SecurityBindingElement CreateSecurityBindingElement()
{
SecurityBindingElement element;
switch (Security.Mode)
{
case BasicHttpsSecurityMode.TransportWithMessageCredential:
#if NET_2_1
throw new NotImplementedException();
#else
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
// FIXME: pass proper security token parameters.
element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
}
else
{
element = new AsymmetricSecurityBindingElement();
}
break;
#endif
default:
return(null);
}
#if !NET_2_1
element.SetKeyDerivation(false);
element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
return(element);
}
public static Binding GetIssuedTokenBindingSSL()
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
return(new CustomBinding(
messageSecurity,
textmessageEncoding,
new HttpsTransportBindingElement()));
}
SecurityBindingElement CreateSecurityBindingElement()
{
SecurityBindingElement element;
switch (Security.Mode)
{
case BasicHttpSecurityMode.Message:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
}
element = SecurityBindingElement.CreateMutualCertificateBindingElement(
MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
break;
case BasicHttpSecurityMode.TransportWithMessageCredential:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
// FIXME: pass proper security token parameters.
element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
}
else
{
element = new AsymmetricSecurityBindingElement();
}
break;
default:
return(null);
}
element.SetKeyDerivation(false);
element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
return(element);
}
//<snippet1>
public Binding CreateClientBinding()
{
AsymmetricSecurityBindingElement abe =
(AsymmetricSecurityBindingElement)SecurityBindingElement.
CreateMutualCertificateBindingElement(
MessageSecurityVersion.
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
abe.SetKeyDerivation(false);
X509SecurityTokenParameters istp =
abe.InitiatorTokenParameters as X509SecurityTokenParameters;
if (istp != null)
{
istp.X509ReferenceStyle =
X509KeyIdentifierClauseType.IssuerSerial;
}
X509SecurityTokenParameters rstp =
abe.RecipientTokenParameters as X509SecurityTokenParameters;
if (rstp != null)
{
rstp.X509ReferenceStyle =
X509KeyIdentifierClauseType.IssuerSerial;
}
HttpTransportBindingElement transport =
new HttpTransportBindingElement();
return(new CustomBinding(abe, transport));
}
private SecurityBindingElement CreateSecurity()
{
AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();
clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
clientToken.RequireDerivedKeys = false;
clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External;
security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work
security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
//Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked.
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return(security);
}
public void ServiceRecipientHasNoKeys()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters();
sbe.RecipientTokenParameters =
new UserNameSecurityTokenParameters();
//sbe.SetKeyDerivation (false);
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
CustomBinding binding = new CustomBinding(sbe,
new HttpTransportBindingElement());
IChannelListener <IReplyChannel> l =
binding.BuildChannelListener <IReplyChannel> (new Uri("http://localhost:37564"), new BindingParameterCollection());
try {
l.Open();
} finally {
if (l.State == CommunicationState.Opened)
{
l.Close();
}
}
}
private static SecurityBindingElement CreateSecurityBindingElement()
{
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Sha256;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
messageSecurity.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0);
messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);
messageSecurity.LocalServiceSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0);
messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient)
{
RequireDerivedKeys = false
};
messageSecurity.InitiatorTokenParameters = initiator;
return(messageSecurity);
}
public void ClientInitiatorHasNoKeysCore(bool deriveKeys, MessageProtectionOrder order)
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
sbe.InitiatorTokenParameters =
new UserNameSecurityTokenParameters();
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters();
sbe.SetKeyDerivation(deriveKeys);
sbe.MessageProtectionOrder = order;
TransportBindingElement tbe = new HandlerTransportBindingElement(delegate(Message input) {
// funky, but .NET does not raise an error
// until it writes the message to somewhere.
// That is, it won't raise an error if this
// HandlerTransportBindingElement does not
// write the input message to somewhere.
// It is an obvious bug.
input.WriteMessage(XmlWriter.Create(TextWriter.Null));
throw new Exception();
});
CustomBinding binding = new CustomBinding(sbe, tbe);
EndpointAddress address = new EndpointAddress(
new Uri("stream:dummy"),
new X509CertificateEndpointIdentity(cert2));
CalcProxy proxy = new CalcProxy(binding, address);
proxy.ClientCredentials.UserName.UserName = "******";
proxy.Open();
// Until here the wrong parameters are not checked.
proxy.Sum(1, 2);
}
public void RejectInclusionModeNever()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters =
new X509SecurityTokenParameters(
X509KeyIdentifierClauseType.Thumbprint,
// this leads to the failure.
SecurityTokenInclusionMode.Never);
ServiceHost host = new ServiceHost(typeof(Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
host.AddServiceEndpoint(typeof(IFoo),
binding, new Uri("http://localhost:37564"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("Test/Resources/test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add(cred);
try {
host.Open();
} finally {
if (host.State == CommunicationState.Opened)
{
host.Close();
}
}
}
public void VerifyX509MessageSecurityAtService()
{
AsymmetricSecurityBindingElement clisbe =
new AsymmetricSecurityBindingElement();
clisbe.InitiatorTokenParameters =
new X509SecurityTokenParameters();
clisbe.RecipientTokenParameters =
new X509SecurityTokenParameters();
AsymmetricSecurityBindingElement svcsbe =
new AsymmetricSecurityBindingElement();
svcsbe.InitiatorTokenParameters =
new X509SecurityTokenParameters();
svcsbe.RecipientTokenParameters =
new X509SecurityTokenParameters();
CustomBinding b_req = new CustomBinding(clisbe,
new HttpTransportBindingElement());
b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds(10);
CustomBinding b_res = new CustomBinding(svcsbe, new HttpTransportBindingElement());
b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds(10);
EndpointAddress remaddr = new EndpointAddress(
new Uri("http://localhost:37564"),
new X509CertificateEndpointIdentity(cert2));
CalcProxy proxy = null;
ServiceHost host = new ServiceHost(typeof(CalcService));
host.AddServiceEndpoint(typeof(ICalc), b_res, "http://localhost:37564");
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate = cert;
host.Description.Behaviors.Add(cred);
try {
host.Open();
proxy = new CalcProxy(b_req, remaddr);
proxy.ClientCredentials.ClientCertificate.Certificate = cert;
// FIXME: on WinFX, when this Begin method
// is invoked before the listener setup, it
// somehow works, while ours doesn't.
