeInBits = keySizeInBits;
_sourceEntropy = sourceEntropy;
//
// Generate proof key using sender entropy
//
if (encryptWith == SecurityAlgorithms.DesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
{
_key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
}
else
{
_key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits, _sourceEntropy, out _targetEntropy);
}
//
// Set up the wrapping credentials
//
_requestorWrappingCredentials = requestorWrappingCredentials;
_targetWrappingCredentials = targetWrappingCredentials;
}
/// <summary>
/// Use this constructor if you want to send combined entropy.
/// </summary>
/// <param name="keySizeInBits">The size of the symmetric key.</param>
/// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
/// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
/// <param name="sourceEntropy">The requestor's entropy.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy)
: this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, sourceEntropy, null)
{
}
/// <summary>
/// Use this constructor if you want to send combined entropy.
/// </summary>
/// <param name="keySizeInBits">The size of the symmetric key.</param>
/// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param>
/// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param>
/// <param name="sourceEntropy">The requestor's entropy.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy)
: this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, sourceEntropy, null)
{
}
/// <summary>
/// Writes a <see cref="EncryptedSecurityToken"/> using the xmlWriter.
/// </summary>
/// <param name="writer">The XmlWriter to which the encrypted token is written.</param>
/// <param name="token">The <see cref="SecurityToken"/> which must be an instance of <see cref="EncryptedSecurityToken"/>.</param>
/// <exception cref="ArgumentNullException">The input prameter 'writer' is null.</exception>
/// <exception cref="ArgumentNullException">The input prameter 'token' is null.</exception>
/// <exception cref="ArgumentException">The <see cref="SecurityToken"/> is not an instance of <see cref="EncryptedSecurityToken"/>.</exception>
/// <exception cref="InvalidOperationException">The property 'Configuration' is null. This property is required for obtaining keys for encryption.</exception>
/// <exception cref="InvalidOperationException">The ContaingCollection was unable to find a <see cref="SecurityTokenHandler"/> that is able to write
/// the <see cref="SecurityToken"/> returned by 'EncryptedSecurityToken.Token'.</exception>
/// <exception cref="SecurityTokenException">The property 'EncryptinCredentials.SecurityKey is not a <see cref="SymmetricSecurityKey"/></exception>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
if (null == writer)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (null == token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
EncryptedSecurityToken encryptedToken = token as EncryptedSecurityToken;
if (null == encryptedToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID4024));
}
if (this.ContainingCollection == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4279));
}
//
// This implementation simply wraps the token in xenc:EncryptedData
//
EncryptedDataElement encryptedData = new EncryptedDataElement(KeyInfoSerializer);
using (MemoryStream plaintextStream = new MemoryStream())
{
//
// Buffer the plaintext
//
using (XmlDictionaryWriter plaintextWriter = XmlDictionaryWriter.CreateTextWriter(plaintextStream, Encoding.UTF8, false))
{
SecurityTokenHandler securityTokenHandler = this.ContainingCollection[encryptedToken.Token.GetType()];
if (securityTokenHandler != null)
{
securityTokenHandler.WriteToken(plaintextWriter, encryptedToken.Token);
}
else
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4224, encryptedToken.Token.GetType()));
}
}
//
// Set up the EncryptedData element
//
EncryptingCredentials encryptingCredentials = encryptedToken.EncryptingCredentials;
encryptedData.Type = XmlEncryptionConstants.EncryptedDataTypes.Element;
encryptedData.KeyIdentifier = encryptingCredentials.SecurityKeyIdentifier;
encryptedData.Algorithm = encryptingCredentials.Algorithm;
//
// Get the encryption key, which must be symmetric
//
SymmetricSecurityKey encryptingKey = encryptingCredentials.SecurityKey as SymmetricSecurityKey;
if (encryptingKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID3064)));
}
//
// Do the actual encryption
//
using (SymmetricAlgorithm symmetricAlgorithm = encryptingKey.GetSymmetricAlgorithm(encryptingCredentials.Algorithm))
{
byte[] plainTextBytes = plaintextStream.GetBuffer();
DebugEncryptedTokenClearText(plainTextBytes, Encoding.UTF8);
encryptedData.Encrypt(symmetricAlgorithm, plainTextBytes, 0, (int)plaintextStream.Length);
}
}
//
// Write the EncryptedData element
//
encryptedData.WriteXml(writer, KeyInfoSerializer);
}
/// <summary>
/// Initializes an instance of <see cref="Scope"/>
/// </summary>
/// <param name="appliesToAddress">The appliesTo address of the relying party.</param>
/// <param name="signingCredentials">The signing credentials for the relying party.</param>
/// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param>
public Scope(string appliesToAddress, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
{
_appliesToAddress = appliesToAddress;
_signingCredentials = signingCredentials;
_encryptingCredentials = encryptingCredentials;
}
/// <summary>
/// Use this constructor to have the STS autogenerate a key and
/// send it in the proof token as encrypted key. Two cases are covered here
/// 1. client sends the entropy, but server rejects it
/// 2. client did not send a entropy, so just use server's entropy
/// </summary>
/// <param name="keySizeInBits">the size of the symmetric key</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials)
: this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, (string)null)
{
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration, EncryptingCredentials encryptingCredentials, IDragonUserStore<AppMember> userStore)
: base(securityTokenServiceConfiguration)
{
_encryptingCredentials = encryptingCredentials;
_userStore = userStore;
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
_signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SIGNING_CERTIFICATE_NAME));
_encryptingCreds = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, ENCRYPTING_CERTIFICATE_NAME));
}
/// <summary>
/// Gets a security key identifier which contains the BinarySecretKeyIdentifierClause or
/// EncryptedKeyIdentifierClause if the wrapping credentials is available.
