Saml2EncryptedAssertion

[GeoK]

Key Point:

AES-GCM is still not supported by System.Security.Cryptography. Therefore using IdentityModel extensions project to Encrypt/Decrypt a Saml2 Assertion, using an AES-GCM algorithm, will result with an exception. One should override CryptoProviderFactory and AuthenticationEncryptionProvider (similar to the ones developed for test) in order to use existing logic to Encrypt/Decrypt a Saml2 Assertion (using an AES-GCM algorithm).

Summary:

Saml2 tokens can have encrypted assertions. The goal of this PR is to enable basic support for encrypting and decrypting a Saml2Assertion, based on the latest xml enc standard, using modern authenticated encryption mechanism (AES-GCM) and key wrap (transport) mechanism (RSA-OAEP-MGF1P), and without introducing any breaking changes to the current project infrastructure.

The following scenarios are supported:

1. Encryption using a pre-shared symmetric key (session key) to encrypt an assertion: Session key will not be serialized and Relying Party must be able to locally determine the decryption key.

2. New session key will be created to encrypt an assertion and session key will be wrapped using a provided asymmetric public-key (X.509 certificate).

Saml2EncryptedAssertion support (basic profile):

• When an assertion is to be signed and encrypted, the following rules apply. A relying party MUST perform signature validation and decryption in the reverse order that signing and encryption were performed. When a signed element is encrypted, the signature MUST first be calculated and placed within the element before the element is encrypted.
• The following authenticated encryption algorithms are supported: AES128-GCM, AES192-GCM, and AES256-GCM
• The following key-wrap algorithms is supported: RSA-OAEP-MGF1P
• EncryptionMethod element is treated as required as there is no support for users to provide an encryption algorithm.
• If an encrypted key is NOT included in the XML instance, then the relying party must be able to locally determine the decryption key.
• EncryptedKey element (if available) must be next to associated EncryptedData element, within the enclosing Saml parent element. EncryptedKey element embedded in EncryptedData element is not currently supported.
• If the encrypted key is included in the XML instance, then it SHOULD be referenced within the associated xenc:EncryptedData element. When an xenc:EncryptedKey element is used, the ds:KeyInfo element within xenc:EncryptedData SHOULD reference the xenc:EncryptedKey element using a ds:RetrievalMethod element of Type http://www.w3.org/2001/04/xmlenc#EncryptedKey. In addition, an xenc:EncryptedKey element SHOULD contain an xenc:ReferenceList element containing a xenc:DataReference that references the corresponding xenc:EncryptedData element(s) that the key was used to encrypt.
• CarriedKeyName (multicast) is not supported.
• Encoding attribute of EncryptedType is always set to base64 and MimeType attribute is ignored.

Implementation notes:

• Current Saml2 project infrastructure is leverage to seamlessly include support for Saml2EncryptedAssertion, without introducing any breaking changes.
• Saml2Assertion is enriched with a public bool property Encrypted which indicates if the assertion is Encrypted or not. In case when the assertion is encrypted, public string property EncryptedAssertion will be populated with raw assertion data. Any GET operation on encrypted Saml2Assertion will result with a corresponding exception being throw.
• In order to encrypt a Saml2Assertion, one needs to set EncryptingCredentials on SecurityTokenDescriptor, while creating a Saml2SecurityToken. In case when EncryptingCredentials key is an asymmetric security key, an assertion will be encrypted using a new session key (and encryption algorithm) that will be wrapped using a provided asymmetric key and an algorithm. In case when EncryptingCredentials key is a symmetric security key, an assertion will be encrypted using a pre-shared symmetric key (session key) and a provided encryption algorithm.
• In order to decrypt a Saml2EncryptedAssertion, one needs to set TokenDecryptionKey or TokenDecryptionKeyResolver delegate on TokenValidationParamaters when calling ValidateToken method.
• New classes are added under Microsoft.IdentityModel.Xml project to support XML encryption data types used for Saml2EncryptedAssertion encryption operations.
• KeyInfo class was not fully refactored to support KeyInfo clauses as that would lead to a breaking change.
• Saml2EncryptedAssertion related logic is mostly concentrated in Saml2Serializer class.

