public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause e =
keyIdentifierClause as EncryptedKeyIdentifierClause;
return(e != null && Matches(e.GetRawBuffer(), e.EncryptionMethod, e.CarriedKeyName));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return(ReferenceEquals(this, that) || (that != null && that.Matches(this.GetRawBuffer(), this.encryptionMethod, this.carriedKeyName)));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
// PreSharp Bug: Parameter 'that' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
return(ReferenceEquals(this, that) || (that != null && that.Matches(this.GetRawBuffer(), this.encryptionMethod, this.carriedKeyName)));
}
/// <summary>
/// Creates a SAML Token with the input parameters
/// </summary>
/// <param name="stsName">Name of the STS issuing the SAML Token</param>
/// <param name="proofToken">Associated Proof Token</param>
/// <param name="issuerToken">Associated Issuer Token</param>
/// <param name="proofKeyEncryptionToken">Token to encrypt the proof key with</param>
/// <param name="samlConditions">The Saml Conditions to be used in the construction of the SAML Token</param>
/// <param name="samlAttributes">The Saml Attributes to be used in the construction of the SAML Token</param>
/// <returns>A SAML Token</returns>
public static SamlSecurityToken CreateSamlToken(string stsName,
BinarySecretSecurityToken proofToken,
SecurityToken issuerToken,
SecurityToken proofKeyEncryptionToken,
SamlConditions samlConditions,
IEnumerable<SamlAttribute> samlAttributes)
{
// Create a security token reference to the issuer certificate
SecurityKeyIdentifierClause skic = issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier issuerKeyIdentifier = new SecurityKeyIdentifier(skic);
// Create an encrypted key clause containing the encrypted proof key
byte[] wrappedKey = proofKeyEncryptionToken.SecurityKeys[0].EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofToken.GetKeyBytes());
SecurityKeyIdentifierClause encryptingTokenClause = proofKeyEncryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
EncryptedKeyIdentifierClause encryptedKeyClause = new EncryptedKeyIdentifierClause(wrappedKey, SecurityAlgorithms.RsaOaepKeyWrap, new SecurityKeyIdentifier(encryptingTokenClause) );
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(encryptedKeyClause);
// Create a comfirmationMethod for HolderOfKey
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add(SamlConstants.HolderOfKey);
// Create a SamlSubject with proof key and confirmation method from above
SamlSubject samlSubject = new SamlSubject(null,
null,
null,
confirmationMethods,
null,
proofKeyIdentifier);
// Create a SamlAttributeStatement from the passed in SamlAttribute collection and the SamlSubject from above
SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes);
// Put the SamlAttributeStatement into a list of SamlStatements
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAttributeStatement);
// Create a SigningCredentials instance from the key associated with the issuerToken.
SigningCredentials signingCredentials = new SigningCredentials(issuerToken.SecurityKeys[0],
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha1Digest,
issuerKeyIdentifier);
// Create a SamlAssertion from the list of SamlStatements created above and the passed in
// SamlConditions.
SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(),
stsName,
DateTime.UtcNow,
samlConditions,
new SamlAdvice(),
samlSubjectStatements
);
// Set the SigningCredentials for the SamlAssertion
samlAssertion.SigningCredentials = signingCredentials;
// Create a SamlSecurityToken from the SamlAssertion and return it
return new SamlSecurityToken(samlAssertion);
}
public void Constructors ()
{
byte [] bytes = new byte [32];
// null identifier / null CarriedKeyName
EncryptedKeyIdentifierClause ekic =
new EncryptedKeyIdentifierClause (bytes, SecurityAlgorithms.Aes256Encryption, null, null);
Assert.IsNull (ekic.EncryptingKeyIdentifier, "#1");
Assert.IsNull (ekic.CarriedKeyName, "#2");
// any EncryptionMethods are allowed here..
