Merge pull request #227 from ITfoxtec/development

Revsgaard · web-flow · commit f89d15dba3a3 · 2024-10-16T21:37:49.000+02:00
Make KeyInfoName configurable.
diff --git a/src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj b/src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj
@@ -26,10 +26,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) and Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.13.1</AssemblyVersion>
-    <FileVersion>4.13.1</FileVersion>
+    <AssemblyVersion>4.13.2</AssemblyVersion>
+    <FileVersion>4.13.2</FileVersion>
     <Copyright>Copyright © 2024</Copyright>
-    <Version>4.13.1</Version>
+    <Version>4.13.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>
diff --git a/src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj b/src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj
@@ -29,10 +29,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC Core</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.13.1</AssemblyVersion>
-    <FileVersion>4.13.1</FileVersion>
+    <AssemblyVersion>4.13.2</AssemblyVersion>
+    <FileVersion>4.13.2</FileVersion>
     <Copyright>Copyright © 2024</Copyright>
-    <Version>4.13.1</Version>
+    <Version>4.13.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>
diff --git a/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs b/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs
@@ -50,7 +50,7 @@ protected override void BindInternal(Saml2Request saml2RequestResponse, string m
                 {
                     Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
                     Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(saml2RequestResponse.Config.XmlCanonicalizationMethod);
-                    XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, saml2RequestResponse.Config.XmlCanonicalizationMethod, CertificateIncludeOption, saml2RequestResponse.IdAsString);
+                    XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, saml2RequestResponse.Config.XmlCanonicalizationMethod, CertificateIncludeOption, saml2RequestResponse.IdAsString, saml2RequestResponse.Config.IncludeKeyInfoName);
                 }
             }
 
diff --git a/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs b/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs
@@ -77,5 +77,10 @@ public X509Certificate2 DecryptionCertificate
         /// Sign type for the authn responses created by the library.
         /// </summary>
         public Saml2AuthnResponseSignTypes AuthnResponseSignType { get; set; } = Saml2AuthnResponseSignTypes.SignResponse;
+
+        /// <summary>
+        /// Include key info name in signature.
+        /// </summary>
+        public bool IncludeKeyInfoName { get; set; }
     }
 }
diff --git a/src/ITfoxtec.Identity.Saml2/Cryptography/Saml2SignedXml.cs b/src/ITfoxtec.Identity.Saml2/Cryptography/Saml2SignedXml.cs
@@ -22,7 +22,7 @@ public Saml2SignedXml(XmlElement element, X509Certificate2 certificate, string s
             Saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);
         }
 
-        public void ComputeSignature(X509IncludeOption includeOption, string id)
+        public void ComputeSignature(X509IncludeOption includeOption, string id, bool includeKeyInfoName)
         {
             var reference = new Reference("#" + id);
             reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
@@ -36,7 +36,10 @@ public void ComputeSignature(X509IncludeOption includeOption, string id)
             ComputeSignature();
 
             KeyInfo = new KeyInfo();
-            KeyInfo.AddClause(new KeyInfoName(Convert.ToBase64String(Saml2Signer.Certificate.GetCertHash())));
+            if (includeKeyInfoName)
+            {
+                KeyInfo.AddClause(new KeyInfoName(Convert.ToBase64String(Saml2Signer.Certificate.GetCertHash())));
+            }
             KeyInfo.AddClause(new KeyInfoX509Data(Saml2Signer.Certificate, includeOption));
         }
 
diff --git a/src/ITfoxtec.Identity.Saml2/Extensions/XmlDocumentExtensions.cs b/src/ITfoxtec.Identity.Saml2/Extensions/XmlDocumentExtensions.cs
@@ -20,15 +20,16 @@ internal static class XmlDocumentExtensions
         /// <param name="xmlCanonicalizationMethod">The Signature XML canonicalization method used to sign the document</param>
         /// <param name="includeOption">Certificate include option</param>
         /// <param name="id">The id of the topmost element in the XML document</param>
-        internal static XmlDocument SignDocument(this XmlDocument xmlDocument, X509Certificate2 certificate, string signatureAlgorithm, string xmlCanonicalizationMethod, X509IncludeOption includeOption, string id)
+        /// <param name="includeKeyInfoName">Include key info name clause in signature</param>
+        internal static XmlDocument SignDocument(this XmlDocument xmlDocument, X509Certificate2 certificate, string signatureAlgorithm, string xmlCanonicalizationMethod, X509IncludeOption includeOption, string id, bool includeKeyInfoName)
         {
             if (certificate == null)
             {
                 throw new ArgumentNullException(nameof(certificate));
             }
 
             var signedXml = new Saml2SignedXml(xmlDocument.DocumentElement, certificate, signatureAlgorithm, xmlCanonicalizationMethod);
-            signedXml.ComputeSignature(includeOption, id);
+            signedXml.ComputeSignature(includeOption, id, includeKeyInfoName);
 