Resolves: #734

[henrik-me]

In order to use the algorithm '{0}' one should override CryptoProviderFactory and AuthenticatedEncryptionProvider to provide support. [](start = 98, length = 133)

suggestion, replace "in order...
with:
It's possible to provide your own implementation of the algorithm by overriding CryptoProviderFactory and AuthenticatedEncryptionProvider.

You can potentially add an aka.ms link which points to the test implementation you have. #Closed

[GeoK]

Good point. I'll create the link and edit the log message #Closed

[GeoK]

addressed with: b9c796d
#Closed

[henrik-me]

suggestion: move setting key/algorithm to after if/else. This means you can make the above just an if (!isAes...)
objective: reduce nesting for readability.

I supose this algo can be considered "SupportedIfYouBringYourOwnImplementation" #Closed

[GeoK]

I'll put a comment on top of AES-GCM algo definitions to improve clarity and set expectations.
Also, I'll refactor the constructor to increase current readability.
When we add AES-GCM support it might be better to return to if (isAesGcm) to separate support for AES-GCM from other authenticated encryption algorithms. #Closed

[GeoK]

addressed with: c9daa02 and c80fbb9 #Closed

[henrik-me]

XmlReader.Create(stringReader, settings)) [](start = 36, length = 41)

Suggestion: The library could have a utility function to create this one ensuring that everyone creates the XmlReader with the appropriate (secure) XmlReaderSettings #Closed

[GeoK]

agree - same settings are created more than once throughout the project. #Closed

[GeoK]

addressed with: bfaa792 #Closed

[henrik-me]

is it possible to catch only specific exceptions? Ideally some system exceptions should not be swallowed. #Pending

[GeoK]

I'll think about this. The goal of this method is just to return True if first/start element of provided string is EncryptedAssertion and return False otherwise. I don't really care at that point if the string is valid XML or not.

However, I think that it definitely adds value to include exception message to log information.

[GeoK]

addressed with: 6434db7
#Closed

[henrik-me]

another reason for me asking is that it's a best practice to only catch exceptions you know what are. as mentioned certain system exceptions should ideally never be captured, it's better from a security perspective to let the code fail with an exception.

---

In reply to: 221345997 [](ancestors = 221345997)

[henrik-me]

will thinks just work if the digest method is not set? otherwise perhaps you will have to throw an exception?

[GeoK]

Other algorithms may not have DigestMethod (e.g. rsa-1_5) under EncryptionMethod element. For the current implementation we are using default rsa-oaep-mgf1p parameters.

[henrik-me]

if (encryptingCredentials.Key is X509SecurityKey) [](start = 15, length = 50)

same though as above, what if this is not true, will the method still behave as expected? what about dependencies upstream? consider if an exception should be thrown.

[GeoK]

this element is optional, but it's might be useful when when users are providing custom KeyResolving logic using TokenDecryptionKeyResolver delegate.
Current implementation is relying on using TokenDecryptionKey (set on TokenValidationParams) to decrypt an assertion, if TokenDecryptionKeyResolver delegate is not set.

[henrik-me]

as mentioned, a utility method for this and perhaps even for the variations of readers. #Closed

[GeoK]

agree - same settings are created more than once throughout the project. #Closed

[GeoK]

addressed with: bfaa792 #Closed

[henrik-me]

[](start = 36, length = 1)

consider : gt; ? ... same towards the end of the line..

[GeoK]

Just being consistent - this pattern (&lt NODE >) is used across the library.

[henrik-me]

private E [](start = 8, length = 9)

it seems to me like the functions for creating the helper which essentially returns Encrypted data (I'm a bit confused about that), should be in another class? Or the methods names should simply not be called Helper #Closed

[GeoK]

I'll think about refactoring these. #Closed

[GeoK]

addressed with: ac21868
#Closed

[henrik-me]

while (reader.IsStartElement()) [](start = 16, length = 31)

what is reader.IsSTartElement supposed to do? Reading this code I would be afraid that it would either potentially just have one element to read, however if it never reads anything this will be an endless loop

[GeoK]

IsStartElement checks if xml reader is pointing to a start tag or empty element tag.
In case where there is nothing to read, reader will be pointing to an EndElement and exit from the while loop.

