Error while decrypting SAML token from Live Id
- In my previous question I wrote about requesting a token from Live Id using WSTrustClient, and in the end I was able to do this. Unfortunately there was a break in these experiments, and when I wanted to continue, I found that I am not able to decrypt this token.
I tried the approach described here, but with no success. I also tried to send this token to a preconfigured service, but the same error occurs internally on the server side.
The exception I get is an XmlException: "There was an error deserializing the security key identifier clause XML. Please see the inner exception for more details." The inner exception says "Value cannot be null. Parameter name: certificate". I followed the stack trace and, with the help of Reflector, found the source of the error. It seems that the serializer just can't deal with the "<ds:X509SKI>rxh/...CcpZk=</ds:X509SKI>" part of the token. Since ACS and Geneva custom STSes use <X509IssuerSerial> instead of X509SKI, their tokens are deserialized fine.
Is there a way to decrypt tokens which use X509SKI to point to the certificate, and how do I configure the web service to use such a deserializer?
Stack trace:
Inner Exception: "
at System.IdentityModel.Tokens.X509RawDataKeyIdentifierClause.GetRawData(X509Certificate certificate)
at System.IdentityModel.Tokens.X509RawDataKeyIdentifierClause..ctor(X509Certificate2 certificate)
at System.ServiceModel.Security.XmlDsigSep2000.X509CertificateClauseEntry.ReadKeyIdentifierClauseCore(XmlDictionaryReader reader)
at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadKeyIdentifierClauseCore(XmlReader reader)
"
Exception: "
at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadKeyIdentifierClauseCore(XmlReader reader)
at System.ServiceModel.Security.XmlDsigSep2000.KeyInfoEntry.ReadKeyIdentifierCore(XmlDictionaryReader reader)
at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadKeyIdentifierCore(XmlReader reader)
at System.ServiceModel.Security.XmlEncApr2001.EncryptedKeyClauseEntry.ReadKeyIdentifierClauseCore(XmlDictionaryReader reader)
at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadKeyIdentifierClauseCore(XmlReader reader)
at System.ServiceModel.Security.XmlDsigSep2000.KeyInfoEntry.ReadKeyIdentifierCore(XmlDictionaryReader reader)
at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadKeyIdentifierCore(XmlReader reader)
at Microsoft.IdentityModel.Protocols.XmlEncryption.EncryptedDataElement.ReadXml(XmlReader reader, SecurityTokenSerializer securityTokenSerializer)
at Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
at WsTrustClient1.WSTrustUtility.ToClaimsIdentityCollection(GenericXmlSecurityToken token, TrustVersion trustVersion) in C:\Projects\Test\C#\WsTrustClient1\WsTrustClient1\WSTrustUtility.cs:line 58
at WsTrustClient1.Program.Main(String[] args) in C:\Projects\Test\C#\WsTrustClient1\WsTrustClient1\Program.cs:line 47
at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
"
SAML token XML:
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SKI>wfc...VaF6c=</ds:X509SKI>
        </ds:X509Data>
        <ds:KeyName>appliesto.net</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>...</CipherValue>
  </CipherData>
</EncryptedData>
All Replies
- I guess you need to set a different key identifier - have a look here: http://www.leastprivilege.com/SettingKeyIdentifiersInGeneva.aspx
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Thank you for the information.
However, it is mostly related to creating X509SKI in a custom STS, but my intention is to consume such tokens. I have surfed Microsoft.IdentityModel, System.IdentityModel and System.ServiceModel.Security in Reflector for an hour, but didn't find how to use this key identifier in deserialization.
The problem is that all serialization goes from SecurityTokenSerializerAdapter to WSSecurityTokenSerializer pretty quickly, and this class (and its KeyIdentifierClauseEntries) doesn't know how to read X509SKI (but, interestingly, knows how to write it in X509SkiStrEntry).
Maybe I am making things too complex, because the only thing I need is a standard WCF service with federation binding, even without Geneva, which can accept Live Id tokens.
- Yeah - it is not obvious how it works - but I am sure it is related to the key identifier. I would have to try it myself.
Alternatively, also have a look here - Justin does something very similar to that:
http://blogs.msdn.com/justinjsmith/archive/2009/03/24/tokenclient-mix-introduction.aspx
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Thank you for answering.
After some period of Brownian motion, I found how to resolve the X509SKI certificate. The problem was with EncryptedSecurityTokenHandler. By default, it creates a WSSecurityTokenSerializer with WSTrust 1.3, WSSecurity 1.1 and so on. And since WSSecurityTokenSerializer doesn't work with X509SKI, the problem occurs.
I tried to replace WSSecurityTokenSerializer with a SecurityTokenSerializerAdapter with the correct versions and an X509SecurityTokenHandler in the handlers collection. With this update the certificate is found, but another problem appears.
Now, when the SecurityTokenResolver tries to decrypt the session key with my certificate, an "Error occurred while decoding OAEP padding" exception is thrown. I tried to encrypt and decrypt some test data and everything works fine. Decrypting data from ACS with this certificate also works fine. So this means that at least the certificate is OK. My concern is that Live Id encrypts this key with something other than my certificate. At msm.live.com I checked the certificate twice and re-uploaded it in my PPE environment, but the problem remains.
It would also be really useful if you could try it yourself, because maybe there are some problems with WS-Trust in the Live Id PPE environment. Or I am doing something wrong.
P.S. BTW, it is also pretty strange that WSSecurityTokenSerializer doesn't handle X509SKI out of the box.
- Anyone any updates on this?
I have, through much pain, got to the same original issue deserialising a LiveID token.
It seems such an obvious thing to want to do. I'm trying to pass the LiveID token on as an ActAs from my original RP to my internal STS; I want to iterate its claims to transform it into a local identity.
Any updates/ideas before I spend another futile few days, and my employer gives up on the Geneva framework altogether, would be much appreciated.
Regards, Iain
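A diagnostic for the X509SKI problem discussed in this thread, added here as an example and not code posted by anyone in it: it reads the <ds:X509SKI> under EncryptedKey/KeyInfo and looks the matching certificate up in the local Personal store, so a "wrong certificate" cause of the OAEP padding error can be separated from a deserialization problem. It assumes the RP certificate is installed in CurrentUser\My and uses only System.Xml and X509Store, not the WIF handler pipeline.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

static class EncryptedKeyCheck
{
    const string DsNs  = "http://www.w3.org/2000/09/xmldsig#";
    const string EncNs = "http://www.w3.org/2001/04/xmlenc#";

    // Returns the local certificate whose SubjectKeyIdentifier matches the token's
    // <ds:X509SKI>, or null if the store holds no such certificate.
    public static X509Certificate2 FindWrappingCertificate(string encryptedDataXml, StoreLocation location)
    {
        var doc = new XmlDocument();
        doc.LoadXml(encryptedDataXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("xenc", EncNs);
        ns.AddNamespace("ds", DsNs);

        // Identifier of the key that wraps the session key (the inner KeyInfo, not the outer one).
        var skiNode = doc.SelectSingleNode(
            "/xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/ds:KeyInfo/ds:X509Data/ds:X509SKI", ns);
        if (skiNode == null)
            throw new InvalidOperationException(
                "EncryptedKey/KeyInfo carries no X509SKI (X509IssuerSerial and other forms are not handled here)");

        // XML-DSig defines X509SKI as the base64 of the raw SubjectKeyIdentifier extension value;
        // X509Store.Certificates.Find expects the same bytes as a hex string.
        byte[] ski = Convert.FromBase64String(skiNode.InnerText.Trim());
        string skiHex = BitConverter.ToString(ski).Replace("-", string.Empty);

        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = store.Certificates.Find(X509FindType.FindBySubjectKeyIdentifier, skiHex, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        // Constructed sample: the thread's EncryptedData skeleton with a placeholder SKI (bytes 00..09).
        string tokenXml =
            "<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'><ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>" +
            "<EncryptedKey><ds:KeyInfo><ds:X509Data><ds:X509SKI>AAECAwQFBgcICQ==</ds:X509SKI></ds:X509Data>" +
            "</ds:KeyInfo></EncryptedKey></ds:KeyInfo></EncryptedData>";
        string xml = args.Length > 0 ? System.IO.File.ReadAllText(args[0]) : tokenXml;
        var cert = FindWrappingCertificate(xml, StoreLocation.CurrentUser);
        if (cert == null)
            Console.WriteLine("No certificate in CurrentUser\\My has this SKI: the token was not wrapped for a key you hold.");
        else
            Console.WriteLine("Token wraps to '{0}'; private key present: {1}", cert.Subject, cert.HasPrivateKey);
    }
}
```

Pass the path of a saved token as the first argument to check a real one; a match with HasPrivateKey true means the certificate is right and the OAEP failure must be looked for elsewhere.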