Ejemplo n.º 1
0
        SecurityBindingElement CreateSecurityBindingElement()
        {
            SecurityBindingElement element;

            switch (Security.Mode)
            {
            case BasicHttpsSecurityMode.TransportWithMessageCredential:
#if NET_2_1
                throw new NotImplementedException();
#else
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    // FIXME: pass proper security token parameters.
                    element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                }
                else
                {
                    element = new AsymmetricSecurityBindingElement();
                }
                break;
#endif
            default:
                return(null);
            }

#if !NET_2_1
            element.SetKeyDerivation(false);
            element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
            return(element);
        }
Ejemplo n.º 2
0
        public static Binding GetIssuedTokenBindingSSL()
        {
            var textmessageEncoding = new TextMessageEncodingBindingElement();

            textmessageEncoding.WriteEncoding  = Encoding.UTF8;
            textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;

            var messageSecurity = new AsymmetricSecurityBindingElement();

            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion             = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);

            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);

            initiator.RequireDerivedKeys             = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

            return(new CustomBinding(
                       messageSecurity,
                       textmessageEncoding,
                       new HttpsTransportBindingElement()));
        }
Ejemplo n.º 3
0
        SecurityBindingElement CreateSecurityBindingElement()
        {
            SecurityBindingElement element;

            switch (Security.Mode)
            {
            case BasicHttpSecurityMode.Message:
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
                }
                element = SecurityBindingElement.CreateMutualCertificateBindingElement(
                    MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
                break;

            case BasicHttpSecurityMode.TransportWithMessageCredential:
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    // FIXME: pass proper security token parameters.
                    element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                }
                else
                {
                    element = new AsymmetricSecurityBindingElement();
                }
                break;

            default:
                return(null);
            }

            element.SetKeyDerivation(false);
            element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
            return(element);
        }
Ejemplo n.º 4
0
        //<snippet1>
        public Binding CreateClientBinding()
        {
            AsymmetricSecurityBindingElement abe =
                (AsymmetricSecurityBindingElement)SecurityBindingElement.
                CreateMutualCertificateBindingElement(
                    MessageSecurityVersion.
                    WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

            abe.SetKeyDerivation(false);

            X509SecurityTokenParameters istp =
                abe.InitiatorTokenParameters as X509SecurityTokenParameters;

            if (istp != null)
            {
                istp.X509ReferenceStyle =
                    X509KeyIdentifierClauseType.IssuerSerial;
            }
            X509SecurityTokenParameters rstp =
                abe.RecipientTokenParameters as X509SecurityTokenParameters;

            if (rstp != null)
            {
                rstp.X509ReferenceStyle =
                    X509KeyIdentifierClauseType.IssuerSerial;
            }

            HttpTransportBindingElement transport =
                new HttpTransportBindingElement();

            return(new CustomBinding(abe, transport));
        }
Ejemplo n.º 5
0
        private SecurityBindingElement CreateSecurity()
        {
            AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();

            X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();

            clientToken.X509ReferenceStyle    = X509KeyIdentifierClauseType.Any;
            clientToken.InclusionMode         = SecurityTokenInclusionMode.AlwaysToRecipient;
            clientToken.RequireDerivedKeys    = false;
            clientToken.ReferenceStyle        = SecurityTokenReferenceStyle.Internal;
            security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.

            X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();

            serverToken.X509ReferenceStyle    = X509KeyIdentifierClauseType.Any;
            serverToken.InclusionMode         = SecurityTokenInclusionMode.Never;
            serverToken.RequireDerivedKeys    = false;
            serverToken.ReferenceStyle        = SecurityTokenReferenceStyle.External;
            security.RecipientTokenParameters = serverToken;                    //Only to make asymetric binding work

            security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
            //Later on the unsigned binary token is removed and the non referecing signature is removed.  The signed token and referencing signature are linked.

            security.EnableUnsecuredResponse = true;
            security.IncludeTimestamp        = true;
            security.SecurityHeaderLayout    = SecurityHeaderLayout.Lax;
            security.DefaultAlgorithmSuite   = SecurityAlgorithmSuite.Basic256;
            security.MessageSecurityVersion  = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            security.SetKeyDerivation(false);

            return(security);
        }
Ejemplo n.º 6
0
        public void ServiceRecipientHasNoKeys()
        {
            AsymmetricSecurityBindingElement sbe =
                new AsymmetricSecurityBindingElement();

            sbe.InitiatorTokenParameters =
                new X509SecurityTokenParameters();
            sbe.RecipientTokenParameters =
                new UserNameSecurityTokenParameters();
            //sbe.SetKeyDerivation (false);
            //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            CustomBinding binding = new CustomBinding(sbe,
                                                      new HttpTransportBindingElement());
            IChannelListener <IReplyChannel> l =
                binding.BuildChannelListener <IReplyChannel> (new Uri("http://localhost:37564"), new BindingParameterCollection());

            try {
                l.Open();
            } finally {
                if (l.State == CommunicationState.Opened)
                {
                    l.Close();
                }
            }
        }
        private static SecurityBindingElement CreateSecurityBindingElement()
        {
            var messageSecurity = new AsymmetricSecurityBindingElement();

