public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
SamlAssertion samlAssertion = this.samlClientCredentials.Assertion;
SecurityToken securityToken = this.samlClientCredentials.ProofToken;
if (samlAssertion == null || securityToken == null)
{
SecurityBindingElement securityBindingElement = null;
SecurityAlgorithmSuite algoSuite = null;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
{
algoSuite = securityBindingElement.DefaultAlgorithmSuite;
}
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
securityToken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
samlAssertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, new X509SecurityToken(this.samlClientCredentials.ClientCertificate.Certificate), new X509SecurityToken(this.samlClientCredentials.ServiceCertificate.DefaultCertificate), (BinarySecretSecurityToken)securityToken, algoSuite);
}
else
{
securityToken = SamlUtilities.CreateAsymmetricProofToken();
samlAssertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, securityToken, algoSuite);
}
}
return(new SamlSecurityTokenProvider(samlAssertion, securityToken));
}
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityMode mode, TrustVersion version, SecurityKeyType keyType, SecurityAlgorithmSuite algorithmSuite, string tokenType, IEnumerable <ClaimTypeRequirement> claimTypeRequirements, EndpointAddress issuerMetadataAddress)
: base(mode, version)
{
this._claimTypeRequirements = new Collection <ClaimTypeRequirement>();
if ((SecurityMode.Message != mode) && (SecurityMode.TransportWithMessageCredential != mode))
{
throw new InvalidOperationException("ID3226");
}
if ((this._keyType == SecurityKeyType.BearerKey) && (version == TrustVersion.WSTrustFeb2005))
{
throw new InvalidOperationException("ID3267");
}
this._keyType = keyType;
this._algorithmSuite = algorithmSuite;
this._tokenType = tokenType;
this._issuerBinding = issuerBinding;
this._issuerAddress = issuerAddress;
this._issuerMetadataAddress = issuerMetadataAddress;
if (claimTypeRequirements != null)
{
foreach (ClaimTypeRequirement requirement in claimTypeRequirements)
{
this._claimTypeRequirements.Add(requirement);
}
}
}
public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityKeyType keyType,
SecurityAlgorithmSuite algorithmSuite, string tokenType,
IEnumerable <ClaimTypeRequirement> claimTypeRequirements)
: this(issuerBinding, issuerAddress, SecurityMode.Message, TrustVersion.WSTrust13, keyType, algorithmSuite,
tokenType, claimTypeRequirements, null)
{
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned));
}
_defaultAlgorithmSuite = elementToBeCloned._defaultAlgorithmSuite;
IncludeTimestamp = elementToBeCloned.IncludeTimestamp;
_keyEntropyMode = elementToBeCloned._keyEntropyMode;
_messageSecurityVersion = elementToBeCloned._messageSecurityVersion;
_securityHeaderLayout = elementToBeCloned._securityHeaderLayout;
EndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.EndpointSupportingTokenParameters.Clone();
OptionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys)
{
_operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._operationSupportingTokenParameters[key].Clone();
}
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys)
{
_optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone();
}
LocalServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.LocalServiceSettings.Clone();
// this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement;
MaxReceivedMessageSize = elementToBeCloned.MaxReceivedMessageSize;
ReaderQuotas = elementToBeCloned.ReaderQuotas;
DoNotEmitTrust = elementToBeCloned.DoNotEmitTrust;
AllowInsecureTransport = elementToBeCloned.AllowInsecureTransport;
EnableUnsecuredResponse = elementToBeCloned.EnableUnsecuredResponse;
SupportsExtendedProtectionPolicy = elementToBeCloned.SupportsExtendedProtectionPolicy;
ProtectTokens = elementToBeCloned.ProtectTokens;
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned));
}
_defaultAlgorithmSuite = elementToBeCloned._defaultAlgorithmSuite;
IncludeTimestamp = elementToBeCloned.IncludeTimestamp;
