Handling EncryptedAssertion in .NET Core vs. .NET Framework libraries

I’m in the process of moving a .NET Framework application using the SAML v2.0 for ASP.NET library to a .NET Core implementation and the licensed .NET Core library. One of the use cases is decrypting an assertion using a provided certificate (and potentially password), which we don’t know ahead of time. In the .NET Framework version, I have code similar to this:

SAMLResponse samlResponse = new SAMLResponse(responseElement);
EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertion();
System.Security.Cryptography.RSA rsa = Utility.ConvertFromPEM(privateCert, password);
XmlElement decryptedAssertionElement = encryptedAssertion.DecryptToXml(rsa);

I don’t see a .NET Core equivalent version for DecryptToXml(). I saw another forum post that indicated that you can configure a certificate in a LocalCertificateFile element in saml.config, which I guess we could dynamically create and modify, but it wouldn’t be ideal since we don’t know the certificate(s) ahead of time and aren’t necessarily guaranteed that we’ll have write access to the file/directory.

Do you have any suggestions for resolving this issue and/or do you have example code for using EncryptedAssertion? This isn’t an ASP.NET application, if that matters.

Normally you wouldn’t have to decrypt SAML assertions directly as this is handled by the SAML SSO API.
However, this can be done from your code if required.
XML encryption support is exposed through the ComponentSpace.Saml2.XmlSecurity.IXmlEncryption interface.
IXmlEncryption includes the following method.


/// <summary>
/// Decrypts the XML.
/// </summary>
/// <param name="encryptedElement">The encrypted XML.</param>
/// <param name="encryptedKeyElements">The encrypted keys XML or null if included in the encrypted data.</param>
/// <param name="keyDecryptingKey">The asymmetric key decrypting key.</param>
/// <param name="keyEncryptionAlgorithm">The key encryption algorithm or null if specified in the encrypted key.</param>
/// <param name="dataEncryptionAlgorithm">The data encryption algorithm or null if specified in the encrypted data.</param>
/// <returns>The plaintext XML.</returns>
/// <exception>Thrown if an error occurs during decryption.</exception>
public XmlElement Decrypt(
    XmlElement encryptedElement,
    IEnumerable<XmlElement> encryptedKeyElements,
    AsymmetricAlgorithm keyDecryptingKey,
    string keyEncryptionAlgorithm,
    string dataEncryptionAlgorithm)

The following code demonstrates calling this method.

var serviceCollection = new ServiceCollection();

// Registers the SAML services, including IXmlEncryption (assumed registration call;
// the original line was lost in extraction).
serviceCollection.AddSaml();

var serviceProvider = serviceCollection.BuildServiceProvider();
var xmlEncryption = serviceProvider.GetService<IXmlEncryption>();

var samlAssertionElement = xmlEncryption.Decrypt(
    encryptedElement,      // the encrypted XML (assumed variable name)
    null,                  // encrypted keys: null when they are included in the encrypted data
    rsa,                   // the RSA private key that unwraps the data encryption key (assumed variable name)
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
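The following is an added example, not ComponentSpace code, that shows the XML Encryption processing behind the Decrypt method's parameters using the .NET EncryptedXml class (the System.Security.Cryptography.Xml NuGet package on .NET Core). A constructed sample assertion is encrypted with AES-256-CBC, the AES key is wrapped with RSA-OAEP and placed inside the EncryptedData (the "null encrypted keys" case), and the result is decrypted again with the private key. The key name "sp-encryption-key" and the sample assertion contents are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not ComponentSpace code): round-trips a SAML assertion through
// XML Encryption with the .NET EncryptedXml class.
public static class EncryptedAssertionDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Name under which the decrypting side registers its private key (assumed value).
    const string KeyName = "sp-encryption-key";

    // Constructed sample: a minimal, unsigned assertion to encrypt.
    static XmlDocument BuildSampleAssertion()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<saml:Assertion xmlns:saml=\"" + SamlNs + "\" ID=\"_sample\" Version=\"2.0\">" +
            "<saml:Issuer>https://idp.example.test</saml:Issuer>" +
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>" +
            "</saml:Assertion>");
        return doc;
    }

    // Encrypts the sample assertion for the holder of rsaPublic, as an IdP would,
    // and wraps the result in <saml:EncryptedAssertion>.
    public static XmlDocument Encrypt(RSA rsaPublic)
    {
        XmlDocument doc = BuildSampleAssertion();
        XmlElement assertion = doc.DocumentElement;

        using Aes aes = Aes.Create();
        aes.KeySize = 256;
        aes.Mode = CipherMode.CBC; // http://www.w3.org/2001/04/xmlenc#aes256-cbc

        var encryptedXml = new EncryptedXml();
        // false = encrypt the whole element, not just its content; the IV is prepended to the ciphertext.
        byte[] cipherText = encryptedXml.EncryptData(assertion, aes, false);

        // Key transport: wrap the AES key with RSA-OAEP (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p).
        var encryptedKey = new EncryptedKey
        {
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl),
            CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, rsaPublic, true))
        };
        encryptedKey.KeyInfo.AddClause(new KeyInfoName(KeyName));

        var encryptedData = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
            CipherData = new CipherData(cipherText)
        };
        // Carry the wrapped key inside EncryptedData/KeyInfo: this is the case in which
        // Decrypt's encryptedKeyElements parameter is null.
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));

        EncryptedXml.ReplaceElement(assertion, encryptedData, false);

        XmlElement encryptedDataElement = doc.DocumentElement; // now xenc:EncryptedData
        XmlElement wrapper = doc.CreateElement("saml", "EncryptedAssertion", SamlNs);
        doc.RemoveChild(encryptedDataElement);
        wrapper.AppendChild(encryptedDataElement);
        doc.AppendChild(wrapper);
        return doc;
    }

    // Decrypts the EncryptedAssertion in place and returns the plaintext Assertion element.
    public static XmlElement Decrypt(XmlDocument encryptedDoc, RSA rsaPrivate)
    {
        var encryptedXml = new EncryptedXml(encryptedDoc);
        // Map the KeyName carried in the EncryptedKey to our private key. EncryptedXml reads
        // both algorithms from the EncryptionMethod elements, so they are not passed explicitly.
        encryptedXml.AddKeyNameMapping(KeyName, rsaPrivate);
        encryptedXml.DecryptDocument();

        XmlNodeList found = encryptedDoc.GetElementsByTagName("Assertion", SamlNs);
        if (found.Count != 1)
            throw new CryptographicException("Decryption did not yield exactly one Assertion element.");
        return (XmlElement)found[0];
    }

    public static void Main()
    {
        // The SP's decryption key pair, generated on the fly for the demo.
        using RSA rsa = RSA.Create(2048);

        XmlDocument encrypted = Encrypt(rsa);
        Console.WriteLine(encrypted.OuterXml);
        XmlElement assertion = Decrypt(encrypted, rsa);
        Console.WriteLine(assertion["Subject", SamlNs]["NameID", SamlNs].InnerText);
    }
}
```

When the IdP places the EncryptedKey outside the EncryptedData (as a sibling inside EncryptedAssertion), that is the case for which Decrypt's encryptedKeyElements parameter is supplied; the algorithm parameters only need to be given when the EncryptionMethod elements are absent from the XML.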

Thank you for your rapid response!

I was able to get the above code working with the addition of a 3rd party package (https://www.nuget.org/packages/OpenSSL.PrivateKeyDecoder/) as follows:

using System.Security.Cryptography;
using System.Xml;
using ComponentSpace.Saml2.XmlSecurity;
using Microsoft.Extensions.DependencyInjection;

var serviceCollection = new ServiceCollection();

System.Security.SecureString ss = new System.Net.NetworkCredential("", password).SecurePassword;
var decoder = new OpenSSL.PrivateKeyDecoder.OpenSSLPrivateKeyDecoder();
RSA rsa = RSA.Create(decoder.DecodeParameters(pem, ss));

IXmlEncryption xmlEncryption = serviceCollection.BuildServiceProvider().GetService<IXmlEncryption>();
XmlElement decryptedAssertionElement = xmlEncryption.Decrypt(encryptedAssertion.EncryptedData,
    null, // encrypted keys are included in the encrypted data
    rsa, null, null);

where pem is a PKCS#8 format RSA private key. Is there equivalent functionality in the ComponentSpace code to obtain an AsymmetricAlgorithm object from a PKCS#8 or other format certificates?

We support the formats supported by the underlying Windows APIs. We don’t include code to convert from/to other formats.
Normally we suggest using the openssl command line utility to convert between the various formats.
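As an added example (not ComponentSpace code, and not the approach the vendor describes), the framework itself can load a PKCS#8 private key without a third-party package on .NET 5 or later: RSA.ImportFromPem handles unencrypted PKCS#8 and PKCS#1 PEM, and RSA.ImportFromEncryptedPem handles password-protected PKCS#8, so no SecureString conversion is needed. The demo key, password and PBE parameters below are constructed for the example; the exported PEM has the same shape as the output of openssl pkcs8 -topk8.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not ComponentSpace code): loading an RSA private key from PEM with
// the built-in .NET 5+ APIs, then proving the loaded key matches the original.
public static class PrivateKeyLoader
{
    // Loads an RSA private key from a PEM string. Supported labels:
    // "PRIVATE KEY" (PKCS#8), "ENCRYPTED PRIVATE KEY" (PKCS#8 with password),
    // "RSA PRIVATE KEY" (PKCS#1). The caller owns and must dispose the returned RSA.
    public static RSA LoadRsaFromPem(string pem, string password = null)
    {
        RSA rsa = RSA.Create();
        try
        {
            if (pem.Contains("ENCRYPTED PRIVATE KEY"))
            {
                if (string.IsNullOrEmpty(password))
                    throw new ArgumentException("An encrypted PKCS#8 key requires a password.", nameof(password));
                rsa.ImportFromEncryptedPem(pem, password);
            }
            else
            {
                rsa.ImportFromPem(pem);
            }
            return rsa;
        }
        catch
        {
            rsa.Dispose();
            throw;
        }
    }

    // Demo: generate a throwaway key, export it as password-protected PKCS#8 PEM,
    // load it back and check that the loaded key verifies a signature made by the original.
    public static bool RoundTrip()
    {
        const string password = "constructed-demo-password"; // constructed for the example
        using RSA original = RSA.Create(2048);

        byte[] der = original.ExportEncryptedPkcs8PrivateKey(
            password,
            new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 100_000));
        string pem = new string(PemEncoding.Write("ENCRYPTED PRIVATE KEY", der));

        using RSA loaded = LoadRsaFromPem(pem, password);

        byte[] data = Encoding.UTF8.GetBytes("constructed check payload");
        byte[] signature = original.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return loaded.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        Console.WriteLine(RoundTrip());
    }
}
```

On .NET Core 3.x, where the PEM helpers are not available, strip the PEM header and footer, Base64-decode the body and call RSA.ImportEncryptedPkcs8PrivateKey (or ImportPkcs8PrivateKey) on the DER bytes instead. The RSA object returned either way is an AsymmetricAlgorithm and can be passed directly as the keyDecryptingKey argument of IXmlEncryption.Decrypt.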