/// <summary> /// Use this constructor to send combined entropy. /// </summary> /// <param name="keySizeInBits">The size of the symmetric key.</param> /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param> /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param> /// <param name="sourceEntropy">The requestor's entropy.</param> /// <param name="encryptWith">The algorithm Uri using which to encrypt the proof key.</param> /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception> /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception> public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy, string encryptWith) { if (sourceEntropy == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sourceEntropy"); } if (sourceEntropy.Length == 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("sourceEntropy", SR.GetString(SR.ID2058)); } _keySizeInBits = keySizeInBits; _sourceEntropy = sourceEntropy; // // Generate proof key using sender entropy // if (encryptWith == SecurityAlgorithms.DesEncryption || encryptWith == SecurityAlgorithms.TripleDesEncryption || encryptWith == SecurityAlgorithms.TripleDesKeyWrap) { _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits, _sourceEntropy, out _targetEntropy); } else { _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits, _sourceEntropy, out _targetEntropy); } // // Set up the wrapping credentials // _requestorWrappingCredentials = requestorWrappingCredentials; _targetWrappingCredentials = targetWrappingCredentials; }
/// <summary> /// Use this constructor if you want the sts to use the given key bytes. /// This happens when client sends the entropy, and the sts would just use that /// as the key for the issued token. /// </summary> /// <param name="key">The symmetric key that are used inside the issued token.</param> /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param> /// <exception cref="ArgumentNullException">When the key is null.</exception> public SymmetricProofDescriptor(byte[] key, EncryptingCredentials targetWrappingCredentials) { if (key == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key"); } _keySizeInBits = key.Length; _key = key; _targetWrappingCredentials = targetWrappingCredentials; }
/// <summary> /// Creates an instance of EncryptedSecurityToken. /// </summary> /// <param name="token">The <see cref="SecurityToken"/> to encrypt.</param> /// <param name="encryptingCredentials">The <see cref="EncryptingCredentials"/> to use for encryption.</param> public EncryptedSecurityToken(SecurityToken token, EncryptingCredentials encryptingCredentials) { if (null == token) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } if (null == encryptingCredentials) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("encryptingCredentials"); } _encryptingCredentials = encryptingCredentials; _realToken = token; }
public STSService(SecurityTokenServiceConfiguration configuration) : base(configuration) { _signingCredentials = new X509SigningCredentials( CertificateUtility.GetCertificateByThumbprint( StoreLocation.LocalMachine, StoreName.My, WebConfigurationManager.AppSettings["SigningCertificateThumbprint"].ToString())); if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString())) { _encryptingCredentials = new X509EncryptingCredentials( CertificateUtility.GetCertificateByThumbprint( StoreLocation.LocalMachine, StoreName.My, WebConfigurationManager.AppSettings["EncryptingCertificateName"].ToString())); } }
/// <summary> /// Use this constructor to have the STS autogenerate a key and /// send it in the proof token as encrypted key. Two cases are covered here /// 1. client sends the entropy, but server rejects it /// 2. client did not send a entropy, so just use server's entropy /// </summary> /// <param name="keySizeInBits">the size of the symmetric key</param> /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param> /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param> /// <param name="encryptWith">The a----thm specified in the EncryptWith element of the RST.</param> /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception> /// <remarks>If EncryptWith is a DES algorithm, the key is guaranteed not to be a weak DES key.</remarks> public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials, string encryptWith) { _keySizeInBits = keySizeInBits; if (encryptWith == SecurityAlgorithms.DesEncryption || encryptWith == SecurityAlgorithms.TripleDesEncryption || encryptWith == SecurityAlgorithms.TripleDesKeyWrap) { _key = CryptoHelper.KeyGenerator.GenerateDESKey(_keySizeInBits); } else { _key = CryptoHelper.KeyGenerator.GenerateSymmetricKey(_keySizeInBits); } _requestorWrappingCredentials = requestorWrappingCredentials; _targetWrappingCredentials = targetWrappingCredentials; }
