Support SAML2 EncryptedAssertion WriteToken

* Set EncryptingCredentials to Saml2Assertion when creating a saml2 token
* Add support classes for SAML2 Encryption - TODO comments and xml read/write
implementation
* Cover encryption with pre-shared session key

# Conflicts:
#	src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2Assertion.cs
#	src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2Serializer.cs
#	src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs
#	src/Microsoft.IdentityModel.Tokens/Utility.cs

Author: brentschmaltz

build/targets.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <SrcTargets>net45;net461;netstandard2.0</SrcTargets>
+    <SrcTargets>net45;net461;netstandard2.0;netstandard2.1</SrcTargets>
     <SrcStandardTargets>netstandard2.0</SrcStandardTargets>
   </PropertyGroup>
 </Project>

src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs

@@ -157,10 +157,7 @@ public override bool CanReadToken(string securityToken)
 #if NET45
                     settings.XmlResolver = null;
 #endif
-                    using (var reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr, settings))) 
-                    {
-                        return CanReadToken(reader);
-                    }
+                    return CanReadToken(reader);
                 }
             }
             catch (Exception)

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2Assertion.cs

@@ -158,6 +158,7 @@ internal string CanonicalString
             }
         }
 
+        /// <summary>
         /// Gets or sets the credentials used for encrypting the assertion.
         /// </summary>
         /// <exception cref="Saml2SecurityTokenEncryptedAssertionException"> If this assertion is encrypted.</exception>

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs

@@ -106,10 +106,7 @@ public override bool CanReadToken(string token)
 #if NET45
                     settings.XmlResolver = null;
 #endif                 
-                    using (var reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr, settings)))
-                    {
-                        return CanReadToken(reader);
-                    }
+                    return CanReadToken(reader);
                 }
             }
             catch(Exception )

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2Serializer.cs

@@ -45,6 +45,14 @@ public class Saml2Serializer
         private string _prefix = Saml2Constants.Prefix;
         private readonly IEncryptedAssertionHandler _encryptedAssertionHandler;
 
+        /// <summary>
+        /// Instantiates a new instance of <see cref="Saml2Serializer"/>.
+        /// </summary>
+        public Saml2Serializer()
+        {
+            _encryptedAssertionHandler = null;
+        }
+
         /// <summary>
         /// Instantiates a new instance of <see cref="Saml2Serializer"/>.
         /// </summary>

src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs

@@ -37,9 +37,10 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     public class AuthenticatedEncryptionProvider : IDisposable
     {
+#if NETSTANDARD2_1
         private const int AES_GCM_IV_SIZE = 12;
         private const int AES_GCM_TAG_SIZE = 16;
-
+#endif
         private struct AuthenticatedKeys
         {
             public SymmetricSecurityKey AesKey;
@@ -148,39 +149,42 @@ public virtual AuthenticatedEncryptionResult Encrypt(byte[] plaintext, byte[] au
             if (_disposed)
                 throw LogHelper.LogExceptionMessage(new ObjectDisposedException(GetType().ToString()));
 
+            byte[] ciphertext;
+
+#if NETSTANDARD2_1
             if (IsAesGcmAlgorithm(Algorithm))
             {
-                byte[] ciphertext = new byte[plaintext.Length];
+                ciphertext = new byte[plaintext.Length];
                 byte[] nonce = new byte[AES_GCM_IV_SIZE];
                 byte[] tag = new byte[AES_GCM_TAG_SIZE];
-
                 using (var aesGcm = new AesGcm(GetKeyBytes(Key)))
                 {
                     //random nonce
                     RandomNumberGenerator rng = RandomNumberGenerator.Create();
                     rng.GetBytes(nonce);
+
                     try
--                   {
+                    {
                         aesGcm.Encrypt(nonce, plaintext, ciphertext, tag);
                     }
-                    catch (Exception ex)
--                   {
+                    catch(Exception ex)
+                    {
                         throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(LogMessages.IDX10618, Algorithm), ex));
                     }
                 }
 
                 return new AuthenticatedEncryptionResult(Key, ciphertext, nonce, tag);
             }
             else
-            { 
+            {
+#endif
                 Aes aes = Aes.Create();
                 aes.Mode = CipherMode.CBC;
                 aes.Padding = PaddingMode.PKCS7;
                 aes.Key = _authenticatedkeys.AesKey.Key;
                 if (iv != null)
                     aes.IV = iv;
 
