// This method encrypts the provided key using the key material associated with the cert
// returned by DetermineEncryptingCert
private byte[] GetEncryptedKey(SecurityToken encryptingToken, byte[] key, out SecurityKeyIdentifier ski)
{
// If encryptingToken is null, we're toast
if (encryptingToken == null)
{
throw new ArgumentNullException("encryptingToken");
}
// If key is null, we're toast
if (key == null)
{
throw new ArgumentNullException("key");
}
// Get the zeroth security key
SecurityKey encryptingKey = encryptingToken.SecurityKeys[0];
// Get the encryption algorithm to use
string keywrapAlgorithm = GetKeyWrapAlgorithm(encryptingKey);
// encrypt the passed in key
byte[] encryptedKey = encryptingKey.EncryptKey(keywrapAlgorithm, key);
// get a key identifier for the encrypting key
SecurityKeyIdentifier eki = GetExternalSecurityKeyIdentifier(encryptingToken);
// return the proof key identifier
ski = GetProofKeyIdentifier(encryptedKey, keywrapAlgorithm, eki);
// return the encrypted key
return(encryptedKey);
}
// This method encrypts the provided key using the key material associated with the certificate
// returned by DetermineEncryptingCert.
private static byte[] GetEncryptedKey(SecurityToken encryptingToken, byte[] key, out SecurityKeyIdentifier ski)
{
// If encryptingToken is null, an exception is thrown.
if (encryptingToken == null)
{
throw new ArgumentNullException("encryptingToken");
}
// If key is null, an exception is thrown.
if (key == null)
{
throw new ArgumentNullException("key");
}
// Get the zeroth security key.
SecurityKey encryptingKey = encryptingToken.SecurityKeys[0];
// Get the encryption algorithm to use.
string keywrapAlgorithm = GetKeyWrapAlgorithm(encryptingKey);
// Encrypt the passed in key.
byte[] encryptedKey = encryptingKey.EncryptKey(keywrapAlgorithm, key);
// Get a key identifier for the encrypting key.
SecurityKeyIdentifier eki = new SecurityKeyIdentifier(encryptingToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>());
// Return the proof key identifier.
ski = GetProofKeyIdentifier(encryptedKey, keywrapAlgorithm, eki);
// Return the encrypted key.
return(encryptedKey);
}
private Saml2Assertion CreateSamlAssertionWithSymmetricKey(BinarySecretSecurityToken proofToken)
{
X509SecurityToken x509SecurityToken = new X509SecurityToken(base.ClientCredentials.ClientCertificate.Certificate);
X509SecurityToken x509SecurityToken2 = new X509SecurityToken(base.ClientCredentials.ServiceCertificate.DefaultCertificate);
SecurityKey signatureKey = x509SecurityToken.SecurityKeys[0];
SecurityKeyIdentifierClause securityKeyIdentifierClause = x509SecurityToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
securityKeyIdentifierClause
});
SecurityKey securityKey = x509SecurityToken2.SecurityKeys[0];
SecurityKeyIdentifierClause securityKeyIdentifierClause2 = x509SecurityToken2.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier encryptingKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
securityKeyIdentifierClause2
});
byte[] keyBytes = proofToken.GetKeyBytes();
byte[] encryptedKey = securityKey.EncryptKey(base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, keyBytes);
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
new EncryptedKeyIdentifierClause(encryptedKey, base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptingKeyIdentifier)
});
return(this.CreateSamlAssertion(signatureKey, signatureKeyIdentifier, proofKeyIdentifier));
}
/// <summary>
/// Creates a SAML assertion based on a symmetric proof key
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="signatureToken">An X509SecurityToken that will be used to sign the SAML assertion</param>
/// <param name="encryptionToken">An X509SecurityToken that will be used to encrypt the proof key</param>
/// <param name="proofToken">A BinarySecretSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature token</returns>
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
// Check various input parameters
if (claims == null)
{
throw new ArgumentNullException("claims");
}
if (claims.Count == 0)
{
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
}
if (proofToken == null)
{
throw new ArgumentNullException("proofToken");
}
if (signatureToken == null)
{
