
我正在 WIF 中处理包含 EncryptedAssertion 的 SAML2 令牌。令牌不包含“主题密钥标识符”（SKI）扩展属性，因此 WIF SecurityTokenHandler 在尝试从 LocalMachineStore/Personal 获取正确的 X509 证书时失败。

问题显然是用于加密令牌的证书不包含 SKI 扩展，而令牌生成代码（Java）似乎并不需要它。为了避免修改生成代码，有没有一种方法可以让 WIF SecurityTokenResolver 不检查收到的令牌中的 SKI，而是直接使用本地存储中的证书来解密令牌？




最后我实现了一个自定义的 SecurityTokenResolver，并重写了 TryResolveSecurityKeyCore 方法。

这是代码:

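public class mySaml2SSOSecurityTokenResolver : SecurityTokenResolver
{
    // The only EncryptionMethod this resolver unwraps: RSA PKCS#1 v1.5 key transport.
    private const string RsaPkcs1EncryptionMethod = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";

    private readonly List<SecurityToken> _tokens;

    /// <summary>
    /// Creates a resolver that unwraps an EncryptedKey with the private key of the first
    /// <see cref="X509SecurityToken"/> in <paramref name="tokens"/>. The key identifier the
    /// sender supplied (which may lack a SubjectKeyIdentifier) is deliberately not consulted.
    /// </summary>
    /// <param name="tokens">Tokens available for decryption; the first one is expected to be an X509 token whose certificate has an RSA private key.</param>
    /// <exception cref="ArgumentNullException"><paramref name="tokens"/> is null.</exception>
    public mySaml2SSOSecurityTokenResolver(List<SecurityToken> tokens)
    {
        if (tokens == null)
        {
            throw new ArgumentNullException("tokens");
        }

        _tokens = tokens;
    }

    /// <summary>
    /// Resolves the symmetric key carried in an <see cref="EncryptedKeyIdentifierClause"/> by
    /// decrypting it with the local certificate's RSA private key.
    /// </summary>
    /// <param name="keyIdentifierClause">The clause to resolve; only an EncryptedKey clause using the rsa-1_5 method is handled.</param>
    /// <param name="key">The unwrapped symmetric key, or null when the clause was not resolved.</param>
    /// <returns>true only when <paramref name="key"/> has been set; false otherwise. Never true with a null key.</returns>
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        key = null;

        var encryptedKeyClause = keyIdentifierClause as EncryptedKeyIdentifierClause;
        if (encryptedKeyClause == null)
        {
            return false;
        }

        // Other encryption methods are reported as "not resolved" (so another resolver may try)
        // rather than as resolved with a null key.
        if (!string.Equals(encryptedKeyClause.EncryptionMethod, RsaPkcs1EncryptionMethod, StringComparison.Ordinal))
        {
            return false;
        }

        var rsa = GetLocalRsaPrivateKey();
        if (rsa == null)
        {
            return false;
        }

        try
        {
            // fOAEP == false selects PKCS#1 v1.5 padding, which is what the rsa-1_5 method requires.
            // A failed unwrap is reported uniformly as "not resolved"; no decryption error detail
            // is surfaced to the caller.
            var decryptedKey = rsa.Decrypt(encryptedKeyClause.GetEncryptedKey(), false);
            key = new InMemorySymmetricSecurityKey(decryptedKey);
            return true;
        }
        catch (CryptographicException)
        {
            key = null;
            return false;
        }
    }

    // Returns the RSA private key of the first token when it is an X509 token that has one; otherwise null.
    private RSACryptoServiceProvider GetLocalRsaPrivateKey()
    {
        if (_tokens.Count == 0)
        {
            return null;
        }

        var x509Token = _tokens[0] as X509SecurityToken;
        if (x509Token == null || x509Token.Certificate == null)
        {
            return null;
        }

        return x509Token.Certificate.PrivateKey as RSACryptoServiceProvider;
    }

    /// <summary>
    /// Token resolution is not supported by this resolver; it only supplies keys.
    /// </summary>
    /// <param name="keyIdentifierClause">Ignored.</param>
    /// <param name="token">Always null.</param>
    /// <returns>Always false.</returns>
    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        token = null;
        return false;
    }

    /// <summary>
    /// Token resolution is not supported by this resolver; it only supplies keys.
    /// </summary>
    /// <param name="keyIdentifier">Ignored.</param>
    /// <param name="token">Always null.</param>
    /// <returns>Always false.</returns>
    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = null;
        return false;
    }
}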

于 2012-08-28T13:47:34.163 回答