_keyEntropyMode = elementToBeCloned._keyEntropyMode;
_messageSecurityVersion = elementToBeCloned._messageSecurityVersion;
_securityHeaderLayout = elementToBeCloned._securityHeaderLayout;
EndpointSupportingTokenParameters = elementToBeCloned.EndpointSupportingTokenParameters.Clone();
OptionalEndpointSupportingTokenParameters = elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys)
{
_operationSupportingTokenParameters[key] = elementToBeCloned._operationSupportingTokenParameters[key].Clone();
}
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys)
{
_optionalOperationSupportingTokenParameters[key] = elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone();
}
LocalClientSettings = elementToBeCloned.LocalClientSettings.Clone();
MaxReceivedMessageSize = elementToBeCloned.MaxReceivedMessageSize;
ReaderQuotas = elementToBeCloned.ReaderQuotas;
EnableUnsecuredResponse = elementToBeCloned.EnableUnsecuredResponse;
}
EncryptedData Encrypt(XmlElement target, SymmetricAlgorithm actualKey, string ekeyId, ReferenceList refList, SecurityKeyIdentifierClause encClause, EncryptedXml exml, XmlDocument doc, string elementType)
{
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
SecurityTokenSerializer serializer = security.TokenSerializer;
byte [] encrypted = exml.EncryptData(target, actualKey, false);
EncryptedData edata = new EncryptedData();
edata.Id = GenerateId(doc);
edata.Type = elementType;
edata.EncryptionMethod = new EncryptionMethod(suite.DefaultEncryptionAlgorithm);
// FIXME: here wsse:DigestMethod should be embedded
// inside EncryptionMethod. Since it is not possible
// with S.S.C.Xml.EncryptionMethod, we will have to
// build our own XML encryption classes.
edata.CipherData.CipherValue = encrypted;
DataReference dr = new DataReference();
dr.Uri = "#" + edata.Id;
refList.Add(dr);
if (ShouldOutputEncryptedKey && !CounterParameters.RequireDerivedKeys)
{
edata.KeyInfo = null;
}
else
{
edata.KeyInfo = new KeyInfo();
edata.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(encClause, serializer, doc));
}
return(edata);
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
}
this.defaultAlgorithmSuite = elementToBeCloned.defaultAlgorithmSuite;
this.includeTimestamp = elementToBeCloned.includeTimestamp;
this.keyEntropyMode = elementToBeCloned.keyEntropyMode;
this.messageSecurityVersion = elementToBeCloned.messageSecurityVersion;
this.securityHeaderLayout = elementToBeCloned.securityHeaderLayout;
this.endpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.endpointSupportingTokenParameters.Clone();
this.optionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.optionalEndpointSupportingTokenParameters.Clone();
this.operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned.operationSupportingTokenParameters.Keys)
{
this.operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.operationSupportingTokenParameters[key].Clone();
}
this.optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned.optionalOperationSupportingTokenParameters.Keys)
{
this.optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.optionalOperationSupportingTokenParameters[key].Clone();
}
this.localServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.localServiceSettings.Clone();
// this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement;
this.maxReceivedMessageSize = elementToBeCloned.maxReceivedMessageSize;
this.readerQuotas = elementToBeCloned.readerQuotas;
this.doNotEmitTrust = elementToBeCloned.doNotEmitTrust;
this.allowInsecureTransport = elementToBeCloned.allowInsecureTransport;
this.enableUnsecuredResponse = elementToBeCloned.enableUnsecuredResponse;
this.supportsExtendedProtectionPolicy = elementToBeCloned.supportsExtendedProtectionPolicy;
this.protectTokens = elementToBeCloned.protectTokens;
}
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
if (this._keyType == SecurityKeyType.BearerKey)
{
// As the client does not have a proof token in the Bearer case
// we don't have any specific algorithms to request for.
