Exemplo n.º 1
0
        public void GetHashAlgorithmForSignatureFine()
        {
            X509AsymmetricSecurityKey k = new X509AsymmetricSecurityKey(cert);

            k.GetHashAlgorithmForSignature(SignedXml.XmlDsigRSASHA1Url);
            k.GetHashAlgorithmForSignature(SecurityAlgorithms.RsaSha256Signature);
        }
Exemplo n.º 2
0
        SamlSecurityToken GetSamlToken()
        {
            SamlAssertion a = new SamlAssertion();

            SamlSubject subject = new SamlSubject(
                SamlConstants.UserNameNamespace,
                "urn:myqualifier",
                "myname");
            SamlAttribute          attr      = new SamlAttribute(Claim.CreateNameClaim("myname"));
            SamlAttributeStatement statement =
                new SamlAttributeStatement(subject, new SamlAttribute [] { attr });

            a.Statements.Add(statement);
            a.Issuer = "my_hero";

            X509Certificate2          cert = new X509Certificate2(TestResourceHelper.GetFullPathOfResource("Test/Resources/test.pfx"), "mono");
            X509AsymmetricSecurityKey key  =
                new X509AsymmetricSecurityKey(cert);

            a.SigningCredentials =
                new SigningCredentials(key,
                                       SecurityAlgorithms.HmacSha1Signature,
                                       SecurityAlgorithms.Sha256Digest);
            XmlDocument doc = new XmlDocument();
            XmlWriter   w   = doc.CreateNavigator().AppendChild();

            using (XmlDictionaryWriter dw = XmlDictionaryWriter.CreateDictionaryWriter(w)) {
                a.WriteXml(dw, new SamlSerializer(), new MySecurityTokenSerializer());
            }
            Console.Error.WriteLine(doc.OuterXml);
            return(new SamlSecurityToken(a));
        }
Exemplo n.º 3
0
        public byte[] SignWithCertificate(string message, X509Certificate2 certificate)
        {
            if (certificate.PublicKey.Key.KeySize < ClientAssertionCertificate.MinKeySizeInBits)
            {
                throw new ArgumentOutOfRangeException("rawData",
                                                      string.Format(CultureInfo.InvariantCulture, AdalErrorMessage.CertificateKeySizeTooSmallTemplate, ClientAssertionCertificate.MinKeySizeInBits));
            }

            X509AsymmetricSecurityKey x509Key = new X509AsymmetricSecurityKey(certificate);
            RSACryptoServiceProvider  rsa     = x509Key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, true) as RSACryptoServiceProvider;

            RSACryptoServiceProvider newRsa = null;

            try
            {
                newRsa = GetCryptoProviderForSha256(rsa);
                using (SHA256Cng sha = new SHA256Cng())
                {
                    return(newRsa.SignData(Encoding.UTF8.GetBytes(message), sha));
                }
            }
            finally
            {
                if (newRsa != null && !ReferenceEquals(rsa, newRsa))
                {
                    newRsa.Dispose();
                }
            }
        }
        private static bool Matches(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey key, CertMatcher certMatcher, out SecurityToken token)
        {
            token = null;
            if (certMatcher != null)
            {
                X509SecurityKey x509Key = key as X509SecurityKey;
                if (x509Key != null)
                {
                    if (certMatcher(x509Key.Certificate))
                    {
                        token = new X509SecurityToken(x509Key.Certificate);
                        return(true);
                    }
                }
                else
                {
                    X509AsymmetricSecurityKey x509AsymmKey = key as X509AsymmetricSecurityKey;
                    if (x509AsymmKey != null)
                    {
                        X509Certificate2 cert = _certFieldInfo.GetValue(x509AsymmKey) as X509Certificate2;
                        if (cert != null && certMatcher(cert))
                        {
                            token = new X509SecurityToken(cert);
                            return(true);
                        }
                    }
                }
            }

            return(false);
        }
Exemplo n.º 5
0
        public void IsAsymmetricAlgorithm()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);

