|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(DataFlex) Decrypt a SAML ResponseDemonstrates how to decrypt a SAML response. Note: This example requires Chilkat v9.5.0.76 or greater.
Use ChilkatAx-win32.pkg Procedure Test Handle hoHttp Variant vSbSamlResponse Handle hoSbSamlResponse Variant vSbPrivateKeyPem Handle hoSbPrivateKeyPem Boolean iSuccess Handle hoXml Variant vPrivkey Handle hoPrivkey Handle hoRsa String sEncryptedAesKey Variant vBdAesKey Handle hoBdAesKey Handle hoSbRsaAlg String sEncrypted64 Variant vBdEncrypted Handle hoBdEncrypted Handle hoCrypt Handle hoSbAlg String sDecryptedXml Assertion Handle hoXmlAssertion Variant vXmlEncryptedAssertion Handle hoXmlEncryptedAssertion String sTemp1 Boolean bTemp1 // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // This example decrypts this SAML response: // <?xml version="1.0" encoding="UTF-8" ?> // <saml2p:Response Destination="https://deskflow-asp2.com/ubc/ubcdfe.dll/cwlacs" ID="_e4585eaeedbcaf7c24dff7f1ee2499f5" IssueInstant="2018-10-11T17:46:20.727Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> // <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://authentication.stg.id.ubc.ca</saml2:Issuer> // <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> // <ds:SignedInfo> // <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> // <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> // <ds:Reference URI="#_e4585eaeedbcaf7c24dff7f1ee2499f5"> // <ds:Transforms> // <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> // <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> // </ds:Transforms> // <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> // <ds:DigestValue>1ui22tqFyYEOoWI19CMwz4n+ynxNjLDGdTeRMdi60EU=</ds:DigestValue> // </ds:Reference> // </ds:SignedInfo> // <ds:SignatureValue>ROg7FXV6vsp8socVhdo76/i7cRHGGKIveAiScKdujZT0QrHVqIvvbZ/RnwvEMJ9H9i/kJFAQA171 // Eo2kDjSdvNFQ/YcKaJUwMtAwT05yVatGV42RZKEf7ME+vpcCTR1LWZdrhat1FWCg1MNQwNWB0EL5 // fEP2a4jAcSTB8tFbjTAHsv7IWC39E5RVv99mACYXLa7iGZLtORANZxgYu5qQgmH6pUkI6Z1cpmf+ // m9mIjKM6LF0EvLfWOBWL6udZ+GsHPOLjVTJg+1S0xb9FQCYDVW1QhbjSS0icKHKTNNbrsaxllVDY // m4q27YQjRh+XxugPgvsZ61Pxlto8Jbg+6jUlMQ==</ds:SignatureValue> // <ds:KeyInfo> // <ds:X509Data> // <ds:X509Certificate>MIIDTTCCAjWgAwIBAgIVAJccYyIV6wly8XyddumpgnHMJ2JLMA0GCSqGSIb3DQEBCwUAMCcxJTAj // BgNVBAMMHGF1dGhlbnRpY2F0aW9uLnN0Zy5pZC51YmMuY2EwHhcNMTcwMzAxMTk1NDM0WhcNMzcw // ... // xUuh6HuHKIwQqHBz7udxbH3Zbb6jXGDJjiDHt1LRJ8xbVisFIcDlIwsGQQi0HeEJfx4P</ds:X509Certificate> // </ds:X509Data> // </ds:KeyInfo> // </ds:Signature> // <saml2p:Status> // <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> // </saml2p:Status> // <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> // <xenc:EncryptedData Id="_314d80b9cf02d8eda8d686a6ffd626cf" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> // <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> // <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> // <xenc:EncryptedKey Id="_d7b6da6fb59a627ebb4a96928441ab79" Recipient="https://ubcdfe.deskflow-asp2.com" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> // <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> // <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> // </xenc:EncryptionMethod> // <ds:KeyInfo> // <ds:X509Data> // <ds:X509Certificate>MIICuzCCAiQCCQD3bpigRnKMSzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCQ0ExEDAOBgNV // BAgMB09udGFyaW8xEDAOBgNVBAcMB1Rvcm9udG8xJjAkBgNVBAoMHVRhY3RpY2FsIEJ1c2luZXNz // ... // kVRcHd1UK3q7G8FoykWjdQz/0EoMTfEZ+Md56mLOe48eMUZV2ONZuL1kDCEKw1UwkaDQI4Pf8pzx // 82b9rgw9wBDtvu5eFPlUGEGIBw==</ds:X509Certificate> // </ds:X509Data> // </ds:KeyInfo> // <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> // <xenc:CipherValue>BNHfUOpgdPE5BgpN2VIZIDthMAv1rxk91qVnWyCZOG9bmUKChJtTUqMpndot7VJwYuyKFshkAdnT // D79KGdlSA1xHKcVeZXXzDWglqSyYjzhDCsyOhPaI4HelMFgCLwyFz89uEpUpqlvfl8ol3Am/XnzQ // Vp7V7oS76hocjUI51Qs=</xenc:CipherValue> // </xenc:CipherData> // </xenc:EncryptedKey> // </ds:KeyInfo> // <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> // <xenc:CipherValue>R6l7tmbnXrOfBgB8lA3KnwLYsLH5ZO5omQ7Hp5K05atzw2o55xmCXVMYhNneFxMtxUh6raEyHeZX // PTZNgWrvdqc4GYND/R7MhRrJzk9OAq1WyoOXwbtRpwNDwWA4N2IuprPQJbvjVxaw/PesZMZwZqlp // ... // zm9zAxahyu8Ooe8M4r3HN2cY0JxxxkZtDiulbnyA+rRtXfBRJtangvFQ4iFAnzM/Yg9hMyW9jcu0 // S7FzuRB9ONMxi+nh0IFWgqp+</xenc:CipherValue> // </xenc:CipherData> // </xenc:EncryptedData> // </saml2:EncryptedAssertion> // </saml2p:Response> // The sample encrypted SAML response and RSA private key are available online: Get Create (RefClass(cComChilkatHttp)) To hoHttp If (Not(IsComObjectCreated(hoHttp))) Begin Send CreateComObject of hoHttp End Get Create (RefClass(cComChilkatStringBuilder)) To hoSbSamlResponse If (Not(IsComObjectCreated(hoSbSamlResponse))) Begin Send CreateComObject of hoSbSamlResponse End Get Create (RefClass(cComChilkatStringBuilder)) To hoSbPrivateKeyPem If (Not(IsComObjectCreated(hoSbPrivateKeyPem))) Begin Send CreateComObject of hoSbPrivateKeyPem End Get pvComObject of hoSbSamlResponse to vSbSamlResponse Get ComQuickGetSb Of hoHttp "https://chilkatdownload.com/data/samlresponse.xml" vSbSamlResponse To iSuccess If (iSuccess = True) Begin Get pvComObject of hoSbPrivateKeyPem to vSbPrivateKeyPem Get ComQuickGetSb Of hoHttp "https://chilkatdownload.com/data/samlresponse_privkey.pem" vSbPrivateKeyPem To iSuccess End If (iSuccess <> True) Begin Get ComLastErrorText Of hoHttp To sTemp1 Showln sTemp1 Procedure_Return End Get Create (RefClass(cComChilkatXml)) To hoXml If (Not(IsComObjectCreated(hoXml))) Begin Send CreateComObject of hoXml End Get pvComObject of hoSbSamlResponse to vSbSamlResponse Get ComLoadSb Of hoXml vSbSamlResponse True To iSuccess // Load the RSA private key.. Get Create (RefClass(cComChilkatPrivateKey)) To hoPrivkey If (Not(IsComObjectCreated(hoPrivkey))) Begin Send CreateComObject of hoPrivkey End Get ComGetAsString Of hoSbPrivateKeyPem To sTemp1 Get ComLoadPem Of hoPrivkey sTemp1 To iSuccess If (iSuccess <> True) Begin Get ComLastErrorText Of hoPrivkey To sTemp1 Showln sTemp1 Procedure_Return End // Prepare an RSA object w/ the private key... Get Create (RefClass(cComChilkatRsa)) To hoRsa If (Not(IsComObjectCreated(hoRsa))) Begin Send CreateComObject of hoRsa End Get pvComObject of hoPrivkey to vPrivkey Get ComImportPrivateKeyObj Of hoRsa vPrivkey To iSuccess If (iSuccess <> True) Begin Get ComLastErrorText Of hoRsa To sTemp1 Showln sTemp1 Procedure_Return End // RSA will be used to decrypt the xenc:EncryptedKey // The bytes to be decrypted are in xenc:CipherValue (in base64 format) Get ComGetChildContent Of hoXml "saml2:EncryptedAssertion|xenc:EncryptedData|ds:KeyInfo|xenc:EncryptedKey|xenc:CipherData|xenc:CipherValue" To sEncryptedAesKey Get ComLastMethodSuccess Of hoXml To bTemp1 If (bTemp1 <> True) Begin Showln "Encrypted AES key not found." Procedure_Return End Showln "Encrypted AES key (base64) = " sEncryptedAesKey Get Create (RefClass(cComChilkatBinData)) To hoBdAesKey If (Not(IsComObjectCreated(hoBdAesKey))) Begin Send CreateComObject of hoBdAesKey End Get ComAppendEncoded Of hoBdAesKey sEncryptedAesKey "base64" To iSuccess Get Create (RefClass(cComChilkatStringBuilder)) To hoSbRsaAlg If (Not(IsComObjectCreated(hoSbRsaAlg))) Begin Send CreateComObject of hoSbRsaAlg End Get ComChilkatPath Of hoXml "saml2:EncryptedAssertion|xenc:EncryptedData|ds:KeyInfo|xenc:EncryptedKey|xenc:EncryptionMethod|(Algorithm)" To sTemp1 Get ComAppend Of hoSbRsaAlg sTemp1 To iSuccess Get ComGetAsString Of hoSbRsaAlg To sTemp1 Showln "sbRsaAlg contains: " sTemp1 Get