            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion             = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            messageSecurity.DefaultAlgorithmSuite            = SecurityAlgorithmSuite.Basic128Sha256;
            messageSecurity.MessageProtectionOrder           = MessageProtectionOrder.EncryptBeforeSign;
            messageSecurity.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0);
            messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);
            messageSecurity.LocalServiceSettings.MaxClockSkew             = new TimeSpan(0, 0, 1, 0);
            messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);

            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);

            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;

            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient)
            {
                RequireDerivedKeys = false
            };

            messageSecurity.InitiatorTokenParameters = initiator;

            return(messageSecurity);
        }
Ejemplo n.º 8
0
        public void ClientInitiatorHasNoKeysCore(bool deriveKeys, MessageProtectionOrder order)
        {
            AsymmetricSecurityBindingElement sbe =
                new AsymmetricSecurityBindingElement();

            sbe.InitiatorTokenParameters =
                new UserNameSecurityTokenParameters();
            sbe.RecipientTokenParameters =
                new X509SecurityTokenParameters();
            sbe.SetKeyDerivation(deriveKeys);
            sbe.MessageProtectionOrder = order;
            TransportBindingElement tbe = new HandlerTransportBindingElement(delegate(Message input) {
                // funky, but .NET does not raise an error
                // until it writes the message to somewhere.
                // That is, it won't raise an error if this
                // HandlerTransportBindingElement does not
                // write the input message to somewhere.
                // It is an obvious bug.
                input.WriteMessage(XmlWriter.Create(TextWriter.Null));
                throw new Exception();
            });
            CustomBinding   binding = new CustomBinding(sbe, tbe);
            EndpointAddress address = new EndpointAddress(
                new Uri("stream:dummy"),
                new X509CertificateEndpointIdentity(cert2));
            CalcProxy proxy = new CalcProxy(binding, address);

            proxy.ClientCredentials.UserName.UserName = "******";
            proxy.Open();
            // Until here the wrong parameters are not checked.
            proxy.Sum(1, 2);
        }
Ejemplo n.º 9
0
        public void RejectInclusionModeNever()
        {
            AsymmetricSecurityBindingElement sbe =
                new AsymmetricSecurityBindingElement();

            sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters =
                new X509SecurityTokenParameters(
                    X509KeyIdentifierClauseType.Thumbprint,
                    // this leads to the failure.
                    SecurityTokenInclusionMode.Never);
            ServiceHost host = new ServiceHost(typeof(Foo));
            HttpTransportBindingElement hbe =
                new HttpTransportBindingElement();
            CustomBinding binding = new CustomBinding(sbe, hbe);

            host.AddServiceEndpoint(typeof(IFoo),
                                    binding, new Uri("http://localhost:37564"));
            ServiceCredentials cred = new ServiceCredentials();

            cred.ServiceCertificate.Certificate =
                new X509Certificate2("Test/Resources/test.pfx", "mono");
            cred.ClientCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.None;
            host.Description.Behaviors.Add(cred);
            try {
                host.Open();
            } finally {
                if (host.State == CommunicationState.Opened)
                {
                    host.Close();
                }
            }
        }
Ejemplo n.º 10
0
        public void VerifyX509MessageSecurityAtService()
        {
            AsymmetricSecurityBindingElement clisbe =
                new AsymmetricSecurityBindingElement();

            clisbe.InitiatorTokenParameters =
                new X509SecurityTokenParameters();
            clisbe.RecipientTokenParameters =
                new X509SecurityTokenParameters();

            AsymmetricSecurityBindingElement svcsbe =
                new AsymmetricSecurityBindingElement();

            svcsbe.InitiatorTokenParameters =
                new X509SecurityTokenParameters();
            svcsbe.RecipientTokenParameters =
                new X509SecurityTokenParameters();

            CustomBinding b_req = new CustomBinding(clisbe,
                                                    new HttpTransportBindingElement());

            b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds(10);

            CustomBinding b_res = new CustomBinding(svcsbe, new HttpTransportBindingElement());

            b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds(10);