            Assert.IsTrue(key.IsAsymmetricAlgorithm(EncryptedXml.XmlEncRSA15Url), "#1");
            Assert.IsTrue(key.IsAsymmetricAlgorithm(SignedXml.XmlDsigDSAUrl), "#2");               // It is asymmetric but not supported.
            Assert.IsFalse(key.IsAsymmetricAlgorithm(SignedXml.XmlDsigHMACSHA1Url), "#3");
        }
Exemplo n.º 6
0
        private static X509AsymmetricSecurityKey GetSecurityKey()
        {
            var certificate = new X509Certificate2(
                HttpContext.Current.Server.MapPath(ConfigurationManager.AppSettings[CertificatePath]),
                ConfigurationManager.AppSettings[CertificatePassword]);
            var securityKey = new X509AsymmetricSecurityKey(certificate);

            return(securityKey);
        }
Exemplo n.º 7
0
        private static void SignSamlAssertion(SamlAssertion assertion)
        {
            var certificate2 = GetCertificateFromStore(System.Configuration.ConfigurationManager.AppSettings["TokenSigningCeritificate"]);
            var securityKey  = new X509AsymmetricSecurityKey(certificate2);

            assertion.SigningCredentials = new SigningCredentials(
                securityKey,
                SecurityAlgorithms.RsaSha1Signature,
                SecurityAlgorithms.Sha1Digest,
                new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(certificate2)));
        }
Exemplo n.º 8
0
        public Saml2Signer(X509Certificate2 certificate, string signatureAlgorithm = null)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException(nameof(certificate));
            }

            Certificate        = certificate;
            Key                = new X509AsymmetricSecurityKey(certificate);
            SignatureAlgorithm = signatureAlgorithm;
        }
Exemplo n.º 9
0
        public void GetAsymmetricAlgorithm()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);
            string name             = EncryptedXml.XmlEncRSA15Url;
            AsymmetricAlgorithm alg = key.GetAsymmetricAlgorithm(name, false);

            Assert.IsNotNull(alg, "#1");
            alg = key.GetAsymmetricAlgorithm(name, true);
            Assert.IsNotNull(alg, "#2");

            key = new X509AsymmetricSecurityKey(cert2);
            alg = key.GetAsymmetricAlgorithm(name, false);
            Assert.IsNotNull(alg, "#3");
        }
Exemplo n.º 10
0
        private static void SignSamlAssertion(SamlAssertion assertion)
        {
            var certificate2 = GetCertificateFromStore(StoreLocation.CurrentUser, DateTime.Now, "CN=SamlTokenSigningCertificate");

            if (certificate2 != null)
            {
                var securityKey = new X509AsymmetricSecurityKey(certificate2);
                assertion.SigningCredentials = new SigningCredentials(
                    securityKey,
                    SecurityAlgorithms.RsaSha1Signature,
                    SecurityAlgorithms.Sha1Digest,
                    new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(certificate2)));
            }
        }
        public byte[] SignWithCertificate(string message, X509Certificate2 certificate)
        {
            if (certificate.PublicKey.Key.KeySize < ClientAssertionCertificate.MinKeySizeInBits)
            {
                throw new ArgumentOutOfRangeException(nameof(certificate),
                                                      string.Format(CultureInfo.InvariantCulture, AdalErrorMessage.CertificateKeySizeTooSmallTemplate,
                                                                    ClientAssertionCertificate.MinKeySizeInBits));
            }

            byte[] messageBytes = Encoding.UTF8.GetBytes(message);
            var    x509Key      = new X509AsymmetricSecurityKey(certificate);

            RSA rsa = x509Key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, true) as RSA;

            RSACryptoServiceProvider newRsa = null;

            try
            {
                if (rsa is RSACryptoServiceProvider cspRsa)
                {
                    // For .NET 4.6 and below we get the old RSACryptoServiceProvider implementation as the default.
                    // Try and get an instance of RSACryptoServiceProvider which supports SHA256
                    newRsa = GetCryptoProviderForSha256(cspRsa);