//IAsyncResult result = proxy.BeginSum (1, 2, null, null);
//Assert.AreEqual (3, proxy.EndSum (result));
Assert.AreEqual(3, proxy.Sum(1, 2));
} finally {
if (host.State == CommunicationState.Opened)
{
host.Close();
}
}
}
public override Binding CreateBinding()
{
Binding bin;
var tcpBin = new NetTcpBinding();
tcpBin.ReliableSession.InactivityTimeout = InactivityTimeout;
tcpBin.MaxBufferPoolSize = MaxBufferPoolSize;
tcpBin.MaxBufferSize = MaxBufferSize;
tcpBin.MaxConnections = MaxConnections;
tcpBin.MaxReceivedMessageSize = MaxReceivedMessageSize;
tcpBin.ReaderQuotas.MaxBytesPerRead = ReaderQuotas_MaxBytesPerRead;
tcpBin.ReaderQuotas.MaxStringContentLength = ReaderQuotas_MaxStringContentLength;
tcpBin.ReaderQuotas.MaxArrayLength = ReaderQuotas_MaxArrayLength;
tcpBin.Security.Mode = SecurityMode;
tcpBin.Security.Message.ClientCredentialType = ClientCredentialType;
tcpBin.TransferMode = TransferMode;
ConfigureTcpBindingAction?.Invoke(tcpBin);
bin = tcpBin;
// Check if ClockSkew has default values (300 segundos)
if (LocalClientMaxClockSkew != TimeSpan.FromMinutes(5) || LocalServiceMaxClockSkew != TimeSpan.FromMinutes(5))
{
CustomBinding cusBin = new CustomBinding(tcpBin);
SymmetricSecurityBindingElement symetricSecurity = cusBin.Elements.Find <SymmetricSecurityBindingElement>();
if (symetricSecurity != null)
{
//symetricSecurity.LocalServiceSettings.DetectReplays = false;
//symetricSecurity.LocalClientSettings.DetectReplays = false;
symetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
symetricSecurity.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew;
if (symetricSecurity.ProtectionTokenParameters is SecureConversationSecurityTokenParameters tokens)
{
//tokens.BootstrapSecurityBindingElement.LocalClientSettings.DetectReplays = false;
//tokens.BootstrapSecurityBindingElement.LocalServiceSettings.DetectReplays = false;
tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew;
tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
}
}
AsymmetricSecurityBindingElement asymetricSecurity = cusBin.Elements.Find <AsymmetricSecurityBindingElement>();
if (asymetricSecurity != null)
{
asymetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
asymetricSecurity.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew;
if (asymetricSecurity.InitiatorTokenParameters is SecureConversationSecurityTokenParameters tokens)
{
tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew;
tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
}
}
bin = cusBin;
}
bin.CloseTimeout = CloseTimeout;
bin.OpenTimeout = OpenTimeout;
bin.ReceiveTimeout = ReceiveTimeout;
bin.SendTimeout = SendTimeout;
return(bin);
}
public override BindingElementCollection CreateBindingElements()
{
var transport =
_useHttps
? new HttpsTransportBindingElement()
: new HttpTransportBindingElement();
if (_maxReceivedMessageSize.HasValue)
{
transport.MaxReceivedMessageSize =
_maxReceivedMessageSize.Value;
}
var encoding = new TextMessageEncodingBindingElement();
// [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Adressing 1.0
encoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
// AlwaysToInitiator is required by the [OIO IDWS SOAP 1.1] profile. This specifies that the server certificate must be embedded in the response.
var recipientTokenParameters = new X509SecurityTokenParameters(
X509KeyIdentifierClauseType.Any,
SecurityTokenInclusionMode.AlwaysToInitiator);
var initiatorTokenParameters =
new CustomizedIssuedSecurityTokenParameters(
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
);
initiatorTokenParameters.UseStrTransform = true;
var asymmetric = new AsymmetricSecurityBindingElement(recipientTokenParameters, initiatorTokenParameters);
// Must be true in order for client to accept embedded server certificates instead of references. This is required by the [OIO IDWS SOAP 1.1] profile.
// However, the client must still specify the server certificate explicitly.
// Have not figured out how the client can use the embedded server certificate and make trust to it through a CA certificate and a CN (Common Name). This way the client should not need the server certificate.
asymmetric.AllowSerializedSigningTokenOnReply = true;
// No need for derived keys when both parties has a certificate. Also OIO-IDWS-SOAP does not make use of derived keys.
asymmetric.SetKeyDerivation(false);
// Include token (encrypted assertion from NemLog-in STS) in signature
asymmetric.ProtectTokens = true;
// Specifies that WCF can send and receive unsecured responses to secured requests.
// Concrete this means that SOAP faults are send unencrypted. [OIO IDWS SOAP 1.1] does not specify whether or not SOAP faults can be encrypted but it looks like they should not be encrypted.
// If encrypted the client is not able to process the encrypted SOAP fault if client is not setup correctly.