/// <summary> /// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials. /// </summary> /// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param> /// <param name="keySizeInBits">The key size of the wrapped session key.</param> /// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param> /// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception> public EncryptedKeyEncryptingCredentials( EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm ) { if ( wrappingCredentials == null ) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wrappingCredentials" ); } // // Key materials // if ( encryptionAlgorithm == SecurityAlgorithms.DesEncryption || encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption || encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap ) { _keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey( keySizeInBits ); } else { _keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey( keySizeInBits ); } base.SecurityKey = new InMemorySymmetricSecurityKey( _keyBytes ); // // Wrapping key // _wrappingCredentials = wrappingCredentials; // // key identifier // byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey( _wrappingCredentials.Algorithm, _keyBytes ); base.SecurityKeyIdentifier = new SecurityKeyIdentifier( new EncryptedKeyIdentifierClause( encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier ) ); // // encryption algorithm // base.Algorithm = encryptionAlgorithm; }
/// <summary> /// Use this constructor if users already have an encryting credentials and want to use that as a wrapping credentials. /// </summary> /// <param name="wrappingCredentials">The key wrapping credentials used to encrypt the session key.</param> /// <param name="keySizeInBits">The key size of the wrapped session key.</param> /// <param name="encryptionAlgorithm">The encryption algorithm when session key is used. This should be symmetric key algorithm.</param> /// <exception cref="ArgumentNullException">When the wrappingCredentials is null.</exception> public EncryptedKeyEncryptingCredentials(EncryptingCredentials wrappingCredentials, int keySizeInBits, string encryptionAlgorithm) { if (wrappingCredentials == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingCredentials"); } // // Key materials // if (encryptionAlgorithm == SecurityAlgorithms.DesEncryption || encryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption || encryptionAlgorithm == SecurityAlgorithms.TripleDesKeyWrap) { _keyBytes = CryptoHelper.KeyGenerator.GenerateDESKey(keySizeInBits); } else { _keyBytes = CryptoHelper.KeyGenerator.GenerateSymmetricKey(keySizeInBits); } base.SecurityKey = new InMemorySymmetricSecurityKey(_keyBytes); // // Wrapping key // _wrappingCredentials = wrappingCredentials; // // key identifier // byte[] encryptedKey = _wrappingCredentials.SecurityKey.EncryptKey(_wrappingCredentials.Algorithm, _keyBytes); base.SecurityKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedKey, _wrappingCredentials.Algorithm, _wrappingCredentials.SecurityKeyIdentifier)); // // encryption algorithm // base.Algorithm = encryptionAlgorithm; }
/// <summary> /// Initializes an instance of <see cref="Scope"/> /// </summary> /// <param name="appliesToAddress">The appliesTo address of the relying party.</param> /// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param> public Scope(string appliesToAddress, EncryptingCredentials encryptingCredentials) : this(appliesToAddress, null, encryptingCredentials) { }
public Entropy (byte[] secret, EncryptingCredentials wrappingCredentials) : base (secret, wrappingCredentials) { }
