Certificate rollover for decryption certificate

Author: Revsgaard

src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj

@@ -26,10 +26,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) and Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.0.0</AssemblyVersion>
-    <FileVersion>4.10.0.0</FileVersion>
+    <AssemblyVersion>4.10.1.0</AssemblyVersion>
+    <FileVersion>4.10.1.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.0-beta1</Version>
+    <Version>4.10.1-beta1</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj

@@ -30,10 +30,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC Core</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.0.0</AssemblyVersion>
-    <FileVersion>4.10.0.0</FileVersion>
+    <AssemblyVersion>4.10.1.0</AssemblyVersion>
+    <FileVersion>4.10.1.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.0-beta1</Version>
+    <Version>4.10.1-beta1</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs

@@ -5,6 +5,7 @@
 using System.ServiceModel.Security;
 using System.IdentityModel.Selectors;
 using System.Security.Cryptography.Xml;
+using System.Linq;
 #if NETFULL
 using System.IdentityModel.Configuration;
 #else
@@ -32,7 +33,13 @@ public class Saml2Configuration
         public string XmlCanonicalizationMethod { get; set; } = SignedXml.XmlDsigExcC14NTransformUrl;        
 
         public X509Certificate2 SigningCertificate { get; set; }
-        public X509Certificate2 DecryptionCertificate { get; set; }
+        [Obsolete("DecryptionCertificate are obsolete to support multiple decryption certificates. Use DecryptionCertificates instead.")]
+        public X509Certificate2 DecryptionCertificate
+        {
+            get { return DecryptionCertificates?.FirstOrDefault(); }
+            set { DecryptionCertificates = new List<X509Certificate2> { value }; }
+        }
+        public List<X509Certificate2> DecryptionCertificates { get; set; } = new List<X509Certificate2>();
         /// <summary>
         /// If set the authn responses created by the library is encrypt.
         /// </summary>

src/ITfoxtec.Identity.Saml2/Configuration/Saml2IdentityConfiguration.cs

@@ -1,4 +1,5 @@
 using System.ServiceModel.Security;
+using System.Collections.Generic;
 #if NETFULL
 using ITfoxtec.Identity.Saml2.Tokens;
 using System;
@@ -27,7 +28,7 @@ public class Saml2IdentityConfiguration :
 #if !NETFULL
         public X509CertificateValidator CertificateValidator { get; set; }
 
-        public X509Certificate2 DecryptionCertificate { get; set; }
+        public IEnumerable<X509Certificate2> DecryptionCertificates { get; set; }
 #endif
 
         public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configuration config)
@@ -75,7 +76,7 @@ public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configura
                 CertificateValidationMode = config.CertificateValidationMode,
                 RevocationMode = config.RevocationMode,
             };
-            configuration.DecryptionCertificate = config.DecryptionCertificate;
+            configuration.DecryptionCertificates = config.DecryptionCertificates;
             SetCustomCertificateValidator(configuration, config);
 #endif
 

src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj

@@ -31,10 +31,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.0.0</AssemblyVersion>
-    <FileVersion>4.10.0.0</FileVersion>
+    <AssemblyVersion>4.10.1.0</AssemblyVersion>
+    <FileVersion>4.10.1.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.0-beta1</Version>
+    <Version>4.10.1-beta1</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs

@@ -26,7 +26,7 @@ public class Saml2AuthnResponse : Saml2Response
     {
         public override string ElementName => Schemas.Saml2Constants.Message.AuthnResponse;
 
-        internal X509Certificate2 DecryptionCertificate { get; private set; }
+        internal IEnumerable<X509Certificate2> DecryptionCertificates { get; private set; }
         internal X509Certificate2 EncryptionCertificate { get; private set; }
 
         /// <summary>
@@ -60,12 +60,12 @@ public Saml2AuthnResponse(Saml2Configuration config) : base(config)
 
             Destination = config.SingleSignOnDestination;
 
-            if (config.DecryptionCertificate != null)
+            if (config.DecryptionCertificates?.Count() > 0)
             {
-                DecryptionCertificate = config.DecryptionCertificate;
-                if (config.DecryptionCertificate.GetSamlRSAPrivateKey() == null)
+                DecryptionCertificates = config.DecryptionCertificates.Where(c => c.GetSamlRSAPrivateKey() != null);
+                if (!(DecryptionCertificates?.Count() > 0))
                 {
-                    throw new ArgumentException("No RSA Private Key present in Decryption Certificate or missing private key read credentials.");
+                    throw new ArgumentException("No RSA Private Key present in Decryption Certificates or missing private key read credentials.");
                 }
             }
             if(config.EncryptionCertificate != null)
@@ -353,9 +353,23 @@ private ClaimsIdentity ReadClaimsIdentity(string tokenString, bool detectReplaye
 
         protected override void DecryptMessage()
         {
-            if (DecryptionCertificate != null)
+            if (DecryptionCertificates?.Count() > 0)
             {
-                new Saml2EncryptedXml(XmlDocument, DecryptionCertificate.GetSamlRSAPrivateKey()).DecryptDocument();
+                var exceptions = new List<Exception>();
+                foreach(var decryptionCertificate in DecryptionCertificates)
+                {
+                    try
+                    {
+                        new Saml2EncryptedXml(XmlDocument, decryptionCertificate.GetSamlRSAPrivateKey()).DecryptDocument();
+                        // Stop the look when the message successfully decrypted.
+                        return;
+                    }
+                    catch (Exception e)
+                    {
+                        exceptions.Add(e);
+                    }
+                }
+                throw new AggregateException("Failed to decrypt message", exceptions);
 #if DEBUG
                 Debug.WriteLine("Saml2P (Decrypted): " + XmlDocument.OuterXml);
 #endif