return;
}
string signWithAlgorithm = (this._keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signWithAlgorithm));
string encryptWithAlgorithm;
if (issuedKeyType == SecurityKeyType.SymmetricKey)
{
encryptWithAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
}
else
{
encryptWithAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
}
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptWithAlgorithm));
if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005)
{
this._additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
return;
}
private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
{
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
string signatureAlgorithm = null;
string encryptionAlgorithm = null;
switch (keyType)
{
case SecurityKeyType.SymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
break;
case SecurityKeyType.AsymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
break;
case SecurityKeyType.BearerKey:
return;
default:
throw new ArgumentOutOfRangeException("keyType");
}
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));
if (trustVersion != TrustVersion.WSTrustFeb2005)
{
issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
}
internal MessageSecurityOverTcp()
{
alg_suite = SecurityAlgorithmSuite.Default;
// This default value is *silly* but anyways
// such code that does not change this ClientCredentialType
// won't work on Mono.
client_credential_type = MessageCredentialType.Windows;
}
public static void Property_SecurityAlgorithmSuite_TripleDes(string propertyName, string expectedValue)
{
// Use reflection to get the default value of the properties provided in the inline data.
// Verify the default values are the same as on the full framework.
SecurityAlgorithmSuite suite = SecurityAlgorithmSuite.TripleDes;
PropertyInfo info = suite.GetType().GetProperty(propertyName);
Assert.Equal(info.GetValue(suite).ToString(), expectedValue);
}
internal MessageSecurityOverHttp()
{
alg_suite = SecurityAlgorithmSuite.Default;
// This default value is *silly* but anyways such
// it is silly to expect that such code that does not
// change ClientCredentialType works on Mono.
client_credential_type = MessageCredentialType.Windows;
negotiate_service_credential = true;
}
public FederatedMessageSecurityOverHttp()
{
_negotiateServiceCredential = DefaultNegotiateServiceCredential;
_algorithmSuite = SecurityAlgorithmSuite.Default;
_issuedKeyType = DefaultIssuedKeyType;
_claimTypeRequirements = new Collection <ClaimTypeRequirement>();
_tokenRequestParameters = new Collection <XmlElement>();
_establishSecurityContext = DefaultEstablishSecurityContext;
}
public MessageSecurityOverTcp()
{
#if !MOBILE && !XAMMAC_4_5
alg_suite = SecurityAlgorithmSuite.Default;
#endif
// This default value is *silly* but anyways
// such code that does not change this ClientCredentialType
// won't work on Mono.
client_credential_type = MessageCredentialType.Windows;
}
private static SecurityAlgorithmSuite GetSecurityAlgorithmSuite(SecurityTokenRequirement tokenRequirement)
{
SecurityAlgorithmSuite result = null;
SecurityBindingElement securityBindingElement;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
{
result = securityBindingElement.DefaultAlgorithmSuite;
}
return(result);
}
/// <summary>
/// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// If token requirement matches SAML token return the custom SAML token provider
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
// Retrieve the SAML assertion and proof token from the client credentials
SamlAssertion assertion = this.samlClientCredentials.Assertion;
SecurityToken prooftoken = this.samlClientCredentials.ProofToken;
// If either the assertion of proof token is null...
if (assertion == null || prooftoken == null)
{
// ...get the SecurityBindingElement and then the specified algorithm suite
SecurityBindingElement sbe = null;
SecurityAlgorithmSuite sas = null;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
sas = sbe.DefaultAlgorithmSuite;
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
// Create a symmetric proof token
prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
(BinarySecretSecurityToken)prooftoken,
sas);
}
// otherwise...
else
{
// Create an asymmetric proof token
prooftoken = SamlUtilities.CreateAsymmetricProofToken();
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
}
}
// Create a SamlSecurityTokenProvider based on the assertion and proof token
return(new SamlSecurityTokenProvider(assertion, prooftoken));
}
// otherwise use base implementation
else
{
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
internal void InitializeFrom(MessageSecurityOverMsmq security)
{
if (security == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("security");
}
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.ClientCredentialType, security.ClientCredentialType);
if (security.WasAlgorithmSuiteSet)
{
this.AlgorithmSuite = security.AlgorithmSuite;
}
}
void InitializeProviderCommunicationObject(ProviderCommunicationObject p, SecurityTokenRequirement r)
{
p.TargetAddress = r.GetProperty <EndpointAddress> (ReqType.TargetAddressProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
// I doubt the binding is acquired this way ...