                    using (var sha = new SHA256Cng())
                    {
                        return(newRsa.SignData(messageBytes, sha));
                    }
                }
                else
                {
                    CngKey key = GetCngPrivateKey(certificate);
                    using (RSACng rsaCng = new RSACng(key))
                    {
                        rsaCng.SignatureHashAlgorithm = CngAlgorithm.Sha256;
                        return(rsaCng.SignData(messageBytes));
                    }
                }
            }
            finally
            {
                // We only want to dispose of the 'newRsa' instance if it is a *different instance*
                // from the original one that was used to create it.
                if (newRsa != null && !ReferenceEquals(rsa, newRsa))
                {
                    newRsa.Dispose();
                }
            }
        }
        /// <inheritdoc />
        public byte[] SignWithCertificate(string message, X509Certificate2 certificate)
        {
            if (certificate.PublicKey.Key.KeySize < ClientAssertionCertificateWrapper.MinKeySizeInBits)
            {
                throw new ArgumentOutOfRangeException(nameof(certificate),
                                                      string.Format(CultureInfo.InvariantCulture, MsalErrorMessage.CertificateKeySizeTooSmallTemplate,
                                                                    ClientAssertionCertificateWrapper.MinKeySizeInBits));
            }

            byte[] messageBytes = Encoding.UTF8.GetBytes(message);
            var    x509Key      = new X509AsymmetricSecurityKey(certificate);

            RSA rsa = x509Key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, true) as RSA;

            RSACryptoServiceProvider newRsa = null;

            try
            {
                if (rsa is RSACryptoServiceProvider cspRsa)
                {
                    // For .NET 4.6 and below we get the old RSACryptoServiceProvider implementation as the default.
                    // Try and get an instance of RSACryptoServiceProvider which supports SHA256
                    newRsa = GetCryptoProviderForSha256(cspRsa);
                }
                else
                {
                    // For .NET Framework 4.7 and onwards the RSACng implementation is the default.
                    // Since we're targeting .NET Framework 4.5, we cannot actually use this type as it was
                    // only introduced with .NET Framework 4.6.
                    // Instead we try and create an RSACryptoServiceProvider based on the private key from the
                    // certificate.
                    newRsa = GetCryptoProviderForSha256(certificate);
                }

                using (var sha = new SHA256Cng())
                {
                    return(newRsa.SignData(messageBytes, sha));
                }
            }
            finally
            {
                // We only want to dispose of the 'newRsa' instance if it is a *different instance*
                // from the original one that was used to create it.
                if (newRsa != null && !ReferenceEquals(rsa, newRsa))
                {
                    newRsa.Dispose();
                }
            }
        }
Exemplo n.º 13
0
        /// <summary>
        /// Validate whether the unsigned value is same as signed value
        /// </summary>
        /// <param name="uval">
        /// The raw input of the string signed using the key
        /// </param>
        /// <param name="sval">
        /// The signature of the string
        /// </param>
        /// <param name="certthumb">
        /// The thumbprint of cert used to encrypt token
        /// </param>
        /// <returns>
        /// True if same, false otherwise.
        /// </returns>
        private static bool ValidateSig(byte[] uval, byte[] sval, byte[] certthumb)
        {
            try {
                bool ret = false;

                X509Certificate2[] certx509     = GetEncodingCert();
                string             certthumbhex = string.Empty;

                // Get the hexadecimail representation of the certthumbprint
                for (int i = 0; i < certthumb.Length; i++)
                {
                    certthumbhex += certthumb[i].ToString("X2");
                }

                for (int c = 0; c < certx509.Length; c++)
                {
                    // Skip any cert that does not have the same thumbprint as token
                    if (certx509[c].Thumbprint.ToLower() != certthumbhex.ToLower())
                    {
                        continue;
                    }
                    X509SecurityToken tok = new X509SecurityToken(certx509[c]);
                    if (tok == null)
                    {
                        return(false);
                    }
                    for (int i = 0; i < tok.SecurityKeys.Count; i++)
                    {
                        X509AsymmetricSecurityKey key = tok.SecurityKeys[i] as X509AsymmetricSecurityKey;
                        RSACryptoServiceProvider  rsa = key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, false) as RSACryptoServiceProvider;

                        if (rsa == null)
                        {
                            continue;
                        }
                        ret = rsa.VerifyData(uval, hash, sval);
                        if (ret == true)
                        {
                            return(ret);
                        }
                    }
                }
                return(ret);
            } catch (CryptographicException e) {
                Console.WriteLine(e.ToStringDescriptive());
                return(false);
            }
        }
Exemplo n.º 14
0
        public IHttpActionResult Get()
        {
            SecurityKey issuerSigningKey = null;

