public void CreateTokenAndParseEncodedMultipleClaims() { var handler = new SimpleWebTokenHandler(); byte[] key = GetKey(); var token = this.CreateToken(key); var tokenString = TokenToString(token); var signedToken = handler.ReadToken(new XmlTextReader(new StringReader(tokenString))); handler.Configuration = new SecurityTokenHandlerConfiguration(); var symmetricKey = new InMemorySymmetricSecurityKey(key); handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add( new Uri("http://audience")); var resolverTable = new Dictionary<string, IList<SecurityKey>> { { "http://issuer", new SecurityKey[] { symmetricKey } } }; handler.Configuration.IssuerTokenResolver = new NamedKeyIssuerTokenResolver(resolverTable); var ids = handler.ValidateToken(signedToken); var id = ids.FirstOrDefault(); Assert.IsNotNull(id); var testClaims = GetClaims(); Assert.IsTrue(id.Claims.Count() == 3); Assert.IsTrue(id.HasClaim(testClaims[0].Type, testClaims[0].Value)); Assert.IsTrue(id.HasClaim(testClaims[1].Type, testClaims[1].Value)); Assert.IsTrue(id.HasClaim(testClaims[2].Type, testClaims[2].Value)); }
public DerivedKeySecurityToken (string id, string algorithm, SecurityKeyIdentifierClause reference, SymmetricSecurityKey referencedKey, string name, int? generation, int? offset, int? length, string label, byte [] nonce) { algorithm = algorithm ?? SecurityAlgorithms.Psha1KeyDerivation; this.id = id; this.algorithm = algorithm; this.reference = reference; this.generation = generation; this.offset = offset; this.length = length; this.nonce = nonce; this.name = name; this.label = label; SecurityKey key = new InMemorySymmetricSecurityKey ( referencedKey.GenerateDerivedKey ( algorithm, Encoding.UTF8.GetBytes (label ?? Constants.WsscDefaultLabel), nonce, (length ?? 32) * 8, offset ?? 0)); keys = new ReadOnlyCollection<SecurityKey> ( new SecurityKey [] {key}); }
private static void ValidateSwtToken(string tokenString) { var configuration = new SecurityTokenHandlerConfiguration(); var validationKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingKey)); // audience validation configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(realm)); // signature & issuer validation var resolverTable = new Dictionary<string, IList<SecurityKey>> { { issuerUri, new SecurityKey[] { validationKey } } }; configuration.IssuerTokenResolver = new NamedKeyIssuerTokenResolver(resolverTable); var handler = new SimpleWebTokenHandler(); handler.Configuration = configuration; var token = handler.ReadToken(tokenString); var ids = handler.ValidateToken(token); "\n\nValidated Claims:".ConsoleYellow(); foreach (var claim in ids.First().Claims) { Console.WriteLine("{0}\n {1}\n", claim.Type, claim.Value); } }
public override SecurityKey CreateKey() { if (this.symmetricKey == null) this.symmetricKey = new InMemorySymmetricSecurityKey(GetBuffer(), false); return this.symmetricKey; }
public void GetSymmetricAlgorithmAES() { byte [] bytes = new byte [32]; Key key = new Key(bytes); SymmetricAlgorithm alg = key.GetSymmetricAlgorithm( SecurityAlgorithms.Aes128Encryption); Assert.AreEqual(256, alg.KeySize, "#1-1"); Assert.AreEqual(CipherMode.CBC, alg.Mode, "#1-2"); Assert.AreEqual(PaddingMode.PKCS7, alg.Padding, "#1-3"); alg = key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes192Encryption); Assert.AreEqual(256, alg.KeySize, "#2-1"); Assert.AreEqual(CipherMode.CBC, alg.Mode, "#2-2"); Assert.AreEqual(PaddingMode.PKCS7, alg.Padding, "#2-3"); alg = key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes256Encryption); Assert.AreEqual(256, alg.KeySize, "#3-1"); Assert.AreEqual(CipherMode.CBC, alg.Mode, "#3-2"); Assert.AreEqual(PaddingMode.PKCS7, alg.Padding, "#3-3"); alg = key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes128KeyWrap); Assert.IsTrue(alg is AES, "#4"); alg = key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes192KeyWrap); Assert.IsTrue(alg is AES, "#5"); alg = key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes256KeyWrap); Assert.IsTrue(alg is AES, "#6"); //alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.TripleDesKeyWrap); //Assert.IsTrue (alg is TripleDES, "#7"); }
public void CreateSimple () { Key key = new Key (raw); Assert.AreEqual (256, key.KeySize, "#1"); // the returned value must be a clone. Assert.IsFalse (Object.ReferenceEquals (key.GetSymmetricKey (), raw), "#2"); }
static string BearerToken() { var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"; var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256"; var securityKey = Convert.FromBase64String(mainKey); var inMemKey = new InMemorySymmetricSecurityKey(securityKey); ClaimsIdentity identity = new ClaimsIdentity(); identity.AddClaim(new Claim("scope", "Full")); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); SecurityToken securityToken = handler.CreateToken(new SecurityTokenDescriptor() { TokenType = "Bearer", Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(1)), SigningCredentials = new SigningCredentials(inMemKey, signatureAlgorithm, digestAlgorithm), //This data I would get by matching the jwtSecurityToken.Audience to database or something TokenIssuerName = "PaulsSite", AppliesToAddress = "http://JoshsSite", Subject = identity } ); return handler.WriteToken(securityToken); }
public void GetSymmetricAlgorithmAES () { byte [] bytes = new byte [32]; Key key = new Key (bytes); SymmetricAlgorithm alg = key.GetSymmetricAlgorithm ( SecurityAlgorithms.Aes128Encryption); Assert.AreEqual (256, alg.KeySize, "#1-1"); Assert.AreEqual (CipherMode.CBC, alg.Mode, "#1-2"); Assert.AreEqual (PaddingMode.PKCS7, alg.Padding, "#1-3"); alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.Aes192Encryption); Assert.AreEqual (256, alg.KeySize, "#2-1"); Assert.AreEqual (CipherMode.CBC, alg.Mode, "#2-2"); Assert.AreEqual (PaddingMode.PKCS7, alg.Padding, "#2-3"); alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.Aes256Encryption); Assert.AreEqual (256, alg.KeySize, "#3-1"); Assert.AreEqual (CipherMode.CBC, alg.Mode, "#3-2"); Assert.AreEqual (PaddingMode.PKCS7, alg.Padding, "#3-3"); alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.Aes128KeyWrap); Assert.IsTrue (alg is AES, "#4"); alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.Aes192KeyWrap); Assert.IsTrue (alg is AES, "#5"); alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.Aes256KeyWrap); Assert.IsTrue (alg is AES, "#6"); //alg = key.GetSymmetricAlgorithm (SecurityAlgorithms.TripleDesKeyWrap); //Assert.IsTrue (alg is TripleDES, "#7"); }