// setting EnableUnsecuredResponse to true makes normal responses unsigned and processed by the client without error. This is not what we want :)
//asymmetric.EnableUnsecuredResponse = true;
var elements = new BindingElementCollection();
elements.Add(asymmetric);
elements.Add(encoding);
elements.Add(transport);
return(elements);
}
public IEnumerator <SecurityTokenParameters> GetEnumerator()
{
foreach (SecurityTokenParameters iteratorVariable0 in this.sbe.EndpointSupportingTokenParameters.Endorsing)
{
if (iteratorVariable0 != null)
{
yield return(iteratorVariable0);
}
}
foreach (SecurityTokenParameters iteratorVariable1 in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing)
{
if (iteratorVariable1 == null)
{
continue;
}
yield return(iteratorVariable1);
}
foreach (SupportingTokenParameters iteratorVariable2 in this.sbe.OperationSupportingTokenParameters.Values)
{
if (iteratorVariable2 != null)
{
foreach (SecurityTokenParameters iteratorVariable3 in iteratorVariable2.Endorsing)
{
if (iteratorVariable3 == null)
{
continue;
}
yield return(iteratorVariable3);
}
foreach (SecurityTokenParameters iteratorVariable4 in iteratorVariable2.SignedEndorsing)
{
if (iteratorVariable4 == null)
{
continue;
}
yield return(iteratorVariable4);
}
}
}
if (this.sbe is SymmetricSecurityBindingElement)
{
SymmetricSecurityBindingElement sbe = (SymmetricSecurityBindingElement)this.sbe;
if (sbe.ProtectionTokenParameters != null)
{
yield return(sbe.ProtectionTokenParameters);
}
}
else if (this.sbe is AsymmetricSecurityBindingElement)
{
AsymmetricSecurityBindingElement iteratorVariable6 = (AsymmetricSecurityBindingElement)this.sbe;
if (iteratorVariable6.RecipientTokenParameters != null)
{
yield return(iteratorVariable6.RecipientTokenParameters);
}
}
}
public static void Main ()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement ();
//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
//sbe.RequireSignatureConfirmation = true;
//sbe.LocalServiceSettings.DetectReplays = false;
//sbe.IncludeTimestamp = false;
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
UserNameSecurityTokenParameters up =
new UserNameSecurityTokenParameters ();
sbe.EndpointSupportingTokenParameters.Signed.Add (up);
sbe.SetKeyDerivation (false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
cred.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
cred.UserNameAuthentication.CustomUserNamePasswordValidator =
UserNamePasswordValidator.None;
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
se.Behaviors.Add (new StdErrInspectionBehavior ());
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
public AsymetricSecurityBE()
{
MessageSecurityVersion securityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
SecurityBindingElement securityBE = SecurityBindingElement.CreateMutualCertificateBindingElement(securityVersion, true);
securityBE.IncludeTimestamp = true;
securityBE.SetKeyDerivation(false);
securityBE.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
securityBE.EnableUnsecuredResponse = true;
m_asymSecBE = securityBE as AsymmetricSecurityBindingElement;
}
public static void Main()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
//sbe.RequireSignatureConfirmation = true;
//sbe.LocalServiceSettings.DetectReplays = false;
//sbe.IncludeTimestamp = false;
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost(typeof(Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
host.AddServiceEndpoint("IFoo",
binding, new Uri("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add(cred);
host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
{
se.Behaviors.Add(new StdErrInspectionBehavior());
}
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
host.Description.Behaviors.Add(smb);
host.Open();
Console.WriteLine("Hit [CR] key to close ...");
Console.ReadLine();
host.Close();
}
protected override SecurityBindingElement CreateMessageSecurity()
{
if (this.Security.Mode == WSFederationHttpSecurityMode.None)
{
throw new InvalidOperationException("Only message and security is supported");
}
if (this.Security.Message.IssuedKeyType != SecurityKeyType.AsymmetricKey)
{
throw new InvalidOperationException("Only Asymmectric Keys are supported");
}
if (this.Security.Message.NegotiateServiceCredential)
{
throw new InvalidOperationException("Negocatiation of service credentials not supported");
}
if (this.Security.Message.EstablishSecurityContext)
{
throw new InvalidOperationException("Secure conversation not supported");
}
SecurityBindingElement security;
if (this.Security.Mode == WSFederationHttpSecurityMode.Message)
{
SymmetricSecurityBindingElement baseSecurity = (SymmetricSecurityBindingElement)base.CreateMessageSecurity();
AsymmetricSecurityBindingElement asecurity = new AsymmetricSecurityBindingElement();
asecurity.InitiatorTokenParameters = baseSecurity.EndpointSupportingTokenParameters.Endorsing[0];
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
asecurity.RecipientTokenParameters = serverToken;
security = asecurity;
}
else
{
TransportSecurityBindingElement baseSecurity = (TransportSecurityBindingElement)base.CreateMessageSecurity();
TransportSecurityBindingElement tsecurity = new TransportSecurityBindingElement();
tsecurity.EndpointSupportingTokenParameters.Endorsing.Add(baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]);
security = tsecurity;
}
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return(security);
}
public IEnumerator <SecurityTokenParameters> GetEnumerator()
{
foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.Endorsing)
{
if (stp != null)
{
yield return(stp);
}
}
foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing)
{
if (stp != null)
{
yield return(stp);
}
}
foreach (SupportingTokenParameters str in this.sbe.OperationSupportingTokenParameters.Values)
{
if (str != null)
{
foreach (SecurityTokenParameters stp in str.Endorsing)
{
if (stp != null)
{
yield return(stp);
}
}
foreach (SecurityTokenParameters stp in str.SignedEndorsing)
{
if (stp != null)
{
yield return(stp);
}
}
}
}
if (this.sbe is SymmetricSecurityBindingElement)
{
SymmetricSecurityBindingElement ssbe = (SymmetricSecurityBindingElement)sbe;
if (ssbe.ProtectionTokenParameters != null)
{
yield return(ssbe.ProtectionTokenParameters);
}
}
else if (this.sbe is AsymmetricSecurityBindingElement)
{
AsymmetricSecurityBindingElement asbe = (AsymmetricSecurityBindingElement)sbe;
if (asbe.RecipientTokenParameters != null)
{
yield return(asbe.RecipientTokenParameters);
}
}
}
public static SecurityToken getToken(sts.Token token)
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
//messageSecurity.EnableUnsecuredResponse = true;
messageSecurity.IncludeTimestamp = false;
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
messageSecurity.LocalClientSettings.DetectReplays = false;
messageSecurity.LocalServiceSettings.DetectReplays = false;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var binding = new CustomBinding(messageSecurity, textmessageEncoding, new StrippingChannelBindingElement(), new HttpTransportBindingElement());
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri("http://login.staging.rapidsoft.ru:80/auth/sts"), EndpointIdentity.CreateDnsIdentity("test")));
trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.None;
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);
rst.OnBehalfOf = new Microsoft.IdentityModel.Tokens.SecurityTokenElement(token, new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection());
rst.KeyType = WSTrust13Constants.KeyTypes.Asymmetric;
RequestSecurityTokenResponse rstr = null;
SecurityToken SecurityToken = channel.Issue(rst, out rstr);
return(SecurityToken);
}
/// <summary>
/// Creates the custom binding.