            // You can utilize MetadataSerializer class to read signing key from AD federation metadata
            MetadataSerializer serializer = new MetadataSerializer();

            serializer.CertificateValidationMode = X509CertificateValidationMode.None;
            var metaData = serializer.ReadMetadata(new XmlTextReader(metadataUri));

            issuerSigningKey = metaData.SigningCredentials.SigningKey;



            ////Or you can mannually parse metadata if you want to persist signing key in your service store and use it later
            XPathDocument       xmlReader = new XPathDocument(metadataUri);
            XPathNavigator      navigator = xmlReader.CreateNavigator();
            XmlNamespaceManager manager   = new XmlNamespaceManager(navigator.NameTable);

            manager.AddNamespace("", "urn:oasis:names:tc:SAML:2.0:metadata");
            manager.AddNamespace("ns1", "urn:oasis:names:tc:SAML:2.0:metadata");
            manager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
            manager.PushScope();
            XPathNodeIterator nodes = navigator.Select("//ns1:EntityDescriptor/ns1:RoleDescriptor/ns1:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", manager);

            nodes.MoveNext();
            XPathNavigator nodesNavigator = nodes.Current;

            //Cert body is base64 encoded in metadata doc
            X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(nodesNavigator.InnerXml));

            issuerSigningKey = new X509AsymmetricSecurityKey(cert);



            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            var validationParameters        = new TokenValidationParameters
            {
                IssuerSigningKey = issuerSigningKey,
                ValidAudience    = audience,
                ValidateIssuer   = false,
                ValidateLifetime = true,
            };
            SecurityToken validated;

            handler.ValidateToken(this.Request.Headers.Authorization.Parameter, validationParameters, out validated);
            return(Ok(Order.CreateOrders()));
        }
Exemplo n.º 15
0
        protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
        {
            key = null;
            var kn = keyIdentifierClause as X509RawDataKeyIdentifierClause;

            if (kn == null)
            {
                return(false);
            }
            var cert = new X509Certificate2(kn.GetX509RawData());

            if (cert == null)
            {
                return(false);
            }
            key = new X509AsymmetricSecurityKey(cert);
            return(key != null);
        }
        /// <summary>
        /// Sign the data with the X509Certificate
        /// </summary>
        /// <param name="signingCertificate">Signing certificate.</param>
        /// <param name="data">Data to be signed.</param>
        /// <returns>RSA SHA 256 Signature</returns>
        public static byte[] SignData(X509Certificate2 signingCertificate, string data)
        {
            X509AsymmetricSecurityKey securityKey = new X509AsymmetricSecurityKey(signingCertificate);

            RSACryptoServiceProvider rsa =
                securityKey.GetAsymmetricAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", true)
                as RSACryptoServiceProvider;

            if (!signingCertificate.HasPrivateKey)
            {
                throw new ArgumentException(string.Format(
                                                "Private key is not found in the certificate: {0}",
                                                signingCertificate.Subject));
            }

            if (rsa != null)
            {
                rsa.FromXmlString(signingCertificate.PrivateKey.ToXmlString(true));

                if (rsa.CspKeyContainerInfo.ProviderType != 24)
                {
                    System.Security.Cryptography.CspParameters cspParameters =
                        new System.Security.Cryptography.CspParameters
                    {
                        ProviderType     = 24,
                        KeyContainerName = rsa.CspKeyContainerInfo.KeyContainerName,
                        KeyNumber        = (int)rsa.CspKeyContainerInfo.KeyNumber
                    };

                    if (rsa.CspKeyContainerInfo.MachineKeyStore)
                    {
                        cspParameters.Flags = CspProviderFlags.UseMachineKeyStore;
                    }

                    rsa = new System.Security.Cryptography.RSACryptoServiceProvider(cspParameters);
                }
            }