            EndpointAddress remaddr = new EndpointAddress(
                new Uri("http://localhost:37564"),
                new X509CertificateEndpointIdentity(cert2));
            CalcProxy   proxy = null;
            ServiceHost host  = new ServiceHost(typeof(CalcService));

            host.AddServiceEndpoint(typeof(ICalc), b_res, "http://localhost:37564");

            ServiceCredentials cred = new ServiceCredentials();

            cred.ServiceCertificate.Certificate = cert;
            host.Description.Behaviors.Add(cred);
            try {
                host.Open();

                proxy = new CalcProxy(b_req, remaddr);
                proxy.ClientCredentials.ClientCertificate.Certificate = cert;

                // FIXME: on WinFX, when this Begin method
                // is invoked before the listener setup, it
                // somehow works, while ours doesn't.
                //IAsyncResult result = proxy.BeginSum (1, 2, null, null);
                //Assert.AreEqual (3, proxy.EndSum (result));
                Assert.AreEqual(3, proxy.Sum(1, 2));
            } finally {
                if (host.State == CommunicationState.Opened)
                {
                    host.Close();
                }
            }
        }
Ejemplo n.º 11
0
            public override Binding CreateBinding()
            {
                Binding bin;
                var     tcpBin = new NetTcpBinding();

                tcpBin.ReliableSession.InactivityTimeout = InactivityTimeout;
                tcpBin.MaxBufferPoolSize                     = MaxBufferPoolSize;
                tcpBin.MaxBufferSize                         = MaxBufferSize;
                tcpBin.MaxConnections                        = MaxConnections;
                tcpBin.MaxReceivedMessageSize                = MaxReceivedMessageSize;
                tcpBin.ReaderQuotas.MaxBytesPerRead          = ReaderQuotas_MaxBytesPerRead;
                tcpBin.ReaderQuotas.MaxStringContentLength   = ReaderQuotas_MaxStringContentLength;
                tcpBin.ReaderQuotas.MaxArrayLength           = ReaderQuotas_MaxArrayLength;
                tcpBin.Security.Mode                         = SecurityMode;
                tcpBin.Security.Message.ClientCredentialType = ClientCredentialType;
                tcpBin.TransferMode = TransferMode;
                ConfigureTcpBindingAction?.Invoke(tcpBin);
                bin = tcpBin;

                // Check if ClockSkew has default values (300 segundos)
                if (LocalClientMaxClockSkew != TimeSpan.FromMinutes(5) || LocalServiceMaxClockSkew != TimeSpan.FromMinutes(5))
                {
                    CustomBinding cusBin = new CustomBinding(tcpBin);
                    SymmetricSecurityBindingElement symetricSecurity = cusBin.Elements.Find <SymmetricSecurityBindingElement>();
                    if (symetricSecurity != null)
                    {
                        //symetricSecurity.LocalServiceSettings.DetectReplays = false;
                        //symetricSecurity.LocalClientSettings.DetectReplays = false;
                        symetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
                        symetricSecurity.LocalClientSettings.MaxClockSkew  = LocalClientMaxClockSkew;
                        if (symetricSecurity.ProtectionTokenParameters is SecureConversationSecurityTokenParameters tokens)
                        {
                            //tokens.BootstrapSecurityBindingElement.LocalClientSettings.DetectReplays = false;
                            //tokens.BootstrapSecurityBindingElement.LocalServiceSettings.DetectReplays = false;
                            tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew  = LocalClientMaxClockSkew;
                            tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
                        }
                    }
                    AsymmetricSecurityBindingElement asymetricSecurity = cusBin.Elements.Find <AsymmetricSecurityBindingElement>();
                    if (asymetricSecurity != null)
                    {
                        asymetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
                        asymetricSecurity.LocalClientSettings.MaxClockSkew  = LocalClientMaxClockSkew;
                        if (asymetricSecurity.InitiatorTokenParameters is SecureConversationSecurityTokenParameters tokens)
                        {
                            tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew  = LocalClientMaxClockSkew;
                            tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew;
                        }
                    }
                    bin = cusBin;
                }
                bin.CloseTimeout   = CloseTimeout;
                bin.OpenTimeout    = OpenTimeout;
                bin.ReceiveTimeout = ReceiveTimeout;
                bin.SendTimeout    = SendTimeout;
                return(bin);
            }
Ejemplo n.º 12
0
        public override BindingElementCollection CreateBindingElements()
        {
            var transport =
                _useHttps
                    ? new HttpsTransportBindingElement()
                    : new HttpTransportBindingElement();

            if (_maxReceivedMessageSize.HasValue)
            {
                transport.MaxReceivedMessageSize =
                    _maxReceivedMessageSize.Value;
            }

            var encoding = new TextMessageEncodingBindingElement();

