protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause clause = null;
switch (this.x509ReferenceStyle)
{
case X509KeyIdentifierClauseType.Thumbprint:
return base.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
case X509KeyIdentifierClauseType.IssuerSerial:
return base.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
return base.CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
return base.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
}
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken token2 = token as X509SecurityToken;
if (token2 != null)
{
X509SubjectKeyIdentifierClause clause2;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2))
{
clause = clause2;
}
}
else
{
X509SubjectKeyIdentifierClause clause3;
X509WindowsSecurityToken token3 = token as X509WindowsSecurityToken;
if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3))
{
clause = clause3;
}
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause>();
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
}
return clause;
}
return token.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
}
protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
if (referenceStyle == SecurityTokenReferenceStyle.Internal)
{
return token.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
}
return null;
}
/// <summary>
/// Creates a SAML Token with the input parameters
/// </summary>
/// <param name="stsName">Name of the STS issuing the SAML Token</param>
/// <param name="proofToken">Associated Proof Token</param>
/// <param name="issuerToken">Associated Issuer Token</param>
/// <param name="proofKeyEncryptionToken">Token to encrypt the proof key with</param>
/// <param name="samlConditions">The Saml Conditions to be used in the construction of the SAML Token</param>
/// <param name="samlAttributes">The Saml Attributes to be used in the construction of the SAML Token</param>
/// <returns>A SAML Token</returns>
public static SamlSecurityToken CreateSamlToken(string stsName,
BinarySecretSecurityToken proofToken,
SecurityToken issuerToken,
SecurityToken proofKeyEncryptionToken,
SamlConditions samlConditions,
IEnumerable<SamlAttribute> samlAttributes)
{
// Create a security token reference to the issuer certificate
SecurityKeyIdentifierClause skic = issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier issuerKeyIdentifier = new SecurityKeyIdentifier(skic);
// Create an encrypted key clause containing the encrypted proof key
byte[] wrappedKey = proofKeyEncryptionToken.SecurityKeys[0].EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofToken.GetKeyBytes());
SecurityKeyIdentifierClause encryptingTokenClause = proofKeyEncryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
EncryptedKeyIdentifierClause encryptedKeyClause = new EncryptedKeyIdentifierClause(wrappedKey, SecurityAlgorithms.RsaOaepKeyWrap, new SecurityKeyIdentifier(encryptingTokenClause) );
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(encryptedKeyClause);
// Create a comfirmationMethod for HolderOfKey
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add(SamlConstants.HolderOfKey);
// Create a SamlSubject with proof key and confirmation method from above
SamlSubject samlSubject = new SamlSubject(null,
null,
null,
confirmationMethods,
null,
proofKeyIdentifier);
// Create a SamlAttributeStatement from the passed in SamlAttribute collection and the SamlSubject from above
SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes);
// Put the SamlAttributeStatement into a list of SamlStatements
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAttributeStatement);
// Create a SigningCredentials instance from the key associated with the issuerToken.
SigningCredentials signingCredentials = new SigningCredentials(issuerToken.SecurityKeys[0],
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha1Digest,
issuerKeyIdentifier);
// Create a SamlAssertion from the list of SamlStatements created above and the passed in
// SamlConditions.
SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(),
stsName,
DateTime.UtcNow,
samlConditions,
new SamlAdvice(),
samlSubjectStatements
);
// Set the SigningCredentials for the SamlAssertion
samlAssertion.SigningCredentials = signingCredentials;
// Create a SamlSecurityToken from the SamlAssertion and return it
return new SamlSecurityToken(samlAssertion);
}
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(System.IdentityModel.Tokens.SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
if (referenceStyle == SecurityTokenReferenceStyle.Internal)
{
return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>());
}
throw new NotSupportedException("External references are not supported for tokens");
}
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
if (referenceStyle == SecurityTokenReferenceStyle.Internal)
{
return token.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
}
else
{
throw new NotSupportedException("External references are not supported for credit card tokens");
}
}
/// <summary>
/// Creates a SAML assertion based on an Asymmetric proof key
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="proofToken">An RsaSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the proof key</returns>
public static SamlAssertion CreateAsymmetricKeyBasedAssertion(ClaimSet claims, SecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
// Check various input parameters
if (claims == null)
throw new ArgumentNullException("claims");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (claims.Count == 0)
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
// Create key identifier for proof key
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(proofToken.CreateKeyIdentifierClause<RsaKeyIdentifierClause>());
// Get signing key and a key identifier for same
SecurityKey signatureKey = proofToken.SecurityKeys[0];
SecurityKeyIdentifier signatureKeyIdentifier = proofKeyIdentifier;
// Create the assertion
return CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite);
}
/// <summary>
///
/// </summary>
/// <param name="token"></param>
/// <param name="attached"></param>
/// <returns></returns>
public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, Boolean attached)
{
return token.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
}
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause (
SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
if (token == null)
throw new ArgumentNullException ("token");
if (referenceStyle == SecurityTokenReferenceStyle.Internal)
return new LocalIdKeyIdentifierClause (token.Id, token.GetType ());
switch (reference_style) {
default:
return token.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause> ();
case X509KeyIdentifierClauseType.Thumbprint:
return token.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause> ();
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
return token.CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause> ();
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
return token.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause> ();
case X509KeyIdentifierClauseType.Any:
if (token.CanCreateKeyIdentifierClause<X509SubjectKeyIdentifierClause> ())
goto case X509KeyIdentifierClauseType.SubjectKeyIdentifier;
goto default;
}
}
/// <summary>
/// Creates the security securityToken reference when the securityToken is not attached to the message.
/// </summary>
/// <param name="token">The saml securityToken.</param>
/// <param name="attached">Boolean that indicates if a attached or unattached
/// reference needs to be created.</param>
/// <returns>A <see cref="Saml2AssertionKeyIdentifierClause"/>.</returns>
public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
{
if (null == token)
{
throw new ArgumentNullException("token");
}
return token.CreateKeyIdentifierClause<Saml2AssertionKeyIdentifierClause>();
}
// This method returns a security key identifier that can be used to refer to the provided security token when
// the provided token does not appear in the message
private SecurityKeyIdentifier GetExternalSecurityKeyIdentifier(SecurityToken t)
{
// If t is null, we're toast
if (t == null)
throw new ArgumentNullException("t");
// Set skiClause to null
SecurityKeyIdentifierClause skiClause = null;
// Try for an encrypted key reference first...
if (t.CanCreateKeyIdentifierClause<EncryptedKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using EncryptedKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<EncryptedKeyIdentifierClause>();
}
// ... kerb token reference next...
else if (t.CanCreateKeyIdentifierClause<KerberosTicketHashKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using KerberosTicketHashKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<KerberosTicketHashKeyIdentifierClause>();
}
// ... X509 thumbprint next...
else if (t.CanCreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using X509ThumbprintKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
}
// ... X509 raw reference next...
else if (t.CanCreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using X509RawDataKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
}
// ... X509 SKI next...
else if (t.CanCreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using X509SubjectKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>();
}
// ... try for a binary secret...
else if (t.CanCreateKeyIdentifierClause<BinarySecretKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using BinarySecretKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<BinarySecretKeyIdentifierClause>();
}
// ... then a X509IssuerSerial reference ...
else if (t.CanCreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using X509IssuerSerialKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause>();
}
// ... then a SAML assertion reference...
else if (t.CanCreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using SamlAssertionKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
}
// ... then an RSA key reference...
else if (t.CanCreateKeyIdentifierClause<RsaKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using RsaKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<RsaKeyIdentifierClause>();
}
// ... then a key name reference...
else if (t.CanCreateKeyIdentifierClause<KeyNameIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using KeyNameIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<KeyNameIdentifierClause>();
}
// ... and finally an SCT reference...
else if (t.CanCreateKeyIdentifierClause<SecurityContextKeyIdentifierClause>())
{
Console.WriteLine("GetExternalSecurityKeyIdentifier using SecurityContextKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<SecurityContextKeyIdentifierClause>();
}
// return a SecurityKeyIdentifier
return new SecurityKeyIdentifier(skiClause);
}
public virtual IIdentity ResolveIdentity (SecurityToken token)
{
return ResolveIdentity (new SecurityKeyIdentifier (
token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause> ()));
}
/// <summary>
/// Creates a <see cref="SecurityKeyIdentifierClause"/> to be used as the security token reference when the token is not attached to the message.