            HashAlgorithm hashAlgo = System.Security.Cryptography.SHA256.Create();

            byte[] signatureInBytes = rsa.SignData(Encoding.UTF8.GetBytes(data), hashAlgo);

            return(signatureInBytes);
        }
Exemplo n.º 17
0
        private static SigningCredentials GenerateSigningCredentials()
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

            store.Open(OpenFlags.ReadOnly);
            var x509Certificate2 = store.Certificates.Find(X509FindType.FindByThumbprint, "4443BE13F1B67C4D2733FFBF100E4F114B08FFBF", false).OfType <X509Certificate2>().FirstOrDefault();

            // Both signatures work
            var signingToken           = new X509AsymmetricSecurityKey(x509Certificate2);
            var securityKeyIdentifier1 = new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(x509Certificate2));
            var signingCredentials1    = new SigningCredentials(signingToken, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest, securityKeyIdentifier1);

            //RSACryptoServiceProvider rsa = x509Certificate2.PrivateKey as RSACryptoServiceProvider;
            //RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
            //X509RawDataKeyIdentifierClause x509RawClause = new X509RawDataKeyIdentifierClause(x509Certificate2);
            //SecurityKeyIdentifier securityKeyIdentifier2 = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { x509RawClause });
            //SigningCredentials signingCredentials2 = new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, securityKeyIdentifier2);

            return(signingCredentials1);
        }
Exemplo n.º 18
0
        public static string GetAssertion(
            string issuer, string subject, string certLocation, string certPassword,
            Dictionary <string, string> attributes)
        {
            // Create certificate from file. It must contain private key!
            X509Certificate2 cert = new X509Certificate2(certLocation, certPassword);

            // The private key contained in the certificate will be used to sign the token.
            X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);

            SecurityKeyIdentifier ski = new SecurityKeyIdentifier(new
                                                                  X509ThumbprintKeyIdentifierClause(cert));

            SamlAssertion assertion =
                SamlHelper.CreateSamlAssertion(issuer, subject, subject, attributes);

            assertion.SigningCredentials = new
                                           SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature,
                                                              SecurityAlgorithms.Sha1Digest, ski);
            return(SamlHelper.SerializeToken(assertion));
        }
        public byte[] Sign(byte[] input)
        {
            X509Certificate2 x509Certificate2 = new X509Certificate2(
                Convert.FromBase64String(Keys.DefaultX509Data_2048),
                Keys.CertPassword,
                X509KeyStorageFlags.MachineKeySet);

            X509AsymmetricSecurityKey signSecurityKey = new X509AsymmetricSecurityKey(x509Certificate2);

            var algorithm = SecurityAlgorithms.RsaSha256Signature;

            var hash = signSecurityKey.GetHashAlgorithmForSignature(algorithm);

            var formatter = signSecurityKey.GetSignatureFormatter(algorithm);

            formatter.SetHashAlgorithm(hash.GetType().ToString());

            var sig = formatter.CreateSignature(hash.ComputeHash(input));

            return(sig);
        }
Exemplo n.º 20
0
        public static SamlSecurityToken CreateSamlToken(string issuedBy, string subject, string attrNamespace, Dictionary <string, string> claims, string certThumbPrint)
        {
            SamlAssertion assertion = new SamlAssertion();

            assertion.AssertionId = string.Format("icfi_{0}", Guid.NewGuid().ToString());
            assertion.Issuer      = issuedBy;

            SamlSubject subj = new SamlSubject();

            subj.Name = subject;

            SamlAttributeStatement samlAttrStatement = new SamlAttributeStatement();

            foreach (string claimKey in claims.Keys)
            {
                SamlAttribute attr = new SamlAttribute();
                attr.Namespace = attrNamespace;
                attr.AttributeValues.Add(claims[claimKey]);
                samlAttrStatement.Attributes.Add(attr);
            }
            samlAttrStatement.SamlSubject = subj;

            assertion.Statements.Add(samlAttrStatement);

            X509Certificate2 cert = GetCertificate(certThumbPrint);

            X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);

            assertion.SigningCredentials = new SigningCredentials(
                signingKey,
                cert.PublicKey.Key.SignatureAlgorithm,
                SecurityAlgorithms.Sha1Digest,
                new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(cert)));