             var issuer = xmlDocument.DocumentElement[Saml2Constants.Message.Issuer, Saml2Constants.AssertionNamespace.OriginalString];
             xmlDocument.DocumentElement.InsertAfter(xmlDocument.ImportNode(signedXml.GetXml(), true), issuer);
@@ -42,7 +43,8 @@ internal static XmlDocument SignDocument(this XmlDocument xmlDocument, X509Certi
         /// <param name="signatureAlgorithm">The Signature Algorithm used to sign the assertion</param>
         /// <param name="xmlCanonicalizationMethod">The Signature XML canonicalization method used to sign the assertion</param>
         /// <param name="includeOption">Certificate include option</param>
-        internal static void SignAssertion(this XmlDocument xmlDocument, XmlElement xmlAssertionElement, X509Certificate2 certificate, string signatureAlgorithm, string xmlCanonicalizationMethod, X509IncludeOption includeOption)
+        /// <param name="includeKeyInfoName">Include key info name clause in signature</param>
+        internal static void SignAssertion(this XmlDocument xmlDocument, XmlElement xmlAssertionElement, X509Certificate2 certificate, string signatureAlgorithm, string xmlCanonicalizationMethod, X509IncludeOption includeOption, bool includeKeyInfoName)
         {
             if (certificate == null)
             {
@@ -52,7 +54,7 @@ internal static void SignAssertion(this XmlDocument xmlDocument, XmlElement xmlA
             var id = xmlAssertionElement.GetAttribute(Saml2Constants.Message.Id);
 
             var signedXml = new Saml2SignedXml(xmlAssertionElement, certificate, signatureAlgorithm, xmlCanonicalizationMethod);
-            signedXml.ComputeSignature(includeOption, id);
+            signedXml.ComputeSignature(includeOption, id, includeKeyInfoName);
 
             var issuer = xmlAssertionElement[Saml2Constants.Message.Issuer, Saml2Constants.AssertionNamespace.OriginalString];
             xmlAssertionElement.InsertAfter(xmlDocument.ImportNode(signedXml.GetXml(), true), issuer);
diff --git a/src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj b/src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj
@@ -30,10 +30,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.13.1</AssemblyVersion>
-    <FileVersion>4.13.1</FileVersion>
+    <AssemblyVersion>4.13.2</AssemblyVersion>
+    <FileVersion>4.13.2</FileVersion>
     <Copyright>Copyright © 2024</Copyright>
-    <Version>4.13.1</Version>
+    <Version>4.13.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>
diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2ArtifactResolve.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2ArtifactResolve.cs
@@ -109,7 +109,7 @@ protected internal void SignArtifactResolve()
         {
             Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);
             Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);
-            XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value);
+            XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value, Config.IncludeKeyInfoName);
         }
 
         protected override IEnumerable<XObject> GetXContent()
diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2ArtifactResponse.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2ArtifactResponse.cs
@@ -48,7 +48,7 @@ protected internal void SignArtifactResponse()
         {
             Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);
             Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);
-            XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value);
+            XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value, Config.IncludeKeyInfoName);
         }
 
         protected override void ValidateElementName()
diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs
@@ -247,7 +247,7 @@ protected internal void SignAuthnResponseAssertion(X509IncludeOption certificate
 
             Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);
             Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);
-            XmlDocument.SignAssertion(GetAssertionElementReference(), Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, certificateIncludeOption);
+            XmlDocument.SignAssertion(GetAssertionElementReference(), Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, certificateIncludeOption, Config.IncludeKeyInfoName);
         }
 
         protected internal override void Read(string xml, bool validate = false, bool detectReplayedTokens = true)
diff --git a/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntitiesDescriptor.cs b/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntitiesDescriptor.cs
@@ -102,7 +102,7 @@ public XmlDocument ToXmlDocument()
             var xmlDocument = envelope.ToXmlDocument();
             if(MetadataSigningCertificate != null)
             {
-                xmlDocument.SignDocument(MetadataSigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, IdAsString);
+                xmlDocument.SignDocument(MetadataSigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, IdAsString, Config.IncludeKeyInfoName);
             }
             return xmlDocument;
         }
diff --git a/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntityDescriptor.cs b/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntityDescriptor.cs
@@ -130,7 +130,7 @@ public XmlDocument ToXmlDocument()
             var xmlDocument = envelope.ToXmlDocument();
             if(MetadataSigningCertificate != null)
             {
-                xmlDocument.SignDocument(MetadataSigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, IdAsString);
+                xmlDocument.SignDocument(MetadataSigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, IdAsString, Config.IncludeKeyInfoName);
             }
             return xmlDocument;
         }
diff --git a/test/TestIdPCore/Controllers/AuthController.cs b/test/TestIdPCore/Controllers/AuthController.cs
@@ -244,7 +244,8 @@ private Saml2Configuration GetRpSaml2Configuration(RelyingParty relyingParty = n
                 SigningCertificate = config.SigningCertificate,
                 SignatureAlgorithm = config.SignatureAlgorithm,
                 CertificateValidationMode = config.CertificateValidationMode,
-                RevocationMode = config.RevocationMode
+                RevocationMode = config.RevocationMode,
+                IncludeKeyInfoName = config.IncludeKeyInfoName,
             };
 
             rpConfig.AllowedAudienceUris.AddRange(config.AllowedAudienceUris);
diff --git a/test/TestIdPCore/Startup.cs b/test/TestIdPCore/Startup.cs
@@ -42,6 +42,8 @@ public void ConfigureServices(IServiceCollection services)
                 }
                 saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
 
