internal static SecurityKey ResolveSecurityKey(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
if (ski == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski");
}
if (tokenResolver != null)
{
for (int i = 0; i < ski.Count; ++i)
{
SecurityKey key = null;
if (tokenResolver.TryResolveSecurityKey(ski[i], out key))
{
return(key);
}
}
}
if (ski.CanCreateKey)
{
return(ski.CreateKey());
}
return(null);
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
key = null;
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataClause != null)
{
key = rawDataClause.CreateKey();
return(true);
}
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if (rsaClause != null)
{
key = rsaClause.CreateKey();
return(true);
}
if (_wrappedTokenResolver.TryResolveSecurityKey(keyIdentifierClause, out key))
{
return(true);
}
return(false);
}
byte [] GetEncryptionKeyForData(EncryptedData ed2, EncryptedXml encXml, byte [] dummyEncKey)
{
// Since ReferenceList could be embedded directly in wss_header without
// key indication, it must iterate all the derived keys to find out
// appropriate one.
foreach (DerivedKeySecurityToken dk in header.FindAll <DerivedKeySecurityToken> ())
{
if (dk.ReferenceList == null)
{
continue;
}
foreach (DataReference dr in dk.ReferenceList)
{
if (StripUri(dr.Uri) == ed2.Id)
{
return(((SymmetricSecurityKey)dk.SecurityKeys [0]).GetSymmetricKey());
}
}
}
foreach (WrappedKeySecurityToken wk in header.FindAll <WrappedKeySecurityToken> ())
{
if (wk.ReferenceList == null)
{
continue;
}
foreach (DataReference dr in wk.ReferenceList)
{
if (StripUri(dr.Uri) == ed2.Id)
{
return(((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey());
}
}
}
if (ed2.KeyInfo == null)
{
return(null);
}
foreach (KeyInfoClause kic in ed2.KeyInfo)
{
SecurityKeyIdentifierClause skic = serializer.ReadKeyIdentifierClause(new XmlNodeReader(kic.GetXml()));
SecurityKey skey = null;
if (!resolver.TryResolveSecurityKey(skic, out skey))
{
throw new MessageSecurityException(String.Format("The signing key could not be resolved from {0}", skic));
}
SymmetricSecurityKey ssk = skey as SymmetricSecurityKey;
if (ssk != null)
{
return(ssk.GetSymmetricKey());
}
}
return(null); // no applicable key info clause.
}
internal static XmlDocument GetPlainAsertion(SecurityTokenResolver securityTokenResolver, XmlElement el)
{
var encryptedDataElement = GetElement(HttpRedirectBindingConstants.EncryptedData, Saml20Constants.Xenc, el);
var encryptedData = new System.Security.Cryptography.Xml.EncryptedData();
encryptedData.LoadXml(encryptedDataElement);
var encryptedKey = new System.Security.Cryptography.Xml.EncryptedKey();
var encryptedKeyElement = GetElement(HttpRedirectBindingConstants.EncryptedKey, Saml20Constants.Xenc, el);
encryptedKey.LoadXml(encryptedKeyElement);
var securityKeyIdentifier = new SecurityKeyIdentifier();
foreach (KeyInfoX509Data v in encryptedKey.KeyInfo)
{
foreach (X509Certificate2 cert in v.Certificates)
{
var cl = new X509RawDataKeyIdentifierClause(cert);
securityKeyIdentifier.Add(cl);
}
}
var clause = new EncryptedKeyIdentifierClause(encryptedKey.CipherData.CipherValue, encryptedKey.EncryptionMethod.KeyAlgorithm, securityKeyIdentifier);
SecurityKey key;
var success = securityTokenResolver.TryResolveSecurityKey(clause, out key);
if (!success)
{
throw new InvalidOperationException("Cannot locate security key");
}
SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
if (symmetricSecurityKey == null)
{
throw new InvalidOperationException("Key must be symmentric key");
}
SymmetricAlgorithm symmetricAlgorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptedData.EncryptionMethod.KeyAlgorithm);
var encryptedXml = new System.Security.Cryptography.Xml.EncryptedXml();
var plaintext = encryptedXml.DecryptData(encryptedData, symmetricAlgorithm);
var assertion = new XmlDocument {
PreserveWhitespace = true
};
assertion.Load(new StringReader(Encoding.UTF8.GetString(plaintext)));
return(assertion);
}
private static SecurityKey IssuerSigningKeyResolver(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver securityTokenResolver)
{
SecurityKey key = null;
foreach (var keyIdentifierClause in keyIdentifier)
{
var isResolved = securityTokenResolver.TryResolveSecurityKey(keyIdentifierClause, out key);
if (isResolved)
{
break;
}
}
return(key);
}
void ResolveSigningCredentials()
{
if (_signedXml.Signature == null || _signedXml.Signature.KeyIdentifier == null || _signedXml.Signature.KeyIdentifier.Count == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID3276)));
}
SecurityKey signingKey = null;
if (!_signingTokenResolver.TryResolveSecurityKey(_signedXml.Signature.KeyIdentifier[0], out signingKey))
{
if (_resolveIntrinsicSigningKeys && _signedXml.Signature.KeyIdentifier.CanCreateKey)
{
signingKey = _signedXml.Signature.KeyIdentifier.CreateKey();
}
else
{
//
// we cannot find the signing key to verify the signature
//
EncryptedKeyIdentifierClause encryptedKeyClause;
if (_signedXml.Signature.KeyIdentifier.TryFind <EncryptedKeyIdentifierClause>(out encryptedKeyClause))
{
//
// System.IdentityModel.Tokens.EncryptedKeyIdentifierClause.ToString() does not print out
// very good information except the cipher data in this case. We have worked around that
// by using the token serializer to serialize the key identifier clause again.