            SamlSecurityToken samlToken = new SamlSecurityToken(assertion);

            return(samlToken);
        }
        public bool Verify(byte[] input, byte[] sig)
        {
            X509Certificate2 x509Certificate2 = new X509Certificate2(
                Convert.FromBase64String(Keys.DefaultX509Data_2048),
                Keys.CertPassword,
                X509KeyStorageFlags.MachineKeySet);

            var publicKey = x509Certificate2.Export(X509ContentType.Cert);

            X509Certificate2 cert = new X509Certificate2(publicKey);

            X509AsymmetricSecurityKey securityKey = new X509AsymmetricSecurityKey(cert);

            var algorithm = SecurityAlgorithms.RsaSha256Signature;

            var hash = securityKey.GetHashAlgorithmForSignature(algorithm);

            var deformatter = securityKey.GetSignatureDeformatter(algorithm);

            deformatter.SetHashAlgorithm(hash.GetType().ToString());

            return(deformatter.VerifySignature(hash.ComputeHash(input), sig));
        }
        public static byte[] SignWithCertificate(string message, X509Certificate2 x509Certificate)
        {
            X509AsymmetricSecurityKey x509Key = new X509AsymmetricSecurityKey(x509Certificate);
            RSACryptoServiceProvider  rsa     = x509Key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, true) as RSACryptoServiceProvider;

            RSACryptoServiceProvider newRsa = null;

            try
            {
                newRsa = GetCryptoProviderForSha256(rsa);
                using (SHA256 sha = SHA256.Create())
                {
                    return(newRsa.SignData(Encoding.UTF8.GetBytes(message), sha));
                }
            }
            finally
            {
                if (newRsa != null && !object.ReferenceEquals(rsa, newRsa))
                {
                    newRsa.Dispose();
                }
            }
        }
Exemplo n.º 23
0
        public static Saml2SecurityToken CreateSaml2Token(string issuedBy, string subject, Dictionary <string, string> claimValues, string certThumbPrint)
        {
            Trace.TraceInformation("Entering CreateSaml2Token with issuedBy '{0}', subject '{1}', and thumbprint '{2}'", issuedBy, subject, certThumbPrint);

            Saml2Assertion assertion = new Saml2Assertion(new Saml2NameIdentifier(issuedBy));

            assertion.Id = new Saml2Id(string.Format("icfi_{0}", Guid.NewGuid().ToString()));
            //assertion.Issuer = new Saml2NameIdentifier(issuedBy);

            Saml2Subject subj = new Saml2Subject();

            subj.NameId       = new Saml2NameIdentifier(subject);
            assertion.Subject = subj;

            Saml2AttributeStatement samlAttrStatement = new Saml2AttributeStatement();

            foreach (string claimKey in claimValues.Keys)
            {
                samlAttrStatement.Attributes.Add(new Saml2Attribute(claimKey, claimValues[claimKey]));
            }
            assertion.Statements.Add(samlAttrStatement);

            X509Certificate2 cert = GetCertificate(certThumbPrint);

            X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);

            assertion.SigningCredentials = new SigningCredentials(
                signingKey,
                cert.PublicKey.Key.SignatureAlgorithm,
                SecurityAlgorithms.Sha1Digest,
                new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(cert)));

            Saml2SecurityToken samlToken = new Saml2SecurityToken(assertion);

            return(samlToken);
        }
Exemplo n.º 24
0
        private static bool AreSecurityKeysEqual(SecurityKey securityKey1, SecurityKey securityKey2, CompareContext context)
        {
            if (context.IgnoreType && (securityKey1.GetType() != securityKey2.GetType()))
            {
                return(false);
            }