/// </summary>
/// <param name="isCertificate">If set to true certificate security will be used.</param>
/// <returns></returns>
/// <remarks></remarks>
public static Binding CreateCustomBinding(bool isCertificate, bool isHttps)
{
BindingElement securityBinding = null;
BindingElement transport = null;
if (isHttps)
{
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
transport = httpsTransport;
}
else
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
transport = httpTransport;
}
TextMessageEncodingBindingElement messageEncoding = new TextMessageEncodingBindingElement();
if (!isCertificate)
{
TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
messageSecurity.IncludeTimestamp = false;
securityBinding = messageSecurity;
messageSecurity.AllowInsecureTransport = !isHttps;
}
else
{
AsymmetricSecurityBindingElement messageSecurity =
(AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement
(
MessageSecurityVersion
.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
);
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
messageSecurity.AllowInsecureTransport = !isHttps;
securityBinding = messageSecurity;
messageEncoding.MessageVersion = MessageVersion.Soap11;
}
CustomBinding result = new CustomBinding(securityBinding,
messageEncoding,
transport);
return(result);
}
/// <summary>
/// Returns a custom wcf binding that will create a SOAP request
/// compatible with the Simple Order API Service
/// </summary>
protected static CustomBinding getWCFCustomBinding(Configuration config)
{
//Setup custom binding with HTTPS + Body Signing
CustomBinding currentBinding = new CustomBinding();
//Sign the body
AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
asec.SetKeyDerivation(false);
asec.IncludeTimestamp = false;
asec.EnableUnsecuredResponse = true;
asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
if (config.UseSignedAndEncrypted)
{
asec.LocalClientSettings.IdentityVerifier = new CustomeIdentityVerifier();
asec.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters {
InclusionMode = SecurityTokenInclusionMode.Once
};
asec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
asec.EndpointSupportingTokenParameters.SignedEncrypted.Add(new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters());
asec.SetKeyDerivation(false);
}
//Use custom encoder to strip unsigned timestamp in response
CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();
//Setup https transport
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
httpsTransport.RequireClientCertificate = true;
httpsTransport.AuthenticationScheme = AuthenticationSchemes.Anonymous;
httpsTransport.MaxReceivedMessageSize = 2147483647;
httpsTransport.UseDefaultWebProxy = false;
//Setup Proxy if needed
if (mProxy != null)
{
WebRequest.DefaultWebProxy = mProxy;
httpsTransport.UseDefaultWebProxy = true;
}
//Bind in order (Security layer, message layer, transport layer)
currentBinding.Elements.Add(asec);
currentBinding.Elements.Add(textBindingElement);
currentBinding.Elements.Add(httpsTransport);
return(currentBinding);
}
public static NCIServiceWCFClient CreateNCIServiceClient(Uri uri)
{
UCCProxyFactory.ClientCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/isbank_test_private.pfx");
UCCProxyFactory.ServiceCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/ucc_test_public.cer");
UCCProxyFactory.ClientCertificatePassword = "******";
System.Net.ServicePointManager.Expect100Continue = false;
if (string.IsNullOrEmpty(ClientCertificatePath) || string.IsNullOrEmpty(ServiceCertificatePath))
{
throw new InvalidOperationException("You should specify certificates path first");
}
if (string.IsNullOrEmpty(ClientCertificatePassword))
{
throw new InvalidOperationException("You should specify ClientCertificatePassword");
}
clientCertificate = new X509Certificate2(ClientCertificatePath, ClientCertificatePassword);
serviceCertificate = new X509Certificate2(ServiceCertificatePath);
endpointIdentity = new X509CertificateEndpointIdentity(serviceCertificate, new X509Certificate2Collection(clientCertificate));
EndpointAddress ea = new EndpointAddress(uri, endpointIdentity);
CustomBinding cb = new CustomBinding();
cb.CloseTimeout = new TimeSpan(50000000);
TextMessageEncodingBindingElement messageBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
HttpTransportBindingElement nciTransport = new HttpTransportBindingElement();
nciTransport.MaxReceivedMessageSize = 5000000; //115000000;
messageBindingElement.ReaderQuotas.MaxStringContentLength = 1200000; //11200000;
AsymmetricSecurityBindingElement abe = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);;
abe.AllowSerializedSigningTokenOnReply = true;
abe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
abe.SetKeyDerivation(false);
cb.Elements.Add(abe);
cb.Elements.Add(messageBindingElement);
cb.Elements.Add(nciTransport);
NCIServiceWCFClient nciClient = new NCIServiceWCFClient(cb, ea);
nciClient.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
nciClient.ClientCredentials.ClientCertificate.Certificate = clientCertificate;
nciClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
return(nciClient);
}
public static AsymmetricSecurityBindingElement CreateWusSecurityBindingElement()
{
//Create binding element for security
AsymmetricSecurityBindingElement secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
//Explicitly accept secured answers from endpoint
secBE.AllowSerializedSigningTokenOnReply = true;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.EnableUnsecuredResponse = true;
secBE.IncludeTimestamp = true;
secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
return(secBE);
}
static void Main(string[] args)
{
//<snippet5>
EndpointAddress serviceEndpoint =
new EndpointAddress(new Uri("http://localhost:6060/service"));
CustomBinding binding = new CustomBinding();
AsymmetricSecurityBindingElement securityBE =
SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
MessageSecurityVersion.