throw new ArgumentNullException("signatureToken");
}
if (encryptionToken == null)
{
throw new ArgumentNullException("encryptionToken");
}
if (proofToken == null)
{
throw new ArgumentNullException("proofToken");
}
if (algoSuite == null)
{
throw new ArgumentNullException("algoSuite");
}
// Get signing key and a key identifier for same
SecurityKey signatureKey = signatureToken.SecurityKeys[0];
SecurityKeyIdentifierClause signatureSkic = signatureToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(signatureSkic);
// Get encryption key and a key identifier for same
SecurityKey encryptionKey = encryptionToken.SecurityKeys[0];
SecurityKeyIdentifierClause encryptionSkic = encryptionToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier encryptionKeyIdentifier = new SecurityKeyIdentifier(encryptionSkic);
// Encrypt the proof key and create a key identifier for same
byte[] proofKey = proofToken.GetKeyBytes();
byte[] encryptedSecret = new byte[proofKey.Length];
encryptedSecret = encryptionKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, proofKey);
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedSecret, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptionKeyIdentifier));
// Create the assertion
return(CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite));
}
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
if (claims == null)
{
throw new ArgumentNullException("claims");
}
if (claims.Count == 0)
{
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
}
if (proofToken == null)
{
throw new ArgumentNullException("proofToken");
}
if (signatureToken == null)
{
throw new ArgumentNullException("signatureToken");
}
if (encryptionToken == null)
{
throw new ArgumentNullException("encryptionToken");
}
if (proofToken == null)
{
throw new ArgumentNullException("proofToken");
}
if (algoSuite == null)
{
throw new ArgumentNullException("algoSuite");
}
SecurityKey signatureKey = signatureToken.SecurityKeys[0];
SecurityKeyIdentifierClause securityKeyIdentifierClause = signatureToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
securityKeyIdentifierClause
});
SecurityKey securityKey = encryptionToken.SecurityKeys[0];
SecurityKeyIdentifierClause securityKeyIdentifierClause2 = encryptionToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier encryptingKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
securityKeyIdentifierClause2
});
byte[] keyBytes = proofToken.GetKeyBytes();
byte[] encryptedKey = new byte[keyBytes.Length];
encryptedKey = securityKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, keyBytes);
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
new EncryptedKeyIdentifierClause(encryptedKey, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptingKeyIdentifier)
});
return(SamlUtilities.CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite));
}
internal static byte[] EncryptKey(SecurityToken wrappingToken, string encryptionMethod, byte[] keyToWrap)
{
SecurityKey wrappingSecurityKey = null;
if (wrappingToken.SecurityKeys != null)
{
for (int i = 0; i < wrappingToken.SecurityKeys.Count; ++i)
{
if (wrappingToken.SecurityKeys[i].IsSupportedAlgorithm(encryptionMethod))
{
wrappingSecurityKey = wrappingToken.SecurityKeys[i];
break;
}
}
}
if (wrappingSecurityKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.CannotFindMatchingCrypto, encryptionMethod));
}
return(wrappingSecurityKey.EncryptKey(encryptionMethod, keyToWrap));
}
internal static byte[] EncryptKey(SecurityToken wrappingToken, string encryptionMethod, byte[] keyToWrap)
{
SecurityKey securityKey = (SecurityKey)null;
if (wrappingToken.SecurityKeys != null)
{
for (int index = 0; index < wrappingToken.SecurityKeys.Count; ++index)
{
if (wrappingToken.SecurityKeys[index].IsSupportedAlgorithm(encryptionMethod))
{
securityKey = wrappingToken.SecurityKeys[index];
break;
}
}
}
if (securityKey == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString("CannotFindMatchingCrypto", new object[1] {
(object)encryptionMethod
}));
}
return(securityKey.EncryptKey(encryptionMethod, keyToWrap));
}
//</snippet1>
//<snippet2>
byte[] EncryptKey(byte[] plainTextKey, SecurityKey encryptingKey)
{
return(encryptingKey.EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, plainTextKey));
}
