Compare revisions

Benedikt Heinrichs · Benedikt Heinrichs · CoscineBot · ea877b5c · ea877b5c · ea877b5c
--- a/src/STS/Controllers/ShibbolethController.cs
+++ b/src/STS/Controllers/ShibbolethController.cs
@@ -43,6 +43,11 @@ namespace Coscine.Api.STS.Controllers
            var externalIdModel = new ExternalIdModel();
            var entity = info.Principal.FindFirstValue(ShibbolethAttributeMapping.Identifier);

+            if (string.IsNullOrWhiteSpace(entity))
+            {
+                entity = info.Principal.FindFirstValue(ShibbolethAttributeMapping.PairwiseID);
+            }
+
            var identifier = entity[(entity.IndexOf(">") + 1)..];
            identifier = identifier.Substring(0, identifier.IndexOf("<"));


--- a/src/STS/STS.csproj
+++ b/src/STS/STS.csproj
@@ -6,7 +6,7 @@
 	<GenerateDocumentationFile>true</GenerateDocumentationFile>
    <TargetFramework>net5.0</TargetFramework>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-  <Version>2.2.2</Version></PropertyGroup>
+  <Version>2.2.3</Version></PropertyGroup>
 	<PropertyGroup>
 		<Authors>RWTH Aachen University</Authors>
 		<Company>IT Center, RWTH Aachen University</Company>
@@ -36,5 +36,8 @@
    <Reference Include="Sustainsys.Saml2">
      <HintPath>..\lib\Sustainsys.Saml2.dll</HintPath>
    </Reference>
+    <Reference Include="Sustainsys.Saml2.Metadata">
+      <HintPath>..\lib\Sustainsys.Saml2.Metadata.dll</HintPath>
+    </Reference>
  </ItemGroup>
 </Project>
--- a/src/STS/Startup.cs
+++ b/src/STS/Startup.cs
@@ -10,6 +10,8 @@ using Sustainsys.Saml2.Metadata;
 using System;
 using Sustainsys.Saml2.AspNetCore2;
 using System.Security.Cryptography.X509Certificates;
+using Sustainsys.Saml2.Metadata.Services;
+using System.Security.Cryptography;

 namespace Coscine.Api.STS
 {
@@ -30,6 +32,8 @@ namespace Coscine.Api.STS
        {
            base.ConfigureServicesExtensionLate(services);

+            CryptoConfig.AddAlgorithm(typeof(AesGcmAlgorithm), AesGcmAlgorithm.AesGcm128Identifier);
+
            services.AddDbContext<CoscineDbContext>(
                options =>
                    options.UseInMemoryDatabase("CoscineDbContext")

