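/// <summary>
/// Verifies that the assertion is signed and, unless trust checking is switched off, that the
/// signing certificate is trusted and not revoked.
/// </summary>
/// <param name="federation">The federation whose STS must have signed the assertion; may be <c>null</c>, in which case trust is decided by <paramref name="vault"/>.</param>
/// <param name="vault">The vault holding the trusted certificates.</param>
/// <param name="checkTrust">Whether trust and revocation are checked. Overridden by the "CheckTrust" app setting when that setting holds a parsable boolean.</param>
/// <exception cref="ModelException">The authentication level does not support signatures, the assertion is missing or unsigned, or the signature could not be validated.</exception>
private void InternalValidateSignature(Federation.Federation federation, ICredentialVault vault, bool checkTrust = true)
{
    if (AuthenticationLevel.Level < AuthenticationLevel.VocesTrustedSystem.Level)
    {
        throw new ModelException("AuthenticationLevel does not support signature");
    }

    if (Xassertion == null)
    {
        throw new ModelException("Assertion not initialized");
    }

    if (!SealUtilities.CheckAssertionSignature(Xassertion))
    {
        throw new ModelException("IDCard is not signed!");
    }

    // The "CheckTrust" app setting overrides the caller's choice. Only a value that parses as a
    // boolean is honoured (bool.TryParse is ordinal and culture-invariant, unlike ToLower()), so a
    // malformed or absent setting neither enables nor silently disables the trust check.
    bool configuredCheckTrust;
    if (bool.TryParse(ConfigurationManager.AppSettings["CheckTrust"], out configuredCheckTrust))
    {
        checkTrust = configuredCheckTrust;
    }

    // Note: when checkTrust is false the SignatureUtil.Validate call below is skipped entirely,
    // so the certificate date and CRL checks performed inside it are skipped as well.
    if (checkTrust)
    {
        // Revocation checking stays on unless "CheckCrl" is explicitly configured to a false value.
        bool checkCrl;
        if (!bool.TryParse(ConfigurationManager.AppSettings["CheckCrl"], out checkCrl))
        {
            checkCrl = true;
        }

        // Check that the signing certificate is trusted (by the federation's STS, or by the vault)
        // and that no certificate in its chain is revoked.
        if (!SignatureUtil.Validate(Xassertion, federation, vault, checkTrust, checkCrl))
        {
            throw new ModelException("Signature on IdCard could not be validated");
        }
    }
}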
/// <summary>
/// Signs the assertion with the system credentials taken from <paramref name="signingVault"/>
/// and replaces the backing DOM with the signed XML.
/// </summary>
/// <param name="signingVault">The vault whose system credentials are used for signing.</param>
public void Sign(ICredentialVault signingVault)
{
    var signer = new SealSignedXml(XAssertion);
    var credentials = signingVault.GetSystemCredentials();
    var assertionId = XAssertion.Attribute(SamlAttributes.Id).Value;

    var signedAssertion = signer.SignAssertion(credentials, assertionId);

    // Re-parse the signed document into the backing DOM; whitespace is preserved,
    // presumably so the signed byte sequence is not altered.
    dom = XElement.Parse(signedAssertion.OuterXml, LoadOptions.PreserveWhitespace);
}
/// <summary>
/// Constructs an <see cref="MsaAuthenticationProvider"/> whose credential cache is loaded from and
/// persisted to <paramref name="credentialVault"/>.
/// </summary>
/// <param name="clientId">Passed through to the chained constructor.</param>
/// <param name="clientSecret">Passed through to the chained constructor.</param>
/// <param name="returnUrl">Passed through to the chained constructor.</param>
/// <param name="scopes">Passed through to the chained constructor.</param>
/// <param name="credentialCache">Passed through to the chained constructor.</param>
/// <param name="credentialVault">The vault backing the credential cache; when <c>null</c>, no cache hooks are installed.</param>
public MsaAuthenticationProvider(
    string clientId,
    string clientSecret,
    string returnUrl,
    string[] scopes,
    CredentialCache credentialCache,
    ICredentialVault credentialVault)
    : this(clientId, clientSecret, returnUrl, scopes, credentialCache)
{
    if (credentialVault == null)
    {
        return;
    }

    // Before the cache is read, hydrate it from the vault and mark it as clean.
    this.CredentialCache.BeforeAccess = cacheArgs =>
    {
        credentialVault.RetrieveCredentialCache(cacheArgs.CredentialCache);
        cacheArgs.CredentialCache.HasStateChanged = false;
    };

    // After access, write the cache back only when something actually changed.
    this.CredentialCache.AfterAccess = cacheArgs =>
    {
        if (!cacheArgs.CredentialCache.HasStateChanged)
        {
            return;
        }

        credentialVault.AddCredentialCacheToVault(cacheArgs.CredentialCache);
    };
}
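/// <summary>
/// Checks the signature on the <see cref="OioSamlAssertion"/> and, when enabled through
/// configuration, that the signing certificate is trusted and not revoked.
/// </summary>
/// <param name="vault">The <see cref="ICredentialVault"/> containing trusted certificates used to check trust for the <see cref="OioSamlAssertion"/>.</param>
/// <exception cref="ModelException">The assertion is unsigned, the signature does not reference the assertion element, or the signature fails validation.</exception>
public void ValidateSignatureAndTrust(ICredentialVault vault)
{
    var signatureElement = dom.Element(DsTags.Signature.Ns + DsTags.Signature.TagName);
    if (signatureElement == null)
    {
        throw new ModelException("OIOSAMLAssertion is not signed");
    }

    // The signature must cover the assertion element itself, not merely some descendant.
    List<XElement> referencedSignedElements = SignatureUtil.DereferenceSignedElements(signatureElement, dom);
    if (!referencedSignedElements.Contains(dom))
    {
        throw new ModelException("OIOSAMLAssertion element is not referenced by contained signature");
    }

    // Both checks default to OFF: they run only when the app setting is present and parses as true.
    // bool.TryParse is ordinal and culture-invariant (unlike ToLower()) and leaves the flag false
    // for an absent or malformed value.
    bool checkTrust;
    bool.TryParse(ConfigurationManager.AppSettings["CheckTrust"], out checkTrust);

    bool checkCrl;
    bool.TryParse(ConfigurationManager.AppSettings["CheckCrl"], out checkCrl);

    // No federation: trust, when checked, is decided by the vault alone.
    if (!SignatureUtil.Validate(dom, null, vault, checkTrust, checkCrl))
    {
        throw new ModelException("Signature on OIOSAMLAssertion is invalid");
    }
}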
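/// <summary>
/// Creates a signature provider backed by <paramref name="vault"/>.
/// </summary>
/// <param name="vault">The credential vault the provider draws on; must not be <c>null</c>.</param>
/// <exception cref="ArgumentNullException"><paramref name="vault"/> is <c>null</c>.</exception>
public CredentialVaultSignatureProvider(ICredentialVault vault)
{
    // ArgumentNullException is the specific exception for this case; it derives from
    // ArgumentException, so callers catching the old type still match.
    if (vault == null)
    {
        throw new ArgumentNullException("vault", "CredentialVault cannot be null");
    }

    Vault = vault;
}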
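/// <summary>
/// Initializes the builder with the document and message it operates on, then builds the SOAP skeleton.
/// </summary>
/// <param name="document">The document the SOAP DOM is built into.</param>
/// <param name="message">The message this builder operates on.</param>
/// <param name="vault">Currently unused. NOTE(review): earlier code created a signature provider from it here; confirm whether that is still intended before relying on this parameter.</param>
protected SoapMessageDomBuilder(XDocument document, Message message, ICredentialVault vault)
{
    this.document = document;
    this.message = message;
    InitializeSoap();
}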
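/// <summary>
/// Checks the signature on the <see cref="OioWsTrustRequest"/> and, when enabled through
/// configuration, whether the signing certificate is trusted and not revoked.
/// </summary>
/// <param name="vault">The CredentialVault containing trusted certificates used to check trust for the <see cref="OioWsTrustRequest"/>.</param>
/// <exception cref="ModelBuildException">The signature could not be validated.</exception>
public void ValidateSignatureAndTrust(ICredentialVault vault)
{
    // Both checks default to OFF: they run only when the app setting is present and parses as true.
    // bool.TryParse is ordinal and culture-invariant (unlike ToLower()) and leaves the flag false
    // for an absent or malformed value.
    bool checkTrust;
    bool.TryParse(ConfigurationManager.AppSettings["CheckTrust"], out checkTrust);

    bool checkCrl;
    bool.TryParse(ConfigurationManager.AppSettings["CheckCrl"], out checkCrl);

    // No federation: trust, when checked, is decided by the vault alone.
    if (!SignatureUtil.Validate(dom, null, vault, checkTrust, checkCrl))
    {
        throw new ModelBuildException("Liberty signature could not be validated");
    }
}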
/// <summary>
/// Validates the signature and checks that the signing certificate is trusted by
/// <paramref name="trustVault"/>; no federation is involved.
/// </summary>
/// <param name="trustVault">The vault holding the trusted certificates.</param>
public void ValidateSignatureAndTrust(ICredentialVault trustVault)
{
    // A null federation makes the vault the sole source of trust.
    InternalValidateSignature(null, trustVault);
}
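/// <summary>
/// Locates the ds:Signature inside <paramref name="signatureToValidate"/>, checks the embedded
/// signing certificate (validity dates, trust and revocation, each as requested) and finally
/// verifies the XML signature itself.
/// </summary>
/// <param name="signatureToValidate">The SOAP envelope or SAML assertion element carrying the signature.</param>
/// <param name="federation">When non-null, the signing certificate must be a valid STS certificate of this federation.</param>
/// <param name="vault">When <paramref name="federation"/> is <c>null</c>, the signing certificate must be trusted by this vault.</param>
/// <param name="checkForTrustedCertificates">Whether the trust check runs.</param>
/// <param name="checkRevoked">Whether the CRL revocation check runs.</param>
/// <returns>
/// <c>true</c> when the signature verifies; <c>false</c> when no signature is found, the
/// certificate is missing while a certificate-based check is requested, the certificate dates
/// are invalid, or the cryptographic check fails.
/// </returns>
/// <exception cref="ModelException">The element is not an XML element, or the certificate is untrusted or revoked.</exception>
private static bool InternalValidate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkForTrustedCertificates, bool checkRevoked)
{
    if (signatureToValidate.NodeType != XmlNodeType.Element)
    {
        throw new ModelException("The signature to validate must be a ds:Signature Element!");
    }

    var xml = new XmlDocument();
    xml.Load(signatureToValidate.CreateReader());

    var nsManager = NameSpaces.MakeNsManager(xml.NameTable);

    // Look for the signature in the SOAP security header first; otherwise treat the input as an
    // assertion and look under saml:Assertion, falling back to any ds:Signature in the document.
    // (XmlNodeList's indexer returns null rather than throwing when the list is empty.)
    var isAssertion = false;
    var sig = xml.SelectSingleNode("/soap:Envelope/soap:Header/wsse:Security/ds:Signature", nsManager) as XmlElement;
    if (sig == null)
    {
        isAssertion = true;
        sig = (xml.SelectSingleNode("/saml:Assertion/ds:Signature", nsManager) as XmlElement)
              ?? (xml.GetElementsByTagName("Signature", NameSpaces.ds)[0] as XmlElement);
    }

    if (sig == null)
    {
        return false;
    }

    var signature = new Signature();
    signature.LoadXml(MakeSignatureCheckSamlCompliant(sig));

    // Pick the first X509 certificate embedded in KeyInfo. OfType (rather than Cast) skips
    // non-X509Data clauses instead of throwing InvalidCastException, and an X509Data clause
    // without certificates is skipped instead of indexing past the end of an empty list.
    var cert = signature.KeyInfo
        .OfType<KeyInfoX509Data>()
        .Where(d => d.Certificates != null && d.Certificates.Count > 0)
        .Select(d => d.Certificates[0] as X509Certificate2)
        .FirstOrDefault(c => c != null);

    // The certificate date check runs unless "CheckDate" is explicitly configured to false.
    // bool.TryParse is ordinal and culture-invariant; an absent or malformed value keeps the check on.
    bool checkDate;
    if (!bool.TryParse(ConfigurationManager.AppSettings["CheckDate"], out checkDate))
    {
        checkDate = true;
    }

    // Every certificate-based check below needs the embedded certificate; report failure
    // explicitly rather than passing null into the date, trust or CRL checks.
    if (cert == null && (checkDate || checkForTrustedCertificates || checkRevoked))
    {
        return false;
    }

    // Expired, or not yet valid.
    if (checkDate && !CheckDates(cert))
    {
        return false;
    }

    // Check that the certificate used for validation is trusted. If a federation has been
    // specified the signature must have been created by the STS; otherwise the certificate must
    // be trusted in the credential vault. With neither available nothing is trusted.
    if (checkForTrustedCertificates)
    {
        var trusted = false;
        if (federation != null)
        {
            trusted = federation.IsValidSTSCertificate(cert);
        }
        else if (vault != null)
        {
            trusted = vault.IsTrustedCertificate(cert);
        }

        if (!trusted)
        {
            throw new ModelException("The certificate that signed the security token is not trusted!");
        }
    }

    // Revocation: the certificate, or one in its chain, must not be listed on a CRL.
    if (checkRevoked)
    {
        var crlChecker = new CrlCertificateStatusChecker();
        if (!crlChecker.GetRevocationStatus(cert).IsValid)
        {
            throw new ModelException("The certificate or one in its certificate chain has been revoked!");
        }
    }

    // Finally check that the XML is actually signed with the key sent in the message.
    var signed = new SealSignedXml(signatureToValidate);
    return isAssertion ? signed.CheckAssertionSignature() : signed.CheckEnvelopeSignature();
}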
/// <summary>
/// Validates the signature carried by <paramref name="signatureToValidate"/>, optionally checking
/// that the signing certificate is trusted and not revoked.
/// </summary>
/// <param name="signatureToValidate">The signed element to validate.</param>
/// <param name="federation">The federation whose STS must have signed the element, or <c>null</c> to rely on <paramref name="vault"/>.</param>
/// <param name="vault">The vault holding trusted certificates.</param>
/// <param name="checkTrust">Whether the signing certificate's trust is checked.</param>
/// <param name="checkRevoked">Whether the signing certificate's revocation status is checked.</param>
/// <returns>The result of the underlying validation.</returns>
public static bool Validate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkTrust, bool checkRevoked)
{
    // Thin public entry point over the private implementation.
    var isValid = InternalValidate(signatureToValidate, federation, vault, checkTrust, checkRevoked);
    return isValid;
}
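/// <summary>
/// Constructs an <see cref="MsaAuthenticationProvider"/> without a client secret or an explicit
/// credential cache, backed by <paramref name="credentialVault"/>.
/// </summary>
/// <param name="clientId">Passed through to the chained constructor.</param>
/// <param name="returnUrl">Passed through to the chained constructor.</param>
/// <param name="scopes">Passed through to the chained constructor.</param>
/// <param name="credentialVault">The vault backing the credential cache; passed through to the chained constructor.</param>
public MsaAuthenticationProvider(string clientId, string returnUrl, string[] scopes, ICredentialVault credentialVault)
    : this(clientId, /*clientSecret*/ null, returnUrl, scopes, /* credentialCache */ null, credentialVault)
{
}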
/// <summary>
/// Releases the vaults created in <c>Init</c> so nothing leaks between tests.
/// </summary>
public void TearDown()
{
    // Drop both references; the fields are re-created by Init before the next test.
    vocesVault = null;
    mocesVault = null;
}
/// <summary>
/// Prepares the per-test fixtures: a VOCES vault, a MOCES vault and a fresh OIOSAML factory.
/// </summary>
public void Init()
{
    // Order is kept as-is: the vault helpers are created before the factory.
    vocesVault = CredentialVaultTestUtil.GetVocesCredentialVault();
    mocesVault = CredentialVaultTestUtil.GetCredentialVault();

    factory = new OIOSAMLFactory();
}