public SimpleWebToken(Uri audienceUri, string issuer, DateTime expiresOn, List<Claim> claims, InMemorySymmetricSecurityKey signingKey) { _audienceUri = audienceUri; _issuer = issuer; _expiresOn = expiresOn; _claims = claims; _signingKey = signingKey; }
public SimpleWebToken2(string key) { TimeSpan ts = DateTime.UtcNow - epochStart + lifeTime; this.ExpiresOn = Convert.ToUInt64(ts.TotalSeconds); var securityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(key)); keyBytes = securityKey.GetSymmetricKey(); }
public void CreateSimple() { Key key = new Key(raw); Assert.AreEqual(256, key.KeySize, "#1"); // the returned value must be a clone. Assert.IsFalse(Object.ReferenceEquals(key.GetSymmetricKey(), raw), "#2"); }
[ExpectedException(typeof(InvalidOperationException))] // not ArgumentNullException? public void GenerateDerivedKeyNullAlgorithm() { Key key = new Key(raw); byte [] nonce = new byte [256]; key.GenerateDerivedKey(null, wssc_label, nonce, key.KeySize, 0); }
[ExpectedException(typeof(InvalidOperationException))] // not ArgumentNullException? public void GenerateDerivedKeyUnsupportedAlgorithm() { Key key = new Key(raw); byte [] nonce = new byte [256]; key.GenerateDerivedKey("urn:my-own-way", wssc_label, nonce, key.KeySize, 0); }
public void IsSymmetricAlgorithm() { Key key = new Key(raw); Assert.IsTrue(key.IsSymmetricAlgorithm(SecurityAlgorithms.Aes256KeyWrap), "#1"); Assert.IsTrue(key.IsSymmetricAlgorithm(SecurityAlgorithms.TripleDesEncryption), "#2"); Assert.IsFalse(key.IsSymmetricAlgorithm(SecurityAlgorithms.RsaOaepKeyWrap), "#3"); Assert.IsTrue(key.IsSymmetricAlgorithm(SecurityAlgorithms.Psha1KeyDerivation), "#4"); }
public void GetSymmetricAlgorithm3VulnerableTDESEnc() { byte [] bytes = new byte [24]; Key key = new Key(bytes); // strange, TripleDesEncryption works with 32bytes key, // but TripleDesKeyWrap doesn't. key.GetSymmetricAlgorithm(SecurityAlgorithms.TripleDesEncryption); }
public void GenerateDerivedKeyUnusualOffset() { Key key = new Key(raw); byte [] nonce = new byte [256]; key.GenerateDerivedKey( SecurityAlgorithms.Psha1KeyDerivation, wssc_label, nonce, 5, 0); }
public void GenerateDerivedKeyNullNonce() { Key key = new Key(raw); byte [] nonce = new byte [256]; key.GenerateDerivedKey( SecurityAlgorithms.Psha1KeyDerivation, wssc_label, null, key.KeySize, 0); }
public void GenerateDerivedKeyNegativeLength() { Key key = new Key(raw); byte [] nonce = new byte [256]; key.GenerateDerivedKey( SecurityAlgorithms.Psha1KeyDerivation, wssc_label, nonce, -32, 0); }
// no error??? public void GetSymmetricAlgorithmWrongSize2() { AES aes = new AES(); aes.KeySize = 192; aes.GenerateKey(); Key key = new Key(aes.Key); Assert.IsNotNull(key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes256Encryption)); }
private static SecurityTokenDescriptor CreateSecurityTokenDescriptor(List<Claim> claims, InMemorySymmetricSecurityKey key) { return new SecurityTokenDescriptor { TokenIssuerName = TokenConstants.TokenIssuer, AppliesToAddress = TokenConstants.TokenAudience, Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(TokenConstants.TokenLifetimeInMinutes)), Subject = new ClaimsIdentity(claims.ToArray()), SigningCredentials = new SigningCredentials(key, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"), }; }
public SimpleWebToken() { TimeSpan ts = DateTime.UtcNow - EpochStart + LifeTime; ExpiresOn = Convert.ToUInt64(ts.TotalSeconds); _keyValuePairs = new NameValueCollection(); var key = RoleEnvironment.GetConfigurationSettingValue("SimpleWebTokenKey"); var securityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(key)); _keyBytes = securityKey.GetSymmetricKey(); Issuer = "ToSavour"; Audience = "ToSavour"; }
/// <summary> /// <![CDATA[配置JWT认证]]> /// </summary> /// <param name="app"></param> public void Configuration(IAppBuilder app) { HttpConfiguration config = new HttpConfiguration(); // 有关如何配置应用程序的详细信息,请访问 https://go.microsoft.com/fwlink/?LinkID=316888 var issuer = "http://localhost:51912/"; //发行者 var audience = "fNm0EDIXbfuuDowUpAoq5GTEiywV8eg0TpiIVnV8"; //观众 var secret = TextEncodings.Base64Url.Decode(OAuthCommon.Constants.Consts.JWT.Security.SecretKey); //秘钥 var signingKey = new System.IdentityModel.Tokens.InMemorySymmetricSecurityKey(secret); //令牌验证参数 TokenValidationParameters tokenValidationParameters = new TokenValidationParameters() { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // Validate the JWT Issuer (iss) claim 颁布者 ValidateIssuer = true, ValidIssuer = issuer, // Validate the JWT Audience (aud) claim 观众 ValidateAudience = true, ValidAudience = audience, // Validate the token expiry ValidateLifetime = true, ClockSkew = TimeSpan.Zero, }; //Jwt数据格式 OAuth.JwtDataFormat jwtDataFormat = new OAuth.JwtDataFormat(issuer: issuer, secret: secret); // 有关如何配置应用程序的详细信息,请访问 https://go.microsoft.com/fwlink/?LinkID=316888 app.UseOAuthAuthorizationServer(new Microsoft.Owin.Security.OAuth.OAuthAuthorizationServerOptions() { AllowInsecureHttp = true, AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active, AuthenticationType = "Bearer", AuthorizeEndpointPath = new PathString("/oauth2/authorize"), //http://localhost:50573/oauth2/authorize?response_type=token&client_id=_auth2.0Client&redirect_uri=http://localhost:50573/api/values/ 主要是授权码和客户端模式 TokenEndpointPath = new PathString("/oauth2/token"), // AccessTokenExpireTimeSpan = new TimeSpan(3, 0, 0), AccessTokenFormat = jwtDataFormat, //自定义 RefreshTokenFormat = jwtDataFormat, //AccessTokenProvider = new AuthenticationTokenProvider() //{ //}, Provider = new OAuth.JwtAuthorizationServerProvider(tokenValidationParameters), ApplicationCanDisplayErrors = true, }); }
