public static void ServerCertificateValidationUsingIdentity_Throws_EchoString() { EndpointAddress endpointAddress = null; string testString = "Hello"; ChannelFactory <IWcfService> factory = null; IWcfService serviceProxy = null; try { // *** SETUP *** \\ CustomBinding binding = new CustomBinding(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8), new HttpsTransportBindingElement()); // This is intentionally the wrong certificate var identity = new X509CertificateEndpointIdentity(ServiceUtilHelper.ClientCertificate); endpointAddress = new EndpointAddress(new Uri(Endpoints.Https_DefaultBinding_Address_Text), identity); factory = new ChannelFactory <IWcfService>(binding, endpointAddress); serviceProxy = factory.CreateChannel(); // *** EXECUTE *** \\ Assert.Throws <SecurityNegotiationException>(() => { _ = serviceProxy.Echo(testString); }); // *** CLEANUP *** \\ ((ICommunicationObject)serviceProxy).Close(); factory.Close(); } finally { // *** ENSURE CLEANUP *** \\ ScenarioTestHelpers.CloseCommunicationObjects((ICommunicationObject)serviceProxy, factory); } }
EndpointAddress CreateX509EndpointAddress(string uri) { EndpointIdentity identity = new X509CertificateEndpointIdentity(new X509Certificate2(TestResourceHelper.GetFullPathOfResource("Test/Resources/test.pfx"), "mono")); return(new EndpointAddress(new Uri(uri), identity)); }
public void FullRequest() { EndpointIdentity identity = new X509CertificateEndpointIdentity(new X509Certificate2("Test/Resources/test.pfx", "mono")); EndpointAddress address = new EndpointAddress(new Uri("stream:dummy"), identity); Message mreq = Message.CreateMessage(MessageVersion.Default, "myAction"); Message mreply = null; XmlWriterSettings settings = new XmlWriterSettings(); settings.Indent = true; // listener setup ReplyHandler replyHandler = delegate(Message rinput) { mreply = rinput; }; RequestReceiver receiver = delegate() { return(mreq); }; IChannelListener <IReplyChannel> listener = CreateListener(replyHandler, receiver); listener.Open(); IReplyChannel reply = listener.AcceptChannel(); reply.Open(); RequestSender reqHandler = delegate(Message input) { try { // sync version somehow causes an infinite loop (!?) RequestContext ctx = reply.EndReceiveRequest(reply.BeginReceiveRequest(TimeSpan.FromSeconds(5), null, null)); // RequestContext ctx = reply.ReceiveRequest (TimeSpan.FromSeconds (5)); Console.Error.WriteLine("Acquired RequestContext."); ctx.Reply(input); } catch (Exception ex) { Console.Error.WriteLine("ERROR during processing a request in FullRequest()"); Console.Error.WriteLine(ex); Console.Error.Flush(); throw; } return(mreply); }; CustomBinding b = CreateBinding(reqHandler); IRequestChannel ch = ChannelFactory <IRequestChannel> .CreateChannel(b, address); ch.Open(); Console.Error.WriteLine("**** starting a request ****"); IAsyncResult async = ch.BeginRequest(mreq, null, null); Console.Error.WriteLine("**** request started. ****"); Message res = ch.EndRequest(async); }
protected override void ValidateCreateChannelParameters(EndpointAddress remoteAddress, Uri via) { if (remoteAddress.Identity != null) { X509CertificateEndpointIdentity certificateIdentity = remoteAddress.Identity as X509CertificateEndpointIdentity; if (certificateIdentity != null) { if (certificateIdentity.Certificates.Count > 1) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("remoteAddress", SR.GetString( SR.HttpsIdentityMultipleCerts, remoteAddress.Uri)); } } EndpointIdentity identity = remoteAddress.Identity; bool validIdentity = (certificateIdentity != null) || ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType) || ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType) || ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType); if (!HttpChannelFactory <TChannel> .IsWindowsAuth(this.AuthenticationScheme) && !validIdentity) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("remoteAddress", SR.GetString( SR.HttpsExplicitIdentity)); } } base.ValidateCreateChannelParameters(remoteAddress, via); }
