Red*_*ed1 1 model-view-controller wif saml-2.0
I am processing SAML2 tokens in WIF that contain an EncryptedAssertion. The token does not carry the "Subject Key Identifier" extension attribute, so the WIF SecurityTokenHandler fails when it tries to fetch the correct X509 certificate from LocalMachineStore/Personal.
The problem is obvious: the certificate used to encrypt the token does not contain the SKI extension, and of course the token-generation code (Java) does not seem to need it. To avoid modifying the generation code, is there a way to make the WIF SecurityTokenResolver skip checking the SKI of the received token and simply use the local store certificate to decrypt the token?
In the end I just implemented a custom SecurityTokenResolver and overrode the TryResolveSecurityKeyCore method.
Here is the code:
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

public class mySaml2SSOSecurityTokenResolver : SecurityTokenResolver
{
    // Tokens wrapping the certificates whose private keys may decrypt the assertion.
    private readonly List<SecurityToken> _tokens;

    public mySaml2SSOSecurityTokenResolver(List<SecurityToken> tokens)
    {
        _tokens = tokens;
    }

    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        key = null;

        // Ignore the key identifier carried in the token (it has no SKI) and
        // always decrypt with the first configured certificate.
        var token = _tokens[0] as X509SecurityToken;
        if (token == null)
        {
            return false;
        }
        var myCert = token.Certificate;

        var ekec = keyIdentifierClause as EncryptedKeyIdentifierClause;
        if (ekec == null)
        {
            return false;
        }

        try
        {
            switch (ekec.EncryptionMethod)
            {
                case "http://www.w3.org/2001/04/xmlenc#rsa-1_5":
                {
                    var encKey = ekec.GetEncryptedKey();
                    var rsa = myCert.PrivateKey as RSACryptoServiceProvider;
                    if (rsa == null)
                    {
                        return false;
                    }
                    // PKCS#1 v1.5 padding, matching the EncryptionMethod above.
                    var decKey = rsa.Decrypt(encKey, false);
                    key = new InMemorySymmetricSecurityKey(decKey);
                    return true;
                }
                default:
                    // Unsupported key-transport algorithm: let the handler reject the token.
                    return false;
            }
        }
        catch (CryptographicException)
        {
            // Decryption failed; report no key so the handler treats the token as invalid.
            return false;
        }
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        throw new NotImplementedException();
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        throw new NotImplementedException();
    }
}
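Added example (not part of the original answer) showing how a resolver like the one above can be wired into a Saml2SecurityTokenHandler, with the decryption certificate loaded from LocalMachine/Personal by thumbprint instead of being matched through the missing SKI. It assumes the .NET 4.5 System.IdentityModel namespaces, the class name mySaml2SSOSecurityTokenResolver from the answer, and a placeholder thumbprint supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

public static class Saml2DecryptionSetup
{
    // Pin the decryption certificate by thumbprint (placeholder value passed in by the caller),
    // so the resolver never depends on a Subject Key Identifier being present in the token.
    public static X509Certificate2 LoadDecryptionCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1 || !found[0].HasPrivateKey)
            {
                throw new InvalidOperationException("Decryption certificate not found or has no private key.");
            }
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // ServiceTokenResolver is what the handler consults to unwrap the EncryptedKey
    // inside an EncryptedAssertion; the custom resolver from the answer goes here.
    public static Saml2SecurityTokenHandler CreateHandler(X509Certificate2 decryptionCert)
    {
        var tokens = new List<SecurityToken> { new X509SecurityToken(decryptionCert) };
        var handler = new Saml2SecurityTokenHandler();
        var config = new SecurityTokenHandlerConfiguration();
        config.ServiceTokenResolver = new mySaml2SSOSecurityTokenResolver(tokens);
        handler.Configuration = config;
        return handler;
    }

    // Parses (and decrypts) the assertion; signature, issuer and audience checks
    // still happen separately in handler.ValidateToken with a configured IssuerNameRegistry.
    public static SecurityToken ReadAssertion(Saml2SecurityTokenHandler handler, string assertionXml)
    {
        using (var reader = XmlReader.Create(new StringReader(assertionXml)))
        {
            return handler.ReadToken(reader);
        }
    }
}
```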