ReadOnlyCollection <SecurityKey> BuildCryptoList() { List <SecurityKey> cryptoList = new List <SecurityKey>(); for (int i = 0; i < this.statements.Count; ++i) { SamlSubjectStatement statement = this.statements[i] as SamlSubjectStatement; if (statement != null) { bool skipCrypto = false; SecurityKey crypto = null; if (statement.SamlSubject != null) { crypto = statement.SamlSubject.Crypto; } InMemorySymmetricSecurityKey inMemorySymmetricSecurityKey = crypto as InMemorySymmetricSecurityKey; if (inMemorySymmetricSecurityKey != null) { // Verify that you have not already added this to crypto list. for (int j = 0; j < cryptoList.Count; ++j) { if ((cryptoList[j] is InMemorySymmetricSecurityKey) && (cryptoList[j].KeySize == inMemorySymmetricSecurityKey.KeySize)) { byte[] key1 = ((InMemorySymmetricSecurityKey)cryptoList[j]).GetSymmetricKey(); byte[] key2 = inMemorySymmetricSecurityKey.GetSymmetricKey(); int k = 0; for (k = 0; k < key1.Length; ++k) { if (key1[k] != key2[k]) { break; } } skipCrypto = (k == key1.Length); } if (skipCrypto) { break; } } } if (!skipCrypto && (crypto != null)) { cryptoList.Add(crypto); } } } return(cryptoList.AsReadOnly()); }
public void GenerateDerivedKey() { Key key = new Key(raw); byte [] nonce = new byte [256]; byte [] derived = key.GenerateDerivedKey( SecurityAlgorithms.Psha1KeyDerivation, wssc_label, nonce, key.KeySize, 0); Assert.IsTrue(Convert.ToBase64String(derived) != Convert.ToBase64String(raw), "#4"); // the precomputed derivation value. byte [] expected = Convert.FromBase64String("50UfLeg58TbfADujVeafUAS8typGX9LvqLOXezK/eJY="); Assert.AreEqual(Convert.ToBase64String(expected), Convert.ToBase64String(derived), "#5"); }
private ReadOnlyCollection <SecurityKey> BuildCryptoList() { List <SecurityKey> list = new List <SecurityKey>(); for (int i = 0; i < this.statements.Count; i++) { SamlSubjectStatement statement = this.statements[i] as SamlSubjectStatement; if (statement != null) { bool flag = false; SecurityKey item = null; if (statement.SamlSubject != null) { item = statement.SamlSubject.Crypto; } InMemorySymmetricSecurityKey key2 = item as InMemorySymmetricSecurityKey; if (key2 != null) { for (int j = 0; j < list.Count; j++) { if ((list[j] is InMemorySymmetricSecurityKey) && (list[j].KeySize == key2.KeySize)) { byte[] symmetricKey = ((InMemorySymmetricSecurityKey)list[j]).GetSymmetricKey(); byte[] buffer2 = key2.GetSymmetricKey(); int index = 0; index = 0; while (index < symmetricKey.Length) { if (symmetricKey[index] != buffer2[index]) { break; } index++; } flag = index == symmetricKey.Length; } if (flag) { break; } } } if (!flag && (item != null)) { list.Add(item); } } } return(list.AsReadOnly()); }
public static string CreateJwtToken(string userName, string role) { var claimList = new List<Claim>() { new Claim(ClaimTypes.Name, userName), new Claim(ClaimTypes.Role, role) //Not sure what this is for }; var tokenHandler = new JwtSecurityTokenHandler() { RequireExpirationTime = true }; var sSKey = new InMemorySymmetricSecurityKey(SecurityConstants.KeyForHmacSha256); var jwtToken = tokenHandler.CreateToken(makeSecurityTokenDescriptor(sSKey, claimList)); return tokenHandler.WriteToken(jwtToken); }
private static SecurityTokenDescriptor makeSecurityTokenDescriptor(InMemorySymmetricSecurityKey sSKey, List<Claim> claimList) { var now = DateTime.UtcNow; Claim[] claims = claimList.ToArray(); return new SecurityTokenDescriptor { Subject = new ClaimsIdentity(claims), TokenIssuerName = SecurityConstants.TokenIssuer, AppliesToAddress = SecurityConstants.TokenAudience, Lifetime = new Lifetime(now, now.AddMinutes(SecurityConstants.TokenLifetimeMinutes)), SigningCredentials = new SigningCredentials(sSKey, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"), }; }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { key = null; var swtClause = keyIdentifierClause as WebTokenSecurityKeyClause; string value; if (_signingKeys.TryGetValue(swtClause.Issuer.ToLowerInvariant(), out value)) { key = new InMemorySymmetricSecurityKey(Convert.FromBase64String(value)); return true; } return false; }
public static Token CreateToken(UserInfo user, string perms) { var claims = new List<Claim>() { new Claim(ClaimTypes.UserData, user.UserId.ToString()), new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()), new Claim(ClaimTypes.Sid, user.UserId.ToString()), new Claim(ClaimTypes.Name, user.FullName.ToString()) }; var key = new InMemorySymmetricSecurityKey(TokenConstants.TokenKey); var jwt = new JwtSecurityTokenHandler() { TokenLifetimeInMinutes = TokenConstants.TokenLifetimeInMinutes }; var token = jwt.CreateToken(CreateSecurityTokenDescriptor(claims, key)); return new Token() { Value = jwt.WriteToken(token), Expiry = TokenConstants.TokenLifetimeInMinutes, User = user.FullName, Perms = perms }; }
public static SimpleWebToken ToSwtToken(this ClaimsPrincipal principal) { var identity = principal.Identities.First(); var context = identity.BootstrapContext as BootstrapContext; var claims = identity.Claims.ToList(); var signValue = ConfigurationManager.AppSettings[SwtConstants.SigningKeyAppSetting]; var issureValue = ConfigurationManager.AppSettings[SwtConstants.IssureAppSetting]; var audiencevalue = ConfigurationManager.AppSettings[SwtConstants.AudienceAppSetting]; var key = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signValue)); return new SimpleWebToken(new Uri(audiencevalue), issureValue, context.SecurityToken.ValidTo, claims, key);; }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { key = null; CustomTokenKeyIdentifierClause keyClause = keyIdentifierClause as CustomTokenKeyIdentifierClause; if (keyClause != null) { string base64Key = null; _keys.TryGetValue(keyClause.Audience, out base64Key); if (!string.IsNullOrEmpty(base64Key)) { key = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(base64Key)); return true; } } return false; }
