1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
|
//-----------------------------------------------------------------------
// <copyright file="TokenUtility.cs" company="Microsoft Corporation">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
// <license>
// Microsoft Public License (Ms-PL).
// See http://www.microsoft.com/opensource/licenses.mspx#Ms-PL
// </license>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.InfoCard {
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics.CodeAnalysis;
using System.Diagnostics.Contracts;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Security.Principal;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;
using DotNetOpenAuth.Messaging;
/// <summary>
/// Tools for reading InfoCard tokens.
/// </summary>
internal static class TokenUtility {
/// <summary>
/// Gets the maximum amount the token can be out of sync with time.
/// </summary>
internal static TimeSpan MaximumClockSkew {
get { return DotNetOpenAuth.Configuration.DotNetOpenAuthSection.Messaging.MaximumClockSkew; }
}
/// <summary>
/// Token Authentication. Translates the decrypted data into a AuthContext.
/// </summary>
/// <param name="reader">The token XML reader.</param>
/// <param name="audience">The audience that the token must be scoped for.
/// Use <c>null</c> to indicate any audience is acceptable.</param>
/// <returns>
/// The authorization context carried by the token.
/// </returns>
internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience) {
Contract.Ensures(Contract.Result<AuthorizationContext>() != null);
// Extensibility Point:
// in order to accept different token types, you would need to add additional
// code to create an authenticationcontext from the security token.
// This code only supports SamlSecurityToken objects.
SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;
if (null == token) {
throw new InformationCardException("Unable to read security token");
}
if (null != token.SecurityKeys && token.SecurityKeys.Count > 0) {
throw new InformationCardException("Token Security Keys Exist");
}
if (audience == null) {
Logger.InfoCard.Warn("SAML token Audience checking will be skipped.");
} else {
if (token.Assertion.Conditions != null &&
token.Assertion.Conditions.Conditions != null) {
foreach (SamlCondition condition in token.Assertion.Conditions.Conditions) {
SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition;
if (audienceCondition != null) {
Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred());
bool match = audienceCondition.Audiences.Contains(audience);
if (!match && Logger.InfoCard.IsErrorEnabled) {
Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred());
}
// The token is invalid if any condition is not valid.
// An audience restriction condition is valid if any audience
// matches the Relying Party.
InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch);
}
}
}
}
var samlAuthenticator = new SamlSecurityTokenAuthenticator(
new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator(),
}),
MaximumClockSkew);
if (audience != null) {
samlAuthenticator.AllowedAudienceUris.Add(audience.AbsoluteUri);
}
return AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token));
}
/// <summary>
/// Translates claims to strings
/// </summary>
/// <param name="claim">Claim to translate to a string</param>
/// <returns>The string representation of a claim's value.</returns>
[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "False positive.")]
internal static string GetResourceValue(Claim claim) {
string strClaim = claim.Resource as string;
if (!string.IsNullOrEmpty(strClaim)) {
return strClaim;
}
IdentityReference reference = claim.Resource as IdentityReference;
if (null != reference) {
return reference.Value;
}
ICspAsymmetricAlgorithm rsa = claim.Resource as ICspAsymmetricAlgorithm;
if (null != rsa) {
using (SHA256 sha = new SHA256Managed()) {
return Convert.ToBase64String(sha.ComputeHash(rsa.ExportCspBlob(false)));
}
}
MailAddress mail = claim.Resource as MailAddress;
if (null != mail) {
return mail.ToString();
}
byte[] bufferValue = claim.Resource as byte[];
if (null != bufferValue) {
return Convert.ToBase64String(bufferValue);
}
return claim.Resource.ToString();
}
/// <summary>
/// Generates a UniqueID based off the Issuer's key
/// </summary>
/// <param name="authzContext">the Authorization Context</param>
/// <returns>the hash of the internal key of the issuer</returns>
internal static string GetIssuerPubKeyHash(AuthorizationContext authzContext) {
foreach (ClaimSet cs in authzContext.ClaimSets) {
Claim currentIssuerClaim = GetUniqueRsaClaim(cs.Issuer);
if (currentIssuerClaim != null) {
RSA rsa = currentIssuerClaim.Resource as RSA;
if (null == rsa) {
return null;
}
return ComputeCombinedId(rsa, string.Empty);
}
}
return null;
}
/// <summary>
/// Generates a UniqueID based off the Issuer's key and the PPID.