internal static XmlDictionaryReader CreatePlaintextReaderFromEncryptedData( XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection<EncryptedKeyIdentifierClause> clauses, out EncryptingCredentials encryptingCredentials) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } reader.MoveToContent(); if (reader.IsEmptyElement) { #pragma warning suppress 56504 // bogus - thinks reader.LocalName, reader.NamespaceURI need validation throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID3061, reader.LocalName, reader.NamespaceURI)); } encryptingCredentials = null; XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.EncryptedElementType, Saml2Constants.Namespace); reader.ReadStartElement(); EncryptedDataElement encryptedData = new EncryptedDataElement(keyInfoSerializer); // <xenc:EncryptedData> 1 encryptedData.ReadXml(reader); // <xenc:EncryptedKey> 0-oo reader.MoveToContent(); while (reader.IsStartElement(XmlEncryptionConstants.Elements.EncryptedKey, XmlEncryptionConstants.Namespace)) { SecurityKeyIdentifierClause skic; if (keyInfoSerializer.CanReadKeyIdentifierClause(reader)) { skic = keyInfoSerializer.ReadKeyIdentifierClause(reader); } else { EncryptedKeyElement encryptedKey = new EncryptedKeyElement(keyInfoSerializer); encryptedKey.ReadXml(reader); skic = encryptedKey.GetClause(); } EncryptedKeyIdentifierClause encryptedKeyClause = skic as EncryptedKeyIdentifierClause; if (null == encryptedKeyClause) { throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID4172)); } clauses.Add(encryptedKeyClause); } reader.ReadEndElement(); // Try to resolve the decryption key from both the embedded // KeyInfo and any external clauses SecurityKey decryptionKey = null; SecurityKeyIdentifierClause matchingClause = null; foreach (SecurityKeyIdentifierClause clause in encryptedData.KeyIdentifier) { if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey)) { matchingClause = clause; break; } } if (null == decryptionKey) { foreach (SecurityKeyIdentifierClause clause in clauses) { if (serviceTokenResolver.TryResolveSecurityKey(clause, out decryptionKey)) { matchingClause = clause; break; } } } if (null == decryptionKey) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new EncryptedTokenDecryptionFailedException()); } // Need a symmetric key SymmetricSecurityKey symmetricKey = decryptionKey as SymmetricSecurityKey; if (null == symmetricKey) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SecurityTokenException(SR.GetString(SR.ID4023))); } // Do the actual decryption SymmetricAlgorithm decryptor = symmetricKey.GetSymmetricAlgorithm(encryptedData.Algorithm); byte[] plainText = encryptedData.Decrypt(decryptor); // Save off the encrypting credentials for roundtrip encryptingCredentials = new ReceivedEncryptingCredentials(decryptionKey, new SecurityKeyIdentifier(matchingClause), encryptedData.Algorithm); return XmlDictionaryReader.CreateTextReader(plainText, reader.Quotas); }
/// <summary> /// Use this constructor if we want to send the key material encrypted. /// </summary> /// <param name="secret">The key material that needs to be protected.</param> /// <param name="wrappingCredentials">The encrypting credentials used to encrypt the key material.</param> public ProtectedKey(byte[] secret, EncryptingCredentials wrappingCredentials) { _secret = secret; _wrappingCredentials = wrappingCredentials; }
/// <summary> /// Use this constructor to have the STS autogenerate a key and /// send it in the proof token as encrypted key. Two cases are covered here /// 1. client sends the entropy, but server rejects it /// 2. client did not send a entropy, so just use server's entropy /// </summary> /// <param name="keySizeInBits">the size of the symmetric key</param> /// <param name="targetWrappingCredentials">The key encrypting credentials for the relying party.</param> /// <param name="requestorWrappingCredentials">The key encrypting credentials for the requestor.</param> /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception> public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials) : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, (string)null) { }
/// <summary> /// Use this constructor if you want the sts to use the given <see cref="EncryptingCredentials"/>. /// </summary> /// <param name="targetWrappingCredentials">The <see cref="EncryptingCredentials"/> to be used.</param> public SymmetricProofDescriptor(EncryptingCredentials targetWrappingCredentials) : this(SecurityTokenServiceConfiguration.DefaultKeySizeInBitsConstant, targetWrappingCredentials) { }