/// </summary>
public static SecurityKeyIdentifier GetSecurityKeyIdentifier(byte[] secret, EncryptingCredentials wrappingCredentials)
{
if (secret == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("secret");
}
if (secret.Length == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("secret", SR.GetString(SR.ID6031));
}
if (wrappingCredentials == null || wrappingCredentials.SecurityKey == null)
{
//
// BinarySecret case
//
return new SecurityKeyIdentifier(new BinarySecretKeyIdentifierClause(secret));
}
else
{
//
// EncryptedKey case
//
byte[] wrappedKey = wrappingCredentials.SecurityKey.EncryptKey(wrappingCredentials.Algorithm, secret);
return new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(wrappedKey, wrappingCredentials.Algorithm, wrappingCredentials.SecurityKeyIdentifier));
}
}
// This method reads the binary secret or encrypted key
public static ProtectedKey ReadProtectedKey(XmlReader reader, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (trustConstants == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("trustConstants");
}
ProtectedKey protectedKey = null;
if (!reader.IsEmptyElement)
{
if (reader.IsStartElement(trustConstants.Elements.BinarySecret, trustConstants.NamespaceURI))
{
// BinarySecret case
BinarySecretSecurityToken token = ReadBinarySecretSecurityToken(reader, trustConstants);
byte[] secret = token.GetKeyBytes();
protectedKey = new ProtectedKey(secret);
}
else if (context.SecurityTokenHandlers.CanReadKeyIdentifierClause(reader))
{
// EncryptedKey case
EncryptedKeyIdentifierClause encryptedKeyClause = context.SecurityTokenHandlers.ReadKeyIdentifierClause(reader) as EncryptedKeyIdentifierClause;
if (encryptedKeyClause != null)
{
SecurityKey wrappingKey = null;
byte[] secret;
foreach (SecurityKeyIdentifierClause wrappingKeyClause in encryptedKeyClause.EncryptingKeyIdentifier)
{
if (context.TokenResolver.TryResolveSecurityKey(wrappingKeyClause, out wrappingKey))
{
break;
}
}
if (wrappingKey == null)
{
// We can't resolve the ski, throw
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new WSTrustSerializationException(SR.GetString(SR.ID3027, "the SecurityHeaderTokenResolver or OutOfBandTokenResolver")));
}
secret = wrappingKey.DecryptKey(encryptedKeyClause.EncryptionMethod, encryptedKeyClause.GetEncryptedKey());
EncryptingCredentials wrappingCredentials = new EncryptingCredentials(wrappingKey, encryptedKeyClause.EncryptingKeyIdentifier, encryptedKeyClause.EncryptionMethod);
protectedKey = new ProtectedKey(secret, wrappingCredentials);
}
}
}
return protectedKey;
}
public RequestedProofToken (Byte[] secret, EncryptingCredentials wrappingCredentials) {
ProtectedKey = new ProtectedKey (secret, wrappingCredentials);
}
/// <summary>
/// Use this constructor to have the STS autogenerate a key and
/// send it in the proof token as encrypted key. Two cases are covered here
/// 1. client sends the entropy, but server rejects it
/// 2. client did not send a entropy, so just use server's entropy
/// </summary>
/// <param name="keySizeInBits">the size of the symmetric key</param>
/// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param>
/// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param>
/// <param name="encryptWith">The a----thm specified in the EncryptWith element of the RST.</param>
/// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception>
/// <remarks>If EncryptWith is a DES algorithm, the key is guaranteed not to be a weak DES key.</remarks>
public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials,
EncryptingCredentials requestorWrappingCredentials, string encryptWith)
{
_keySizeInBits = keySizeInBits;
if (encryptWith == SecurityAlgorithms.DesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesEncryption ||
encryptWith == SecurityAlgorithms.TripleDesKeyWrap)
{
_key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits);
}
else
{
_key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits);
}
_requestorWrappingCredentials = requestorWrappingCredentials;
_targetWrappingCredentials = targetWrappingCredentials;
}