            // [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Adressing 1.0
            encoding.MessageVersion = MessageVersion.Soap12WSAddressing10;

            // AlwaysToInitiator is required by the [OIO IDWS SOAP 1.1] profile. This specifies that the server certificate must be embedded in the response.
            var recipientTokenParameters = new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.Any,
                SecurityTokenInclusionMode.AlwaysToInitiator);

            var initiatorTokenParameters =
                new CustomizedIssuedSecurityTokenParameters(
                    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                    );

            initiatorTokenParameters.UseStrTransform = true;

            var asymmetric = new AsymmetricSecurityBindingElement(recipientTokenParameters, initiatorTokenParameters);

            // Must be true in order for client to accept embedded server certificates instead of references. This is required by the [OIO IDWS SOAP 1.1] profile.
            // However, the client must still specify the server certificate explicitly.
            // Have not figured out how the client can use the embedded server certificate and make trust to it through a CA certificate and a CN (Common Name). This way the client should not need the server certificate.
            asymmetric.AllowSerializedSigningTokenOnReply = true;

            // No need for derived keys when both parties has a certificate. Also OIO-IDWS-SOAP does not make use of derived keys.
            asymmetric.SetKeyDerivation(false);

            // Include token (encrypted assertion from NemLog-in STS) in signature
            asymmetric.ProtectTokens = true;

            // Specifies that WCF can send and receive unsecured responses to secured requests.
            // Concrete this means that SOAP faults are send unencrypted. [OIO IDWS SOAP 1.1] does not specify whether or not SOAP faults can be encrypted but it looks like they should not be encrypted.
            // If encrypted the client is not able to process the encrypted SOAP fault if client is not setup correctly.
            // setting EnableUnsecuredResponse to true makes normal responses unsigned and processed by the client without error. This is not what we want :)
            //asymmetric.EnableUnsecuredResponse = true;

            var elements = new BindingElementCollection();

            elements.Add(asymmetric);
            elements.Add(encoding);
            elements.Add(transport);

            return(elements);
        }
 public IEnumerator <SecurityTokenParameters> GetEnumerator()
 {
     foreach (SecurityTokenParameters iteratorVariable0 in this.sbe.EndpointSupportingTokenParameters.Endorsing)
     {
         if (iteratorVariable0 != null)
         {
             yield return(iteratorVariable0);
         }
     }
     foreach (SecurityTokenParameters iteratorVariable1 in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing)
     {
         if (iteratorVariable1 == null)
         {
             continue;
         }
         yield return(iteratorVariable1);
     }
     foreach (SupportingTokenParameters iteratorVariable2 in this.sbe.OperationSupportingTokenParameters.Values)
     {
         if (iteratorVariable2 != null)
         {
             foreach (SecurityTokenParameters iteratorVariable3 in iteratorVariable2.Endorsing)
             {
                 if (iteratorVariable3 == null)
                 {
                     continue;
                 }
                 yield return(iteratorVariable3);
             }
             foreach (SecurityTokenParameters iteratorVariable4 in iteratorVariable2.SignedEndorsing)
             {
                 if (iteratorVariable4 == null)
                 {
                     continue;
                 }
                 yield return(iteratorVariable4);
             }
         }
     }
     if (this.sbe is SymmetricSecurityBindingElement)
     {
         SymmetricSecurityBindingElement sbe = (SymmetricSecurityBindingElement)this.sbe;
         if (sbe.ProtectionTokenParameters != null)
         {
             yield return(sbe.ProtectionTokenParameters);
         }
     }
     else if (this.sbe is AsymmetricSecurityBindingElement)
     {
         AsymmetricSecurityBindingElement iteratorVariable6 = (AsymmetricSecurityBindingElement)this.sbe;
         if (iteratorVariable6.RecipientTokenParameters != null)
         {
             yield return(iteratorVariable6.RecipientTokenParameters);
         }
     }
 }
Ejemplo n.º 14
0
	public static void Main ()
	{
		AsymmetricSecurityBindingElement sbe =
			new AsymmetricSecurityBindingElement ();
		//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
		//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
		//sbe.RequireSignatureConfirmation = true;

