ITfoxtec SAML 2.0加密声明

时间:2018-11-26 23:20:02

标签: encryption saml-2.0 itfoxtec-identity-saml2

是否可以使用ITfoxtec Identity Saml2(开源-https://itfoxtec.com/identitysaml2)对断言响应进行加密?找不到任何东西。

GitHub网站(https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2)提到解密但没有加密。似乎也没有任何加密示例。

感谢您的帮助。谢谢。

2 个答案:

答案 0 :(得分:2)

在saml2postbinding类中,将BindInternal方法替换为以下代码。

protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
    {
        BindInternal(saml2RequestResponse);

        var element1 = XmlDocument.CreateElement("saml2", "EncryptedAssertion", "urn:oasis:names:tc:SAML:2.0:assertion");
        XmlDocument xmlDoc = new XmlDocument();
        var assertionElements = XmlDocument.DocumentElement.SelectNodes($"//*[local-name()='{Saml2Constants.Message.Assertion}']");
        var assertionElement = (assertionElements[0] as XmlElement).ToXmlDocument().DocumentElement;
        var certificate = ITfoxtec.Identity.Saml2.Util.CertificateUtil.Load(@"F:\IT-FoxTec-Core Copy\ITfoxtec.Identity.Saml2-master (1)\ITfoxtec.Identity.Saml2-master\test\TestIdPCore\itfoxtec.identity.saml2.testwebappcore_Certificate.crt");



        var wrappedAssertion = $@"<saml2:EncryptedAssertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"">{assertionElement.OuterXml}</saml2:EncryptedAssertion>";
        xmlDoc.LoadXml(wrappedAssertion);
        var elementToEncrypt = (XmlElement)xmlDoc.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0];
        element1.InnerXml = wrappedAssertion.ToXmlDocument().DocumentElement.SelectNodes($"//*[local-name()='{Saml2Constants.Message.Assertion}']")[0].OuterXml;
        var element2 = wrappedAssertion.ToXmlDocument().DocumentElement;
        var childNode = XmlDocument.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0];
        XmlDocument.DocumentElement.RemoveChild(childNode);
        var status = XmlDocument.DocumentElement[Saml2Constants.Message.Status, Saml2Constants.ProtocolNamespace.OriginalString];
        XmlDocument.DocumentElement.InsertAfter(element1, status);




        if (certificate == null) throw new ArgumentNullException(nameof(certificate));

        var encryptedData = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
        };

        var algorithm = true ? EncryptedXml.XmlEncRSAOAEPUrl : EncryptedXml.XmlEncRSA15Url;
        var encryptedKey = new EncryptedKey
        {
            EncryptionMethod = new EncryptionMethod(algorithm),
        };

        var encryptedXml = new EncryptedXml();
        byte[] encryptedElement;
        using (var encryptionAlgorithm = new AesCryptoServiceProvider())
        {
            encryptionAlgorithm.KeySize = 256;

            encryptedKey.CipherData = new CipherData(EncryptedXml.EncryptKey(encryptionAlgorithm.Key, (RSA)certificate.PublicKey.Key, true));
            encryptedElement = encryptedXml.EncryptData(elementToEncrypt, encryptionAlgorithm, false);
        }
        encryptedData.CipherData.CipherValue = encryptedElement;



        encryptedData.KeyInfo = new KeyInfo();
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
        EncryptedXml.ReplaceElement((XmlElement)xmlDoc.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0], encryptedData, false);
        EncryptedXml.ReplaceElement((XmlElement)XmlDocument.GetElementsByTagName("Assertion", Saml2Constants.AssertionNamespace.OriginalString)[0], encryptedData, false);

        if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
        {
            Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
            XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.Id.Value);

        }
        PostContent = string.Concat(HtmlPostPage(saml2RequestResponse.Destination, messageName));
        return this;
    }

这里的证书是任何依赖方的公钥证书。

答案 1 :(得分:1)

很抱歉,当前不支持断言响应加密。

欢迎您在丢失的加密功能项目上创建一个issue。 如果您实现该功能,请共享代码。