public void ClientAcceptUpgrade() { ServiceCredentials cred = new ServiceCredentials(); X509Certificate2 cert = new X509Certificate2("Test/Resources/test.cer"); cred.ServiceCertificate.Certificate = cert; X509CertificateEndpointIdentity ident = new X509CertificateEndpointIdentity(cert); StreamSecurityUpgradeProvider p = CreateClientProvider(cred, ident); p.Open(); try { StreamSecurityUpgradeAcceptor a = p.CreateUpgradeAcceptor() as StreamSecurityUpgradeAcceptor; Assert.IsNotNull(a, "#1"); SecurityMessageProperty prop = a.GetRemoteSecurity(); Assert.IsNull(prop, "#2"); // hmm Stream s = a.AcceptUpgrade(new MemoryStream(new byte [] { 1, 2, 3, 4, 5 })); } finally { p.Close(); } }
public static void AddServerCertIdentityValidation(HttpClientHandler httpClientHandler, EndpointAddress to) { X509CertificateEndpointIdentity remoteCertificateIdentity = to.Identity as X509CertificateEndpointIdentity; if (remoteCertificateIdentity != null) { // The following condition should have been validated when the channel was created. Fx.Assert(remoteCertificateIdentity.Certificates.Count <= 1, "HTTPS server certificate identity contains multiple certificates"); var rawData = remoteCertificateIdentity.Certificates[0].GetRawCertData(); var thumbprint = remoteCertificateIdentity.Certificates[0].Thumbprint; bool identityValidator(HttpRequestMessage requestMessage, X509Certificate2 cert, X509Chain chain, SslPolicyErrors policyErrors) { try { ValidateServerCertificate(cert, rawData, thumbprint); } catch (SecurityNegotiationException e) { DiagnosticUtility.TraceHandledException(e, TraceEventType.Information); return(false); } return(policyErrors == SslPolicyErrors.None); } SetServerCertificateValidationCallback(httpClientHandler, identityValidator); } }
EndpointAddress CreateX509EndpointAddress(string uri) { EndpointIdentity identity = new X509CertificateEndpointIdentity(new X509Certificate2("Test/Resources/test.pfx", "mono")); return(new EndpointAddress(new Uri(uri), identity)); }
public static void AddServerCertMapping(HttpWebRequest request, EndpointAddress to) { X509CertificateEndpointIdentity identity = to.Identity as X509CertificateEndpointIdentity; if (identity != null) { AddServerCertMapping(request, identity.Certificates[0].Thumbprint); } }
public static void AddServerCertMapping(HttpRequestMessage request, EndpointAddress to) { Fx.Assert(request.RequestUri.Scheme == UriEx.UriSchemeHttps, "Wrong URI scheme for AddServerCertMapping()."); X509CertificateEndpointIdentity remoteCertificateIdentity = to.Identity as X509CertificateEndpointIdentity; if (remoteCertificateIdentity != null) { // The following condition should have been validated when the channel was created. Fx.Assert(remoteCertificateIdentity.Certificates.Count <= 1, "HTTPS server certificate identity contains multiple certificates"); AddServerCertMapping(request, remoteCertificateIdentity.Certificates[0].Thumbprint); } }
public static NCIServiceWCFClient CreateNCIServiceClient(Uri uri) { UCCProxyFactory.ClientCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/isbank_test_private.pfx"); UCCProxyFactory.ServiceCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/ucc_test_public.cer"); UCCProxyFactory.ClientCertificatePassword = "******"; System.Net.ServicePointManager.Expect100Continue = false; if (string.IsNullOrEmpty(ClientCertificatePath) || string.IsNullOrEmpty(ServiceCertificatePath)) { throw new InvalidOperationException("You should specify certificates path first"); } if (string.IsNullOrEmpty(ClientCertificatePassword)) { throw new InvalidOperationException("You should specify ClientCertificatePassword"); } clientCertificate = new X509Certificate2(ClientCertificatePath, ClientCertificatePassword); serviceCertificate = new X509Certificate2(ServiceCertificatePath); endpointIdentity = new X509CertificateEndpointIdentity(serviceCertificate, new X509Certificate2Collection(clientCertificate)); EndpointAddress