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(string token, string clientId = null, bool validateLifetime = true) { if (clientId.IsMissing()) { clientId = GetClientIdFromJwt(token); if (clientId.IsMissing()) { return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } } var client = await _clients.FindClientByIdAsync(clientId); if (client == null) { return Invalid(Constants.ProtectedResourceErrors.InvalidToken); } SecurityKey signingKey; if (client.IdentityTokenSigningKeyType == SigningKeyTypes.ClientSecret) { signingKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(client.ClientSecret)); } else { signingKey = new X509SecurityKey(_options.SigningCertificate); } var result = await ValidateJwtAsync(token, clientId, signingKey, validateLifetime); result.Client = client; if (result.IsError) { return result; } Logger.Debug("Calling custom token validator"); var customResult = await _customValidator.ValidateIdentityTokenAsync(result); if (customResult.IsError) { Logger.Error("Custom validator failed: " + customResult.Error ?? "unknown"); } return customResult; }
public JwtTokenGenerator() { var random = new byte[64]; using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(random); //Use a in memory random generated symetrickey so when the service is restarted, all token generated before restart are invalidated var symetricSecurityKey = new InMemorySymmetricSecurityKey(Encoding.ASCII.GetBytes("90htwn5AtMMiKBfRsf8BPlnK0uAmyQejcoV0rVWTatLpEZfZhVIjr3l78N28dAB4")); this.credentials = new SigningCredentials(symetricSecurityKey, JwtTokenGenerator.SignatureAlgorithm, JwtTokenGenerator.DigestAlgorithm); this.validationParameters = new TokenValidationParameters { IssuerSigningKey = symetricSecurityKey, ValidateAudience = false, ValidIssuer = JwtTokenGenerator.TokenIssuer }; }
/// <summary> /// Resolves the given SecurityKeyIdentifierClause to a SecurityKey. /// </summary> /// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve</param> /// <param name="key">The resolved SecurityKey.</param> /// <returns>True if successfully resolved.</returns> /// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception> protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } key = null; EncryptedKeyIdentifierClause encryptedKeyIdentifierClause = keyIdentifierClause as EncryptedKeyIdentifierClause; if (encryptedKeyIdentifierClause != null) { SecurityKeyIdentifier keyIdentifier = encryptedKeyIdentifierClause.EncryptingKeyIdentifier; if (keyIdentifier != null && keyIdentifier.Count > 0) { for (int i = 0; i < keyIdentifier.Count; i++) { SecurityKey unwrappingSecurityKey = null; if (TryResolveSecurityKey(keyIdentifier[i], out unwrappingSecurityKey)) { byte[] wrappedKey = encryptedKeyIdentifierClause.GetEncryptedKey(); string wrappingAlgorithm = encryptedKeyIdentifierClause.EncryptionMethod; byte[] unwrappedKey = unwrappingSecurityKey.DecryptKey(wrappingAlgorithm, wrappedKey); key = new InMemorySymmetricSecurityKey(unwrappedKey, false); return(true); } } } } else { SecurityToken token = null; if (TryResolveToken(keyIdentifierClause, out token)) { if (token.SecurityKeys.Count > 0) { key = token.SecurityKeys[0]; return(true); } } } return(false); }
public static ClaimsPrincipal Validate(string token, InMemorySymmetricSecurityKey signingKey, string issuer, string audience) { var tokenHandler = new JwtSecurityTokenHandler(); // Parse JWT from the Base64UrlEncoded wire form //(<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>) //JwtSecurityToken parsedJwt = tokenHandler.ReadToken(token) as JwtSecurityToken; TokenValidationParameters validationParams = new TokenValidationParameters() { ValidateAudience = true, ValidateIssuer = true, ValidAudience = audience, ValidIssuer = issuer, IssuerSigningKey = signingKey, ValidateLifetime = true }; SecurityToken securityToken = null; return tokenHandler.ValidateToken(token, validationParams, out securityToken); }
public void Init() { DataProtectection.Instance = new NoProtection(); globalConfiguration = new GlobalConfiguration() { Issuer = "Test Issuer" }; rocv = new Mock<IResourceOwnerCredentialValidation>(); config = new Mock<IAuthorizationServerConfiguration>(); handleManager = new Mock<IStoredGrantManager>(); assertionGrantValidator = new Mock<IAssertionGrantValidation>(); clientManager = new Mock<IClientManager>(); tokenService = new TokenService(globalConfiguration); #region Setup Test Client string secret = "12345678"; byte[] encodedByte = System.Text.ASCIIEncoding.ASCII.GetBytes(secret); string base64EncodedSecret = Convert.ToBase64String(encodedByte); _Client = new Client() { ClientId = "MobileAppShop", ClientSecret = base64EncodedSecret, Flow = OAuthFlow.ResourceOwner, AllowRefreshToken = true }; #endregion #region Setup Test Application var scope = new Scope(); scope.Name = "read"; scope.AllowedClients = new List<Client>(); scope.AllowedClients.Add(_Client); _Scopes = new List<Scope>(); _Scopes.Add(scope); string symmetricKey = "C33333333333333333333333335="; byte[] keybytes = Convert.FromBase64String(symmetricKey); SecurityKey securityKey = new InMemorySymmetricSecurityKey(keybytes); _Application = new Application() { Name = "Test Application 1", Scopes = _Scopes, Audience = "Test Audience", TokenLifetime = 1, AllowRefreshToken = true, }; #endregion #region Setup Example StoredGrant Claim[] resourceOwnerClaims = { new Claim("Username", "JohnSmith"), new Claim("sub", "JohnSmith") }; _StoredGrant = new StoredGrant() { GrantId = "MyFavouriteRefrehToken1234", CreateRefreshToken = true, Client = _Client, ResourceOwner = resourceOwnerClaims.ToStoredGrantClaims().ToList(), Expiration = DateTime.Now.AddDays(1), RefreshTokenExpiration = DateTime.Now.AddMonths(1), Type = StoredGrantType.RefreshTokenIdentifier, Scopes = _Scopes, Application = _Application }; #endregion #region Setup Mocking Objects // IAuthorizationServerConfiguration config.Setup(x => x.FindApplication(It.IsNotNull<string>())) .Returns((string name) => { return _Application; }); config.Setup(x => x.GlobalConfiguration).Returns(() => globalConfiguration); // IClientManager clientManager.Setup(x => x.Get(It.IsNotNull<string>())) .Returns((string clientId) => { return _Client; }); // IResourceOwnerCredentialValidation rocv.Setup(x => x.Validate(It.IsNotNull<string>(), It.IsNotNull<string>())) .Returns((string username, string password) => { return Principal.Create("Test", resourceOwnerClaims); }); // IStoredGrantManager handleManager.Setup(x => x.Get(It.IsNotNull<string>())) .Returns((string grantIdentifier) => { return _StoredGrant; }); #endregion _TokenController = new TokenController( rocv.Object, config.Object, handleManager.Object, assertionGrantValidator.Object, tokenService, clientManager.Object); _TokenController.Request = new HttpRequestMessage(); _TokenController.Request.SetConfiguration(new HttpConfiguration()); }