/// </summary>
/// <param name="authzContext">The Authorization Context</param>
/// <returns>A unique ID for this user at this web site.</returns>
internal static string GetUniqueName(AuthorizationContext authzContext) {
Requires.NotNull(authzContext, "authzContext");
Claim uniqueIssuerClaim = null;
Claim uniqueUserClaim = null;
foreach (ClaimSet cs in authzContext.ClaimSets) {
Claim currentIssuerClaim = GetUniqueRsaClaim(cs.Issuer);
foreach (Claim c in cs.FindClaims(ClaimTypes.PPID, Rights.PossessProperty)) {
if (null == currentIssuerClaim) {
// Found a claim in a ClaimSet with no RSA issuer.
return null;
}
if (null == uniqueUserClaim) {
uniqueUserClaim = c;
uniqueIssuerClaim = currentIssuerClaim;
} else if (!uniqueIssuerClaim.Equals(currentIssuerClaim)) {
// Found two of the desired claims with different
// issuers. No unique name.
return null;
} else if (!uniqueUserClaim.Equals(c)) {
// Found two of the desired claims with different
// values. No unique name.
return null;
}
}
}
// No claim of the desired type was found
if (null == uniqueUserClaim) {
return null;
}
// Unexpected resource type
string claimValue = uniqueUserClaim.Resource as string;
if (null == claimValue) {
return null;
}
// Unexpected resource type for RSA
RSA rsa = uniqueIssuerClaim.Resource as RSA;
if (null == rsa) {
return null;
}
return ComputeCombinedId(rsa, claimValue);
}
/// <summary>
/// Generates the Site Specific ID to match the one in the Identity Selector.
/// </summary>
/// <value>The ID displayed by the Identity Selector.</value>
/// <param name="ppid">The personal private identifier.</param>
/// <returns>A string containing the XXX-XXXX-XXX cosmetic value.</returns>
[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "False positive.")]
internal static string CalculateSiteSpecificID(string ppid) {
Requires.NotNull(ppid, "ppid");
Contract.Ensures(!string.IsNullOrEmpty(Contract.Result<string>()));
int callSignChars = 10;
char[] charMap = "QL23456789ABCDEFGHJKMNPRSTUVWXYZ".ToCharArray();
int charMapLength = charMap.Length;
byte[] raw = Convert.FromBase64String(ppid);
using (HashAlgorithm hasher = SHA1.Create()) {
raw = hasher.ComputeHash(raw);
}
StringBuilder callSign = new StringBuilder();
for (int i = 0; i < callSignChars; i++) {
// after char 3 and char 7, place a dash
if (i == 3 || i == 7) {
callSign.Append('-');
}
callSign.Append(charMap[raw[i] % charMapLength]);
}
return callSign.ToString();
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
private static Claim GetUniqueRsaClaim(ClaimSet cs) {
Requires.NotNull(cs, "cs");
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty)) {
if (null == rsa) {
rsa = c;
} else if (!rsa.Equals(c)) {
// Found two non-equal RSA claims
return null;
}
}
return rsa;
}
/// <summary>
/// Does the actual calculation of a combined ID from a value and an RSA key.
/// </summary>
/// <param name="issuerKey">The key of the issuer of the token</param>
/// <param name="claimValue">the claim value to hash with.</param>
/// <returns>A base64 representation of the combined ID.</returns>
[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "False positive.")]
private static string ComputeCombinedId(RSA issuerKey, string claimValue) {
Requires.NotNull(issuerKey, "issuerKey");
Requires.NotNull(claimValue, "claimValue");
Contract.Ensures(Contract.Result<string>() != null);
int nameLength = Encoding.UTF8.GetByteCount(claimValue);
RSAParameters rsaParams = issuerKey.ExportParameters(false);
byte[] shaInput;
byte[] shaOutput;
int i = 0;
shaInput = new byte[rsaParams.Modulus.Length + rsaParams.Exponent.Length + nameLength];
rsaParams.Modulus.CopyTo(shaInput, i);
i += rsaParams.Modulus.Length;
rsaParams.Exponent.CopyTo(shaInput, i);
i += rsaParams.Exponent.Length;
i += Encoding.UTF8.GetBytes(claimValue, 0, claimValue.Length, shaInput, i);
using (SHA256 sha = SHA256.Create()) {
shaOutput = sha.ComputeHash(shaInput);
}
return Convert.ToBase64String(shaOutput);
}
}
}
|