src/ITfoxtec.Identity.Saml2/Tokens/Saml2ResponseSecurityTokenHandler.cs

@@ -46,7 +46,7 @@ public static Saml2ResponseSecurityTokenHandler GetSaml2SecurityTokenHandler(Sam
             handler.SamlSecurityTokenRequirement.NameClaimType = ClaimTypes.NameIdentifier;
 #else
             handler.TokenValidationParameters = configuration;
-            handler.Serializer = new Saml2TokenSerializer(configuration.DecryptionCertificate);
+            handler.Serializer = new Saml2TokenSerializer(configuration.DecryptionCertificates);
 #endif
             return handler;
         }

src/ITfoxtec.Identity.Saml2/Tokens/Saml2TokenSerializer.cs

@@ -3,30 +3,44 @@
 using Microsoft.IdentityModel.Tokens.Saml2;
 using Microsoft.IdentityModel.Xml;
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Xml;
 
 namespace ITfoxtec.Identity.Saml2.Tokens
 {
     internal class Saml2TokenSerializer : Saml2Serializer
     {
-        private readonly X509Certificate2 decryptionCertificate;
+        private readonly IEnumerable<X509Certificate2> decryptionCertificates;
 
-        public Saml2TokenSerializer(X509Certificate2 decryptionCertificate) : base() 
+        public Saml2TokenSerializer(IEnumerable<X509Certificate2> decryptionCertificates) : base() 
         {
-            this.decryptionCertificate = decryptionCertificate;
+            this.decryptionCertificates = decryptionCertificates;
         }
 
         protected override Saml2NameIdentifier ReadEncryptedId(XmlDictionaryReader reader)
         {
-            if (decryptionCertificate != null)
+            if (decryptionCertificates?.Count() > 0)
             {
                 var xmlDocument = reader.ReadOuterXml().ToXmlDocument();
 
-                new Saml2EncryptedXml(xmlDocument, decryptionCertificate.GetSamlRSAPrivateKey()).DecryptDocument();
-
-                var decryptedReader = XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xmlDocument.DocumentElement.FirstChild));
-                return ReadNameIdentifier(decryptedReader, null);
+                var exceptions = new List<Exception>();
+                foreach (var decryptionCertificate in decryptionCertificates)
+                {
+                    try
+                    {
+                        new Saml2EncryptedXml(xmlDocument, decryptionCertificate.GetSamlRSAPrivateKey()).DecryptDocument();
+                        // Stop the look when the message successfully decrypted.
+                        var decryptedReader = XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xmlDocument.DocumentElement.FirstChild));
+                        return ReadNameIdentifier(decryptedReader, null);
+                    }
+                    catch (Exception e)
+                    {
+                        exceptions.Add(e);
+                    }
+                }
+                throw new AggregateException("Failed to decrypt message", exceptions);
             }
             else
             {

test/TestIdPCore/Controllers/AuthController.cs

@@ -243,8 +243,11 @@ private Saml2Configuration GetRpSaml2Configuration(RelyingParty relyingParty = n
 
             if (relyingParty != null) 
             {
-                rpConfig.SignatureValidationCertificates.Add(relyingParty.SignatureValidationCertificate);
-                rpConfig.EncryptionCertificate = relyingParty.EncryptionCertificate;
+                rpConfig.SignatureValidationCertificates.AddRange(relyingParty.SignatureValidationCertificates);
+                if (relyingParty.EecryptionCertificates?.Count() > 0)
+                {
+                    rpConfig.EncryptionCertificate = relyingParty.EecryptionCertificates.LastOrDefault();
+                }
             }
 
             return rpConfig;
@@ -273,7 +276,8 @@ private async Task LoadRelyingPartyAsync(RelyingParty rp, CancellationTokenSourc
                         rp.AcsDestination = entityDescriptor.SPSsoDescriptor.AssertionConsumerServices.Where(a => a.IsDefault).OrderBy(a => a.Index).First().Location;
                         var singleLogoutService = entityDescriptor.SPSsoDescriptor.SingleLogoutServices.First();
                         rp.SingleLogoutDestination = singleLogoutService.ResponseLocation ?? singleLogoutService.Location;
-                        rp.SignatureValidationCertificate = entityDescriptor.SPSsoDescriptor.SigningCertificates.First();
+                        rp.SignatureValidationCertificates = entityDescriptor.SPSsoDescriptor.SigningCertificates;
+                        rp.EecryptionCertificates = entityDescriptor.SPSsoDescriptor.EncryptionCertificates;
                     }
                     else
                     {

test/TestIdPCore/Controllers/MetadataController.cs

@@ -31,10 +31,7 @@ public IActionResult Index()
                 {
                     config.SigningCertificate
                 },
-                //EncryptionCertificates = new X509Certificate2[]
-                //{
-                //    config.DecryptionCertificate
-                //},
+                //EncryptionCertificates = config.DecryptionCertificates,
                 SingleSignOnServices = new SingleSignOnService[]
                 {
                     new SingleSignOnService { Binding = ProtocolBindings.HttpRedirect, Location = config.SingleSignOnDestination }