new EncryptedKeyIdentifierClause (new byte [32], "urn:foo");
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityKey.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve</param>
/// <param name="key">The resolved SecurityKey.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
key = null;
EncryptedKeyIdentifierClause encryptedKeyIdentifierClause = keyIdentifierClause as EncryptedKeyIdentifierClause;
if (encryptedKeyIdentifierClause != null)
{
SecurityKeyIdentifier keyIdentifier = encryptedKeyIdentifierClause.EncryptingKeyIdentifier;
if (keyIdentifier != null && keyIdentifier.Count > 0)
{
for (int i = 0; i < keyIdentifier.Count; i++)
{
SecurityKey unwrappingSecurityKey = null;
if (TryResolveSecurityKey(keyIdentifier[i], out unwrappingSecurityKey))
{
byte[] wrappedKey = encryptedKeyIdentifierClause.GetEncryptedKey();
string wrappingAlgorithm = encryptedKeyIdentifierClause.EncryptionMethod;
byte[] unwrappedKey = unwrappingSecurityKey.DecryptKey(wrappingAlgorithm, wrappedKey);
key = new InMemorySymmetricSecurityKey(unwrappedKey, false);
return(true);
}
}
}
}
else
{
SecurityToken token = null;
if (TryResolveToken(keyIdentifierClause, out token))
{
if (token.SecurityKeys.Count > 0)
{
key = token.SecurityKeys[0];
return(true);
}
}
}
return(false);
}
public override void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause encryptedKeyClause = keyIdentifierClause as EncryptedKeyIdentifierClause;
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.EncryptedKey, NamespaceUri);
if (encryptedKeyClause.EncryptionMethod != null)
{
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.EncryptionMethod, NamespaceUri);
writer.WriteAttributeString(XD.XmlEncryptionDictionary.AlgorithmAttribute, null, encryptedKeyClause.EncryptionMethod);
if (encryptedKeyClause.EncryptionMethod == XD.SecurityAlgorithmDictionary.RsaOaepKeyWrap.Value)
{
writer.WriteStartElement(XmlSignatureStrings.Prefix, XD.XmlSignatureDictionary.DigestMethod, XD.XmlSignatureDictionary.Namespace);
writer.WriteAttributeString(XD.XmlSignatureDictionary.Algorithm, null, SecurityAlgorithms.Sha1Digest);
writer.WriteEndElement();
}
writer.WriteEndElement();
}
if (encryptedKeyClause.EncryptingKeyIdentifier != null)
{
this.securityTokenSerializer.WriteKeyIdentifier(writer, encryptedKeyClause.EncryptingKeyIdentifier);
}
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CipherData, NamespaceUri);
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CipherValue, NamespaceUri);
byte[] encryptedKey = encryptedKeyClause.GetEncryptedKey();
writer.WriteBase64(encryptedKey, 0, encryptedKey.Length);
writer.WriteEndElement();
writer.WriteEndElement();
if (encryptedKeyClause.CarriedKeyName != null)
{
writer.WriteElementString(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CarriedKeyName, NamespaceUri, encryptedKeyClause.CarriedKeyName);
}
writer.WriteEndElement();
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause objB = keyIdentifierClause as EncryptedKeyIdentifierClause;
return(object.ReferenceEquals(this, objB) || ((objB != null) && objB.Matches(base.GetRawBuffer(), this.encryptionMethod, this.carriedKeyName)));
}
void WriteEncryptedKeyIdentifierClause (
XmlWriter w, EncryptedKeyIdentifierClause ic)
{
w.WriteStartElement ("e", "EncryptedKey", EncryptedXml.XmlEncNamespaceUrl);
w.WriteStartElement ("EncryptionMethod", EncryptedXml.XmlEncNamespaceUrl);
w.WriteAttributeString ("Algorithm", ic.EncryptionMethod);
w.WriteEndElement ();
if (ic.EncryptingKeyIdentifier != null) {
w.WriteStartElement ("KeyInfo", SignedXml.XmlDsigNamespaceUrl);
foreach (SecurityKeyIdentifierClause ckic in ic.EncryptingKeyIdentifier)
WriteKeyIdentifierClause (w, ckic);
