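/// <summary>
/// Gets the identity provider's signing keys that may be trusted for signature validation.
/// </summary>
/// <param name="keys">The key descriptors taken from the identity provider's metadata.</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>
/// The public keys extracted from <paramref name="keys"/>. A key carried in X.509 data is only
/// returned when its certificate passes <c>CertificateSatisfiesSpecifications</c>; clauses that
/// carry no X.509 data are returned without that check.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="keys"/> is <c>null</c>.</exception>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    // Validate eagerly: inside an iterator block the null check would only run on the first MoveNext().
    if (keys == null)
    {
        throw new ArgumentNullException(nameof(keys));
    }

    return EnumerateTrustedSigners(keys, identityProvider);
}

/// <summary>
/// Lazily yields the trusted signing keys; <paramref name="keys"/> has already been validated by the caller.
/// </summary>
/// <param name="keys">The key descriptors to inspect (not <c>null</c>).</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>The keys that pass the certificate specifications, or carry no certificate to check.</returns>
private static IEnumerable<AsymmetricAlgorithm> EnumerateTrustedSigners(IEnumerable<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    foreach (var item in keys.SelectMany(k => k.KeyInfo.Items))
    {
        var clause = item as KeyInfoClause;

        // X.509 data may arrive either as the clause itself or wrapped in a typed KeyInfoClause<T>.
        var x509Data = clause as KeyInfoX509Data
            ?? (item as KeyInfoClause<KeyInfoX509Data>)?.GetKeyInfoClause();

        if (x509Data != null)
        {
            var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
            if (!CertificateSatisfiesSpecifications(identityProvider, cert))
            {
                // Certificate rejected by the identity provider's specifications: its key is not trusted.
                continue;
            }
        }

        // NOTE(review): an item that is neither kind of clause reaches ExtractKey as null — confirm how ExtractKey handles that.
        yield return XmlSignatureUtils.ExtractKey(x509Data ?? clause);
    }
}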
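/// <summary>
/// Gets the identity provider's signing keys that may be trusted for signature validation.
/// </summary>
/// <param name="keys">The key descriptors taken from the identity provider's metadata.</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>
/// The public keys extracted from <paramref name="keys"/>, materialized as a list. A key carried in
/// <see cref="KeyInfoX509Data"/> is only included when its certificate passes
/// <c>CertificateSatisfiesSpecifications</c>; other clause kinds are included without that check.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="keys"/> is <c>null</c>.</exception>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    if (keys == null)
    {
        throw new ArgumentNullException(nameof(keys));
    }

    // Sized by descriptor count as a lower bound; each descriptor may contribute several clauses.
    var result = new List<AsymmetricAlgorithm>(keys.Count);
    foreach (var keyDescriptor in keys)
    {
        foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
        {
            var x509Data = clause as KeyInfoX509Data;
            if (x509Data != null)
            {
                var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
                if (!CertificateSatisfiesSpecifications(identityProvider, cert))
                {
                    // Certificate rejected by the identity provider's specifications: its key is not trusted.
                    continue;
                }
            }

            result.Add(XmlSignatureUtils.ExtractKey(clause));
        }
    }

    return result;
}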
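/// <summary>
/// Gets the signing keys published for <paramref name="ep"/> that pass its certificate specifications.
/// </summary>
/// <param name="keys">The key descriptors taken from the identity provider's metadata.</param>
/// <param name="ep">The identity provider endpoint whose specifications are applied.</param>
/// <returns>
/// The public keys extracted from <paramref name="keys"/>, materialized as a list. A key carried in
/// <see cref="KeyInfoX509Data"/> is only included when its certificate passes
/// <c>IsSatisfiedByAllSpecifications</c>; other clause kinds are included without that check.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="keys"/> is <c>null</c>.</exception>
internal static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IDPEndPoint ep)
{
    if (keys == null)
    {
        throw new ArgumentNullException(nameof(keys));
    }

    // Sized by descriptor count as a lower bound; each descriptor may contribute several clauses.
    var result = new List<AsymmetricAlgorithm>(keys.Count);
    foreach (KeyDescriptor keyDescriptor in keys)
    {
        var keyInfo = (KeyInfo)keyDescriptor.KeyInfo;
        foreach (KeyInfoClause clause in keyInfo)
        {
            var x509Data = clause as KeyInfoX509Data;
            if (x509Data != null)
            {
                X509Certificate2 cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
                if (!IsSatisfiedByAllSpecifications(ep, cert))
                {
                    // Certificate rejected by the endpoint's specifications: its key is not trusted.
                    continue;
                }
            }

            result.Add(XmlSignatureUtils.ExtractKey(clause));
        }
    }

    return result;
}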
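/// <summary>
/// Gets the identity provider's signing keys that may be trusted for signature validation.
/// </summary>
/// <param name="keys">The key descriptors taken from the identity provider's metadata.</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>
/// The public keys found in <paramref name="keys"/>, in two passes: first the certificates held as raw
/// bytes in serialized <c>X509Data</c> items, then the <see cref="KeyInfoClause"/> items. A certificate-backed
/// key is only returned when the certificate passes <c>CertificateSatisfiesSpecifications</c>; clauses that
/// carry no X.509 data are returned without that check.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="keys"/> is <c>null</c>.</exception>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    // Validate eagerly: inside an iterator block the null check would only run on the first MoveNext().
    if (keys == null)
    {
        throw new ArgumentNullException(nameof(keys));
    }

    return EnumerateTrustedSigners(keys, identityProvider);
}

/// <summary>
/// Lazily yields the trusted signing keys; <paramref name="keys"/> has already been validated by the caller.
/// </summary>
/// <param name="keys">The key descriptors to inspect (not <c>null</c>).</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>The keys that pass the certificate specifications, or carry no certificate to check.</returns>
private static IEnumerable<AsymmetricAlgorithm> EnumerateTrustedSigners(IEnumerable<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    // Pass 1: certificates stored as raw DER bytes inside serialized X509Data elements.
    var certificateBlobs = keys.SelectMany(x => x.KeyInfo.Items)
        .OfType<X509Data>()
        .SelectMany(x => x.Items)
        .OfType<byte[]>()
        .ToList();

    foreach (var blob in certificateBlobs)
    {
        var cert = new X509Certificate2(blob);
        if (CertificateSatisfiesSpecifications(identityProvider, cert))
        {
            // NOTE(review): newer .NET runtimes mark PublicKey.Key as obsolete; verify against the target framework
            // before switching to GetRSAPublicKey()/GetECDsaPublicKey(), which would narrow the returned type.
            yield return cert.PublicKey.Key;
        }
    }

    // Pass 2: KeyInfoClause items. Only KeyInfoX509Data carries a certificate that can be checked.
    var clauses = keys.SelectMany(k => k.KeyInfo.Items.AsEnumerable().OfType<KeyInfoClause>());
    foreach (var clause in clauses)
    {
        var x509Data = clause as KeyInfoX509Data;
        if (x509Data != null)
        {
            var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
            if (!CertificateSatisfiesSpecifications(identityProvider, cert))
            {
                // Certificate rejected by the identity provider's specifications: its key is not trusted.
                continue;
            }
        }

        yield return XmlSignatureUtils.ExtractKey(clause);
    }
}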
/// <summary>
/// Extracts the public key from a single <see cref="KeyInfoClause"/> if it may be trusted.
/// </summary>
/// <param name="clause">The key info clause to extract a key from.</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>
/// The extracted key, or <c>null</c> when <paramref name="clause"/> is <see cref="KeyInfoX509Data"/> whose
/// certificate fails <c>CertificateSatisfiesSpecifications</c>. Clauses without X.509 data are not checked.
/// </returns>
private static AsymmetricAlgorithm GetTrustedSigner(KeyInfoClause clause, IdentityProvider identityProvider)
{
    var x509Data = clause as KeyInfoX509Data;
    if (x509Data == null)
    {
        // No certificate to validate against the specifications; the key is extracted as-is.
        return XmlSignatureUtils.ExtractKey(clause);
    }

    var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
    return CertificateSatisfiesSpecifications(identityProvider, cert)
        ? XmlSignatureUtils.ExtractKey(clause)
        : null;
}
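/// <summary>
/// Gets the identity provider's signing keys that may be trusted for signature validation.
/// </summary>
/// <param name="keys">The key descriptors taken from the identity provider's metadata.</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>
/// The public keys extracted from <paramref name="keys"/>. A key carried in <see cref="KeyInfoX509Data"/>
/// is only returned when its certificate passes <c>CertificateSatisfiesSpecifications</c>; other clause
/// kinds are returned without that check.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="keys"/> is <c>null</c>.</exception>
public static IEnumerable<AsymmetricAlgorithm> GetTrustedSigners(ICollection<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    // Validate eagerly: inside an iterator block the null check would only run on the first MoveNext().
    if (keys == null)
    {
        throw new ArgumentNullException(nameof(keys));
    }

    return EnumerateTrustedSigners(keys, identityProvider);
}

/// <summary>
/// Lazily yields the trusted signing keys; <paramref name="keys"/> has already been validated by the caller.
/// </summary>
/// <param name="keys">The key descriptors to inspect (not <c>null</c>).</param>
/// <param name="identityProvider">The identity provider whose certificate specifications are applied.</param>
/// <returns>The keys that pass the certificate specifications, or carry no certificate to check.</returns>
private static IEnumerable<AsymmetricAlgorithm> EnumerateTrustedSigners(IEnumerable<KeyDescriptor> keys, IdentityProvider identityProvider)
{
    // Cast (not OfType) mirrors the original contract: every item is expected to be a KeyInfoClause.
    var clauses = keys.SelectMany(k => k.KeyInfo.Items.AsEnumerable().Cast<KeyInfoClause>());
    foreach (var clause in clauses)
    {
        var x509Data = clause as KeyInfoX509Data;
        if (x509Data != null)
        {
            var cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
            if (!CertificateSatisfiesSpecifications(identityProvider, cert))
            {
                // Certificate rejected by the identity provider's specifications: its key is not trusted.
                continue;
            }
        }

        yield return XmlSignatureUtils.ExtractKey(clause);
    }
}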
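/// <summary>
/// Builds a SAML response carrying an assertion for <paramref name="user"/>, signs it (and encrypts it when
/// the service provider publishes an encryption key), and posts it to the service provider's POST-binding
/// assertion consumer endpoint. Ends the current HTTP response in every path.
/// </summary>
/// <param name="user">The authenticated user the assertion is issued for.</param>
/// <exception cref="InvalidOperationException">
/// The service provider publishes encryption key descriptors, but none holds a certificate that satisfies
/// <see cref="DefaultCertificateSpecification"/>.
/// </exception>
private void CreateAssertionResponse(User user)
{
    // NOTE(review): entityId comes from the inbound AuthnRequest; GetServiceProviderMetadata is assumed to
    // reject unknown issuers — confirm it does not return null.
    string entityId = request.Issuer.Value;
    Saml20MetadataDocument metadataDocument = IDPConfig.GetServiceProviderMetadata(entityId);
    IDPEndPointElement endpoint = metadataDocument.AssertionConsumerServiceEndpoints()
        .Find(e => e.Binding == SAMLBinding.POST);
    if (endpoint == null)
    {
        // The issuer value is request-controlled, so it is HTML-encoded before being reflected into the page.
        Context.Response.Write(
            $"'{System.Web.HttpUtility.HtmlEncode(entityId)}' does not have a SSO endpoint that supports the POST binding.");
        Context.Response.End();
        return;
    }

    UserSessionsHandler.AddLoggedInSession(entityId);

    var response = new Response
    {
        Destination = endpoint.Url,
        InResponseTo = request.ID,
        Status = new Status
        {
            StatusCode = new StatusCode { Value = Saml20Constants.StatusCodes.Success }
        }
    };

    // Use the NameID format the SP advertises; fall back to persistent when none is published.
    var nameIdFormat = metadataDocument.Entity.Items.OfType<SPSSODescriptor>().SingleOrDefault()?.NameIDFormat.SingleOrDefault()
        ?? Saml20Constants.NameIdentifierFormats.Persistent;
    Assertion assertion = CreateAssertion(user, entityId, nameIdFormat);
    var signatureProvider = SignatureProviderFactory.CreateFromShaHashingAlgorithmName(ShaHashingAlgorithm.SHA256);

    // Materialize once: the sequence is checked for emptiness and then iterated.
    var encryptionKeyDescriptors = metadataDocument.Keys.Where(x => x.use == KeyTypes.encryption).ToList();
    EncryptedAssertion encryptedAssertion = null;
    if (encryptionKeyDescriptors.Count > 0)
    {
        // The SP wants an encrypted assertion: use the first published certificate that passes the
        // default specification. The assertion is signed before encryption so the signature is inside the ciphertext.
        foreach (KeyDescriptor keyDescriptor in encryptionKeyDescriptors)
        {
            foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
            {
                var x509Data = clause as KeyInfoX509Data;
                if (x509Data == null)
                {
                    // Only certificate-backed keys are considered for encryption.
                    continue;
                }

                X509Certificate2 cert = XmlSignatureUtils.GetCertificateFromKeyInfo(x509Data);
                var specification = new DefaultCertificateSpecification();
                string rejectionReason; // reported by IsSatisfiedBy but not surfaced here
                if (!specification.IsSatisfiedBy(cert, out rejectionReason))
                {
                    continue;
                }

                // NOTE(review): the key is assumed to be RSA; a non-RSA certificate would throw InvalidCastException here.
                var encryptionKey = (RSA)XmlSignatureUtils.ExtractKey(clause);
                var encryptionUtility = new AssertionEncryptionUtility.AssertionEncryptionUtility(encryptionKey, assertion);
                signatureProvider.SignAssertion(encryptionUtility.Assertion, assertion.ID, IDPConfig.IDPCertificate);
                encryptionUtility.Encrypt();
                encryptedAssertion = Serialization.DeserializeFromXmlString<EncryptedAssertion>(encryptionUtility.EncryptedAssertion.OuterXml);
                break;
            }

            if (encryptedAssertion != null)
            {
                break;
            }
        }

        if (encryptedAssertion == null)
        {
            throw new InvalidOperationException("Could not encrypt. No valid certificates found.");
        }
    }

    response.Items = encryptedAssertion != null
        ? new object[] { encryptedAssertion }
        : new object[] { assertion };

    // Serialize the response. XmlResolver = null disables external resource resolution while loading;
    // PreserveWhitespace is presumably kept so the signed bytes are not altered by reformatting.
    var responseDoc = new XmlDocument
    {
        XmlResolver = null,
        PreserveWhitespace = true
    };
    responseDoc.LoadXml(Serialization.SerializeToXmlString(response));

    if (encryptedAssertion == null)
    {
        // Plain assertion: sign it in place inside the response document.
        // Only the assertion is signed in either path; the Response element itself is not signed here.
        signatureProvider.SignAssertion(responseDoc, assertion.ID, IDPConfig.IDPCertificate);
    }

    var builder = new HttpPostBindingBuilder(endpoint)
    {
        Action = SAMLAction.SAMLResponse,
        Response = responseDoc.OuterXml
    };
    builder.GetPage().ProcessRequest(Context);
    Context.Response.End();
}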