This logic is implemented because EncryptionMethod supports any element as a child. For now, we care only about DigestMethod and we are ignoring (but logging) other elements that may appear.

That said, it might be better to use reader.Skip() instead of reader.Read() on ln. 109 as DigestMethod by xenc xsd schema might have child elements (it's usually an empty element)

[henrik-me]

does this library use embedding of types inside of other types? If not I would have suggested moving to separate files and separate by namespace instead of using embedded types, thoughts?

[GeoK]

This is more of a utility class. While coding it's easy to find a specific constant i.e. an Attribute by typing XmlEncCostants.Attribute.

Not really sure if I understand - Are you suggesting that it would be a good idea to create a class hierarchy based on an xenc xsd schema e.g. EncryptionMethod contains only Algorithm as an attribute and KeySize, OAEPparams as elements.

[GeoK]

addressed with: 3ebd2b7

[henrik-me]

RsaOaepKeyWrap [](start = 129, length = 14)

don't you still need the old test?

[GeoK]

that's a good point. We decided to support wrong RsaOaepKeyWrap identifier so we should have tests for that one too.

[GeoK]

addressed with: 0b0abbf

[henrik-me]

nit: one empty too many

[GeoK]

addressed with: 86c0809

[henrik-me]

// [](start = 4, length = 2)

it seems like you are not using xml comments, I suggest using xml comments instead of this. Also in test code

[GeoK]

Are we compiling doc for test code as well?
Is using xml comments in test projects needed by some process or it serves for readability purposes?

[henrik-me]

suggestion: SafeXmlReaderSettings

[GeoK]

addressed with: 81f395c

[henrik-me]

EncryptedData [](start = 16, length = 13)

suggestion: instead of an out parameter you can also return a tuple (if the platforms this runs on support value tuples that might be even better.

[GeoK]

I was thinking tuples while refactoring this method, and it seemed to me that using out param is a bit cleaner, considering that it works on each platform and that CreateEncryptedData is a private method.
Is there a reason why tuples (not ValueTuples) are preferable over out param, for this specific case?

[henrik-me]

if [](start = 12, length = 2)

consider inverting all your if's moving all the short functions on top (e.g. Symmetric does nothing, and not assymetric does nothing. this will give an easy overview of the various return statements from the function.

[GeoK]

addressed with: a562057

[henrik-me]

consider adding these as xml comments to all the consts. that way a developer will actually see these comments in the tooltip.

[GeoK]

addressed with: c8e9d09

[henrik-me]

aka.ms/identitymodel-aesgcm-support [](start = 246, length = 35)

did you add the wiki page/sample for this and enable the aka.ms link?

[GeoK]

aka.ms links points to the code developed to support AES-GCM tests. Do you suggest that code sample doesn't give enough information/guidance to a developer and that I should add a wiki page as well?

[henrik-me]

🕐

[brentschmaltz]

We could just return null here, and not throw.
The use case is a user created a SAML token with just encrypted assertion, that would be the only value that is not null.

This would allow us to remove the type Saml2SecurityTokenEncryptedAssertionException.

[616b2f]

Looks great! Any clue in which version this would be awailable?

[GeoK]

Looks great! Any clue in which version this would be awailable?

The plan is to make this feature available in the next major release, probably 6.x.
That being said, this is feature is currently on hold and requires more work.

[616b2f]

Thank you for your prompt reply. Looking forward to 6.x :)

[thuannguy]

I would love to have this feature. Encryption is mandatory for my customers :)

[brentschmaltz]

@thuannguy yep, we need this feature.
I will see if we can get a timeline established.

[brentschmaltz]

We may want to include aes-256cbc as AzureAD supports this.