ea = new EndpointAddress(uri, endpointIdentity); CustomBinding cb = new CustomBinding(); cb.CloseTimeout = new TimeSpan(50000000); TextMessageEncodingBindingElement messageBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8); HttpTransportBindingElement nciTransport = new HttpTransportBindingElement(); nciTransport.MaxReceivedMessageSize = 5000000; //115000000; messageBindingElement.ReaderQuotas.MaxStringContentLength = 1200000; //11200000; AsymmetricSecurityBindingElement abe = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);; abe.AllowSerializedSigningTokenOnReply = true; abe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt; abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15; abe.SetKeyDerivation(false); cb.Elements.Add(abe); cb.Elements.Add(messageBindingElement); cb.Elements.Add(nciTransport); NCIServiceWCFClient nciClient = new NCIServiceWCFClient(cb, ea); nciClient.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate; nciClient.ClientCredentials.ClientCertificate.Certificate = clientCertificate; nciClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; return(nciClient); }
private static EndpointAddress ReadFrom(System.ServiceModel.Channels.AddressingVersion addressingVersion, XmlReader xreader) { string xml = xreader.ReadOuterXml(); StringReader sreader = new StringReader(xml); XmlReader reader = XmlReader.Create(sreader); Uri uri = null; EndpointIdentity identity = null; reader.MoveToContent(); List <AddressHeader> header = new List <AddressHeader> (); while (reader.NodeType == XmlNodeType.Element && !reader.IsEmptyElement) { if (reader.LocalName == "EndpointReference") { reader.Read(); } else if (reader.LocalName == "Address" && reader.NodeType == XmlNodeType.Element && !reader.IsEmptyElement) { uri = new Uri(reader.ReadElementContentAsString()); } else if (reader.LocalName == "Identity" && reader.NodeType == XmlNodeType.Element && !reader.IsEmptyElement) { //How can key re-empact Identity identity = new X509CertificateEndpointIdentity(new System.Security.Cryptography.X509Certificates.X509Certificate2("powershell.pfx", "mono")); break; } else { var headerName = reader.LocalName; var headerNamespace = reader.NamespaceURI; reader.MoveToContent(); reader.ReadStartElement(); var obj = reader.ReadElementContentAs(GetTypeFromLocalName(reader.LocalName), new XmlNamespaceManager(reader.NameTable)); header.Add(AddressHeader.CreateAddressHeader(headerName, headerNamespace, obj)); reader.MoveToContent(); reader.ReadEndElement(); } } return(identity == null ? new EndpointAddress(uri, header.ToArray()) : new EndpointAddress(uri, identity, header.ToArray())); }
protected override void ValidateCreateChannelParameters(EndpointAddress remoteAddress, Uri via) { if (remoteAddress.Identity != null) { X509CertificateEndpointIdentity identity = remoteAddress.Identity as X509CertificateEndpointIdentity; if ((identity != null) && (identity.Certificates.Count > 1)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("remoteAddress", System.ServiceModel.SR.GetString("HttpsIdentityMultipleCerts", new object[] { remoteAddress.Uri })); } EndpointIdentity identity2 = remoteAddress.Identity; bool flag = (((identity != null) || ClaimTypes.Spn.Equals(identity2.IdentityClaim.ClaimType)) || ClaimTypes.Upn.Equals(identity2.IdentityClaim.ClaimType)) || ClaimTypes.Dns.Equals(identity2.IdentityClaim.ClaimType); if (!AuthenticationSchemesHelper.IsWindowsAuth(base.AuthenticationScheme) && !flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("remoteAddress", System.ServiceModel.SR.GetString("HttpsExplicitIdentity")); } } base.ValidateCreateChannelParameters(remoteAddress, via); }