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
// Add a custom IdentityVerifier because the service uses two certificates
// (one for signing and one for encryption) and an endpoint identity that
// contains a single identity claim.
securityBE.LocalClientSettings.IdentityVerifier = new MyIdentityVerifier();
binding.Elements.Add(securityBE);
CompositeDuplexBindingElement compositeDuplex =
new CompositeDuplexBindingElement();
compositeDuplex.ClientBaseAddress = new Uri("http://localhost:6061/client");
binding.Elements.Add(compositeDuplex);
binding.Elements.Add(new OneWayBindingElement());
binding.Elements.Add(new HttpTransportBindingElement());
using (ChannelFactory <IMyServiceChannel> factory =
new ChannelFactory <IMyServiceChannel>(binding, serviceEndpoint))
{
MyClientCredentials credentials = new MyClientCredentials();
SetupCertificates(credentials);
factory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
factory.Endpoint.Behaviors.Add(credentials);
IMyServiceChannel channel = factory.CreateChannel();
Console.WriteLine(channel.Hello("world"));
channel.Close();
}
//</snippet5>
}
private static System.ServiceModel.Channels.Binding CreateBinding()
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var httpTransport = new HttpTransportBindingElement();
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);
return customBinding;
}
CreateBindingElements()
{
var list = new List <BindingElement> ();
switch (Security.Mode)
{
#if !NET_2_1
case BasicHttpSecurityMode.Message:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
}
goto case BasicHttpSecurityMode.TransportWithMessageCredential;
case BasicHttpSecurityMode.TransportWithMessageCredential:
SecurityBindingElement sec;
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
// FIXME: pass proper security token parameters.
sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
}
else
{
sec = new AsymmetricSecurityBindingElement();
}
list.Add(sec);
break;
#endif
}
#if NET_2_1
if (EnableHttpCookieContainer)
{
list.Add(new HttpCookieContainerBindingElement());
}
#endif
list.Add(BuildMessageEncodingBindingElement());
list.Add(GetTransport());
return(new BindingElementCollection(list.ToArray()));
}
static void Run()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
//sbe.RequireSignatureConfirmation = true;
//sbe.LocalClientSettings.DetectReplays = false;
//sbe.IncludeTimestamp = false;
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
UserNameSecurityTokenParameters up =
new UserNameSecurityTokenParameters();
sbe.EndpointSupportingTokenParameters.Signed.Add(up);
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe);
X509Certificate2 cert = new X509Certificate2("test.pfx", "mono");
X509Certificate2 cert2 = new X509Certificate2("test2.pfx", "mono");
FooProxy proxy = new FooProxy(binding,
new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert)));
//proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
proxy.ClientCredentials.UserName.UserName = "******";
proxy.ClientCredentials.ClientCertificate.Certificate = cert2;
proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
proxy.Open();
Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
}
SecurityBindingElement CreateSecurityBindingElement()
{
SecurityBindingElement element;
switch (Security.Mode)
{
case BasicHttpSecurityMode.Message:
#if NET_2_1 || XAMMAC_4_5
throw new NotImplementedException();
#else
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
}
element = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
break;
#endif
case BasicHttpSecurityMode.TransportWithMessageCredential:
#if NET_2_1 || XAMMAC_4_5
throw new NotImplementedException();
#else
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
}
else
{
element = new AsymmetricSecurityBindingElement();
}
break;
#endif
default:
return(null);
}
#if !NET_2_1 && !XAMMAC_4_5
element.SetKeyDerivation(false);
element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
return(element);
}
private CustomBinding CreatePullBinding()
{
CustomBinding pullBinding = new CustomBinding();
pullBinding.Name = "ePUAPBinding";
SecurityBindingElement sBElement = SecurityBindingElement.CreateMutualCertificateBindingElement(
MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
AsymmetricSecurityBindingElement bindingAsymetryczny = (AsymmetricSecurityBindingElement)sBElement;
bindingAsymetryczny.SetKeyDerivation(true);
bindingAsymetryczny.EnableUnsecuredResponse = false;
bindingAsymetryczny.AllowInsecureTransport = false;
bindingAsymetryczny.AllowSerializedSigningTokenOnReply = true;
bindingAsymetryczny.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic192Rsa15;
bindingAsymetryczny.IncludeTimestamp = true;
bindingAsymetryczny.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
pullBinding.Elements.Clear();
pullBinding.Elements.Add(bindingAsymetryczny);
pullBinding.Elements.Add(new TextMessageEncodingBindingElement()
{
MessageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11, AddressingVersion.None), WriteEncoding = new UTF8Encoding()
});
HttpsTransportBindingElement httpsbinding = new HttpsTransportBindingElement();
pullBinding.Elements.Add(httpsbinding);
return(pullBinding);
}
/// <summary>
/// Returns a custom wcf binding that will create a SOAP request
/// compatible with the Simple Order API Service
/// </summary>
protected static CustomBinding getWCFCustomBinding()
{
//Setup custom binding with HTTPS + Body Signing
CustomBinding currentBinding = new CustomBinding();
//Sign the body
AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
asec.SetKeyDerivation(false);
asec.IncludeTimestamp = false;
asec.EnableUnsecuredResponse = true;
asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//Use custom encoder to strip unsigned timestamp in response
CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();
//Setup https transport
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
httpsTransport.RequireClientCertificate = true;
