// This method encrypts the provided key using the key material associated with the cert // returned by DetermineEncryptingCert private byte[] GetEncryptedKey(SecurityToken encryptingToken, byte[] key, out SecurityKeyIdentifier ski) { // If encryptingToken is null, we're toast if (encryptingToken == null) { throw new ArgumentNullException("encryptingToken"); } // If key is null, we're toast if (key == null) { throw new ArgumentNullException("key"); } // Get the zeroth security key SecurityKey encryptingKey = encryptingToken.SecurityKeys[0]; // Get the encryption algorithm to use string keywrapAlgorithm = GetKeyWrapAlgorithm(encryptingKey); // encrypt the passed in key byte[] encryptedKey = encryptingKey.EncryptKey(keywrapAlgorithm, key); // get a key identifier for the encrypting key SecurityKeyIdentifier eki = GetExternalSecurityKeyIdentifier(encryptingToken); // return the proof key identifier ski = GetProofKeyIdentifier(encryptedKey, keywrapAlgorithm, eki); // return the encrypted key return(encryptedKey); }
// This method encrypts the provided key using the key material associated with the certificate // returned by DetermineEncryptingCert. private static byte[] GetEncryptedKey(SecurityToken encryptingToken, byte[] key, out SecurityKeyIdentifier ski) { // If encryptingToken is null, an exception is thrown. if (encryptingToken == null) { throw new ArgumentNullException("encryptingToken"); } // If key is null, an exception is thrown. if (key == null) { throw new ArgumentNullException("key"); } // Get the zeroth security key. SecurityKey encryptingKey = encryptingToken.SecurityKeys[0]; // Get the encryption algorithm to use. string keywrapAlgorithm = GetKeyWrapAlgorithm(encryptingKey); // Encrypt the passed in key. byte[] encryptedKey = encryptingKey.EncryptKey(keywrapAlgorithm, key); // Get a key identifier for the encrypting key. SecurityKeyIdentifier eki = new SecurityKeyIdentifier(encryptingToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>()); // Return the proof key identifier. ski = GetProofKeyIdentifier(encryptedKey, keywrapAlgorithm, eki); // Return the encrypted key. return(encryptedKey); }
private Saml2Assertion CreateSamlAssertionWithSymmetricKey(BinarySecretSecurityToken proofToken) { X509SecurityToken x509SecurityToken = new X509SecurityToken(base.ClientCredentials.ClientCertificate.Certificate); X509SecurityToken x509SecurityToken2 = new X509SecurityToken(base.ClientCredentials.ServiceCertificate.DefaultCertificate); SecurityKey signatureKey = x509SecurityToken.SecurityKeys[0]; SecurityKeyIdentifierClause securityKeyIdentifierClause = x509SecurityToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { securityKeyIdentifierClause }); SecurityKey securityKey = x509SecurityToken2.SecurityKeys[0]; SecurityKeyIdentifierClause securityKeyIdentifierClause2 = x509SecurityToken2.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier encryptingKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { securityKeyIdentifierClause2 }); byte[] keyBytes = proofToken.GetKeyBytes(); byte[] encryptedKey = securityKey.EncryptKey(base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, keyBytes); SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new EncryptedKeyIdentifierClause(encryptedKey, base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptingKeyIdentifier) }); return(this.CreateSamlAssertion(signatureKey, signatureKeyIdentifier, proofKeyIdentifier)); }
/// <summary> /// Creates a SAML assertion based on a symmetric proof key /// </summary> /// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param> /// <param name="signatureToken">An X509SecurityToken that will be used to sign the SAML assertion</param> /// <param name="encryptionToken">An X509SecurityToken that will be used to encrypt the proof key</param> /// <param name="proofToken">A BinarySecretSecurityToken containing the proof key</param> /// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param> /// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature token</returns> public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite) { // Check various input parameters if (claims == null) { throw new ArgumentNullException("claims"); } if (claims.Count == 0) { throw new ArgumentException("Provided ClaimSet must contain at least one claim"); } if (proofToken == null) { throw new