public void CreateX509CertificateIdentity() { X509CertificateEndpointIdentity identity = EndpointIdentity.CreateX509CertificateIdentity(cert) as X509CertificateEndpointIdentity; Claim c = identity.IdentityClaim; Assert.IsNotNull(c, "#1"); Assert.AreEqual(ClaimTypes.Thumbprint, c.ClaimType, "#2"); DataContractSerializer ser = new DataContractSerializer(c.GetType()); StringWriter sw = new StringWriter(); XmlWriter xw = XmlWriter.Create(sw); ser.WriteObject(xw, c); xw.Close(); string xml = @"<?xml version=""1.0"" encoding=""utf-16""?><Claim xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns=""http://schemas.xmlsoap.org/ws/2005/05/identity""><ClaimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint</ClaimType><Resource xmlns:d2p1=""http://www.w3.org/2001/XMLSchema"" i:type=""d2p1:base64Binary"">GQ3YHlGQhDF1bvMixHliX4uLjlY=</Resource><Right>http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty</Right></Claim>"; Assert.AreEqual(C14N(xml), C14N(sw.ToString()), "#3"); Assert.AreEqual("identity(" + c + ")", identity.ToString(), "#4"); }
/// <summary> /// Finds the leaf certificate on an X509EndpointIdentity /// </summary> /// <param name="epi">The epi.</param> /// <returns>The target site X509 certificate</returns> public static X509Certificate2 GetEndCertificate(this X509CertificateEndpointIdentity epi) { Contract.Requires(epi != null); Contract.Requires(epi.IdentityClaim != null); Contract.Requires(epi.IdentityClaim.Resource != null); Contract.Ensures(Contract.Result <X509Certificate2>() != null); string primaryHash64 = Convert.ToBase64String((byte[])epi.IdentityClaim.Resource); foreach (var certificate in epi.Certificates) { string certHash64 = Convert.ToBase64String(certificate.GetCertHash()); if (string.Equals(primaryHash64, certHash64, StringComparison.OrdinalIgnoreCase)) { return(certificate); } } throw new InvalidOperationException("No leaf certificate found"); }
protected override void ValidateCreateChannelParameters(EndpointAddress remoteAddress, Uri via) { if (remoteAddress.Identity != null) { X509CertificateEndpointIdentity certificateIdentity = remoteAddress.Identity as X509CertificateEndpointIdentity; if (certificateIdentity != null) { if (certificateIdentity.Certificates.Count > 1) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(nameof(remoteAddress), SR.Format( SR.HttpsIdentityMultipleCerts, remoteAddress.Uri)); } } EndpointIdentity identity = remoteAddress.Identity; bool validIdentity = (certificateIdentity != null) || ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType) || ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType) || ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType); if (!IsWindowsAuth(AuthenticationScheme) && !validIdentity) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(nameof(remoteAddress), SR.HttpsExplicitIdentity); } } if (string.Compare(via.Scheme, "wss", StringComparison.OrdinalIgnoreCase) != 0) { ValidateScheme(via); } if (MessageVersion.Addressing == AddressingVersion.None && remoteAddress.Uri != via) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateToMustEqualViaException(remoteAddress.Uri, via)); } }
/// <summary> /// This method returns the configuration for the token issuance request. The configuration /// is represented by the Scope class. In our case, we are only capable of issuing a token to a /// single RP identity represented by CN=localhost. /// </summary> /// <param name="principal">The caller's principal</param> /// <param name="request">The incoming RST</param> /// <returns>The configuration for the token issuance request.</returns> protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request) { // Validate the AppliesTo on the incoming request ValidateAppliesTo(request.AppliesTo); // Normally the STS will have a trust relationship with the RP and can look up a trusted encrypting certficate // using the AppliesTo endpoint. This is necessary to ensure that only the RP will be able to read the claims. // // In this sample the certificate of the AppliesTo Identity is used to encrypt the contents, so there is no // validation of any trust relationship with the RP. Since the certificate is not validated, // a malicious client can provide a known certificate allowing it to read the returned claims. // For this