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SignatureVerificationFailedException(
SR.GetString(SR.ID4036, XmlUtil.SerializeSecurityKeyIdentifier(_signedXml.Signature.KeyIdentifier, _tokenSerializer))));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SignatureVerificationFailedException(SR.GetString(SR.ID4037, _signedXml.Signature.KeyIdentifier.ToString())));
}
}
}
WifSignedInfo signedInfo = _signedXml.Signature.SignedInfo as WifSignedInfo;
_signingCredentials = new SigningCredentials(signingKey, _signedXml.Signature.SignedInfo.SignatureMethod, signedInfo[0].DigestMethod, _signedXml.Signature.KeyIdentifier);
}
/// <summary>
/// Attempts to resolve the _securityKeyIdentifier into a securityKey. If successful, the private _securityKey is set.
/// Uses the tokenresolver that was passed in, it may be the case a keyIdentifier can
/// generate a securityKey. A RSA key can generate a key with just the public part.
/// </summary>
/// <returns>void</returns>
void ResolveKey()
{
if (_securityKeyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski");
}
if (_securityKey == null)
{
lock (_keyLock)
{
if (_securityKey == null)
{
if (_securityTokenResolver != null)
{
for (int i = 0; i < _securityKeyIdentifier.Count; ++i)
{
if (_securityTokenResolver.TryResolveSecurityKey(_securityKeyIdentifier[i], out _securityKey))
{
return;
}
}
}
// most likely a public key, do this last
if (_securityKeyIdentifier.CanCreateKey)
{
_securityKey = _securityKeyIdentifier.CreateKey();
return;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelper(
new SecurityTokenException(SR.GetString(SR.ID2080,
_securityTokenResolver == null ? "null" : _securityTokenResolver.ToString(),
_securityKeyIdentifier == null ? "null" : _securityKeyIdentifier.ToString())), System.Diagnostics.TraceEventType.Error);
}
}
}
}
private static SecurityKey ResolveSecurityKey(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver, out SecurityKeyIdentifierClause clause)
{
if (ski == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski");
}
clause = null;
if (tokenResolver != null)
{
for (int i = 0; i < ski.Count; ++i)
{
SecurityKey key = null;
if (tokenResolver.TryResolveSecurityKey(ski[i], out key))
{
clause = ski[i];
return(key);
}
}
}
if (ski.CanCreateKey)
{
foreach (var skiClause in ski)
{
if (skiClause.CanCreateKey)
{
clause = skiClause;
return(clause.CreateKey());
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.KeyIdentifierCannotCreateKey)));
}
return(null);
}
internal ReadOnlyCollection <SecurityKey> ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver)
{
Saml2Subject subject = assertion.Subject;
Saml2SubjectConfirmation confirmation = subject.SubjectConfirmations[0];
if (confirmation.SubjectConfirmationData != null)
{
this.ValidateConfirmationData(confirmation.SubjectConfirmationData);
}
List <SecurityKey> list = new List <SecurityKey>();
foreach (SecurityKeyIdentifier identifier in confirmation.SubjectConfirmationData.KeyIdentifiers)
{
SecurityKey key = null;
foreach (SecurityKeyIdentifierClause clause in identifier)
{
if ((resolver != null) && resolver.TryResolveSecurityKey(clause, out key))
{
list.Add(key);
break;
}
}
if (key == null)
{
if (identifier.CanCreateKey)
{
key = identifier.CreateKey();
list.Add(key);
continue;
}
list.Add(new SecurityKeyElement(identifier, resolver));
}
}
return(list.AsReadOnly());
}