Binding binding;
if (!r.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding))
{
binding = new CustomBinding(
new TextMessageEncodingBindingElement(),
new HttpTransportBindingElement());
}
p.IssuerBinding = binding;
// not sure if it is used only for this purpose though ...
BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);
foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll <IEndpointBehavior> ())
{
p.IssuerChannelBehaviors.Add(b);
}
SecurityTokenVersion ver =
r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer(ver);
// seems like they are optional here ... (but possibly
// used later)
EndpointAddress address;
if (!r.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address))
{
address = p.TargetAddress;
}
p.IssuerAddress = address;
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
}
public static void AssertSymmetricSecurityBindingElement(
SecurityAlgorithmSuite algorithm,
bool includeTimestamp,
SecurityKeyEntropyMode keyEntropyMode,
MessageProtectionOrder messageProtectionOrder,
MessageSecurityVersion messageSecurityVersion,
bool requireSignatureConfirmation,
SecurityHeaderLayout securityHeaderLayout,
// EndpointSupportingTokenParameters
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
// ProtectionTokenParameters
bool hasProtectionTokenParameters,
SecurityTokenInclusionMode protectionTokenInclusionMode,
SecurityTokenReferenceStyle protectionTokenReferenceStyle,
bool protectionTokenRequireDerivedKeys,
// LocalClientSettings
bool cacheCookies,
int renewalThresholdPercentage,
bool detectReplays,
SymmetricSecurityBindingElement be, string label)
{
AssertSecurityBindingElement(
algorithm,
includeTimestamp,
keyEntropyMode,
messageSecurityVersion,
securityHeaderLayout,
// EndpointSupportingTokenParameters
endorsing, signed, signedEncrypted, signedEndorsing,
// LocalClientSettings
cacheCookies,
renewalThresholdPercentage,
detectReplays,
be, label);
Assert.AreEqual(messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder");
Assert.AreEqual(requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation");
if (!hasProtectionTokenParameters)
{
Assert.IsNull(be.ProtectionTokenParameters, label + ".ProtectionTokenParameters (null)");
}
else
{
AssertSecurityTokenParameters(
protectionTokenInclusionMode,
protectionTokenReferenceStyle,
protectionTokenRequireDerivedKeys,
be.ProtectionTokenParameters, label + ".ProtectionTokenParameters");
}
}
void CreateReference(Signature sig, XmlDocument doc, string id)
{
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
if (id == String.Empty)
{
id = GenerateId(doc);
}
Reference r = new Reference("#" + id);
r.AddTransform(CreateTransform(suite.DefaultCanonicalizationAlgorithm));
r.DigestMethod = suite.DefaultDigestAlgorithm;
sig.SignedInfo.AddReference(r);
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_keyEntropyMode = AcceleratedTokenProvider.defaultKeyEntropyMode;
IncludeTimestamp = defaultIncludeTimestamp;
_defaultAlgorithmSuite = defaultDefaultAlgorithmSuite;
LocalClientSettings = new LocalClientSecuritySettings();
EndpointSupportingTokenParameters = new SupportingTokenParameters();
OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_securityHeaderLayout = SecurityProtocolFactory.defaultSecurityHeaderLayout;
}
internal SecurityBindingElement CreateMessageSecurity(bool isSecureTransportMode)
{
SecurityBindingElement algorithmSuite;
if (!isSecureTransportMode)
{
if (this.clientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.BasicHttpMessageSecurityRequiresCertificate, new object[0])));
