【问题标题】:How to disable Subject Key Identifier in SecurityTokenResolver如何在 SecurityTokenResolver 中禁用主题密钥标识符
【发布时间】:2012-08-06 10:02:31
【问题描述】:

我正在 WIF 中处理包含 EncryptedAssertion 的 SAML2 令牌。标记不包含“主题标识符密钥”扩展属性,因此 WIF SecurityTokenHandler 在尝试从 LocalMachineStore/Personal 获取正确的 X509 证书时失败。

问题显然是用于加密令牌的证书不包含 SKI 扩展,当然令牌生成代码 (Java) 似乎并不需要它。为了避免修改生成代码,有没有一种方法可以让 WIF SecuityTokenResolver 不检查收到的 SKI 令牌,而直接使用本地存储证书来解密令牌?

【问题讨论】:

    标签: model-view-controller wif saml-2.0


    【解决方案1】:

    最后我只是实现了一个自定义的 SecurityTokenResolver 并实现了 TryResolveSecurityKeyCore 方法。

    代码如下:

    public class mySaml2SSOSecurityTokenResolver : SecurityTokenResolver
    {
        List<SecurityToken> _tokens;
    
        public PortalSSOSecurityTokenResolver(List<SecurityToken> tokens)
        {
            _tokens = tokens;
        }
        protected override bool TryResolveSecurityKeyCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause, out System.IdentityModel.Tokens.SecurityKey key)
        {
            var token = _tokens[0] as X509SecurityToken;
    
            var myCert = token.Certificate;
    
            key = null;
    
            try
            {
    
                var ekec = keyIdentifierClause as EncryptedKeyIdentifierClause;
    
                if (ekec != null)
                {
    
                    switch (ekec.EncryptionMethod)
                    {
    
                        case "http://www.w3.org/2001/04/xmlenc#rsa-1_5":
                            {
                                var encKey = ekec.GetEncryptedKey();
    
                                var rsa = myCert.PrivateKey as RSACryptoServiceProvider;
    
                                var decKey = rsa.Decrypt(encKey, false);
    
                                key = new InMemorySymmetricSecurityKey(decKey);
    
                                return true;
    
                            }
    
                    }
    
                    var data = ekec.GetEncryptedKey();
    
                    var id = ekec.EncryptingKeyIdentifier;
    
                }
    
            }
    
            catch (Exception ex)
            {
               // Do something here            }
    
                return true;
    
        }
    
        protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause, out System.IdentityModel.Tokens.SecurityToken token)
        {
            throw new NotImplementedException();
        }
    
        protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifier keyIdentifier, out System.IdentityModel.Tokens.SecurityToken token)
        {
            throw new NotImplementedException();
        }
    }
    

    }

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2020-05-20
      • 2017-01-05
      • 1970-01-01
      • 1970-01-01
      • 2014-02-06
      • 1970-01-01
      相关资源
      最近更新 更多