Handling EncryptedAssertion in .NET Core vs. .NET Framework libraries


Handling EncryptedAssertion in .NET Core vs. .NET Framework libraries

doctordoctor
New Member

Group: Forum Members
Posts: 2, Visits: 6
I'm in the process of moving a .NET Framework application using the SAML v2.0 for ASP.NET library to a .NET Core implementation and the licensed .NET Core library.  One of the use cases is decrypting an assertion using a provided certificate (and potentially password), which we don't know ahead of time.  In the .NET Framework version, I have code similar to this:

// .NET Framework (SAML v2.0 for ASP.NET) version of the decryption step
SAMLResponse samlResponse = new SAMLResponse(responseElement);
EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertion();
// Build the RSA private key from the supplied PEM text and password
System.Security.Cryptography.RSA rsa = Utility.ConvertFromPEM(privateCert, password);
XmlElement decryptedAssertionElement = encryptedAssertion.DecryptToXml(rsa);

I don't see a .NET Core equivalent version for DecryptToXml().  I saw another forum post that indicated that you can configure a certificate in a LocalCertificateFile element in saml.config, which I guess we could dynamically create and modify, but it wouldn't be ideal since we don't know the certificate(s) ahead of time and aren't necessarily guaranteed that we'll have write access to the file/directory.

Do you have any suggestions for resolving this issue and/or do you have example code for using EncryptedAssertion? This isn't an ASP.NET application, if that matters.


ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
Normally you wouldn't have to decrypt SAML assertions directly as this is handled by the SAML SSO API.
However, this can be done from your code if required.
XML encryption support is exposed through the ComponentSpace.Saml2.XmlSecurity.IXmlEncryption interface.
IXmlEncryption includes the following method.


/// <summary>
/// Decrypts the XML.
/// </summary>
/// <param name="encryptedElement">The encrypted XML.</param>
/// <param name="encryptedKeyElements">The encrypted keys XML or <c>null</c> if included in the encrypted data.</param>
/// <param name="keyDecryptingKey">The asymmetric key decrypting key.</param>
/// <param name="keyEncryptionAlgorithm">The key encryption algorithm or <c>null</c> if specified in the encrypted key.</param>
/// <param name="dataEncryptionAlgorithm">The data encryption algorithm or <c>null</c> if specified in the encrypted data.</param>
/// <returns>The plaintext XML.</returns>
/// <exception cref="SamlEncryptionException">
/// Thrown if an error occurs during decryption.
/// </exception>
public XmlElement Decrypt(
  XmlElement encryptedElement,
  IEnumerable<XmlElement> encryptedKeyElements,
  AsymmetricAlgorithm keyDecryptingKey,
  string keyEncryptionAlgorithm,
  string dataEncryptionAlgorithm)



The following code demonstrates calling this method.


var serviceCollection = new ServiceCollection();

serviceCollection.AddLogging();
serviceCollection.AddSaml();

var serviceProvider = serviceCollection.BuildServiceProvider();
var xmlEncryption = serviceProvider.GetService<IXmlEncryption>();

var samlAssertionElement = xmlEncryption.Decrypt(
  encryptedAssertion.EncryptedData,
  encryptedAssertion.EncryptedKeys,
  x509Certificate.GetRSAPrivateKey(),
  "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
  "http://www.w3.org/2001/04/xmlenc#aes256-cbc");




Regards
ComponentSpace Development
doctordoctor
New Member

Group: Forum Members
Posts: 2, Visits: 6

Thank you for your rapid response!  

I was able to get the above code working with the addition of a 3rd party package (https://www.nuget.org/packages/OpenSSL.PrivateKeyDecoder/) as follows:


var serviceCollection = new ServiceCollection();
serviceCollection.AddLogging();
serviceCollection.AddSaml();

// Wrap the password as a SecureString for the decoder
System.Security.SecureString ss = new System.Net.NetworkCredential("", password).SecurePassword;
var decoder = new OpenSSL.PrivateKeyDecoder.OpenSSLPrivateKeyDecoder();
RSA rsa = RSA.Create(decoder.DecodeParameters(pem, ss));

IXmlEncryption xmlEncryption = serviceCollection.BuildServiceProvider().GetService<IXmlEncryption>();
// Passing null for both algorithms takes them from the encrypted key / encrypted data
XmlElement decryptedAssertionElement = xmlEncryption.Decrypt(
    encryptedAssertion.EncryptedData,
    encryptedAssertion.EncryptedKeys,
    rsa, null, null);


where pem is a PKCS#8 format RSA private key. Is there equivalent functionality in the ComponentSpace code to obtain an AsymmetricAlgorithm object from a PKCS#8 or other format certificates?



ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
We support the formats supported by the underlying Windows APIs. We don't include code to convert from/to other formats.
Normally we suggest using the openssl command line utility to convert between the various formats.
https://www.sslshopper.com/article-most-common-openssl-commands.html


Regards
ComponentSpace Development
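One way to load the PKCS#8 key with the RSA importers built into .NET 5 and later, instead of the third-party decoder, and then hand it to IXmlEncryption.Decrypt as shown earlier in the thread; this is an added example, not code from the thread or from ComponentSpace, and it assumes the AddSaml() registration and the EncryptedData/EncryptedKeys properties exactly as they appear in the posts above.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Xml;
using ComponentSpace.Saml2.XmlSecurity;
using Microsoft.Extensions.DependencyInjection;
// AddSaml() is the ComponentSpace registration extension used in the thread;
// add the using directive your project already uses for it.
public static class AssertionDecryptor
{
    // Loads an RSA private key from PKCS#8 PEM text with .NET's own importers
    // (RSA.ImportFromEncryptedPem / RSA.ImportFromPem, .NET 5 and later).
    // The password is only needed for an "ENCRYPTED PRIVATE KEY" block.
    public static RSA LoadPkcs8Pem(string pem, string password)
    {
        var rsa = RSA.Create();
        try
        {
            if (pem.Contains("ENCRYPTED PRIVATE KEY"))
                rsa.ImportFromEncryptedPem(pem, password ?? string.Empty);
            else
                rsa.ImportFromPem(pem);
            return rsa;
        }
        catch
        {
            rsa.Dispose(); // do not leak a half-imported key on failure
            throw;
        }
    }

    // Decrypts the assertion. The algorithm URIs are pinned to what this SP
    // expects instead of passing null, so they are not simply taken from
    // whatever the incoming XML names.
    public static XmlElement DecryptAssertion(
        XmlElement encryptedData,              // encryptedAssertion.EncryptedData
        IEnumerable<XmlElement> encryptedKeys, // encryptedAssertion.EncryptedKeys
        RSA privateKey)
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddSaml();
        using var provider = services.BuildServiceProvider();
        var xmlEncryption = provider.GetRequiredService<IXmlEncryption>();
        return xmlEncryption.Decrypt(
            encryptedData,
            encryptedKeys,
            privateKey,
            "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
            "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
    }
}
```

On .NET Core 3.x, which lacks the PEM importers, strip the PEM armour and call RSA.ImportPkcs8PrivateKey or ImportEncryptedPkcs8PrivateKey on the DER bytes instead.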