            // Check X509SecurityKey first so we don't have to use reflection to get cert.
            X509SecurityKey x509Key1 = securityKey1 as X509SecurityKey;

            if (x509Key1 != null)
            {
                X509SecurityKey x509Key2 = securityKey2 as X509SecurityKey;
                if (x509Key1.Certificate.Thumbprint == x509Key2.Certificate.Thumbprint)
                {
                    return(true);
                }

                return(false);
            }

            X509AsymmetricSecurityKey x509AsymmKey1 = securityKey1 as X509AsymmetricSecurityKey;

            if (x509AsymmKey1 != null)
            {
                X509AsymmetricSecurityKey x509AsymmKey2 = securityKey2 as X509AsymmetricSecurityKey;
                X509Certificate2          x509Cert1     = TestUtilities.GetField(x509AsymmKey1, "certificate") as X509Certificate2;
                X509Certificate2          x509Cert2     = TestUtilities.GetField(x509AsymmKey2, "certificate") as X509Certificate2;
                if (x509Cert1 == null && x509Cert2 == null)
                {
                    return(true);
                }

                if (x509Cert1 == null || x509Cert2 == null)
                {
                    return(false);
                }

                if (x509Cert1.Thumbprint != x509Cert2.Thumbprint)
                {
                    return(false);
                }
            }

            SymmetricSecurityKey symKey1 = securityKey1 as SymmetricSecurityKey;

            if (symKey1 != null)
            {
                SymmetricSecurityKey symKey2 = securityKey2 as SymmetricSecurityKey;
                if (!AreBytesEqual(symKey1.GetSymmetricKey(), symKey2.GetSymmetricKey()))
                {
                    return(false);
                }
            }

            RsaSecurityKey rsaKey = securityKey1 as RsaSecurityKey;

            if (rsaKey != null)
            {
                RSA rsa1 = (rsaKey.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, false)) as RSA;
                RSA rsa2 = ((securityKey2 as RsaSecurityKey).GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, false)) as RSA;

                if (!string.Equals(rsa1.ToXmlString(false), rsa2.ToXmlString(false), StringComparison.Ordinal))
                {
                    return(false);
                }
            }

            return(true);
        }
Exemplo n.º 25
0
        [Category("NotDotNet")]          // buggy FormatException occurs instead
        public void GetAsymmetricAlgorithmHMACSHA1()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);

            key.GetAsymmetricAlgorithm(SignedXml.XmlDsigHMACSHA1Url, false);
        }
Exemplo n.º 26
0
 public void GetAsymmetricAlgorithmDSA()
 {
     X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);
     AsymmetricAlgorithm       alg = key.GetAsymmetricAlgorithm(SignedXml.XmlDsigDSAUrl, false);
 }
Exemplo n.º 27
0
        [Category("NotDotNet")]          // buggy FormatException occurs instead
        public void GetAsymmetricAlgorithmNullAlgName()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);

            key.GetAsymmetricAlgorithm(null, false);
        }
Exemplo n.º 28
0
        public void GetAsymmetricAlgorithmWhereNoPrivKey()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert2);

            key.GetAsymmetricAlgorithm(EncryptedXml.XmlEncRSA15Url, true);
        }
        // Get the access token via straight http post request doing client credential flow
        private async Task <String> GetAppOnlyAccessTokenWithHttpRequest(string resource, string tenantId)
        {
            /**
             * use the tenant specific endpoint for requesting the app-only access token
             */
            string tokenIssueEndpoint = appConfig.TokenIssueingUri.Replace("common", tenantId);

            /**
             * sign the assertion with the private key
             */
            string           certfile = Server.MapPath(appConfig.ClientCertificatePfx);
            X509Certificate2 cert     = new X509Certificate2(
                certfile,
                appConfig.ClientCertificatePfxPassword,
                X509KeyStorageFlags.MachineKeySet);

            /**
             * Example building assertion using Json Tokenhandler.
             * Sort of cheating, but just if someone wonders ... there are always more ways to do something :-)
             */
            Dictionary <string, string> claims = new Dictionary <string, string>()
            {
                { "sub", appConfig.ClientId },
                { "jti", Guid.NewGuid().ToString() },
            };

            JwtSecurityTokenHandler tokenHandler       = new JwtSecurityTokenHandler();
            X509SigningCredentials  signingCredentials = new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);

            JwtSecurityToken selfSignedToken = new JwtSecurityToken(
                appConfig.ClientId,
                tokenIssueEndpoint,
                claims.Select(c => new Claim(c.Key, c.Value)),
                DateTime.UtcNow,
                DateTime.UtcNow.Add(TimeSpan.FromMinutes(15)),
                signingCredentials);

            string signedAssertion = tokenHandler.WriteToken(selfSignedToken);

            //---- End example with Json Tokenhandler... now to the fun part doing it all ourselves ...