reason, THIS APPROACH SHOULD NOT BE USED if the claims should be kept private. It may be reasonable, // though, if the STS is simply verifying public information such as the client's email address. // Get RP certificate X509CertificateEndpointIdentity appliesToIdentity = (X509CertificateEndpointIdentity)request.AppliesTo.Identity; X509EncryptingCredentials encryptingCredentials = new X509EncryptingCredentials(appliesToIdentity.Certificates[0]); // Create the scope using the request AppliesTo address and the STS signing certificate Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials, encryptingCredentials); return(scope); }
public static async Task ServerCertificateValidationUsingIdentity_EchoString() { EndpointAddress endpointAddress = null; X509Certificate2 serviceCertificate = null; string testString = "Hello"; ChannelFactory <IWcfService> factory = null; IWcfService serviceProxy = null; try { // *** SETUP *** \\ CustomBinding binding = new CustomBinding(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8), new HttpsTransportBindingElement()); serviceCertificate = await ServiceUtilHelper.GetServiceMacineCertFromServerAsync(); var identity = new X509CertificateEndpointIdentity(serviceCertificate); endpointAddress = new EndpointAddress(new Uri(Endpoints.Https_DefaultBinding_Address_Text), identity); factory = new ChannelFactory <IWcfService>(binding, endpointAddress); serviceProxy = factory.CreateChannel(); // *** EXECUTE *** \\ string result = serviceProxy.Echo(testString); // *** VALIDATE *** \\ Assert.Equal(testString, result); // *** CLEANUP *** \\ ((ICommunicationObject)serviceProxy).Close(); factory.Close(); } finally { // *** ENSURE CLEANUP *** \\ ScenarioTestHelpers.CloseCommunicationObjects((ICommunicationObject)serviceProxy, factory); } }
public CardspacePolicyInfo(CardSpacePolicyElement[] policyElements) { if (policyElements.Length > 0) { System.IO.TextReader tr = new System.IO.StringReader(policyElements[0].Target.OuterXml.ToString()); XmlTextReader xmltr = new XmlTextReader(tr); XmlDictionaryReader xmldr = XmlDictionaryReader.CreateDictionaryReader(xmltr); EndpointAddress endpointAddress = EndpointAddress.ReadFrom(xmldr); _relyingParty = endpointAddress.Uri.Host; X509CertificateEndpointIdentity endpointIdentity = (X509CertificateEndpointIdentity)endpointAddress.Identity; _certificate = endpointIdentity.Certificates[0].GetCertHashString(); if (policyElements[0].Issuer != null) { tr = new System.IO.StringReader(policyElements[0].Issuer.OuterXml.ToString()); xmltr = new XmlTextReader(tr); xmldr = XmlDictionaryReader.CreateDictionaryReader(xmltr); endpointAddress = EndpointAddress.ReadFrom(xmldr); _identityProvider = endpointAddress.Uri.ToString(); } } }
public CardspacePolicyInfo(CardSpacePolicyElement[] policyElements) { _requiredClaims = new List <string>(); if (policyElements.Length > 0) { System.IO.TextReader tr = new System.IO.StringReader(policyElements[0].Target.OuterXml.ToString()); XmlTextReader xmltr = new XmlTextReader(tr); XmlDictionaryReader xmldr = XmlDictionaryReader.CreateDictionaryReader(xmltr); EndpointAddress endpointAddress = EndpointAddress.ReadFrom(xmldr); _relyingParty = endpointAddress.Uri.Host; foreach (XmlElement xmlPolicyElement in policyElements[0].Parameters) { if (xmlPolicyElement.Name == "t:Claims") { XmlNode claimsNode = xmlPolicyElement; foreach (XmlNode claimNode in claimsNode.ChildNodes) { _requiredClaims.Add(claimNode.Attributes["Uri"].Value); } } } X509CertificateEndpointIdentity endpointIdentity = (X509CertificateEndpointIdentity)endpointAddress.Identity; _certificate = endpointIdentity.Certificates[0].GetCertHashString(); if (policyElements[0].Issuer != null) { tr = new System.IO.StringReader(policyElements[0].Issuer.OuterXml.ToString()); xmltr = new XmlTextReader(tr); xmldr = XmlDictionaryReader.CreateDictionaryReader(xmltr); endpointAddress = EndpointAddress.ReadFrom(xmldr); _identityProvider = endpointAddress.Uri.ToString(); } } }