使用证书加密数据时,如何让 WIF 使用 RSA15? [英] How do I make WIF use RSA15 when encrypting data using a certificate?
问题描述
我一直在研究 WCF 服务,该服务将返回 Base64 编码的字符串,实际上,它是一个完整的 SAML 响应 XML 文档.由于此信息将移交给供应商,因此我必须满足他们对 SAML 文档的外观和编码方式的要求.我无法获得满足他们要求的输出.
I have been working on a WCF service which will return a Base64 encoded string which is, in reality, a full SAML response XML document. Because this information will be handed off to a vendor, I have to meet their requirements for how the SAML document will look and be encoded. I am having trouble getting an output which meets their requirements.
我知道 WCF 和 WIF 一起应该可以帮助我.我最初使用 WIF 构建服务来创建 SAML 断言(令牌)和其他 C# 代码来生成最终的 SAML 文档.所有这些都有效并满足供应商的要求,除了 <EncryptedData>文档的节点.本节使用 AES256 和 RSAOAEP,但供应商需要 AES128 和 RSA15.因此,我正在寻找解决方案.任何帮助将不胜感激.
I know WCF and WIF together should help me. I originally built the service using WIF to create the SAML Assertions (token) and other C# code to generate the final SAML document. All of this works and meets the vendor's requirements except for the <EncryptedData> node of the document. This section uses AES256 and RSAOAEP but the vendor wants AES128 and RSA15. Thus, I am hunting for a resolution. Any help would be greatly appreciated.
这是一个步行.
该服务接受一个 GUID,用于调用数据库和返回字段.然后像这样使用它们:
The service takes in a GUID which is used to call the database and return fields. These are then used like so:
DataTable userData = GetDataForUser(userId);
List<Claim> claims = new List<Claim>()
{
new Claim("ClientId", "NameOfClient")
};
foreach (DataRow row in userData.Rows)
{
string memberId = row["MemberId"].ToString().Trim();
string firstName = row["FirstName"].ToString().Trim();
string lastName = row["LastName"].ToString().Trim();
DateTime dob = Convert.ToDateTime(row["DateOfBirth"], CultureInfo.InvariantCulture);
claims.Add(new Claim("MemberId", memberId));
claims.Add(new Claim("FirstName", firstName));
claims.Add(new Claim("LastName", lastName));
claims.Add(new Claim("DOB", dob.ToString("MM/dd/yyyy")));
}
return claims;
然后我像这样创建一个 SecurityTokenDescriptor:
I then create a SecurityTokenDescriptor like this:
SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor();
声明被添加到描述符中,如下所示:
The claims are added to the descriptor like so:
descriptor.Subject = new ClaimsIdentity(claims);
指示描述符像这样加密令牌:
The descriptor is instructed to encrypt the token like this:
descriptor.EncryptingCredentials = GetEncryptingCredentials();
GetEncryptingCredentials() 例程如下所示:
and the GetEncryptingCredentials() routine looks like this:
private EncryptedKeyEncryptingCredentials GetEncryptingCredentials()
{
// Get the Encrypting Certificate
X509Certificate2 encryptCert = CertificateHelper.FindSingleCertificate(StoreName.TrustedPeople, StoreLocation.LocalMachine, X509FindType.FindBySubjectDistinguishedName, "<<certificate stuff here >>", true);
EncryptedKeyEncryptingCredentials encryptingCreds = new EncryptedKeyEncryptingCredentials(encryptCert);
return encryptingCreds;
}
所有这些都会生成一个令牌,当写入文件时会给我这个:
All of this generates a token which, when written to a file gives me this:
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Id="_16584ace-9f3e-4352-9fc9-f6db8b2e925c" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName><!-- value --></X509IssuerName>
<X509SerialNumber><!-- value --></X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- value -->CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData><xenc:CipherValue><!-- value --></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
很好,对吧?不.供应商需要<EncryptedData>部分具有以下子节点:
Great, right? Nope. The vendor needs the <EncryptedData> section to have the following child node:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
他们需要
And they need the <KeyInfo><EncryptedKey> section to show this:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
我在 GetEncryptingCredentials() 例程中尝试了我能想到的所有组合.没有任何事情产生预期的结果.我收到的最有希望的错误消息如下所示:
I have tried every combination I can think of within the GetEncryptingCredentials() routine. Nothing has produced the desired results. The most promising error message I receive looks like this:
ID4178:加密凭证中提供的SecurityTokenDescriptor 用于非对称密钥.您必须使用EncryptedKeyEncryptingCredentials 到加密令牌.
ID4178: The EncryptingCredentials provided in the SecurityTokenDescriptor is for an asymmetric key. You must use an EncryptedKeyEncryptingCredentials to encrypt the token.
有人有什么建议吗?不要害怕告诉我重新开始.没关系.我只需要让它工作.
Anyone have a suggestion? Don't be afraid to tell me to start all over. That's all right. I just need to get this to work.
提前致谢.
推荐答案
我找到了一个有效的解决方案.至少,它会根据我的需要生成 XML,并且供应商表示他们可以使用我发送给他们的内容.
I found a solution which works. At least, it generates the XML as I need it to and the vendor has said they are able to use what I am sending them.
我稍微重写了 GetEncryptingCredentials() 例程.现在看起来像这样:
I rewrote the GetEncryptingCredentials() routine slightly. It now looks like this:
private EncryptingCredentials GetEncryptingCredentials()
{
string keyWrapAlgorithm = SecurityAlgorithms.RsaV15KeyWrap; //"http://www.w3.org/2001/04/xmlenc#aes256-cbc";
string encryptionAlgorithm = SecurityAlgorithms.Aes128Encryption; //"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
int keySize = 128;
X509Certificate2 encryptCert = CertificateHelper.FindSingleCertificate(StoreName.TrustedPeople, StoreLocation.LocalMachine, X509FindType.FindBySubjectDistinguishedName, _settings.EncryptingCredentials, true);
EncryptingCredentials encryptingCredentials = new EncryptedKeyEncryptingCredentials(encryptCert, keyWrapAlgorithm, keySize, encryptionAlgorithm);
return encryptingCredentials;
}
只是想我会让每个人都知道并结束这个循环.
Just thought I would let everyone know and close the loop on this.
这篇关于使用证书加密数据时,如何让 WIF 使用 RSA15?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!