}
algorithmSuite = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);
}
else
{
MessageSecurityVersion wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
switch (this.clientCredentialType)
{
case BasicHttpMessageCredentialType.UserName:
{
algorithmSuite = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
algorithmSuite.MessageSecurityVersion = wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite;
algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
algorithmSuite.SetKeyDerivation(false);
InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
return(algorithmSuite);
}
case BasicHttpMessageCredentialType.Certificate:
{
algorithmSuite = SecurityBindingElement.CreateCertificateOverTransportBindingElement(wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite;
algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
algorithmSuite.SetKeyDerivation(false);
InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
return(algorithmSuite);
}
}
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("Unsupported basic http message credential type");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite;
algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
algorithmSuite.SetKeyDerivation(false);
InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
return(algorithmSuite);
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_keyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; // AcceleratedTokenProvider.defaultKeyEntropyMode;
IncludeTimestamp = DefaultIncludeTimestamp;
_defaultAlgorithmSuite = s_defaultDefaultAlgorithmSuite;
LocalServiceSettings = new LocalServiceSecuritySettings();
EndpointSupportingTokenParameters = new SupportingTokenParameters();
OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_securityHeaderLayout = SecurityHeaderLayout.Strict; // SecurityProtocolFactory.defaultSecurityHeaderLayout;
AllowInsecureTransport = DefaultAllowInsecureTransport;
EnableUnsecuredResponse = DefaultEnableUnsecuredResponse;
ProtectTokens = DefaultProtectTokens;
}
private SecurityAlgorithmSuite Parse(string value, SecurityAlgorithmSuite def)
{
if (value == null)
{
return(def);
}
switch (value.ToLowerInvariant())
{
case "basic128": return(SecurityAlgorithmSuite.Basic128);
case "basic128rsa15": return(SecurityAlgorithmSuite.Basic128Rsa15);
case "basic128sha256": return(SecurityAlgorithmSuite.Basic128Sha256);
case "basic128sha256Rsa15": return(SecurityAlgorithmSuite.Basic128Sha256Rsa15);
case "basic192": return(SecurityAlgorithmSuite.Basic192);
case "basic192rsa15": return(SecurityAlgorithmSuite.Basic192Rsa15);
case "basic192sha256": return(SecurityAlgorithmSuite.Basic192Sha256);
case "basic192sha256rsa15": return(SecurityAlgorithmSuite.Basic192Sha256Rsa15);
case "basic256": return(SecurityAlgorithmSuite.Basic256);
case "basic256rsa15": return(SecurityAlgorithmSuite.Basic256Rsa15);
case "basic256sha256": return(SecurityAlgorithmSuite.Basic256Sha256);
case "basic256sha256rsa15": return(SecurityAlgorithmSuite.Basic256Sha256Rsa15);
case "default": return(SecurityAlgorithmSuite.Default);
case "tripledes": return(SecurityAlgorithmSuite.TripleDes);
case "tripledesrsa15": return(SecurityAlgorithmSuite.TripleDesRsa15);
case "tripledessha256": return(SecurityAlgorithmSuite.TripleDesSha256);
case "tripledessha256rsa15": return(SecurityAlgorithmSuite.TripleDesSha256Rsa15);
default: throw new ArgumentException(string.Format("Unknown WCF [AlgorithmSuite]: {0}", value));
}
}
static void AssertSecurityAlgorithmSuite(