ArgumentNullException("proofToken"); } if (signatureToken == null) { throw new ArgumentNullException("signatureToken"); } if (encryptionToken == null) { throw new ArgumentNullException("encryptionToken"); } if (proofToken == null) { throw new ArgumentNullException("proofToken"); } if (algoSuite == null) { throw new ArgumentNullException("algoSuite"); } // Get signing key and a key identifier for same SecurityKey signatureKey = signatureToken.SecurityKeys[0]; SecurityKeyIdentifierClause signatureSkic = signatureToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(signatureSkic); // Get encryption key and a key identifier for same SecurityKey encryptionKey = encryptionToken.SecurityKeys[0]; SecurityKeyIdentifierClause encryptionSkic = encryptionToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier encryptionKeyIdentifier = new SecurityKeyIdentifier(encryptionSkic); // Encrypt the proof key and create a key identifier for same byte[] proofKey = proofToken.GetKeyBytes(); byte[] encryptedSecret = new byte[proofKey.Length]; encryptedSecret = encryptionKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, proofKey); SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedSecret, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptionKeyIdentifier)); // Create the assertion return(CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite)); }
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite) { if (claims == null) { throw new ArgumentNullException("claims"); } if (claims.Count == 0) { throw new ArgumentException("Provided ClaimSet must contain at least one claim"); } if (proofToken == null) { throw new ArgumentNullException("proofToken"); } if (signatureToken == null) { throw new ArgumentNullException("signatureToken"); } if (encryptionToken == null) { throw new ArgumentNullException("encryptionToken"); } if (proofToken == null) { throw new ArgumentNullException("proofToken"); } if (algoSuite == null) { throw new ArgumentNullException("algoSuite"); } SecurityKey signatureKey = signatureToken.SecurityKeys[0]; SecurityKeyIdentifierClause securityKeyIdentifierClause = signatureToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { securityKeyIdentifierClause }); SecurityKey securityKey = encryptionToken.SecurityKeys[0]; SecurityKeyIdentifierClause securityKeyIdentifierClause2 = encryptionToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier encryptingKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { securityKeyIdentifierClause2 }); byte[] keyBytes = proofToken.GetKeyBytes(); byte[] encryptedKey = new byte[keyBytes.Length]; encryptedKey = securityKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, keyBytes); SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new EncryptedKeyIdentifierClause(encryptedKey, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptingKeyIdentifier) }); return(SamlUtilities.CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite)); }
internal static byte[] EncryptKey(SecurityToken wrappingToken, string encryptionMethod, byte[] keyToWrap) { SecurityKey wrappingSecurityKey = null; if (wrappingToken.SecurityKeys != null) { for (int i = 0; i < wrappingToken.SecurityKeys.Count; ++i) { if (wrappingToken.SecurityKeys[i].IsSupportedAlgorithm(encryptionMethod)) { wrappingSecurityKey = wrappingToken.SecurityKeys[i]; break; } } } if (wrappingSecurityKey == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.CannotFindMatchingCrypto, encryptionMethod)); } return(wrappingSecurityKey.EncryptKey(encryptionMethod, keyToWrap)); }
internal static byte[] EncryptKey(SecurityToken wrappingToken, string encryptionMethod, byte[] keyToWrap) { SecurityKey securityKey = (SecurityKey)null; if (wrappingToken.SecurityKeys != null) { for (int index = 0; index < wrappingToken.SecurityKeys.Count; ++index) { if (wrappingToken.SecurityKeys[index].IsSupportedAlgorithm(encryptionMethod)) { securityKey = wrappingToken.SecurityKeys[index]; break; } } } if (securityKey == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString("CannotFindMatchingCrypto", new object[1] { (object)encryptionMethod })); } return(securityKey.EncryptKey(encryptionMethod, keyToWrap)); }
//</snippet1> //<snippet2> byte[] EncryptKey(byte[] plainTextKey, SecurityKey encryptingKey) { return(encryptingKey.EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, plainTextKey)); }