System.Security.Cryptography.Xml.EncryptedXml issue with .NET Fx WS-Fed replies #60184
Labels: area-System.Security, needs-further-triage
Description
[EDIT: Not sure if this is runtime or SDK. If SDK I can close]
Consider the following Encrypted XML. This fragment is an encrypted SAML 1.1 assertion emitted from the .NET Fx 4.8 System.IdentityModel WS-Fed implementation, and is the inner content of the <trust:RequestedSecurityToken> element:

We are trying to parse/decrypt this XML using the System.Security.Cryptography.Xml.EncryptedXml class. However, it seems the structure of this <EncryptedData> fragment is incompatible with what the EncryptedXml class expects and it throws an exception when attempting to decrypt.

Reproduction Steps
With the cert on-hand and using a full WS-Fed reply (containing the fragment above), we are using the following basic pseudo-code:
Expected behavior
EncryptedXml should be able to decrypt a standard piece of XML generated from the BCL.
Actual behavior
Running the sample code above results in
After some experimentation, it seems that the <o:SecurityTokenReference> element inside the inner <KeyInfo> is unexpected. After commenting the <o:SecurityTokenReference> elements out (thereby making the x509Data element a direct child of the KeyInfo), we get a proper decryption, and can select the embedded assertion and read its contents:

Not sure if we're missing something to make EncryptedXml understand the embedded <o:SecurityTokenReference>, or if this is a known issue.

Note that this fragment is able to be decrypted directly via NodeJS using the wsfed NPM package. After some inspection of its source, it appears to be directly looking for KeyInfo/X509 data, so it isn't tripped up by the <o:SecurityTokenReference> elements.

Regression?
No response
Known Workarounds
2 workarounds we were able to identify:
Configuration
Environment
Other information
No response
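
The reshaping described in the issue (making X509Data a direct child of the inner KeyInfo), as an added C# example that is not part of the original issue or of the runtime's code. It assumes the o prefix is bound to the WS-Security 1.0 secext namespace; the class name, method name and sample XML are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Xml;

public static class KeyInfoNormalizer
{
    const string Ds = "http://www.w3.org/2000/09/xmldsig#";
    // Assumption: the "o" prefix is bound to the WS-Security 1.0 secext namespace.
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/" +
                        "oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Makes each ds:X509Data wrapped in o:SecurityTokenReference a direct child
    // of its ds:KeyInfo. Returns the number of wrappers removed.
    public static int HoistX509Data(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", Ds);
        ns.AddNamespace("o", Wsse);
        // Copy to a list first: the document is modified while we iterate.
        var wrappers = doc
            .SelectNodes("//ds:KeyInfo/o:SecurityTokenReference[ds:X509Data]", ns)
            .Cast<XmlNode>().ToList();
        foreach (XmlNode wrapper in wrappers)
        {
            XmlNode keyInfo = wrapper.ParentNode;
            XmlNode x509 = wrapper.SelectSingleNode("ds:X509Data", ns);
            keyInfo.InsertBefore(x509, wrapper); // moves the node out of the wrapper
            keyInfo.RemoveChild(wrapper);
        }
        return wrappers.Count;
    }

    public static void Main()
    {
        // Constructed sample: structure only, no real key material or ciphertext.
        var doc = new XmlDocument();
        doc.LoadXml(
            "<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'>" +
            "<KeyInfo xmlns='" + Ds + "'>" +
            "<EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'>" +
            "<KeyInfo xmlns='" + Ds + "'>" +
            "<o:SecurityTokenReference xmlns:o='" + Wsse + "'>" +
            "<X509Data><X509IssuerSerial/></X509Data>" +
            "</o:SecurityTokenReference></KeyInfo>" +
            "</EncryptedKey></KeyInfo></EncryptedData>");
        Console.WriteLine("wrappers removed: " + HoistX509Data(doc));
        Console.WriteLine(doc.OuterXml);
        // On a real reply, continue with: new EncryptedXml(doc).DecryptDocument();
    }
}
```

Decryption only recovers the assertion; the signature on the decrypted SAML assertion still has to be validated before its claims are trusted.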