string defaultAsymmetricKeyWrapAlgorithm,
string defaultAsymmetricSignatureAlgorithm,
string defaultCanonicalizationAlgorithm,
string defaultDigestAlgorithm,
string defaultEncryptionAlgorithm,
int defaultEncryptionKeyDerivationLength,
int defaultSignatureKeyDerivationLength,
int defaultSymmetricKeyLength,
string defaultSymmetricKeyWrapAlgorithm,
string defaultSymmetricSignatureAlgorithm,
SecurityAlgorithmSuite target,
string label)
{
Assert.AreEqual(defaultAsymmetricKeyWrapAlgorithm,
target.DefaultAsymmetricKeyWrapAlgorithm,
label + ".DefaultAsymmetricKeyWrapAlgorithm");
Assert.AreEqual(defaultAsymmetricSignatureAlgorithm,
target.DefaultAsymmetricSignatureAlgorithm,
label + ".DefaultAsymmetricSignatureAlgorithm");
Assert.AreEqual(defaultCanonicalizationAlgorithm,
target.DefaultCanonicalizationAlgorithm,
label + ".DefaultCanonicalizationAlgorithm");
Assert.AreEqual(defaultDigestAlgorithm,
target.DefaultDigestAlgorithm,
label + ".DefaultDigestAlgorithm");
Assert.AreEqual(defaultEncryptionAlgorithm,
target.DefaultEncryptionAlgorithm,
label + ".DefaultEncryptionAlgorithm");
Assert.AreEqual(defaultEncryptionKeyDerivationLength,
target.DefaultEncryptionKeyDerivationLength,
label + ".DefaultEncryptionKeyDerivationLength");
Assert.AreEqual(defaultSignatureKeyDerivationLength,
target.DefaultSignatureKeyDerivationLength,
label + ".DefaultSignatureKeyDerivationLength");
Assert.AreEqual(defaultSymmetricKeyLength,
target.DefaultSymmetricKeyLength,
label + ".DefaultSymmetricKeyLength");
Assert.AreEqual(defaultSymmetricKeyWrapAlgorithm,
target.DefaultSymmetricKeyWrapAlgorithm,
label + ".DefaultSymmetricKeyWrapAlgorithm");
Assert.AreEqual(defaultSymmetricSignatureAlgorithm,
target.DefaultSymmetricSignatureAlgorithm,
label + ".DefaultSymmetricSignatureAlgorithm");
}
public void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
if (this.keyType == SecurityKeyType.BearerKey)
{
return;
}
string signatureAlgorithm = this.keyType == SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm));
string encryptionAlgorithm = issuedKeyType != SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm : algorithmSuite.DefaultEncryptionAlgorithm;
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptionAlgorithm));
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
return;
}
this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
public static void Snippet5()
{
// <Snippet5>
BasicHttpBinding binding = new BasicHttpBinding("myBinding");
binding.Name = "binding1";
binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
binding.Security.Mode = BasicHttpSecurityMode.Message;
// <Snippet6>
BasicHttpSecurity security = binding.Security;
BasicHttpMessageSecurity msgSecurity = security.Message;
// </Snippet6>
// <Snippet7>
SecurityAlgorithmSuite sas = msgSecurity.AlgorithmSuite;
BasicHttpMessageCredentialType credType = msgSecurity.ClientCredentialType;
// </Snippet7>
Console.WriteLine("The algorithm suite used is {0}", sas.ToString());
Console.WriteLine("The client credential type used is {0}", credType.ToString());
// </Snippet5>
}
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode)
{
foreach (SecurityTokenParameters p in plist)
{
SecurityTokenResolver r;
SecurityTokenAuthenticator a =
security.CreateTokenAuthenticator(p, out r);
SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens);
if (spec == null)
{
if (optional)
{
continue;
}
else
{
throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode));
}
}
else
{
// For endorsing tokens, verify corresponding signatures.