/// <summary> /// Use this constructor if you want to send combined entropy. /// </summary> /// <param name="keySizeInBits">The size of the symmetric key.</param> /// <param name="targetWrappingCredentials">The encrypting credentials for the relying party used to encrypt the key in the SecurityKeyIdentifier property.</param> /// <param name="requestorWrappingCredentials">The encrypting credentials for the requestor used to encrypt the entropy or the proof token.</param> /// <param name="sourceEntropy">The requestor's entropy.</param> /// <exception cref="ArgumentOutOfRangeException">When keySizeInBits is less than or equal to zero.</exception> /// <exception cref="ArgumentNullException">When source entorpy is null or is an empty array.</exception> public SymmetricProofDescriptor(int keySizeInBits, EncryptingCredentials targetWrappingCredentials, EncryptingCredentials requestorWrappingCredentials, byte[] sourceEntropy) : this(keySizeInBits, targetWrappingCredentials, requestorWrappingCredentials, sourceEntropy, null) { }
/// <summary> /// Writes a <see cref="EncryptedSecurityToken"/> using the xmlWriter. /// </summary> /// <param name="writer">The XmlWriter to which the encrypted token is written.</param> /// <param name="token">The <see cref="SecurityToken"/> which must be an instance of <see cref="EncryptedSecurityToken"/>.</param> /// <exception cref="ArgumentNullException">The input prameter 'writer' is null.</exception> /// <exception cref="ArgumentNullException">The input prameter 'token' is null.</exception> /// <exception cref="ArgumentException">The <see cref="SecurityToken"/> is not an instance of <see cref="EncryptedSecurityToken"/>.</exception> /// <exception cref="InvalidOperationException">The property 'Configuration' is null. This property is required for obtaining keys for encryption.</exception> /// <exception cref="InvalidOperationException">The ContaingCollection was unable to find a <see cref="SecurityTokenHandler"/> that is able to write /// the <see cref="SecurityToken"/> returned by 'EncryptedSecurityToken.Token'.</exception> /// <exception cref="SecurityTokenException">The property 'EncryptinCredentials.SecurityKey is not a <see cref="SymmetricSecurityKey"/></exception> public override void WriteToken(XmlWriter writer, SecurityToken token) { if (null == writer) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); } if (null == token) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } EncryptedSecurityToken encryptedToken = token as EncryptedSecurityToken; if (null == encryptedToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID4024)); } if (this.ContainingCollection == null) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4279)); } // // This implementation simply wraps the token in xenc:EncryptedData // EncryptedDataElement encryptedData = new EncryptedDataElement(KeyInfoSerializer); using (MemoryStream plaintextStream = new MemoryStream()) { // // Buffer the plaintext // using (XmlDictionaryWriter plaintextWriter = XmlDictionaryWriter.CreateTextWriter(plaintextStream, Encoding.UTF8, false)) { SecurityTokenHandler securityTokenHandler = this.ContainingCollection[encryptedToken.Token.GetType()]; if (securityTokenHandler != null) { securityTokenHandler.WriteToken(plaintextWriter, encryptedToken.Token); } else { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4224, encryptedToken.Token.GetType())); } } // // Set up the EncryptedData element // EncryptingCredentials encryptingCredentials = encryptedToken.EncryptingCredentials; encryptedData.Type = XmlEncryptionConstants.EncryptedDataTypes.Element; encryptedData.KeyIdentifier = encryptingCredentials.SecurityKeyIdentifier; encryptedData.Algorithm = encryptingCredentials.Algorithm; // // Get the encryption key, which must be symmetric // SymmetricSecurityKey encryptingKey = encryptingCredentials.SecurityKey as SymmetricSecurityKey; if (encryptingKey == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID3064))); } // // Do the actual encryption // using (SymmetricAlgorithm symmetricAlgorithm = encryptingKey.GetSymmetricAlgorithm(encryptingCredentials.Algorithm)) { byte[] plainTextBytes = plaintextStream.GetBuffer(); DebugEncryptedTokenClearText(plainTextBytes, Encoding.UTF8); encryptedData.Encrypt(symmetricAlgorithm, plainTextBytes, 0, (int)plaintextStream.Length); } } // // Write the EncryptedData element // encryptedData.WriteXml(writer, KeyInfoSerializer); }
