WIF RSA-unwrapping the proof-key estaliblished between a WCF client and STS handling symmetric keytypes


Our STS produces in the RSTR as cleartext SAML (signed) assertion within which is a subject field with an per-recipient token – an RSA-wrapped DES key. The WIF code below, in part #2, acting as the intended-recipient computes the DES key. Of course, it basically unwraps the RSA-encryption of the key, using an key-unwrapping primitive.

{
    string baseUri = "https://me:44305/FederationSample/HomeRealmSTS/STS.svc";

    //Limited edition of WSTrustClient:)
    IssuedSecurityTokenProvider provider = new IssuedSecurityTokenProvider();
    provider.SecurityTokenSerializer = new WSSecurityTokenSerializer();

    //Relying Party's identifier
    provider.TargetAddress = new EndpointAddress(new Uri("https://me:44303/FederationSample/BookStoreService/store.svc"));
    provider.IssuerAddress = new EndpointAddress(new Uri(baseUri));

    provider.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
    provider.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

    HttpsTransportBindingElement tbe = new HttpsTransportBindingElement();
    tbe.AuthenticationScheme = AuthenticationSchemes.Negotiate;

    CustomBinding stsBinding = new CustomBinding(tbe);
    provider.IssuerBinding = stsBinding;

    provider.Open();
    //Request a token from ADFS STS
    SecurityToken issuedToken = provider.GetToken(TimeSpan.FromSeconds(30));
    var samlt = issuedToken as GenericXmlSecurityToken;


///  part #2

    var certHome = LookupCertificate(ServiceConstants.CertStoreName, ServiceConstants.CertStoreLocation, "CN=HomeRealmSTS.com");
    var certBook = LookupCertificate(ServiceConstants.CertStoreName, ServiceConstants.CertStoreLocation, "CN=BookStoreSTS.com");

      
    SecurityTokenHandlerCollection collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
     
    List<SecurityToken> l = new List<SecurityToken>();
    l.Add(new X509SecurityToken(certHome));
    l.Add(new X509SecurityToken(certBook));

    SecurityTokenResolver AcsIssuerResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(l.AsReadOnly(), false);
    collection.Configuration.IssuerTokenResolver = AcsIssuerResolver;
    collection.Configuration.ServiceTokenResolver = AcsIssuerResolver;

    collection.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;

    IClaimsIdentity claimsIdentity = null;
    using (var reader = XmlReader.Create(new StringReader(samlt.TokenXml.OuterXml)))
    {
        SamlSecurityToken samltoken = collection.ReadToken(reader) as SamlSecurityToken;

        var sk = samltoken.SecurityKeys.First();
        var proofKey2 = (sk as InMemorySymmetricSecurityKey).GetSymmetricKey();
        var bprime = "";
        using (HMACSHA256 hmac = new HMACSHA256(proofKey2))
        {
            byte[] signatureBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(samlt.TokenXml.OuterXml));

            bprime = Convert.ToBase64String(signatureBytes);
        }
    }
}
Advertisements

About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in coding theory. Bookmark the permalink.