// hmm, no error public void GetSymmetricAlgorithmWrongSize() { Key key = new Key(new byte [32]); Assert.IsNotNull(key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes192Encryption)); }
/// <summary> /// /// </summary> /// <param name="app"></param> public void Configuration(IAppBuilder app) { // 有关如何配置应用程序的详细信息,请访问 https://go.microsoft.com/fwlink/?LinkID=316888 var issuer = "http://localhost:51912/"; //发行者 var audience = "fNm0EDIXbfuuDowUpAoq5GTEiywV8eg0TpiIVnV8"; //观众 var secret = TextEncodings.Base64Url.Decode(OAuthCommon.Constants.Consts.JWT.Security.SecretKey); //秘钥 var signingKey = new System.IdentityModel.Tokens.InMemorySymmetricSecurityKey(secret); //令牌验证参数 TokenValidationParameters tokenValidationParameters = new TokenValidationParameters() { ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // Validate the JWT Issuer (iss) claim ValidateIssuer = true, ValidIssuer = "http://localhost:51912/", // Validate the JWT Audience (aud) claim ValidateAudience = false, ValidAudience = audience, // Validate the token expiry ValidateLifetime = true, ClockSkew = TimeSpan.Zero }; //配置JwtBearer授权中间件 这个中间件的作用主要是解决由JWT方式提供的身份认证。算是Resource资源,认证服务器需要另外开发 app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions() { TokenValidationParameters = tokenValidationParameters, AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active, AuthenticationType = "Bearer", AllowedAudiences = new[] { audience }, Description = new AuthenticationDescription(), Realm = "",//领域,范围; Provider = new OAuthBearerAuthenticationProvider() { //验证当前访客身份 OnValidateIdentity = context => { AuthenticationTicket ticket = context.Ticket; //校验身份是否过期 if (ticket.Properties.ExpiresUtc < DateTime.Now) { context.SetError("the token has expired!"); context.Rejected(); } else { context.Validated(ticket); } return(Task.FromResult <object>(context)); }, //处理授权令牌 OAuthBearerAuthenticationHandler //headers Authorization=Bear:token OnRequestToken = (context) => { context.Token = context.Token ?? context.Request.Query["access_token"]; if (context.Token != null) { context.Response.Headers["WWW-Authorization"] = "Bearer"; //protector IDataProtector protector = app.CreateDataProtector(typeof(OAuthAuthorizationServerMiddleware).Namespace, "Access_Token", "v1"); JwtFormat ticketDataFormat = new JwtFormat(tokenValidationParameters); var ticket = ticketDataFormat.Unprotect(context.Token);//从令牌字符串中,获取授权票据 context.Request.User = new ClaimsPrincipal(ticket.Identity); } return(Task.FromResult <object>(context)); }, OnApplyChallenge = (context) => { return(Task.FromResult <object>(context)); } }, IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) //对称加密 } }); }
public void GetSymmetricAlgorithm3VulnerableTDESEnc () { byte [] bytes = new byte [24]; Key key = new Key (bytes); // strange, TripleDesEncryption works with 32bytes key, // but TripleDesKeyWrap doesn't. key.GetSymmetricAlgorithm (SecurityAlgorithms.TripleDesEncryption); }
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { Check.IsNotNull(request, "request"); HttpStatusCode statusCode; string token; if (request.RequestUri.AbsolutePath.Contains("/authenticate")) { return base.SendAsync(request, cancellationToken); } if (request.RequestUri.AbsolutePath.Contains("/signout")) { return base.SendAsync(request, cancellationToken); } if (request.RequestUri.AbsolutePath.Contains("/SignOutCallback")) { return base.SendAsync(request, cancellationToken); } if (request.RequestUri.AbsolutePath.Contains("/windowsLiveAuthorization")) { return base.SendAsync(request, cancellationToken); } if (request.RequestUri.AbsolutePath.Contains("api/GetSupportedIdentityProviders")) { return base.SendAsync(request, cancellationToken); } if (request.RequestUri.AbsolutePath.Contains("api/SignInCallBack")) { return base.SendAsync(request, cancellationToken); } if (!TryRetrieveToken(request, out token)) { statusCode = HttpStatusCode.Unauthorized; return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode)); } try { diagnostics.WriteInformationTrace(TraceEventId.Flow, "Validating bearer token: {0}", token); string issuersValue = ConfigurationManager.AppSettings["Issuers"]; string signingSymmetricKey = ConfigurationManager.AppSettings["SigningSymmetricKey"]; string allowedAudience = ConfigurationManager.AppSettings["AllowedAudience"]; // Use JWTSecurityTokenHandler to validate the JWT token ApiJWTSecurityTokenHandler tokenHandler = new ApiJWTSecurityTokenHandler(); List<string> issuers = new List<string>(); issuers.AddRange(issuersValue.Split(new[] { ',' })); InMemorySymmetricSecurityKey securityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingSymmetricKey)); NamedKeySecurityToken namedToken = new NamedKeySecurityToken(allowedAudience, new List<SecurityKey>() { securityKey }); // Set the expected properties of the JWT token in the TokenValidationParameters TokenValidationParameters validationParameters = new TokenValidationParameters() { AllowedAudience = allowedAudience, ValidIssuers = issuers, SigningToken = namedToken }; ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters); ClaimsIdentity claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity; try { IUserService userService = (IUserService)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(IUserService)); User user = IdentityHelper.GetCurrentUser(userService, claimsPrincipal); foreach (var role in user.UserRoles) { if (!claimsIdentity.HasClaim(ClaimTypes.Role, role.Role.Name)) { claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Role.Name)); } } } catch (UserNotFoundException) { // No need to do anything here because GetUsersByNameIdentifier action in UsersController will take care of sending appropriate http response. } Thread.CurrentPrincipal = claimsPrincipal; if (HttpContext.Current != null) { HttpContext.Current.User = claimsPrincipal; } diagnostics.WriteInformationTrace(TraceEventId.Flow, "Authorization token validated successfully"); return base.SendAsync(request, cancellationToken); } catch (SecurityTokenValidationException secutiryTokenValidationException) { FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true); HttpResponseMessage response = request.CreateErrorResponse(HttpStatusCode.Unauthorized, secutiryTokenValidationException); return Task<HttpResponseMessage>.Factory.StartNew(() => response); } }