/// </summary>
/// <param name="token">The saml token.</param>
/// <param name="attached">Boolean that indicates if a attached or unattached
/// reference needs to be created.</param>
/// <returns>A <see cref="SamlAssertionKeyIdentifierClause"/> instance.</returns>
public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
{
if (null == token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
return token.CreateKeyIdentifierClause<Saml2AssertionKeyIdentifierClause>();
}
/// <summary>
/// Helper Method to set up the RSTR
/// </summary>
/// <param name="rst">RequestSecurityToken</param>
/// <param name="keySize">keySize</param>
/// <param name="proofToken">proofToken</param>
/// <param name="samlToken">The SAML Token to be issued</param>
/// <returns>RequestSecurityTokenResponse</returns>
protected static RequestSecurityTokenBase GetRequestSecurityTokenResponse(RequestSecurityTokenBase requestSecurityToken,
int keySize,
SecurityToken proofToken,
SecurityToken samlToken,
byte[] senderEntropy,
byte[] stsEntropy)
{
// Create an uninitialized RequestSecurityTokenResponse object and set the various properties
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();
rstr.TokenType = Constants.SamlTokenTypeUri;
rstr.RequestedSecurityToken = samlToken;
rstr.RequestedUnattachedReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
rstr.RequestedAttachedReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
rstr.Context = requestSecurityToken.Context;
rstr.KeySize = keySize;
// If sender provided entropy then use combined entropy so set the IssuerEntropy
if (senderEntropy != null)
{
rstr.IssuerEntropy = new BinarySecretSecurityToken(stsEntropy);
rstr.ComputeKey = true;
}
else // Issuer entropy only...
{
rstr.RequestedProofToken = proofToken;
}
return rstr;
}
/// <summary>
/// Inherited from <see cref="SecurityToken"/>.
/// </summary>
public override T CreateKeyIdentifierClause <T>()
{
return(_realToken.CreateKeyIdentifierClause <T>());
}
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause result = null;
switch (this.x509ReferenceStyle)
{
default:
case X509KeyIdentifierClauseType.Any:
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token != null)
{
X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
else
{
X509WindowsSecurityToken windowsX509Token = token as X509WindowsSecurityToken;
if (windowsX509Token != null)
{
X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
}
if (result == null)
result = token.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause>();
if (result == null)
result = token.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
}
else
result = token.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
break;
case X509KeyIdentifierClauseType.Thumbprint:
result = this.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
result = this.CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.IssuerSerial:
result = this.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
result = this.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
}
return result;
}
// This method returns a security key identifier that can be used to refer to the provided security token when
// the provided token appears in the message
private SecurityKeyIdentifier GetInternalSecurityKeyIdentifier(SecurityToken t)
{
// If t is null, we're toast
if ( t == null )
throw new ArgumentNullException ( "t" );
// Set skiClause to null
SecurityKeyIdentifierClause skiClause = null;
// Try for a local id reference first...
if (t.CanCreateKeyIdentifierClause<LocalIdKeyIdentifierClause>())
{
Console.WriteLine("GetInternalSecurityKeyIdentifier using LocalIdKeyIdentifierClause");
skiClause = t.CreateKeyIdentifierClause<LocalIdKeyIdentifierClause>();
// return a SecurityKeyIdentifier
return new SecurityKeyIdentifier(skiClause);
}
else
return GetExternalSecurityKeyIdentifier ( t );
}
// This method encrypts the provided key using the key material associated with the certificate
// returned by DetermineEncryptingCert.
private static byte[] GetEncryptedKey(SecurityToken encryptingToken, byte[] key, out SecurityKeyIdentifier ski)
{
// If encryptingToken is null, an exception is thrown.
if (encryptingToken == null)
throw new ArgumentNullException("encryptingToken");
// If key is null, an exception is thrown.
if (key == null)
throw new ArgumentNullException("key");
// Get the zeroth security key.
SecurityKey encryptingKey = encryptingToken.SecurityKeys[0];
// Get the encryption algorithm to use.
string keywrapAlgorithm = GetKeyWrapAlgorithm(encryptingKey);
// Encrypt the passed in key.
byte[] encryptedKey = encryptingKey.EncryptKey ( keywrapAlgorithm, key );
// Get a key identifier for the encrypting key.
SecurityKeyIdentifier eki = new SecurityKeyIdentifier(encryptingToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());
// Return the proof key identifier.
ski = GetProofKeyIdentifier ( encryptedKey, keywrapAlgorithm, eki );
// Return the encrypted key.
return encryptedKey;
}
public virtual ClaimSet ResolveClaimSet (SecurityToken token)
{
return ResolveClaimSet (new SecurityKeyIdentifier (
token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause> ()));
}