How to disable the key identifier in SecurityTokenResolver

I am processing a SAML2 token in WIF that contains an EncryptedAssertion. The markup does NOT contain the Subject Identification Key property, and as such the WIF SecurityTokenHandler fails because it is trying to get the correct X509 certificate from LocalMachineStore / Personal.

Obviously, the certificate used to encrypt the token does not contain the SKI extension, and, of course, the token generation code (Java) does not seem to require it. To avoid the need to change the generation code, is there a way to force the WIF SecurityTokenResolver to NOT check the received token for the SKI, but just use the local store certificate directly to decrypt the token?

1 answer

In the end, I just implemented a special SecurityTokenResolver and overrode the TryResolveSecurityKeyCore method.

Here is the code:

using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

public class mySaml2SSOSecurityTokenResolver : SecurityTokenResolver
{
    List<SecurityToken> _tokens;

    // The constructor has to carry the class name, otherwise this does not compile.
    public mySaml2SSOSecurityTokenResolver(List<SecurityToken> tokens)
    {
        _tokens = tokens;
    }

    // WIF calls this with the <EncryptedKey> clause of the EncryptedAssertion.
    // Instead of looking the certificate up by SKI, unwrap the session key with
    // the private key of the first X509 token we were handed.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        var token = _tokens[0] as X509SecurityToken;
        var myCert = token.Certificate;
        key = null;
        try
        {
            var ekec = keyIdentifierClause as EncryptedKeyIdentifierClause;
            if (ekec != null)
            {
                switch (ekec.EncryptionMethod)
                {
                    case "http://www.w3.org/2001/04/xmlenc#rsa-1_5":
                    {
                        var encKey = ekec.GetEncryptedKey();
                        var rsa = myCert.PrivateKey as RSACryptoServiceProvider;
                        var decKey = rsa.Decrypt(encKey, false); // false = PKCS#1 v1.5 padding
                        key = new InMemorySymmetricSecurityKey(decKey);
                        return true;
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // Do something here (log ex); fall through and report that no key was resolved.
        }
        // Not an EncryptedKey clause, an unsupported algorithm, or decryption failed:
        // report failure so WIF does not carry on with a null key.
        return false;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        throw new NotImplementedException();
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        throw new NotImplementedException();
    }
}

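Wiring a resolver of this kind into the WIF pipeline, as an added example that is not code from the question or the answer above: the resolver class, its name, the hypothetical Validate helper, the thumbprint placeholders, and the audience and issuer URIs are all assumptions of mine. It assumes .NET Framework 4.6 or later (for GetRSAPrivateKey and RSAEncryptionPadding). Unlike a catch-all resolver it accepts only an explicit allow-list of key-transport algorithms and answers "no key" for anything else or for any decryption failure, since RSA PKCS#1 v1.5 unwrapping of attacker-supplied EncryptedKey values is the classic padding-oracle setting; rsa-1_5 is enabled here only because the page's tokens use it, and should be switched off once the issuer can be moved to RSA-OAEP.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added example (hypothetical class, not the poster's code). Unwraps the <EncryptedKey>
// of an EncryptedAssertion with one known decryption certificate, ignoring whatever
// key identifier (SKI or none) the token carries. Requires .NET Framework 4.6+.
public class LocalCertificateTokenResolver : SecurityTokenResolver
{
    private const string RsaOaep = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    private const string RsaPkcs1 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";

    private readonly X509Certificate2 _decryptionCert;
    private readonly bool _allowPkcs1;

    public LocalCertificateTokenResolver(X509Certificate2 decryptionCert, bool allowPkcs1)
    {
        if (decryptionCert == null) throw new ArgumentNullException("decryptionCert");
        if (!decryptionCert.HasPrivateKey) throw new ArgumentException("certificate has no private key");
        _decryptionCert = decryptionCert;
        _allowPkcs1 = allowPkcs1; // PKCS#1 v1.5 only while the issuer cannot be moved to OAEP
    }

    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = null;
        var ekec = clause as EncryptedKeyIdentifierClause;
        if (ekec == null) return false; // not an <EncryptedKey>: let other resolvers try

        RSAEncryptionPadding padding;
        switch (ekec.EncryptionMethod)
        {
            case RsaOaep: padding = RSAEncryptionPadding.OaepSHA1; break; // mgf1p = MGF1 with SHA-1
            case RsaPkcs1:
                if (!_allowPkcs1) return false;
                padding = RSAEncryptionPadding.Pkcs1;
                break;
            default: return false; // unknown key-transport algorithm: refuse
        }

        try
        {
            using (RSA rsa = _decryptionCert.GetRSAPrivateKey())
            {
                byte[] sessionKey = rsa.Decrypt(ekec.GetEncryptedKey(), padding);
                key = new InMemorySymmetricSecurityKey(sessionKey);
                return true;
            }
        }
        catch (CryptographicException)
        {
            return false; // uniform failure: do not report why unwrapping failed
        }
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    { token = null; return false; }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier identifier, out SecurityToken token)
    { token = null; return false; }
}

public static class Saml2Decryption
{
    // Loads the decryption certificate from LocalMachine\My by thumbprint (caller passes a placeholder).
    public static X509Certificate2 LoadDecryptionCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1) throw new InvalidOperationException("expected exactly one certificate for thumbprint");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Reads and validates an encrypted SAML 2.0 assertion with the custom resolver in place of the SKI lookup.
    public static ReadOnlyCollection<ClaimsIdentity> Validate(string samlXml, X509Certificate2 cert)
    {
        SecurityTokenHandlerCollection handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        SecurityTokenHandlerConfiguration config = handlers.Configuration;

        // Replace the default store-based lookup (which needs the SKI) with our resolver.
        config.ServiceTokenResolver = new LocalCertificateTokenResolver(cert, allowPkcs1: true);

        // Placeholder trust settings: real audience URI and issuer signing thumbprint come from the deployment.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://sp.example.test/"));
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer("ISSUER-SIGNING-CERT-THUMBPRINT-PLACEHOLDER", "https://idp.example.test/");
        config.IssuerNameRegistry = issuers;

        using (var reader = XmlReader.Create(new StringReader(samlXml)))
        {
            SecurityToken token = handlers.ReadToken(reader); // EncryptedAssertion is decrypted via ServiceTokenResolver
            return handlers.ValidateToken(token);             // then signature, issuer, audience and lifetime are checked
        }
    }
}
```

ReadToken is where the EncryptedAssertion is decrypted, so the resolver only ever sees the EncryptedKey clause; everything else about the token (signature, trusted issuer, audience, validity window) is still enforced by ValidateToken through the handler configuration, which is why the issuer registry and audience restriction are set even though this example is about decryption.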

Source: https://habr.com/ru/post/1242935/