static string JWToken() { var domain = "http://localhost"; var allowedAudience = "http://localhost:10100"; var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"; var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256"; var issuer = "PareidoliaSW"; var securityKey = Convert.FromBase64String(mainKey); var inMemKey = new InMemorySymmetricSecurityKey(securityKey); var now = DateTime.UtcNow; var expiry = now.AddHours(8); var tokenHandler = new JwtSecurityTokenHandler(); var claimsList = new List<Claim>() { new Claim(ClaimTypes.Webpage, allowedAudience), new Claim(ClaimTypes.Uri, domain), new Claim(ClaimTypes.Expiration,expiry.Ticks.ToString()), new Claim("scope", "WebBridge") }; //var roles = new List<string>() { "admin" }; //claimsList.AddRange(roles.Select(role => new Claim(ClaimTypes.Role, role))); //var identity = new GenericIdentity("user"); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(claimsList), TokenIssuerName = issuer, AppliesToAddress = allowedAudience, Lifetime = new Lifetime(now, expiry), SigningCredentials = new SigningCredentials(inMemKey, signatureAlgorithm, digestAlgorithm), }; var token = tokenHandler.WriteToken(tokenHandler.CreateToken(tokenDescriptor)); return token; }
public static TokenResult GetTestToken(IAsset MyAsset, CloudMediaContext _context, ContentKeyType? keytype = null, SigningCredentials signingcredentials = null, string optionid = null, bool displayUI = false) { TokenResult MyResult = new TokenResult(); /// WITH UI if (displayUI) { CreateTestToken form = new CreateTestToken(MyAsset, _context, keytype, optionid) { StartDate = DateTime.Now.AddMinutes(-5), EndDate = DateTime.Now.AddMinutes(Properties.Settings.Default.DefaultTokenDuration) }; if (form.ShowDialog() == DialogResult.OK) { if (form.GetOption != null) { string tokenTemplateString = form.GetOption.Restrictions.FirstOrDefault().Requirements; if (!string.IsNullOrEmpty(tokenTemplateString)) { Guid rawkey = EncryptionUtils.GetKeyIdAsGuid(form.GetContentKeyFromSelectedOption.Id); TokenRestrictionTemplate tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString); if (tokenTemplate.OpenIdConnectDiscoveryDocument == null) { MyResult.TokenType = tokenTemplate.TokenType; MyResult.IsTokenKeySymmetric = (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(SymmetricVerificationKey)); MyResult.ContentKeyType = form.GetContentKeyFromSelectedOption.ContentKeyType; if (tokenTemplate.TokenType == TokenType.SWT) //SWT { MyResult.TokenString = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawkey, form.EndDate); } else // JWT { IList<Claim> myclaims = null; myclaims = form.GetTokenRequiredClaims; if (form.PutContentKeyIdentifier) myclaims.Add(new Claim(TokenClaim.ContentKeyIdentifierClaimType, rawkey.ToString())); if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(SymmetricVerificationKey)) { InMemorySymmetricSecurityKey tokenSigningKey = new InMemorySymmetricSecurityKey((tokenTemplate.PrimaryVerificationKey as SymmetricVerificationKey).KeyValue); signingcredentials = new SigningCredentials(tokenSigningKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest); } else if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(X509CertTokenVerificationKey)) { X509Certificate2 cert = form.GetX509Certificate; if (cert != null) signingcredentials = new X509SigningCredentials(cert); } JwtSecurityToken token = new JwtSecurityToken(issuer: form.GetIssuerUri, audience: form.GetAudienceUri, notBefore: form.StartDate, expires: form.EndDate, signingCredentials: signingcredentials, claims: myclaims); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); MyResult.TokenString = handler.WriteToken(token); } } } } } } /////////////////////////////// NO UI else if (keytype != null) { IContentKey key = MyAsset.ContentKeys.Where(k => k.ContentKeyType == keytype).FirstOrDefault(); if (key != null && key.AuthorizationPolicyId != null) { IContentKeyAuthorizationPolicy policy = _context.ContentKeyAuthorizationPolicies.Where(p => p.Id == key.AuthorizationPolicyId).FirstOrDefault(); if (policy != null) { IContentKeyAuthorizationPolicyOption option = null; if (optionid == null) // user does not want a specific option { option = policy.Options.Where(o => (ContentKeyRestrictionType)o.Restrictions.FirstOrDefault().KeyRestrictionType == ContentKeyRestrictionType.TokenRestricted).FirstOrDefault(); } else { option = policy.Options.Where(o => o.Id == optionid).FirstOrDefault(); // user wants a token for a specific option } if (option != null) // && option.Restrictions.FirstOrDefault() != null && option.Restrictions.FirstOrDefault().KeyRestrictionType == (int)ContentKeyRestrictionType.TokenRestricted) { string tokenTemplateString = option.Restrictions.FirstOrDefault().Requirements; if (!string.IsNullOrEmpty(tokenTemplateString)) { Guid rawkey = EncryptionUtils.GetKeyIdAsGuid(key.Id); TokenRestrictionTemplate tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString); if (tokenTemplate.OpenIdConnectDiscoveryDocument == null) { MyResult.TokenType = tokenTemplate.TokenType; MyResult.IsTokenKeySymmetric = (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(SymmetricVerificationKey)); MyResult.ContentKeyType = (ContentKeyType)keytype; if (tokenTemplate.TokenType == TokenType.SWT) //SWT { MyResult.TokenString = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawkey, DateTime.Now.AddMinutes(Properties.Settings.Default.DefaultTokenDuration)); } else // JWT { List<Claim> myclaims = null; myclaims = new List<Claim>(); myclaims.Add(new Claim(TokenClaim.ContentKeyIdentifierClaimType, rawkey.ToString())); if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(SymmetricVerificationKey)) { InMemorySymmetricSecurityKey tokenSigningKey = new InMemorySymmetricSecurityKey((tokenTemplate.PrimaryVerificationKey as SymmetricVerificationKey).KeyValue); signingcredentials = new SigningCredentials(tokenSigningKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest); } else if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(X509CertTokenVerificationKey)) { if (signingcredentials == null) { X509Certificate2 cert = DynamicEncryption.GetCertificateFromFile(true); if (cert != null) signingcredentials = new X509SigningCredentials(cert); } } JwtSecurityToken token = new JwtSecurityToken(issuer: tokenTemplate.Issuer, audience: tokenTemplate.Audience, notBefore: DateTime.Now.AddMinutes(-5), expires: DateTime.Now.AddMinutes(Properties.Settings.Default.DefaultTokenDuration), signingCredentials: signingcredentials, claims: myclaims); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); MyResult.TokenString = handler.WriteToken(token); } } } } } } } return MyResult; }