w.WriteEndElement ();
}
w.WriteStartElement ("CipherData", EncryptedXml.XmlEncNamespaceUrl);
w.WriteStartElement ("CipherValue", EncryptedXml.XmlEncNamespaceUrl);
w.WriteString (Convert.ToBase64String (ic.GetEncryptedKey ()));
w.WriteEndElement ();
w.WriteEndElement ();
if (ic.CarriedKeyName != null)
w.WriteElementString ("CarriedKeyName", EncryptedXml.XmlEncNamespaceUrl, ic.CarriedKeyName);
w.WriteEndElement ();
}
public static void WriteProtectedKey(XmlWriter writer, ProtectedKey protectedKey, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (protectedKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("protectedKey");
}
if (trustConstants == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("trustConstants");
}
if (protectedKey.WrappingCredentials != null)
{
byte[] encryptedKey = protectedKey.WrappingCredentials.SecurityKey.EncryptKey(protectedKey.WrappingCredentials.Algorithm, protectedKey.GetKeyBytes());
EncryptedKeyIdentifierClause clause = new EncryptedKeyIdentifierClause(encryptedKey, protectedKey.WrappingCredentials.Algorithm, protectedKey.WrappingCredentials.SecurityKeyIdentifier);
context.SecurityTokenHandlers.WriteKeyIdentifierClause(writer, clause);
}
else
{
BinarySecretSecurityToken entropyToken = new BinarySecretSecurityToken(protectedKey.GetKeyBytes());
WriteBinarySecretSecurityToken(writer, entropyToken, trustConstants);
}
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
return(ReferenceEquals(this, that) || (that != null && that.Matches(GetRawBuffer(), _encryptionMethod, CarriedKeyName)));
}
public void WriteEncryptedKeyIdentifierClause4 ()
{
StringWriter sw = new StringWriter ();
byte [] bytes = new byte [32];
SecurityKeyIdentifier cki = new SecurityKeyIdentifier ();
cki.Add (new BinarySecretKeyIdentifierClause (bytes));
EncryptedKeyIdentifierClause ic =
new EncryptedKeyIdentifierClause (bytes, SecurityAlgorithms.Aes256Encryption);
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
WSSecurityTokenSerializer.DefaultInstance.WriteKeyIdentifierClause (w, ic);
}
string expected = String.Format ("<e:EncryptedKey xmlns:e=\"{0}\"><e:EncryptionMethod Algorithm=\"{1}\" /><e:CipherData><e:CipherValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</e:CipherValue></e:CipherData></e:EncryptedKey>",
EncryptedXml.XmlEncNamespaceUrl,
SecurityAlgorithms.Aes256Encryption,
SignedXml.XmlDsigNamespaceUrl,
"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1");
Assert.AreEqual (expected, sw.ToString ());
}
public void WriteEncryptedKeyIdentifierClause2 () // derived key
{
StringWriter sw = new StringWriter ();
byte [] bytes = new byte [32];
SecurityKeyIdentifier cki = new SecurityKeyIdentifier ();
cki.Add (new X509ThumbprintKeyIdentifierClause (cert));
EncryptedKeyIdentifierClause ic =
new EncryptedKeyIdentifierClause (bytes, SecurityAlgorithms.Aes256KeyWrap, cki, "carriedKeyNaaaaame", new byte [32], 32);
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
WSSecurityTokenSerializer.DefaultInstance.WriteKeyIdentifierClause (w, ic);
}
string expected = String.Format ("<e:EncryptedKey xmlns:e=\"{0}\"><e:EncryptionMethod Algorithm=\"{1}\" /><KeyInfo xmlns=\"{2}\"><o:SecurityTokenReference xmlns:o=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><o:KeyIdentifier ValueType=\"{3}\">GQ3YHlGQhDF1bvMixHliX4uLjlY=</o:KeyIdentifier></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</e:CipherValue></e:CipherData><e:CarriedKeyName>carriedKeyNaaaaame</e:CarriedKeyName></e:EncryptedKey>",
EncryptedXml.XmlEncNamespaceUrl,
SecurityAlgorithms.Aes256KeyWrap,
SignedXml.XmlDsigNamespaceUrl,
"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1");
Assert.AreEqual (expected, sw.ToString ());
}
