
Right now I am completely stuck on how to generate KeyInfo from my cert and get it into the SAML schema classes. My internet searches have been pretty much fruitless. I am not using any 3rd party components, nor will I be able to. I need to do this in straight C#, no WIF either, using the available cryptographic .NET classes. I am trying to adapt my working SSO Identity Provider codebase to one that also supports Assertion Encryption. Can anyone point me to some resources that explain how to go about doing this?

I need to generate the following portion of a SAML2 token:

<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data>
                        <X509Certificate>
                            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
                        </X509Certificate>
                    </X509Data>
                </KeyInfo>
                <CipherData>
                    <CipherValue>
                        PVKYYTNGIjuYQCCTyS4LriEyIq1njqotkyJvmoO+WvQSc34plBcfUvGS/zDoKj329528gwctTikXxsCPXJJvISdFdew/t+qIVISnob5TzxSjmhlWJVHOzhx2UAbfqxvVkpCPIJr2uskYzRdeHez77g1UZe82BTGGG9S2SXZI9fM=
                    </CipherValue>
                </CipherData>
            </EncryptedKey>
        </KeyInfo>
        <CipherData>
            <CipherValue>
                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
            </CipherValue>
        </CipherData>
    </EncryptedData>
</saml:EncryptedAssertion>

And so far I have gotten to this point:

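                // Build the <saml:EncryptedAssertion> wrapper around an xenc:EncryptedData element.
                // Algorithm URIs mirror the target XML: AES-128-CBC for the assertion body and
                // RSA-1.5 (PKCS#1 v1.5) key transport for the wrapped session key.
                EncryptedElementType encryptedAssertion = new EncryptedElementType();

                EncryptedDataType encryptedData = new EncryptedDataType();
                encryptedData.Type = "http://www.w3.org/2001/04/xmlenc#Element";

                EncryptionMethodType encryptionMethod = new EncryptionMethodType();
                encryptionMethod.Algorithm = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

                KeyInfoType keyInfoRoot = new KeyInfoType();

                // The encryption certificate belongs to the recipient: only the holder of its private
                // key can unwrap the session key. Reuse the signing certificate only when the caller
                // selected the same certificate for both roles.
                X509Certificate2 encryptingCert = findValueSigning.ToString() == findValueEncryption.ToString()
                    ? signingCert
                    : GetCertBySerialNumber(storeLocation, storeName, findType, findValueEncryption);

                // Key-transport method for the <EncryptedKey>, as in the target XML.
                // NOTE(review): rsa-1_5 is deprecated by XML Encryption 1.1 because of PKCS#1 v1.5
                // padding-oracle weaknesses; prefer http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
                // if the relying party accepts it.
                EncryptionMethodType keyTransportMethod = new EncryptionMethodType();
                keyTransportMethod.Algorithm = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";

                EncryptedKeyType encryptedKey = new EncryptedKeyType();
                encryptedKey.EncryptionMethod = keyTransportMethod;

                // System.Security.Cryptography.Xml.KeyInfo is NOT the xsd-generated KeyInfoType and the
                // two cannot be assigned to each other. keyData.GetXml() yields the <ds:X509Data>
                // element whose <X509Certificate> is the base64 of encryptingCert.RawData; that value
                // still has to be copied into encryptedKey.KeyInfo.
                // TODO(review): confirm which KeyInfoType / X509DataType members the generated
                // classes expose for the X509Certificate entry.
                KeyInfo keyInfo = new KeyInfo();
                KeyInfoX509Data keyData = new KeyInfoX509Data(encryptingCert);
                keyInfo.AddClause(keyData);

                // Attach the EncryptedKey; without it the outer KeyInfo serialises empty and the
                // recipient has no wrapped session key. (The earlier commented-out line was missing
                // `new`.) TODO(review): confirm the generated KeyInfoType carries xenc:EncryptedKey
                // in Items rather than in an Any member.
                keyInfoRoot.Items = new object[] { encryptedKey };

                // CipherData for both EncryptedKey (RSA-wrapped AES key) and EncryptedData
                // (AES-CBC ciphertext of the assertion) is not populated yet.
                encryptedData.EncryptionMethod = encryptionMethod;
                encryptedData.KeyInfo = keyInfoRoot;
                encryptedAssertion.EncryptedData = encryptedData;

                response.Items = new EncryptedElementType[] { encryptedAssertion };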
JCleveland
    I am using a commercial lib for doing that, so I can't give you any advice on your current code. What I can do is point you to the following code: https://saml2.codeplex.com/SourceControl/latest#src/SAML2/Saml20EncryptedAssertion.cs which is from an open source SAML 2.0 implementation written in .NET. Maybe it helps. – Martijn B Nov 12 '13 at 15:52
  • There is another SO post here https://stackoverflow.com/questions/29279947/create-saml-2-0-response-with-signed-and-encrypted-assertion-using-c-sharp about the same topic. Please have a look to see if that helps – dotnetdev_2009 Oct 14 '17 at 11:48