/// <summary> /// Initializes an instance of <see cref="Scope"/> /// </summary> /// <param name="appliesToAddress">The appliesTo address of the relying party.</param> /// <param name="signingCredentials">The signing credentials for the relying party.</param> /// <param name="encryptingCredentials"> The encrypting credentials for the relying party.</param> public Scope(string appliesToAddress, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials) { _appliesToAddress = appliesToAddress; _signingCredentials = signingCredentials; _encryptingCredentials = encryptingCredentials; }
public CustomSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration, EncryptingCredentials encryptingCredentials, IDragonUserStore<AppMember> userStore) : base(securityTokenServiceConfiguration) { _encryptingCredentials = encryptingCredentials; _userStore = userStore; }
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration) : base(configuration) { _signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SIGNING_CERTIFICATE_NAME)); _encryptingCreds = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, ENCRYPTING_CERTIFICATE_NAME)); }
/// <summary> /// Gets a security key identifier which contains the BinarySecretKeyIdentifierClause or /// EncryptedKeyIdentifierClause if the wrapping credentials is available. /// </summary> public static SecurityKeyIdentifier GetSecurityKeyIdentifier(byte[] secret, EncryptingCredentials wrappingCredentials) { if (secret == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("secret"); } if (secret.Length == 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("secret", SR.GetString(SR.ID6031)); } if (wrappingCredentials == null || wrappingCredentials.SecurityKey == null) { // // BinarySecret case // return new SecurityKeyIdentifier(new BinarySecretKeyIdentifierClause(secret)); } else { // // EncryptedKey case // byte[] wrappedKey = wrappingCredentials.SecurityKey.EncryptKey(wrappingCredentials.Algorithm, secret); return new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(wrappedKey, wrappingCredentials.Algorithm, wrappingCredentials.SecurityKeyIdentifier)); } }
// This method reads the binary secret or encrypted key public static ProtectedKey ReadProtectedKey(XmlReader reader, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } if (trustConstants == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("trustConstants"); } ProtectedKey protectedKey = null; if (!reader.IsEmptyElement) { if (reader.IsStartElement(trustConstants.Elements.BinarySecret, trustConstants.NamespaceURI)) { // BinarySecret case BinarySecretSecurityToken token = ReadBinarySecretSecurityToken(reader, trustConstants); byte[] secret = token.GetKeyBytes(); protectedKey = new ProtectedKey(secret); } else if (context.SecurityTokenHandlers.CanReadKeyIdentifierClause(reader)) { // EncryptedKey case EncryptedKeyIdentifierClause encryptedKeyClause = context.SecurityTokenHandlers.ReadKeyIdentifierClause(reader) as EncryptedKeyIdentifierClause; if (encryptedKeyClause != null) { SecurityKey wrappingKey = null; byte[] secret; foreach (SecurityKeyIdentifierClause wrappingKeyClause in encryptedKeyClause.EncryptingKeyIdentifier) { if (context.TokenResolver.TryResolveSecurityKey(wrappingKeyClause, out wrappingKey)) { break; } } if (wrappingKey == null) { // We can't resolve the ski, throw throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new WSTrustSerializationException(SR.GetString(SR.ID3027, "the SecurityHeaderTokenResolver or OutOfBandTokenResolver"))); } secret = wrappingKey.DecryptKey(encryptedKeyClause.EncryptionMethod, encryptedKeyClause.GetEncryptedKey()); EncryptingCredentials wrappingCredentials = new EncryptingCredentials(wrappingKey, encryptedKeyClause.EncryptingKeyIdentifier, encryptedKeyClause.EncryptionMethod); protectedKey = new ProtectedKey(secret, wrappingCredentials); } } } return protectedKey; }
public RequestedProofToken (Byte[] secret, EncryptingCredentials wrappingCredentials) { ProtectedKey = new ProtectedKey (secret, wrappingCredentials); }