switch (attachMode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken);
if (esxml == null)
{
throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode));
}
bool confirmed;
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo)
{
SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause);
SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;
if (symkey != null)
{
confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
}
else
{
AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false);
confirmed = esxml.CheckSignature(alg);
}
if (!confirmed)
{
throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode));
}
break;
}
sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue));
break;
}
}
sec_prop.IncomingSupportingTokens.Add(spec);
}
}
internal static bool TryCreate <TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity)
where TSecurity : MessageSecurityOverHttp
{
Fx.Assert(null != sbe, string.Empty);
messageSecurity = null;
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
// Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()
if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
{
return(false);
}
bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
MessageCredentialType clientCredentialType;
SecurityAlgorithmSuite algorithmSuite = SecurityAlgorithmSuite.Default;
bool isSecureConversation;
SecurityBindingElement bootstrapSecurity;
if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity))
{
isSecureConversation = false;
bootstrapSecurity = sbe;
}
else
{
isSecureConversation = true;
}
if (!isSecureConversation && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp)))
{
return(false);
}
if (!isSecureConversation && isReliableSession)
{
return(false);
}
if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
{
return(false);
}
IssuedSecurityTokenParameters infocardParameters;
if (isSecureTransportMode)
{
if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
{
clientCredentialType = MessageCredentialType.UserName;
}
else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
{
clientCredentialType = MessageCredentialType.Certificate;
}
else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
{
clientCredentialType = MessageCredentialType.Windows;
}
else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
{
if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
infocardParameters,
new SecurityStandardsManager(
sbe.MessageSecurityVersion,
new WSSecurityTokenSerializer(
sbe.MessageSecurityVersion.SecurityVersion,
sbe.MessageSecurityVersion.TrustVersion,
sbe.MessageSecurityVersion.SecureConversationVersion,
true,
null, null, null))))
{
return(false);
}
clientCredentialType = MessageCredentialType.IssuedToken;
}
else
{
// the standard binding does not support None client credential type in mixed mode
return(false);
}
}
else
{
if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
{
negotiateServiceCredential = true;
clientCredentialType = MessageCredentialType.None;
}
else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
{
negotiateServiceCredential = true;
clientCredentialType = MessageCredentialType.UserName;
}
else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
{
negotiateServiceCredential = true;
clientCredentialType = MessageCredentialType.Certificate;
}
else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
{
negotiateServiceCredential = true;
clientCredentialType = MessageCredentialType.Windows;
}
else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
{
if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
infocardParameters,
new SecurityStandardsManager(
sbe.MessageSecurityVersion,
new WSSecurityTokenSerializer(
sbe.MessageSecurityVersion.SecurityVersion,
sbe.MessageSecurityVersion.TrustVersion,
sbe.MessageSecurityVersion.SecureConversationVersion,
true,
null, null, null))))
{
return(false);
}
negotiateServiceCredential = true;
clientCredentialType = MessageCredentialType.IssuedToken;
}
else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrapSecurity))
{
negotiateServiceCredential = false;
clientCredentialType = MessageCredentialType.UserName;
}
else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrapSecurity))
{
negotiateServiceCredential = false;
clientCredentialType = MessageCredentialType.Certificate;
}
else if (SecurityBindingElement.IsKerberosBinding(bootstrapSecurity))
{
negotiateServiceCredential = false;
clientCredentialType = MessageCredentialType.Windows;
}
else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out infocardParameters))
{
if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
infocardParameters,
new SecurityStandardsManager(
sbe.MessageSecurityVersion,
new WSSecurityTokenSerializer(
sbe.MessageSecurityVersion.SecurityVersion,
sbe.MessageSecurityVersion.TrustVersion,
sbe.MessageSecurityVersion.SecureConversationVersion,
true,
null, null, null))))
{
return(false);
}
negotiateServiceCredential = false;
clientCredentialType = MessageCredentialType.IssuedToken;
}
else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrapSecurity))
{
negotiateServiceCredential = false;
clientCredentialType = MessageCredentialType.None;
}
else
{
return(false);
}
}
// Do not check any Local* settings
// Do not check DefaultAlgorithmSuite: is it often changed after the Security element is created, it will verified by SecuritySectionBase.AreBindingsMatching().
if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity)))
{
messageSecurity = (TSecurity)(object)new NonDualMessageSecurityOverHttp();
((NonDualMessageSecurityOverHttp)(object)messageSecurity).EstablishSecurityContext = isSecureConversation;
}
else
{
messageSecurity = (TSecurity)(object)new MessageSecurityOverHttp();
}
messageSecurity.ClientCredentialType = clientCredentialType;
messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
return(true);
}
public MessageSecurityOverHttp()
{
clientCredentialType = DefaultClientCredentialType;
negotiateServiceCredential = DefaultNegotiateServiceCredential;
algorithmSuite = SecurityAlgorithmSuite.Default;
}