            /**
             * Example building assertion from scratch with Crypto APIs
             */
            JObject clientAssertion = new JObject();

            clientAssertion.Add("aud", tokenIssueEndpoint);
            clientAssertion.Add("iss", appConfig.ClientId);
            clientAssertion.Add("sub", appConfig.ClientId);
            clientAssertion.Add("jti", Guid.NewGuid().ToString());
            clientAssertion.Add("nbf", WebConvert.EpocTime(DateTime.UtcNow + TimeSpan.FromMinutes(-5)));
            clientAssertion.Add("exp", WebConvert.EpocTime(DateTime.UtcNow + TimeSpan.FromMinutes(15)));

            string assertionPayload = clientAssertion.ToString(Newtonsoft.Json.Formatting.None);

            X509AsymmetricSecurityKey x509Key = new X509AsymmetricSecurityKey(cert);
            RSACryptoServiceProvider  rsa     = x509Key.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, true) as RSACryptoServiceProvider;
            RSACryptoServiceProvider  newRsa  = GetCryptoProviderForSha256(rsa);
            SHA256Cng sha = new SHA256Cng();

            JObject header     = new JObject(new JProperty("alg", "RS256"));
            string  thumbprint = WebConvert.Base64UrlEncoded(WebConvert.HexStringToBytes(cert.Thumbprint));

            header.Add(new JProperty("x5t", thumbprint));

            string encodedHeader  = WebConvert.Base64UrlEncoded(header.ToString());
            string encodedPayload = WebConvert.Base64UrlEncoded(assertionPayload);

            string signingInput = String.Concat(encodedHeader, ".", encodedPayload);

            byte[] signature = newRsa.SignData(Encoding.UTF8.GetBytes(signingInput), sha);

            signedAssertion = string.Format("{0}.{1}.{2}",
                                            encodedHeader,
                                            encodedPayload,
                                            WebConvert.Base64UrlEncoded(signature));

            /**
             * build the request payload
             */
            FormUrlEncodedContent tokenRequestForm;

            tokenRequestForm = new FormUrlEncodedContent(
                new[] {
                new KeyValuePair <string, string>("resource", appConfig.ExchangeResourceUri),
                new KeyValuePair <string, string>("client_id", appConfig.ClientId),
                new KeyValuePair <string, string>("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
                new KeyValuePair <string, string>("client_assertion", signedAssertion),
                new KeyValuePair <string, string>("grant_type", "client_credentials"),
            }
                );

            /*
             * Do the web request
             */
            HttpClient client = new HttpClient();

            Task <string> requestString  = tokenRequestForm.ReadAsStringAsync();
            StringContent requestContent = new StringContent(requestString.Result);

            requestContent.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
            requestContent.Headers.Add("client-request-id", System.Guid.NewGuid().ToString());
            requestContent.Headers.Add("return-client-request-id", "true");
            requestContent.Headers.Add("UserAgent", "MatthiasLeibmannsAppOnlyAppSampleBeta/0.1");

            HttpResponseMessage response       = client.PostAsync(tokenIssueEndpoint, requestContent).Result;
            JObject             jsonResponse   = JObject.Parse(response.Content.ReadAsStringAsync().Result);
            JsonSerializer      jsonSerializer = new JsonSerializer();

            if (response.IsSuccessStatusCode == true)
            {
                AADClientCredentialSuccessResponse s = (AADClientCredentialSuccessResponse)jsonSerializer.Deserialize(new JTokenReader(jsonResponse), typeof(AADClientCredentialSuccessResponse));
                return(s.access_token);
            }

            AADClientCredentialErrorResponse e = (AADClientCredentialErrorResponse)jsonSerializer.Deserialize(new JTokenReader(jsonResponse), typeof(AADClientCredentialErrorResponse));

            throw new Exception(e.error_description);
        }
Exemplo n.º 30
0
        // huh?
        //[ExpectedException (typeof (ArgumentNullException))]
        public void IsSupportedAlgorithmNullAlgName()
        {
            X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey(cert);

            Assert.IsFalse(key.IsSupportedAlgorithm(null));
        }