httpsTransport.AuthenticationScheme = AuthenticationSchemes.Anonymous;
httpsTransport.MaxReceivedMessageSize = 2147483647;
httpsTransport.UseDefaultWebProxy = false;
//Setup Proxy if needed
if (mProxy != null)
{
WebRequest.DefaultWebProxy = mProxy;
httpsTransport.UseDefaultWebProxy = true;
}
//Bind in order (Security layer, message layer, transport layer)
currentBinding.Elements.Add(asec);
currentBinding.Elements.Add(textBindingElement);
currentBinding.Elements.Add(httpsTransport);
return(currentBinding);
}
private static System.ServiceModel.Channels.Binding CreateBinding()
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var httpTransport = new HttpTransportBindingElement();
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);
return(customBinding);
}
/// <summary>
///
/// </summary>
/// <param name="transport"></param>
/// <returns></returns>
private static System.ServiceModel.Channels.Binding CreateBinding(TransportBindingElement transport)
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.LocalClientSettings.IdentityVerifier = new DisabledDnsIdentityCheck();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
messageSecurity.ProtectTokens = true;
initiator.UseStrTransform = true;
initiator.KeyType = SecurityKeyType.AsymmetricKey;
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, transport);
return customBinding;
}
public WSSecurityBinding(bool sslLocation, X509Certificate2 serviceCertificate)
{
this.sslLocation = sslLocation;
// Get CN from service certificate, used to set Dns Identity Claim
string cn = null;
foreach (string issuerPart in serviceCertificate.Issuer.Split(','))
{
string[] parts = issuerPart.Split('=');
if (parts[0].ToUpperInvariant().EndsWith("CN"))
{
cn = parts[1];
}
}
TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
encoding.MessageVersion = MessageVersion.Soap11;
AsymmetricSecurityBindingElement securityBinding = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
securityBinding.LocalClientSettings.IdentityVerifier = new DnsIdentityVerifier(new DnsEndpointIdentity(cn));
securityBinding.AllowSerializedSigningTokenOnReply = true;
securityBinding.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
this.bindingElements = new BindingElementCollection();
this.bindingElements.Add(securityBinding);
this.bindingElements.Add(encoding);
if (this.sslLocation)
{
this.bindingElements.Add(new HttpsTransportBindingElement());
}
else
{
this.bindingElements.Add(new HttpTransportBindingElement());
}
}
public static Binding GetIssuedTokenBindingSSL()
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
return new CustomBinding(
messageSecurity,
textmessageEncoding,
new HttpsTransportBindingElement());
}
public void RejectInclusionModeNever ()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement ();
sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters =
new X509SecurityTokenParameters (
X509KeyIdentifierClauseType.Thumbprint,
// this leads to the failure.
SecurityTokenInclusionMode.Never);
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
host.AddServiceEndpoint (typeof (IFoo),
binding, new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("Test/Resources/test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add (cred);
try {
host.Open ();
} finally {
if (host.State == CommunicationState.Opened)
host.Close ();
}
}
public void ClientInitiatorHasNoKeysCore (bool deriveKeys, MessageProtectionOrder order)
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement ();
sbe.InitiatorTokenParameters =
new UserNameSecurityTokenParameters ();
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters ();
sbe.SetKeyDerivation (deriveKeys);
sbe.MessageProtectionOrder = order;
TransportBindingElement tbe = new HandlerTransportBindingElement (delegate (Message input) {
// funky, but .NET does not raise an error
// until it writes the message to somewhere.
// That is, it won't raise an error if this
// HandlerTransportBindingElement does not
// write the input message to somewhere.
// It is an obvious bug.
input.WriteMessage (XmlWriter.Create (TextWriter.Null));
throw new Exception ();
});
CustomBinding binding = new CustomBinding (sbe, tbe);
EndpointAddress address = new EndpointAddress (
new Uri ("stream:dummy"),
new X509CertificateEndpointIdentity (cert2));
CalcProxy proxy = new CalcProxy (binding, address);
proxy.ClientCredentials.UserName.UserName = "******";
proxy.Open ();
// Until here the wrong parameters are not checked.
proxy.Sum (1, 2);
}
public void VerifyX509MessageSecurityAtService ()
{
AsymmetricSecurityBindingElement clisbe =
new AsymmetricSecurityBindingElement ();
clisbe.InitiatorTokenParameters =
new X509SecurityTokenParameters ();
clisbe.RecipientTokenParameters =
new X509SecurityTokenParameters ();
AsymmetricSecurityBindingElement svcsbe =
new AsymmetricSecurityBindingElement ();
svcsbe.InitiatorTokenParameters =
new X509SecurityTokenParameters ();
svcsbe.RecipientTokenParameters =
new X509SecurityTokenParameters ();
CustomBinding b_req = new CustomBinding (clisbe,
new HttpTransportBindingElement ());
b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds (10);
CustomBinding b_res = new CustomBinding (svcsbe, new HttpTransportBindingElement ());
b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds (10);
EndpointAddress remaddr = new EndpointAddress (
new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()),
new X509CertificateEndpointIdentity (cert2));
CalcProxy proxy = null;
ServiceHost host = new ServiceHost (typeof (CalcService));
host.AddServiceEndpoint (typeof (ICalc), b_res, "http://localhost:" + NetworkHelpers.FindFreePort ());
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate = cert;
host.Description.Behaviors.Add (cred);
try {
host.Open ();
proxy = new CalcProxy (b_req, remaddr);
proxy.ClientCredentials.ClientCertificate.Certificate = cert;
// FIXME: on WinFX, when this Begin method
// is invoked before the listener setup, it
// somehow works, while ours doesn't.