-                byte[] ciphertext;
                 try
                 {
                     ciphertext = Transform(aes.CreateEncryptor(), plaintext, 0, plaintext.Length);
@@ -201,8 +205,10 @@ public virtual AuthenticatedEncryptionResult Encrypt(byte[] plaintext, byte[] au
                 Array.Copy(macHash, authenticationTag, authenticationTag.Length);
 
                 return new AuthenticatedEncryptionResult(Key, ciphertext, aes.IV, authenticationTag);
+#if NETSTANDARD2_1
+                }
+#endif
             }
-        }
 
         /// <summary>
         /// Decrypts ciphertext into plaintext

src/Microsoft.IdentityModel.Tokens/LogMessages.cs

@@ -123,8 +123,8 @@ internal static class LogMessages
         public const string IDX10616 = "IDX10616: Encryption failed. EncryptionProvider failed for: Algorithm: '{0}', SecurityKey: '{1}'. See inner exception.";
         public const string IDX10617 = "IDX10617: Encryption failed. Keywrap is only supported for: '{0}', '{1}' and '{2}'. The content encryption specified is: '{3}'.";
         public const string IDX10618 = "IDX10618: Encryption failed. EncryptionProvider failed for: Algorithm: '{0}'. See inner exception.";
-        public const string IDX10619 = "IDX10619: Decryption failed. EncryptionProvider failed for: Algorithm: '{0}'. See inner exception.";
-        public const string IDX10620 = "IDX10620: Decryption failed. Cipher-text size is less than 1.";
+        //public const string IDX10619 = "IDX10619: Decryption failed. EncryptionProvider failed for: Algorithm: '{0}'. See inner exception.";
+        //public const string IDX10620 = "IDX10620: Decryption failed. Cipher-text size is less than 1.";
 
         // Formating
         public const string IDX10400 = "IDX10400: Unable to decode: '{0}' as Base64url encoded string.";

test/Microsoft.IdentityModel.Tokens.Saml.Tests/Helpers/AesGcmAuthenticatedEncryptionProvider.cs

@@ -31,6 +31,8 @@
 
 namespace Microsoft.IdentityModel.Tokens.Saml.Tests
 {
+
+#if FALSE
     // Helper AuthenticatedEncryptionProvider class made to mimic AES-GCM
     // remove when AES-GCM is released and supported
     public class AesGcmAuthenticatedEncryptionProvider : AuthenticatedEncryptionProvider
@@ -69,7 +71,7 @@ public override AuthenticatedEncryptionResult Encrypt(byte[] plaintext, byte[] a
                     }
                     catch (Exception ex)
                     {
-                        throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(Tokens.LogMessages.IDX10618, Algorithm), ex));
+                        throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant("Tokens.LogMessages.IDX10618", Algorithm), ex));
                     }
                 }
 
@@ -87,7 +89,7 @@ public override byte[] Decrypt(byte[] ciphertext, byte[] authenticatedData, byte
                 int cipherSize = ciphertext.Length - AES_GCM_IV_SIZE - AES_GCM_TAG_SIZE;
 
                 if (cipherSize < 1)
-                    throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(LogHelper.FormatInvariant(Tokens.LogMessages.IDX10620)));
+                    throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(LogHelper.FormatInvariant("Tokens.LogMessages.IDX10620")));
 
                 byte[] cipher = new byte[cipherSize];
                 byte[] nonce = new byte[AES_GCM_IV_SIZE];
@@ -156,4 +158,5 @@ public void Decrypt(byte[] nonce, byte[] ciphertext, byte[] tag, byte[] plaintex
             Array.Copy(ciphertext, plaintext, ciphertext.Length);
         }
     }
+#endif
 }