.net WCF SAML:如何将X509Certificate和X509IssuerSerial添加到同一个X509Data节点中?
我需要调用使用SAML对用户进行身份验证的外部web服务。我引用创建saml请求 这里是预期的SAML请求段(注意X509Data节点):.net WCF SAML:如何将X509Certificate和X509IssuerSerial添加到同一个X509Data节点中?,.net,web-services,wcf,saml,.net,Web Services,Wcf,Saml,我需要调用使用SAML对用户进行身份验证的外部web服务。我引用创建saml请求 这里是预期的SAML请求段(注意X509Data节点): <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>{removed}</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>{removed}</dsig:SignatureValue>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>{removed}</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>{removed}</dsig:X509IssuerName>
<dsig:X509SerialNumber>{removed}</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>{removed}</dsig:X509SubjectName>
<dsig:X509SKI>{removed}</dsig:X509SKI>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>{removed}</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>{removed}</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>removed</X509Certificate>
</X509Data>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>{removed}</X509IssuerName>
<X509SerialNumber>{removed}</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
public static SamlAssertion CreateX509Assertion(X509Certificate2 cert)
{
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
SamlSubject samlSubject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", null, "admin", confirmationMethods, null, null);
SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement(samlSubject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.Now, null, null, null);
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAuthenticationStatement);
DateTime issueInstant = DateTime.UtcNow;
SamlAssertion samlAssertion = new SamlAssertion("SAML-9KTXIL9ap20ntAzPdjYdEg22", "www.site.com",
issueInstant,
new SamlConditions(issueInstant, issueInstant + new TimeSpan(0, 5, 0)),
null,
samlSubjectStatements
);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier();
// Here is the problem!!!
X509RawDataKeyIdentifierClause secClause = new X509RawDataKeyIdentifierClause(cert);
X509IssuerSerialKeyIdentifierClause x509Clause = new X509IssuerSerialKeyIdentifierClause(cert);
ski.Add(secClause);
ski.Add(x509Clause);
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);
samlAssertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, ski);
return samlAssertion;
}
{删除}
{删除}
{删除}
{删除}
{删除}
{删除}
{删除}
这是我现在制作的SAML请求片段:
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>{removed}</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>{removed}</dsig:SignatureValue>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>{removed}</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>{removed}</dsig:X509IssuerName>
<dsig:X509SerialNumber>{removed}</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>{removed}</dsig:X509SubjectName>
<dsig:X509SKI>{removed}</dsig:X509SKI>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>{removed}</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>{removed}</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>removed</X509Certificate>
</X509Data>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>{removed}</X509IssuerName>
<X509SerialNumber>{removed}</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
public static SamlAssertion CreateX509Assertion(X509Certificate2 cert)
{
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
SamlSubject samlSubject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", null, "admin", confirmationMethods, null, null);
SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement(samlSubject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.Now, null, null, null);
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAuthenticationStatement);
DateTime issueInstant = DateTime.UtcNow;
SamlAssertion samlAssertion = new SamlAssertion("SAML-9KTXIL9ap20ntAzPdjYdEg22", "www.site.com",
issueInstant,
new SamlConditions(issueInstant, issueInstant + new TimeSpan(0, 5, 0)),
null,
samlSubjectStatements
);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier();
// Here is the problem!!!
X509RawDataKeyIdentifierClause secClause = new X509RawDataKeyIdentifierClause(cert);
X509IssuerSerialKeyIdentifierClause x509Clause = new X509IssuerSerialKeyIdentifierClause(cert);
ski.Add(secClause);
ski.Add(x509Clause);
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);
samlAssertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, ski);
return samlAssertion;
}
{删除}
{删除}
远离的
{删除}
{删除}
以下是创建上述SAML断言的关键代码:
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>{removed}</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>{removed}</dsig:SignatureValue>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>{removed}</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>{removed}</dsig:X509IssuerName>
<dsig:X509SerialNumber>{removed}</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>{removed}</dsig:X509SubjectName>
<dsig:X509SKI>{removed}</dsig:X509SKI>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>{removed}</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>{removed}</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>removed</X509Certificate>
</X509Data>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>{removed}</X509IssuerName>
<X509SerialNumber>{removed}</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
public static SamlAssertion CreateX509Assertion(X509Certificate2 cert)
{
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
SamlSubject samlSubject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", null, "admin", confirmationMethods, null, null);
SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement(samlSubject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.Now, null, null, null);
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAuthenticationStatement);
DateTime issueInstant = DateTime.UtcNow;
SamlAssertion samlAssertion = new SamlAssertion("SAML-9KTXIL9ap20ntAzPdjYdEg22", "www.site.com",
issueInstant,
new SamlConditions(issueInstant, issueInstant + new TimeSpan(0, 5, 0)),
null,
samlSubjectStatements
);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier();
// Here is the problem!!!
X509RawDataKeyIdentifierClause secClause = new X509RawDataKeyIdentifierClause(cert);
X509IssuerSerialKeyIdentifierClause x509Clause = new X509IssuerSerialKeyIdentifierClause(cert);
ski.Add(secClause);
ski.Add(x509Clause);
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);
samlAssertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, ski);
return samlAssertion;
}
公共静态Samlasertion CreateX509Assertion(X509Certificate2Cert)
{
列表确认方法=新列表(1);
确认方法。添加(“urn:oasis:names:tc:SAML:1.0:cm:bearier”);
SamlSubject SamlSubject=新的SamlSubject(“urn:oasis:names:tc:SAML:1.1:nameid格式:未指定”,null,“admin”,confirmationMethods,null,null);
SamlAuthenticationStatement SamlAuthenticationStatement=新的SamlAuthenticationStatement(samlSubject,“urn:oasis:names:tc:SAML:1.0:am:password”,DateTime.Now,null,null,null);
List samlSubjectStatements=new List();
添加(samlAuthenticationStatement);
DateTime issueInstant=DateTime.UtcNow;
samlasertion samlasertion=新的samlasertion(“SAML-9KTXIL9ap20ntAzPdjYdEg22”,“www.site.com”,
发行人,
新的SamlConditions(issueInstant,issueInstant+新的时间跨度(0,5,0)),
无效的
samlsubject语句
);
SecurityKeyIdentifier ski=新的SecurityKeyIdentifier();
//问题就在这里!!!
X509RawDataKeyIdentifierClause secClause=新X509RawDataKeyIdentifierClause(证书);
X509IssuerSerialKeyIdentifierClause x509Clause=新X509IssuerSerialKeyIdentifierClause(证书);
添加(第条);
补充条款(X509条款);
X509AsymmetricSecurityKey signingKey=新X509AsymmetricSecurityKey(证书);
samlAssertion.SigningCredentials=新的签名凭证(signingKey、SecurityAlgorithms.rsasha1签名、SecurityAlgorithms.Sha1Digest、ski);
返回samlasertion;
}
您可以看到,使用上述代码将在KeyInfo节点中生成单独的X509数据。我需要把它们放在同一个KeyInfo节点中。有办法吗