//IAsyncResult result = proxy.BeginSum (1, 2, null, null);
//Assert.AreEqual (3, proxy.EndSum (result));
Assert.AreEqual (3, proxy.Sum (1, 2));
} finally {
if (host.State == CommunicationState.Opened)
host.Close ();
}
}
public void SetKeyDerivation ()
{
AsymmetricSecurityBindingElement be;
X509SecurityTokenParameters p, p2;
be = new AsymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
be.InitiatorTokenParameters = p;
be.RecipientTokenParameters = p2;
be.SetKeyDerivation (false);
Assert.AreEqual (false, p.RequireDerivedKeys, "#1");
Assert.AreEqual (false, p2.RequireDerivedKeys, "#2");
be = new AsymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
be.SetKeyDerivation (false); // set in prior - makes no sense
be.InitiatorTokenParameters = p;
be.RecipientTokenParameters = p2;
Assert.AreEqual (true, p.RequireDerivedKeys, "#3");
Assert.AreEqual (true, p2.RequireDerivedKeys, "#4");
}
public AsymmetricSecurityCapabilities (
AsymmetricSecurityBindingElement element)
{
this.element = element;
}
public void ServiceRecipientHasNoKeys ()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement ();
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters ();
sbe.RecipientTokenParameters =
new UserNameSecurityTokenParameters ();
//sbe.SetKeyDerivation (false);
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
CustomBinding binding = new CustomBinding (sbe,
new HttpTransportBindingElement ());
IChannelListener<IReplyChannel> l =
binding.BuildChannelListener<IReplyChannel> (new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()), new BindingParameterCollection ());
try {
l.Open ();
} finally {
if (l.State == CommunicationState.Opened)
l.Close ();
}
}
private SecurityBindingElement CreateSecurity()
{
AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();
clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
clientToken.RequireDerivedKeys = false;
clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External;
security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work
security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
//Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked.
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return security;
}
SecurityBindingElement CreateSecurityBindingElement ()
{
SecurityBindingElement element;
switch (Security.Mode) {
#if !NET_2_1
case BasicHttpSecurityMode.Message:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
element = SecurityBindingElement.CreateMutualCertificateBindingElement (
MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
break;
case BasicHttpSecurityMode.TransportWithMessageCredential:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
// FIXME: pass proper security token parameters.
element = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
else
element = new AsymmetricSecurityBindingElement ();
break;
#endif
default:
return null;
}
#if !NET_2_1
element.SetKeyDerivation (false);
element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
return element;
}
public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
{
XmlElement element;
Collection<Collection<XmlElement>> collection;
bool flag = false;
if (this.TryImportWsspAssertion(assertions, "RecipientToken", out element) && this.TryGetNestedPolicyAlternatives(importer, element, out collection))
{
foreach (Collection<XmlElement> collection2 in collection)
{
SecurityTokenParameters parameters;
bool flag2;
if (this.TryImportTokenAssertion(importer, policyContext, collection2, out parameters, out flag2) && (collection2.Count == 0))
{
flag = true;
binding.RecipientTokenParameters = parameters;
return flag;
}
}
}
return flag;
}
public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)
{
Collection<Collection<XmlElement>> collection;
binding = null;
if (this.TryImportWsspAssertion(assertions, "AsymmetricBinding", out assertion) && this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
{
foreach (Collection<XmlElement> collection2 in collection)
{
MessageProtectionOrder order;
binding = new AsymmetricSecurityBindingElement();
if (((this.TryImportWsspInitiatorTokenAssertion(importer, policyContext, collection2, binding) && this.TryImportWsspRecipientTokenAssertion(importer, policyContext, collection2, binding)) && (this.TryImportWsspAlgorithmSuiteAssertion(importer, collection2, binding) && this.TryImportWsspLayoutAssertion(importer, collection2, binding))) && ((this.TryImportWsspIncludeTimestampAssertion(collection2, binding) && this.TryImportMessageProtectionOrderAssertions(collection2, out order)) && (this.TryImportWsspAssertion(collection2, "OnlySignEntireHeadersAndBody", true) && (collection2.Count == 0))))
{
binding.MessageProtectionOrder = order;
break;
}
binding = null;
}
}
return (binding != null);
}
public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
{
bool result = false;
XmlElement assertion;
Collection<Collection<XmlElement>> alternatives;
if (TryImportWsspAssertion(assertions, RecipientTokenName, out assertion)
&& TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
{
foreach (Collection<XmlElement> alternative in alternatives)
{
SecurityTokenParameters tokenParameters;
bool isOptional;
if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional)
&& alternative.Count == 0)
{
result = true;
binding.RecipientTokenParameters = tokenParameters;
break;
}
}
}
return result;
}
public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)
{
binding = null;
Collection<Collection<XmlElement>> alternatives;
if (TryImportWsspAssertion(assertions, AsymmetricBindingName, out assertion)
&& TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
{
foreach (Collection<XmlElement> alternative in alternatives)
{
MessageProtectionOrder order;
bool protectTokens;
binding = new AsymmetricSecurityBindingElement();
if (TryImportWsspInitiatorTokenAssertion(importer, policyContext, alternative, binding)
&& TryImportWsspRecipientTokenAssertion(importer, policyContext, alternative, binding)
&& TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding)
&& TryImportWsspLayoutAssertion(importer, alternative, binding)
&& TryImportWsspIncludeTimestampAssertion(alternative, binding)
&& TryImportMessageProtectionOrderAssertions(alternative, out order)
&& TryImportWsspProtectTokensAssertion(alternative, out protectTokens)
&& TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true)
&& alternative.Count == 0)
{
binding.MessageProtectionOrder = order;
binding.ProtectTokens = protectTokens;
break;
}
else
{
binding = null;
}
}
}
return binding != null;
}
private SecurityBindingElement CreateWSS11SecurityBindingElement()
{
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
// TEST
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = false;
//WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding");
//CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport");
// TEMPORARILY DISABLED
// .Net 3.5
//string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc";
// .Net 4.0
string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc";
//IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
// new EndpointAddress(adsAddress), stsBinding);
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
issuedTokenParameters.UseStrTransform = false;
issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
//issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
//issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey;
// 256?