public void GetSymmetricAlgorithmNullKey() { Key key = new Key(raw); Assert.IsNotNull(key.GetSymmetricAlgorithm(SecurityAlgorithms.Aes192Encryption)); }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { if (keyIdentifierClause == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); key = null; for (int i = 0; i < this.tokens.Count; ++i) { SecurityKey securityKey = this.tokens[i].ResolveKeyIdentifierClause(keyIdentifierClause); if (securityKey != null) { key = securityKey; return true; } } if (keyIdentifierClause is EncryptedKeyIdentifierClause) { EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier keyIdentifier = keyClause.EncryptingKeyIdentifier; if (keyIdentifier != null && keyIdentifier.Count > 0) { for (int i = 0; i < keyIdentifier.Count; i++) { SecurityKey unwrappingSecurityKey = null; if (TryResolveSecurityKey(keyIdentifier[i], out unwrappingSecurityKey)) { byte[] wrappedKey = keyClause.GetEncryptedKey(); string wrappingAlgorithm = keyClause.EncryptionMethod; byte[] unwrappedKey = unwrappingSecurityKey.DecryptKey(wrappingAlgorithm, wrappedKey); key = new InMemorySymmetricSecurityKey(unwrappedKey, false); return true; } } } } return key != null; }
XmlElement VerifyInput2 (MessageBuffer buf) { Message msg2 = buf.CreateMessage (); StringWriter sw = new StringWriter (); using (XmlDictionaryWriter w = XmlDictionaryWriter.CreateDictionaryWriter (XmlWriter.Create (sw))) { msg2.WriteMessage (w); } XmlDocument doc = new XmlDocument (); doc.PreserveWhitespace = true; doc.LoadXml (sw.ToString ()); // decrypt the key with service certificate privkey PaddingMode mode = PaddingMode.PKCS7; // not sure which is correct ... ANSIX923, ISO10126, PKCS7, Zeros, None. EncryptedXml encXml = new EncryptedXml (doc); encXml.Padding = mode; X509Certificate2 cert2 = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); XmlNamespaceManager nsmgr = new XmlNamespaceManager (doc.NameTable); nsmgr.AddNamespace ("s", "http://www.w3.org/2003/05/soap-envelope"); nsmgr.AddNamespace ("c", "http://schemas.xmlsoap.org/ws/2005/02/sc"); nsmgr.AddNamespace ("o", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"); nsmgr.AddNamespace ("e", "http://www.w3.org/2001/04/xmlenc#"); nsmgr.AddNamespace ("dsig", "http://www.w3.org/2000/09/xmldsig#"); XmlNode n = doc.SelectSingleNode ("//o:Security/e:EncryptedKey/e:CipherData/e:CipherValue", nsmgr); Assert.IsNotNull (n, "premise: enckey does not exist"); string raw = n.InnerText; byte [] rawbytes = Convert.FromBase64String (raw); RSACryptoServiceProvider rsa = (RSACryptoServiceProvider) cert2.PrivateKey; byte [] decryptedKey = EncryptedXml.DecryptKey (rawbytes, rsa, true);//rsa.Decrypt (rawbytes, true); #if false // create derived keys Dictionary<string,byte[]> keys = new Dictionary<string,byte[]> (); InMemorySymmetricSecurityKey skey = new InMemorySymmetricSecurityKey (decryptedKey); foreach (XmlElement el in doc.SelectNodes ("//o:Security/c:DerivedKeyToken", nsmgr)) { n = el.SelectSingleNode ("c:Offset", nsmgr); int offset = (n == null) ? 0 : int.Parse (n.InnerText, CultureInfo.InvariantCulture); n = el.SelectSingleNode ("c:Length", nsmgr); int length = (n == null) ? 32 : int.Parse (n.InnerText, CultureInfo.InvariantCulture); n = el.SelectSingleNode ("c:Label", nsmgr); byte [] label = (n == null) ? decryptedKey : Convert.FromBase64String (n.InnerText); n = el.SelectSingleNode ("c:Nonce", nsmgr); byte [] nonce = (n == null) ? new byte [0] : Convert.FromBase64String (n.InnerText); byte [] derkey = skey.GenerateDerivedKey ( //SecurityAlgorithms.Psha1KeyDerivation, "http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1", // FIXME: maybe due to the label, this key resolution somehow does not seem to work. label, nonce, length * 8, offset); keys [el.GetAttribute ("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd")] = derkey; } #endif // decrypt the signature with the decrypted key #if true n = doc.SelectSingleNode ("//o:Security/e:EncryptedData/e:CipherData/e:CipherValue", nsmgr); Assert.IsNotNull (n, "premise: encdata does not exist"); raw = n.InnerText; rawbytes = Convert.FromBase64String (raw); Rijndael aes = RijndaelManaged.Create (); // aes.Key = keys [n.SelectSingleNode ("../../dsig:KeyInfo/o:SecurityTokenReference/o:Reference/@URI", nsmgr).InnerText.Substring (1)]; aes.Key = decryptedKey; aes.Mode = CipherMode.CBC; aes.Padding = mode; MemoryStream ms = new MemoryStream (); CryptoStream cs = new CryptoStream (ms, aes.CreateDecryptor (), CryptoStreamMode.Write); cs.Write (rawbytes, 0, rawbytes.Length); cs.Close (); byte [] decryptedSignature = ms.ToArray (); #else Rijndael aes = RijndaelManaged.Create (); // aes.Key = keys [n.SelectSingleNode ("../../dsig:KeyInfo/o:SecurityTokenReference/o:Reference/@URI", nsmgr).InnerText.Substring (1)]; aes.Key = decryptedKey; aes.Mode = CipherMode.CBC; aes.Padding = mode; EncryptedData ed = new EncryptedData (); n = doc.SelectSingleNode ("//o:Security/e:EncryptedData", nsmgr); Assert.IsNotNull (n, "premise: encdata does not exist"); ed.LoadXml (n as XmlElement); byte [] decryptedSignature = encXml.DecryptData (ed, aes); #endif //Console.Error.WriteLine (Encoding.UTF8.GetString (decryptedSignature)); //Console.Error.WriteLine ("============= Decrypted Signature End ==========="); // decrypt the body with the decrypted key #if true n = doc.SelectSingleNode ("//s:Body/e:EncryptedData/e:CipherData/e:CipherValue", nsmgr); Assert.IsNotNull (n, "premise: encdata does not exist"); raw = n.InnerText; rawbytes = Convert.FromBase64String (raw); // aes.Key = keys [n.SelectSingleNode ("../../dsig:KeyInfo/o:SecurityTokenReference/o:Reference/@URI", nsmgr).InnerText.Substring (1)]; aes.Key = decryptedKey; ms = new MemoryStream (); cs = new CryptoStream (ms, aes.CreateDecryptor (), CryptoStreamMode.Write); cs.Write (rawbytes, 0, rawbytes.Length); cs.Close (); byte [] decryptedBody = ms.ToArray (); #else // decrypt the body with the decrypted key EncryptedData ed2 = new EncryptedData (); XmlElement el = doc.SelectSingleNode ("/s:Envelope/s:Body/e:EncryptedData", nsmgr) as XmlElement; ed2.LoadXml (el); // aes.Key = keys [n.SelectSingleNode ("../../dsig:KeyInfo/o:SecurityTokenReference/o:Reference/@URI", nsmgr).InnerText.Substring (1)]; aes.Key = decryptedKey; byte [] decryptedBody = encXml.DecryptData (ed2, aes); #endif //foreach (byte b in decryptedBody) Console.Error.Write ("{0:X02} ", b); Console.Error.WriteLine (Encoding.UTF8.GetString (decryptedBody)); Console.Error.WriteLine ("============= Decrypted Body End ==========="); // FIXME: find out what first 16 bytes mean. for (int mmm = 0; mmm < 16; mmm++) decryptedBody [mmm] = 0x20; doc.LoadXml (Encoding.UTF8.GetString (decryptedBody)); Assert.AreEqual ("RequestSecurityToken", doc.DocumentElement.LocalName, "#b-1"); Assert.AreEqual ("http://schemas.xmlsoap.org/ws/2005/02/trust", doc.DocumentElement.NamespaceURI, "#b-2"); return doc.DocumentElement; }
public void GetSymmetricAlgorithmWrongSizeDES() { Key key = new Key(new byte [32]); Assert.IsNotNull(key.GetSymmetricAlgorithm(SecurityAlgorithms.TripleDesKeyWrap)); }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } key = null; for (int i = 0; i < this.tokens.Count; i++) { SecurityKey key2 = this.tokens[i].ResolveKeyIdentifierClause(keyIdentifierClause); if (key2 != null) { key = key2; return true; } } if (keyIdentifierClause is EncryptedKeyIdentifierClause) { EncryptedKeyIdentifierClause clause = (EncryptedKeyIdentifierClause) keyIdentifierClause; SecurityKeyIdentifier encryptingKeyIdentifier = clause.EncryptingKeyIdentifier; if ((encryptingKeyIdentifier != null) && (encryptingKeyIdentifier.Count > 0)) { for (int j = 0; j < encryptingKeyIdentifier.Count; j++) { SecurityKey key3 = null; if (base.TryResolveSecurityKey(encryptingKeyIdentifier[j], out key3)) { byte[] encryptedKey = clause.GetEncryptedKey(); string encryptionMethod = clause.EncryptionMethod; byte[] symmetricKey = key3.DecryptKey(encryptionMethod, encryptedKey); key = new InMemorySymmetricSecurityKey(symmetricKey, false); return true; } } } } return (key != null); }
public ConfigurationBasedIssuerTokenResolver(XmlNodeList customConfiguration) { this.keys = new Dictionary<string, SecurityKey>(); if (customConfiguration == null) { throw new ArgumentNullException("customConfiguration"); } List<XmlElement> xmlElements = GetXmlElements(customConfiguration); if (xmlElements.Count != 1) { throw new InvalidOperationException("There should be only one xml element as the configuration of this class"); } XmlElement element = xmlElements[0]; if (!StringComparer.Ordinal.Equals(element.LocalName, "serviceKeys")) { throw new InvalidOperationException("The top element of the configuration should be named 'serviceKeys'"); } foreach (XmlNode node in element.ChildNodes) { XmlElement addRemoveNode = node as XmlElement; if (addRemoveNode != null) { if (StringComparer.Ordinal.Equals(addRemoveNode.LocalName, "add")) { XmlNode serviceNameNode = addRemoveNode.Attributes.GetNamedItem("serviceName"); XmlNode serviceKeyNode = addRemoveNode.Attributes.GetNamedItem("serviceKey"); if (((addRemoveNode.Attributes.Count != 2) || (serviceNameNode == null)) || ((serviceKeyNode == null) || string.IsNullOrEmpty(serviceKeyNode.Value))) { throw new InvalidOperationException("The <add> element is malformed. The right format is: <add serviceName=\"name\" serviceKey=\"base64Key\""); } string serviceName = serviceNameNode.Value.ToLowerInvariant(); string serviceKey = string.Intern(serviceKeyNode.Value); var serviceKeySecurityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(serviceKey)); this.keys.Add(serviceName, serviceKeySecurityKey); } else if (StringComparer.Ordinal.Equals(addRemoveNode.LocalName, "remove")) { if ((addRemoveNode.Attributes.Count != 1) || !StringComparer.Ordinal.Equals(addRemoveNode.Attributes[0].LocalName, "serviceName")) { throw new InvalidOperationException("The <remove> node should have a serviceName attribute"); } string serviceName = addRemoveNode.Attributes.GetNamedItem("serviceName").Value; this.keys.Remove(serviceName); } else { if (!StringComparer.Ordinal.Equals(addRemoveNode.LocalName, "clear")) { throw new InvalidOperationException(string.Format("Invalid element: {0}", addRemoveNode.LocalName)); } this.keys.Clear(); } } } }
/// <summary> /// Resolves the given SecurityKeyIdentifierClause to a SecurityKey. /// </summary> /// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve</param> /// <param name="key">The resolved SecurityKey.</param> /// <returns>True if successfully resolved.</returns> /// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception> protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } key = null; EncryptedKeyIdentifierClause encryptedKeyIdentifierClause = keyIdentifierClause as EncryptedKeyIdentifierClause; if (encryptedKeyIdentifierClause != null) { SecurityKeyIdentifier keyIdentifier = encryptedKeyIdentifierClause.EncryptingKeyIdentifier; if (keyIdentifier != null && keyIdentifier.Count > 0) { for (int i = 0; i < keyIdentifier.Count; i++) { SecurityKey unwrappingSecurityKey = null; if (TryResolveSecurityKey(keyIdentifier[i], out unwrappingSecurityKey)) { byte[] wrappedKey = encryptedKeyIdentifierClause.GetEncryptedKey(); string wrappingAlgorithm = encryptedKeyIdentifierClause.EncryptionMethod; byte[] unwrappedKey = unwrappingSecurityKey.DecryptKey(wrappingAlgorithm, wrappedKey); key = new InMemorySymmetricSecurityKey(unwrappedKey, false); return true; } } } } else { SecurityToken token = null; if (TryResolveToken(keyIdentifierClause, out token)) { if (token.SecurityKeys.Count > 0) { key = token.SecurityKeys[0]; return true; } } } return false; }