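 /// <summary>
 /// Verifies the XML signature on the assertion and, unless disabled, that the signing
 /// certificate is trusted and not revoked.
 /// </summary>
 /// <param name="federation">Federation whose STS certificate must have produced the signature; may be null,
 /// in which case trust is established against <paramref name="vault"/> (see <see cref="SignatureUtil.Validate"/>).</param>
 /// <param name="vault">Vault holding the trusted certificates.</param>
 /// <param name="checkTrust">Whether to verify trust and revocation. A "CheckTrust" appSetting, when present,
 /// takes precedence over this argument.</param>
 /// <exception cref="ModelException">Thrown when the authentication level does not carry a signature, the assertion is
 /// not initialised, the assertion is unsigned, or the signature cannot be validated.</exception>
 private void InternalValidateSignature(Federation.Federation federation, ICredentialVault vault, bool checkTrust = true)
 {
     if (AuthenticationLevel.Level < AuthenticationLevel.VocesTrustedSystem.Level)
     {
         throw new ModelException("AuthenticationLevel does not support signature");
     }
     if (Xassertion == null)
     {
         throw new ModelException("Assertion not initialized");
     }
     if (!SealUtilities.CheckAssertionSignature(Xassertion))
     {
         throw new ModelException("IDCard is not signed!");
     }
     // Deployment switch: when the key is present, any value other than "true" disables
     // both the trust check and the CRL check below. Ordinal comparison avoids culture-specific casing.
     if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckTrust"))
     {
         checkTrust = string.Equals(ConfigurationManager.AppSettings["CheckTrust"], "true", StringComparison.OrdinalIgnoreCase);
     }
     if (!checkTrust)
     {
         return;
     }
     // Revocation checking stays on unless "CheckCrl" is explicitly set to something other than "true".
     var checkCrl = true;
     if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckCrl"))
     {
         checkCrl = string.Equals(ConfigurationManager.AppSettings["CheckCrl"], "true", StringComparison.OrdinalIgnoreCase);
     }
     // Check that the signing certificate is trusted (federation STS or vault) and that no certificate in the chain is revoked.
     if (!SignatureUtil.Validate(Xassertion, federation, vault, checkTrust, checkCrl))
     {
         throw new ModelException("Signature on IdCard could not be validated");
     }
 }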
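        /// <summary>
        /// Signs the assertion with the system credentials from <paramref name="signingVault"/> and
        /// replaces the backing DOM with the signed XML.
        /// </summary>
        /// <param name="signingVault">Vault supplying the signing credentials; must not be null.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="signingVault"/> is null.</exception>
        public void Sign(ICredentialVault signingVault)
        {
            // Fail early with a clear parameter name instead of a NullReferenceException from GetSystemCredentials().
            if (signingVault == null)
            {
                throw new ArgumentNullException("signingVault");
            }
            var signer    = new SealSignedXml(XAssertion);
            var signedXml = signer.SignAssertion(signingVault.GetSystemCredentials(), XAssertion.Attribute(SamlAttributes.Id).Value);

            // NOTE(review): whitespace is preserved presumably so re-serialisation does not alter the signed bytes — confirm.
            dom = XElement.Parse(signedXml.OuterXml, LoadOptions.PreserveWhitespace);
        }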
 /// <summary>
 /// Constructs an <see cref="MsaAuthenticationProvider"/> whose credential cache is loaded from and
 /// saved to <paramref name="credentialVault"/>.
 /// </summary>
 /// <param name="clientId">Forwarded to the chained constructor.</param>
 /// <param name="clientSecret">Forwarded to the chained constructor.</param>
 /// <param name="returnUrl">Forwarded to the chained constructor.</param>
 /// <param name="scopes">Forwarded to the chained constructor.</param>
 /// <param name="credentialCache">Forwarded to the chained constructor.</param>
 /// <param name="credentialVault">Optional vault. When null, no cache access hooks are installed.</param>
 public MsaAuthenticationProvider(
     string clientId,
     string clientSecret,
     string returnUrl,
     string[] scopes,
     CredentialCache credentialCache,
     ICredentialVault credentialVault)
     : this(clientId, clientSecret, returnUrl, scopes, credentialCache)
 {
     if (credentialVault == null)
     {
         return;
     }

     // Before each access, hydrate the cache from the vault and mark it as clean.
     this.CredentialCache.BeforeAccess = args =>
     {
         credentialVault.RetrieveCredentialCache(args.CredentialCache);
         args.CredentialCache.HasStateChanged = false;
     };

     // After each access, write the cache back only if something changed.
     this.CredentialCache.AfterAccess = args =>
     {
         if (!args.CredentialCache.HasStateChanged)
         {
             return;
         }
         credentialVault.AddCredentialCacheToVault(args.CredentialCache);
     };
 }
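        /// <summary>
        /// Checks the signature on the <see cref="OioSamlAssertion"/>.
        /// </summary>
        /// <remarks>
        /// Trust and revocation checks are off unless the "CheckTrust" / "CheckCrl" appSettings are set to "true";
        /// without them only the signature itself and its coverage of the assertion root are verified.
        /// </remarks>
        /// <param name="vault">The <see cref="ICredentialVault"/> containing trusted certificates used to check trust for the <see cref="OioSamlAssertion"/>.</param>
        /// <exception cref="ModelException">Thrown when the assertion is unsigned, the signature does not reference the
        /// assertion element, or the signature fails validation.</exception>
        public void ValidateSignatureAndTrust(ICredentialVault vault)
        {
            var signatureElement = dom.Element(DsTags.Signature.Ns + DsTags.Signature.TagName);

            if (signatureElement == null)
            {
                throw new ModelException("OIOSAMLAssertion is not signed");
            }
            // The signature must cover the assertion root itself, not just some nested element.
            var referencedSignedElements = SignatureUtil.DereferenceSignedElements(signatureElement, dom);

            if (!referencedSignedElements.Contains(dom))
            {
                throw new ModelException("OIOSAMLAssertion element is not referenced by contained signature");
            }
            // Ordinal comparison avoids culture-specific casing rules when reading the switches.
            var checkTrust = false;

            if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckTrust"))
            {
                checkTrust = string.Equals(ConfigurationManager.AppSettings["CheckTrust"], "true", StringComparison.OrdinalIgnoreCase);
            }
            var checkCrl = false;

            if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckCrl"))
            {
                checkCrl = string.Equals(ConfigurationManager.AppSettings["CheckCrl"], "true", StringComparison.OrdinalIgnoreCase);
            }

            // No federation: when trust is checked, it is checked against the vault.
            if (!SignatureUtil.Validate(dom, null, vault, checkTrust, checkCrl))
            {
                throw new ModelException("Signature on OIOSAMLAssertion is invalid");
            }
        }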
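 /// <summary>
 /// Creates a signature provider that keeps the given vault in <c>Vault</c>.
 /// </summary>
 /// <param name="vault">Vault to use; must not be null.</param>
 /// <exception cref="ArgumentNullException">Thrown when <paramref name="vault"/> is null.</exception>
 public CredentialVaultSignatureProvider(ICredentialVault vault)
 {
     // ArgumentNullException derives from ArgumentException, so existing catch blocks still match.
     if (vault == null)
     {
         throw new ArgumentNullException("vault", "CredentialVault cannot be null");
     }
     Vault = vault;
 }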
 /// <summary>
 /// Stores the document and message to build from, then initialises the SOAP structure.
 /// </summary>
 /// <param name="document">Target document.</param>
 /// <param name="message">Message to build into the document.</param>
 /// <param name="vault">Currently unused by this constructor.</param>
 protected SoapMessageDomBuilder(XDocument document, Message message, ICredentialVault vault)
 {
     this.message  = message;
     this.document = document;

     InitializeSoap();
 }
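        /// <summary>
        /// Checks the signature on the <see cref="OioWsTrustRequest"/> and whether the signing certificate is trusted.
        /// </summary>
        /// <remarks>
        /// Trust and revocation checks are off unless the "CheckTrust" / "CheckCrl" appSettings are set to "true";
        /// without them only the signature itself is verified.
        /// </remarks>
        /// <param name="vault">The CredentialVault containing trusted certificates used to check trust for the <see cref="OioWsTrustRequest"/>.</param>
        /// <exception cref="ModelBuildException">Thrown when the signature fails validation.</exception>
        public void ValidateSignatureAndTrust(ICredentialVault vault)
        {
            // Ordinal comparison avoids culture-specific casing rules when reading the switches.
            var checkTrust = false;

            if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckTrust"))
            {
                checkTrust = string.Equals(ConfigurationManager.AppSettings["CheckTrust"], "true", StringComparison.OrdinalIgnoreCase);
            }
            var checkCrl = false;

            if (ConfigurationManager.AppSettings.AllKeys.Contains("CheckCrl"))
            {
                checkCrl = string.Equals(ConfigurationManager.AppSettings["CheckCrl"], "true", StringComparison.OrdinalIgnoreCase);
            }

            // No federation: when trust is checked, it is checked against the vault.
            if (!SignatureUtil.Validate(dom, null, vault, checkTrust, checkCrl))
            {
                throw new ModelBuildException("Liberty signature could not be validated");
            }
        }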
 /// <summary>
 /// Validates the signature against <paramref name="trustVault"/> without a federation, with trust checking at its default.
 /// </summary>
 /// <param name="trustVault">Vault holding the trusted certificates.</param>
 public void ValidateSignatureAndTrust(ICredentialVault trustVault)
 {
     InternalValidateSignature(federation: null, vault: trustVault);
 }
        /// <summary>
        /// Locates the ds:Signature inside <paramref name="signatureToValidate"/>, optionally checks the signing
        /// certificate's validity period, trust and revocation status, and finally verifies the signature itself.
        /// </summary>
        /// <param name="signatureToValidate">Element containing the signature (SOAP envelope, SAML assertion, or any element holding a ds:Signature).</param>
        /// <param name="federation">When non-null, the certificate must be a valid STS certificate of this federation.</param>
        /// <param name="vault">When <paramref name="federation"/> is null, the certificate must be trusted by this vault.</param>
        /// <param name="checkForTrustedCertificates">Whether to perform the trust check at all.</param>
        /// <param name="checkRevoked">Whether to perform the CRL revocation check.</param>
        /// <returns>False when no signature is found, the certificate is outside its validity period, or the signature does not verify; true otherwise.</returns>
        /// <exception cref="ModelException">Thrown when the input is not an element, the certificate is not trusted, or it is revoked.</exception>
        private static bool InternalValidate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkForTrustedCertificates, bool checkRevoked)
        {
            if (signatureToValidate.NodeType != XmlNodeType.Element)
            {
                throw new ModelException("The signature to validate must be a ds:Signature Element!");
            }

            // Copy into an XmlDocument so XPath lookups can be made; XmlDocument can also expose signed elements by ID during verification.
            var xml = new XmlDocument();

            xml.Load(signatureToValidate.CreateReader());

            // Locate the signature: SOAP header first, then a SAML assertion, then any ds:Signature anywhere.
            bool isAssertion = false;
            var  nsManager   = NameSpaces.MakeNsManager(xml.NameTable);
            var  sig         = xml.SelectSingleNode("/soap:Envelope/soap:Header/wsse:Security/ds:Signature", nsManager) as XmlElement;

            if (sig == null)
            {
                sig         = xml.SelectSingleNode("/saml:Assertion/ds:Signature", nsManager) as XmlElement;
                isAssertion = true;
                if (sig == null)
                {
                    // Generic fallback: the first ds:Signature in document order is treated as an assertion signature.
                    sig         = xml.GetElementsByTagName("Signature", NameSpaces.ds)[0] as XmlElement;
                    isAssertion = true;
                }
            }
            if (sig == null)
            {
                // No signature present: reported as "not valid" rather than thrown.
                return(false);
            }
            var signature = new Signature();

            sig = MakeSignatureCheckSamlCompliant(sig);
            signature.LoadXml(sig);
            // Certificate taken from the signature's own KeyInfo (i.e. supplied by the sender). It is null when KeyInfo
            // carries no X509Data; an X509Data with an empty certificate list would throw on Certificates[0].
            var cert = signature.KeyInfo.Cast <KeyInfoX509Data>().Select(d => d.Certificates[0] as X509Certificate2).FirstOrDefault(c => c != null);

            // Validity-period check is on unless the "CheckDate" appSetting is explicitly "false".
            if (!ConfigurationManager.AppSettings.AllKeys.Contains("CheckDate") || !ConfigurationManager.AppSettings["CheckDate"].ToLower().Equals("false"))
            {
                //check if certificate is expired or cannot be used yet
                // NOTE(review): cert may be null here; how CheckDates treats null is not visible in this file — confirm.
                if (!CheckDates(cert))
                {
                    return(false);
                }
            }


            //Check that the certificate used for validation is trusted. If a Federation has been specified
            //the signature must have been created by the STS. If no federation is specified, the
            //certificate must be trusted in the CredentialVault.
            // With neither a federation nor a vault, 'trusted' stays false and the check fails closed.
            if (checkForTrustedCertificates)
            {
                var trusted = false;
                if (federation != null)
                {
                    trusted = federation.IsValidSTSCertificate(cert);
                }
                else if (vault != null)
                {
                    trusted = vault.IsTrustedCertificate(cert);
                }
                if (!trusted)
                {
                    throw new ModelException("The certificate that signed the security token is not trusted!");
                }
            }
            // check the certificates CRL if the certificate is revoked
            if (checkRevoked)
            {
                CrlCertificateStatusChecker crlChecker = new CrlCertificateStatusChecker();
                var isValid = crlChecker.GetRevocationStatus(cert).IsValid;
                if (!isValid)
                {
                    throw new ModelException("The certificate or one in its certificate chain has been revoked!");
                }
            }

            // check if xml is actually signed with key sent in message
            // NOTE(review): trust above was decided on the KeyInfo certificate; this step is what ties that certificate to
            // the signed bytes, assuming SealSignedXml verifies against the same KeyInfo — confirm in SealSignedXml.
            var signed = new SealSignedXml(signatureToValidate);

            if (isAssertion)
            {
                return(signed.CheckAssertionSignature());
            }
            return(signed.CheckEnvelopeSignature());
        }
 /// <summary>
 /// Validates the signature inside <paramref name="signatureToValidate"/>; see <see cref="InternalValidate"/> for the rules applied.
 /// </summary>
 /// <param name="signatureToValidate">Element containing the ds:Signature.</param>
 /// <param name="federation">Federation whose STS must have signed, or null to trust via <paramref name="vault"/>.</param>
 /// <param name="vault">Vault with trusted certificates.</param>
 /// <param name="checkTrust">Whether the signing certificate must be trusted.</param>
 /// <param name="checkRevoked">Whether the signing certificate is checked against its CRL.</param>
 /// <returns>True when the signature verifies under the requested checks.</returns>
 public static bool Validate(XElement signatureToValidate, Federation.Federation federation, ICredentialVault vault, bool checkTrust, bool checkRevoked)
 {
     var isValid = InternalValidate(
         signatureToValidate,
         federation,
         vault,
         checkForTrustedCertificates: checkTrust,
         checkRevoked: checkRevoked);
     return isValid;
 }
 /// <summary>
 /// Constructs an <see cref="MsaAuthenticationProvider"/> without a client secret and without a pre-existing credential cache.
 /// </summary>
 /// <param name="clientId">Application client id.</param>
 /// <param name="returnUrl">Redirect URL handed to the chained constructor.</param>
 /// <param name="scopes">Requested scopes.</param>
 /// <param name="credentialVault">Vault used to persist the credential cache; may be null.</param>
 public MsaAuthenticationProvider(string clientId, string returnUrl, string[] scopes, ICredentialVault credentialVault)
     : this(clientId, clientSecret: null, returnUrl: returnUrl, scopes: scopes, credentialCache: null, credentialVault: credentialVault)
 {
 }
 /// <summary>
 /// Drops the vault references created by <c>Init</c> so nothing leaks between tests.
 /// </summary>
 public void TearDown()
 {
     vocesVault = mocesVault = null;
 }
 /// <summary>
 /// Creates the factory under test and the two credential vaults (VOCES and default) used by the tests.
 /// </summary>
 public void Init()
 {
     factory = new OIOSAMLFactory();

     // Vault setup is independent of the factory, so order does not matter.
     vocesVault = CredentialVaultTestUtil.GetVocesCredentialVault();
     mocesVault = CredentialVaultTestUtil.GetCredentialVault();
 }