ComContains Of hoSbRsaAlg "rsa-oaep" True To bTemp1 If (bTemp1 = True) Begin Set ComOaepPadding Of hoRsa To True End // Note: The DecryptBd method is introduced in Chilkat v9.5.0.76 Get pvComObject of hoBdAesKey to vBdAesKey Get ComDecryptBd Of hoRsa vBdAesKey True To iSuccess If (iSuccess <> True) Begin Get ComLastErrorText Of hoRsa To sTemp1 Showln sTemp1 Procedure_Return End Get ComGetEncoded Of hoBdAesKey "hex" To sTemp1 Showln "Decrypted AES key (hex) = " sTemp1 // Get the encrypted XML (in base64) to be decrypted w/ the AES key. Get ComGetChildContent Of hoXml "saml2:EncryptedAssertion|xenc:EncryptedData|xenc:CipherData|xenc:CipherValue" To sEncrypted64 Get ComLastMethodSuccess Of hoXml To bTemp1 If (bTemp1 <> True) Begin Showln "Encrypted data not found." Procedure_Return End Get Create (RefClass(cComChilkatBinData)) To hoBdEncrypted If (Not(IsComObjectCreated(hoBdEncrypted))) Begin Send CreateComObject of hoBdEncrypted End Get ComAppendEncoded Of hoBdEncrypted sEncrypted64 "base64" To iSuccess // Get the symmetric algorithm: "http://www.w3.org/2001/04/xmlenc#aes128-cbc" // and set the symmetric decrypt properties. Get Create (RefClass(cComChilkatCrypt2)) To hoCrypt If (Not(IsComObjectCreated(hoCrypt))) Begin Send CreateComObject of hoCrypt End Get Create (RefClass(cComChilkatStringBuilder)) To hoSbAlg If (Not(IsComObjectCreated(hoSbAlg))) Begin Send CreateComObject of hoSbAlg End Get ComChilkatPath Of hoXml "saml2:EncryptedAssertion|xenc:EncryptedData|xenc:EncryptionMethod|(Algorithm)" To sTemp1 Get ComAppend Of hoSbAlg sTemp1 To iSuccess Get ComContains Of hoSbAlg "aes128-cbc" True To bTemp1 If (bTemp1 = True) Begin Set ComCryptAlgorithm Of hoCrypt To "aes" Set ComKeyLength Of hoCrypt To 128 Set ComCipherMode Of hoCrypt To "cbc" // The 1st 16 bytes of the encrypted data are the AES IV. Get ComGetEncodedChunk Of hoBdEncrypted 0 16 "hex" To sTemp1 Send ComSetEncodedIV To hoCrypt sTemp1 "hex" Get ComRemoveChunk Of hoBdEncrypted 0 16 To iSuccess End // Other algorithms, key lengths, etc, can be supported by checking for different Algorithm attribute values.. Get ComGetEncoded Of hoBdAesKey "hex" To sTemp1 Send ComSetEncodedKey To hoCrypt sTemp1 "hex" // AES decrypt... Get pvComObject of hoBdEncrypted to vBdEncrypted Get ComDecryptBd Of hoCrypt vBdEncrypted To iSuccess If (iSuccess <> True) Begin Get ComLastErrorText Of hoCrypt To sTemp1 Showln sTemp1 Procedure_Return End // Get the decrypted XML Get ComGetString Of hoBdEncrypted "utf-8" To sDecryptedXml Showln "Decrypted XML:" Showln sDecryptedXml // The decrypted XML looks like this: // <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_226e565c548db7986d165d7d969b48b4" IssueInstant="2018-10-11T17:46:20.727Z" Version="2.0"> // ... // ... // ... // </saml2:Assertion> Get Create (RefClass(cComChilkatXml)) To hoXmlAssertion If (Not(IsComObjectCreated(hoXmlAssertion))) Begin Send CreateComObject of hoXmlAssertion End Get ComLoadXml Of hoXmlAssertion sDecryptedXml To iSuccess // Replace the saml2:EncryptedAssertion XML subtree with the saml2:Assertion XML. Get ComFindChild Of hoXml "saml2:EncryptedAssertion" To vXmlEncryptedAssertion If (IsComObject(vXmlEncryptedAssertion)) Begin Get Create (RefClass(cComChilkatXml)) To hoXmlEncryptedAssertion Set pvComObject Of hoXmlEncryptedAssertion To vXmlEncryptedAssertion End Get pvComObject of hoXmlAssertion to vXmlAssertion Get ComSwapTree Of hoXmlEncryptedAssertion vXmlAssertion To iSuccess Send Destroy of hoXmlEncryptedAssertion // The decrypted XML assertion has now replaced the encrypted XML assertion. // Examine the fully decrypted XML document: Showln "Full XML SAML document with decrypted assertion:" Get ComGetXml Of hoXml To sTemp1 Showln sTemp1 End_Procedure |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.