--- a/src/STS/Utils/AesGcmAlgorithm.cs
+++ b/src/STS/Utils/AesGcmAlgorithm.cs
+using System;
+using System.Security.Cryptography;
+
+namespace Coscine.Api.STS.Utils
+{
+    /// <summary>
+    /// SymmetricAlgorithm decrypting implementation for http://www.w3.org/2009/xmlenc11#aes128-gcm.
+    /// This is class is not a general implementation and can only do decryption.
+    /// </summary>
+    public class AesGcmAlgorithm : SymmetricAlgorithm
+    {
+        public const string AesGcm128Identifier = "http://www.w3.org/2009/xmlenc11#aes128-gcm";
+
+        // "For the purposes of this specification, AES-GCM shall be used with a 96 bit Initialization Vector (IV) and a 128 bit Authentication Tag (T)."
+        // Source: https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+        public const int NonceSizeInBits = 96;
+
+        private const int AuthenticationTagSizeInBits = 128;
+
+        public AesGcmAlgorithm()
+        {
+            //not sure about 128 keysize?
+            LegalKeySizesValue = new[] { new KeySizes(128, 128, 0) };
+
+            //iv setter checks that iv is the size of a block. Not sure if there should be other block sizes
+            LegalBlockSizesValue = new[] { new KeySizes(NonceSizeInBits, NonceSizeInBits, 0) };
+            BlockSizeValue = NonceSizeInBits;
+            //dummy iv value since it is accessed first in EncryptedXml.DecryptData
+            IV = new byte[NonceSizeInBits / 8];
+        }
+
+        public override ICryptoTransform CreateDecryptor(byte[] rgbKey, byte[] rgbIV)
+        {
+            return new AesGcmDecryptor(rgbKey, rgbIV, AuthenticationTagSizeInBits);
+        }
+
+        public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV)
+        {
+            throw new NotImplementedException();
+        }
+
+        public override void GenerateIV()
+        {
+            throw new NotImplementedException();
+        }
+
+        public override void GenerateKey()
+        {
+            throw new NotImplementedException();
+        }
+    }
+}
--- a/src/STS/Utils/AesGcmDecryptor.cs
+++ b/src/STS/Utils/AesGcmDecryptor.cs
+using System;
+using System.Security.Cryptography;
+
+namespace Coscine.Api.STS.Utils
+{
+    internal class AesGcmDecryptor : ICryptoTransform
+    {
+        private readonly byte[] key;
+        private readonly byte[] nonce;
+        private readonly int authenticationTagSizeInBits;
+
+        public AesGcmDecryptor(byte[] key, byte[] nonce, int authenticationTagSizeInBits)
+        {
+            this.key = key;
+            this.nonce = nonce;
+            this.authenticationTagSizeInBits = authenticationTagSizeInBits;
+        }
+
+        public bool CanReuseTransform => throw new NotImplementedException();
+
+        public bool CanTransformMultipleBlocks => throw new NotImplementedException();
+
+        public int InputBlockSize => throw new NotImplementedException();
+
+        public int OutputBlockSize => throw new NotImplementedException();
+
+        public void Dispose()
+        {
+            throw new NotImplementedException();
+        }
+
+        public int TransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+        {
+            throw new NotImplementedException();
+        }
+
+        public byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
+        {
+            //inspired by https://stackoverflow.com/a/60891115
+
+            var tagSize = authenticationTagSizeInBits / 8;
+            var cipherSize = inputCount - tagSize;
+
+            // "The cipher text contains the IV first, followed by the encrypted octets and finally the Authentication tag."
+            // https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+            var encryptedData = inputBuffer.AsSpan().Slice(inputOffset, inputCount);
+            var tag = encryptedData.Slice(encryptedData.Length - tagSize);
+
+            var cipherBytes = encryptedData.Slice(0, cipherSize);
+
+            var plainBytes = cipherSize < 1024
+              ? stackalloc byte[cipherSize]
+              : new byte[cipherSize];
+
+            using var aes = new AesGcm(key);
+            aes.Decrypt(nonce, cipherBytes, tag, plainBytes);
+
+            return plainBytes.ToArray();
+        }
+    }
+}
--- a/src/STS/Utils/ShibbolethAttributeMapping.cs
+++ b/src/STS/Utils/ShibbolethAttributeMapping.cs
@@ -7,9 +7,12 @@ namespace Coscine.Api.STS.Utils
    public class ShibbolethAttributeMapping
    {
        public static string Identifier { get; private set; } = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10";
+        public static string PairwiseID { get; private set; } = "urn:oasis:names:tc:SAML:attribute:pairwise-id";

        public static Dictionary<string, string> LabelMapping { get; private set; } = new Dictionary<string, string>()
        {
+            { "urn:oid:1.3.6.1.4.1.5923.1.1.1.10", "eduPersonTargetedId" },
+            { "urn:oasis:names:tc:SAML:attribute:pairwise-id", "pairwise-id" },
            { "urn:oid:2.16.840.1.113730.3.1.241", "DisplayName" },
            { "urn:oid:2.5.4.4", "Surname" },
            { "urn:oid:1.3.6.1.4.1.5540.2.1.96", "Givenname" },

--- a/src/lib/Sustainsys.Saml2.AspNetCore2.dll
+++ b/src/lib/Sustainsys.Saml2.AspNetCore2.dll
--- a/src/lib/Sustainsys.Saml2.Metadata.dll
+++ b/src/lib/Sustainsys.Saml2.Metadata.dll
--- a/src/lib/Sustainsys.Saml2.dll
+++ b/src/lib/Sustainsys.Saml2.dll
No results found