//issuedTokenParameters.KeySize = 256;
issuedTokenParameters.KeySize = 0;
// .Net 3.5
//string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex";
// .Net 4.0
//string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex";
//issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress);
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
//issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
// Claims
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));
// THis is a test
//secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);
// This is the right one
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
//secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters);
// need to put this in configuration
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any;
X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
//initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.Never);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
return secBindingElement;
}
private SecurityBindingElement CreateWSS10SecurityBindingElement()
{
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = false;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
SecurityTokenInclusionMode.Never);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
//secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
//secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters);
//secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
return secBindingElement;
}
public static void AssertAsymmetricSecurityBindingElement (
SecurityAlgorithmSuite algorithm,
bool includeTimestamp,
SecurityKeyEntropyMode keyEntropyMode,
MessageProtectionOrder messageProtectionOrder,
MessageSecurityVersion messageSecurityVersion,
bool requireSignatureConfirmation,
SecurityHeaderLayout securityHeaderLayout,
// EndpointSupportingTokenParameters
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
// InitiatorTokenParameters
bool hasInitiatorTokenParameters,
SecurityTokenInclusionMode initiatorTokenInclusionMode,
SecurityTokenReferenceStyle initiatorTokenReferenceStyle,
bool initiatorTokenRequireDerivedKeys,
// RecipientTokenParameters
bool hasRecipientTokenParameters,
SecurityTokenInclusionMode recipientTokenInclusionMode,
SecurityTokenReferenceStyle recipientTokenReferenceStyle,
bool recipientTokenRequireDerivedKeys,
// LocalClientSettings
bool cacheCookies,
int renewalThresholdPercentage,
bool detectReplays,
AsymmetricSecurityBindingElement be, string label)
{
AssertSecurityBindingElement (
algorithm,
includeTimestamp,
keyEntropyMode,
messageSecurityVersion,
securityHeaderLayout,
// EndpointSupportingTokenParameters
endorsing, signed, signedEncrypted, signedEndorsing,
// LocalClientSettings
cacheCookies,
renewalThresholdPercentage,
detectReplays,
be, label);
Assert.AreEqual (messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder");
Assert.AreEqual (requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation");
if (!hasInitiatorTokenParameters)
Assert.IsNull (be.InitiatorTokenParameters, label + ".InitiatorTokenParameters (null)");
else
AssertSecurityTokenParameters (
initiatorTokenInclusionMode,
initiatorTokenReferenceStyle,
initiatorTokenRequireDerivedKeys,
be.InitiatorTokenParameters, label + ".InitiatorTokenParameters");
if (!hasRecipientTokenParameters)
Assert.IsNull (be.RecipientTokenParameters, label + ".RecipientTokenParameters (null)");
else
AssertSecurityTokenParameters (
recipientTokenInclusionMode,
recipientTokenReferenceStyle,
recipientTokenRequireDerivedKeys,
be.RecipientTokenParameters, label + ".RecipientTokenParameters");
}
public virtual XmlElement CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding)
{
if (binding == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
}
XmlElement result = CreateWsspAssertion(AsymmetricBindingName);
result.AppendChild(
CreateWspPolicyWrapper(
exporter,
CreateWsspInitiatorTokenAssertion(exporter, binding.InitiatorTokenParameters),
CreateWsspRecipientTokenAssertion(exporter, binding.RecipientTokenParameters),
CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite),
CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout),
CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp),
CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder),
CreateWsspEncryptSignatureAssertion(policyContext, binding),
CreateWsspProtectTokensAssertion(binding),
CreateWsspAssertion(OnlySignEntireHeadersAndBodyName)
));
return result;
}
CreateBindingElements ()
{
var list = new List<BindingElement> ();
switch (Security.Mode) {
#if !NET_2_1
case BasicHttpSecurityMode.Message:
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
goto case BasicHttpSecurityMode.TransportWithMessageCredential;
case BasicHttpSecurityMode.TransportWithMessageCredential:
SecurityBindingElement sec;
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
// FIXME: pass proper security token parameters.
sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
else
sec = new AsymmetricSecurityBindingElement ();
list.Add (sec);
break;
#endif
}
#if NET_2_1
if (EnableHttpCookieContainer)
list.Add (new HttpCookieContainerBindingElement ());
#endif
list.Add (BuildMessageEncodingBindingElement ());
list.Add (GetTransport ());
return new BindingElementCollection (list.ToArray ());
}
SecurityBindingElement CreateSecurityBindingElement ()
{
SecurityBindingElement element;
switch (Security.Mode) {
case BasicHttpsSecurityMode.TransportWithMessageCredential:
#if NET_2_1
throw new NotImplementedException ();
#else
if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
// FIXME: pass proper security token parameters.
element = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
else
element = new AsymmetricSecurityBindingElement ();
break;
#endif
default:
return null;
}
#if !NET_2_1
element.SetKeyDerivation (false);
element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
return element;
}
private SecurityBindingElement CreateSecurityBindingElement()
{
CustomTextTraceSource ts = new CustomTextTraceSource("Common.WspCustomSecuredBinding.CreateSecurityBindingElement",
"MyTraceSource", System.Diagnostics.SourceLevels.Information);
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = true;
// SAML assertion as a signed-encrypted supporting token
IssuedSecurityTokenParameters issuedTokenParameters =
new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
// Compliance with WSS SAML Token Profile 1.1
// Target .Net 3.5. Does not work with .Net 4
issuedTokenParameters.UseStrTransform = _enableStrTransform;
ts.TraceInformation("issuedTokenParameters.UseStrTransform = " + issuedTokenParameters.UseStrTransform.ToString());
// Using bearer key type which means no proof key
issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
issuedTokenParameters.KeySize = 0;
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
//issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
// These claims are not really needed here. We are doing out of band requests!
// Claims
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));
// GFIPM S2S 6.4 User Authorization - Encrypted GFIPM User Assertion
//secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);
// For debug
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
//initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToInitiator);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
//recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
//Set the Custom IdentityVerifier
secBindingElement.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();
//////////////////////////////////////////////////////////
return secBindingElement;
}