+                saml2Configuration.IncludeKeyInfoName = true;
+
                 return saml2Configuration;
             });
 

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ protected override void BindInternal(Saml2Request saml2RequestResponse, string m`
`50`	`50`	`{`
`51`	`51`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);`
`52`	`52`	`Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(saml2RequestResponse.Config.XmlCanonicalizationMethod);`
`53`		`- XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, saml2RequestResponse.Config.XmlCanonicalizationMethod, CertificateIncludeOption, saml2RequestResponse.IdAsString);`
	`53`	`+ XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, saml2RequestResponse.Config.XmlCanonicalizationMethod, CertificateIncludeOption, saml2RequestResponse.IdAsString, saml2RequestResponse.Config.IncludeKeyInfoName);`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
Original file line number	Diff line number	Diff line change
`@@ -77,5 +77,10 @@ public X509Certificate2 DecryptionCertificate`
`77`	`77`	`/// Sign type for the authn responses created by the library.`
`78`	`78`	`/// </summary>`
`79`	`79`	`public Saml2AuthnResponseSignTypes AuthnResponseSignType { get; set; } = Saml2AuthnResponseSignTypes.SignResponse;`
	`80`	`+`
	`81`	`+ /// <summary>`
	`82`	`+ /// Include key info name in signature.`
	`83`	`+ /// </summary>`
	`84`	`+ public bool IncludeKeyInfoName { get; set; }`
`80`	`85`	`}`
`81`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public Saml2SignedXml(XmlElement element, X509Certificate2 certificate, string s`
`22`	`22`	`Saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);`
`23`	`23`	`}`
`24`	`24`
`25`		`- public void ComputeSignature(X509IncludeOption includeOption, string id)`
	`25`	`+ public void ComputeSignature(X509IncludeOption includeOption, string id, bool includeKeyInfoName)`
`26`	`26`	`{`
`27`	`27`	`var reference = new Reference("#" + id);`
`28`	`28`	`reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());`
`@@ -36,7 +36,10 @@ public void ComputeSignature(X509IncludeOption includeOption, string id)`
`36`	`36`	`ComputeSignature();`
`37`	`37`
`38`	`38`	`KeyInfo = new KeyInfo();`
`39`		`- KeyInfo.AddClause(new KeyInfoName(Convert.ToBase64String(Saml2Signer.Certificate.GetCertHash())));`
	`39`	`+ if (includeKeyInfoName)`
	`40`	`+ {`
	`41`	`+ KeyInfo.AddClause(new KeyInfoName(Convert.ToBase64String(Saml2Signer.Certificate.GetCertHash())));`
	`42`	`+ }`
`40`	`43`	`KeyInfo.AddClause(new KeyInfoX509Data(Saml2Signer.Certificate, includeOption));`
`41`	`44`	`}`
`42`	`45`
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ protected internal void SignArtifactResolve()`
`109`	`109`	`{`
`110`	`110`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);`
`111`	`111`	`Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);`
`112`		`- XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value);`
	`112`	`+ XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value, Config.IncludeKeyInfoName);`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`protected override IEnumerable<XObject> GetXContent()`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ protected internal void SignArtifactResponse()`
`48`	`48`	`{`
`49`	`49`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);`
`50`	`50`	`Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);`
`51`		`- XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value);`
	`51`	`+ XmlDocument = XmlDocument.SignDocument(Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, CertificateIncludeOption, Id.Value, Config.IncludeKeyInfoName);`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`protected override void ValidateElementName()`
Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ protected internal void SignAuthnResponseAssertion(X509IncludeOption certificate`
`247`	`247`
`248`	`248`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(Config.SignatureAlgorithm);`
`249`	`249`	`Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(Config.XmlCanonicalizationMethod);`
`250`		`- XmlDocument.SignAssertion(GetAssertionElementReference(), Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, certificateIncludeOption);`
	`250`	`+ XmlDocument.SignAssertion(GetAssertionElementReference(), Config.SigningCertificate, Config.SignatureAlgorithm, Config.XmlCanonicalizationMethod, certificateIncludeOption, Config.IncludeKeyInfoName);`
`251`	`251`	`}`
`252`	`252`
`253`	`253`	`protected internal override void Read(string xml, bool validate = false, bool detectReplayedTokens = true)`