		//sbe.LocalServiceSettings.DetectReplays = false;
		//sbe.IncludeTimestamp = false;

		sbe.RecipientTokenParameters =
			new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
		sbe.InitiatorTokenParameters = 
			new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
		X509SecurityTokenParameters p =
			new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
		p.RequireDerivedKeys = false;
		//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
		UserNameSecurityTokenParameters up =
			new UserNameSecurityTokenParameters ();
		sbe.EndpointSupportingTokenParameters.Signed.Add (up);
		sbe.SetKeyDerivation (false);
		sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
		ServiceHost host = new ServiceHost (typeof (Foo));
		HttpTransportBindingElement hbe =
			new HttpTransportBindingElement ();
		CustomBinding binding = new CustomBinding (sbe, hbe);
		binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
		host.AddServiceEndpoint ("IFoo",
			binding, new Uri ("http://localhost:8080"));
		ServiceCredentials cred = new ServiceCredentials ();
		cred.ServiceCertificate.Certificate =
			new X509Certificate2 ("test.pfx", "mono");
		cred.ClientCertificate.Authentication.CertificateValidationMode =
			X509CertificateValidationMode.None;
		cred.UserNameAuthentication.UserNamePasswordValidationMode =
			UserNamePasswordValidationMode.Custom;
		cred.UserNameAuthentication.CustomUserNamePasswordValidator =
			UserNamePasswordValidator.None;
		host.Description.Behaviors.Add (cred);
		host.Description.Behaviors.Find<ServiceDebugBehavior> ()
			.IncludeExceptionDetailInFaults = true;
		foreach (ServiceEndpoint se in host.Description.Endpoints)
			se.Behaviors.Add (new StdErrInspectionBehavior ());
		ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
		smb.HttpGetEnabled = true;
		smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
		host.Description.Behaviors.Add (smb);
		host.Open ();
		Console.WriteLine ("Hit [CR] key to close ...");
		Console.ReadLine ();
		host.Close ();
	}
Ejemplo n.º 15
0
        public AsymetricSecurityBE()
        {
            MessageSecurityVersion securityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            SecurityBindingElement securityBE      = SecurityBindingElement.CreateMutualCertificateBindingElement(securityVersion, true);

            securityBE.IncludeTimestamp = true;
            securityBE.SetKeyDerivation(false);
            securityBE.SecurityHeaderLayout    = SecurityHeaderLayout.Lax;
            securityBE.EnableUnsecuredResponse = true;
            m_asymSecBE = securityBE as AsymmetricSecurityBindingElement;
        }
Ejemplo n.º 16
0
    public static void Main()
    {
        AsymmetricSecurityBindingElement sbe =
            new AsymmetricSecurityBindingElement();

        //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
        //sbe.RequireSignatureConfirmation = true;

        //sbe.LocalServiceSettings.DetectReplays = false;
        //sbe.IncludeTimestamp = false;

        sbe.RecipientTokenParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
        sbe.InitiatorTokenParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
        X509SecurityTokenParameters p =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);

        p.RequireDerivedKeys = false;
        //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
        sbe.SetKeyDerivation(false);
        sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        ServiceHost host = new ServiceHost(typeof(Foo));
        HttpTransportBindingElement hbe =
            new HttpTransportBindingElement();
        CustomBinding binding = new CustomBinding(sbe, hbe);

        binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
        host.AddServiceEndpoint("IFoo",
                                binding, new Uri("http://localhost:8080"));
        ServiceCredentials cred = new ServiceCredentials();

        cred.ServiceCertificate.Certificate =
            new X509Certificate2("test.pfx", "mono");
        cred.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.None;
        host.Description.Behaviors.Add(cred);
        host.Description.Behaviors.Find <ServiceDebugBehavior> ()
        .IncludeExceptionDetailInFaults = true;
        foreach (ServiceEndpoint se in host.Description.Endpoints)
        {
            se.Behaviors.Add(new StdErrInspectionBehavior());
        }
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();

        smb.HttpGetEnabled = true;
        smb.HttpGetUrl     = new Uri("http://localhost:8080/wsdl");
        host.Description.Behaviors.Add(smb);
        host.Open();
        Console.WriteLine("Hit [CR] key to close ...");
        Console.ReadLine();
        host.Close();
    }
Ejemplo n.º 17
0
        protected override SecurityBindingElement CreateMessageSecurity()
        {
            if (this.Security.Mode == WSFederationHttpSecurityMode.None)
            {
                throw new InvalidOperationException("Only message and  security is supported");
            }
            if (this.Security.Message.IssuedKeyType != SecurityKeyType.AsymmetricKey)
            {
                throw new InvalidOperationException("Only Asymmectric Keys are supported");
            }
            if (this.Security.Message.NegotiateServiceCredential)
            {
                throw new InvalidOperationException("Negocatiation of service credentials not supported");
            }
            if (this.Security.Message.EstablishSecurityContext)
            {
                throw new InvalidOperationException("Secure conversation not supported");
            }

            SecurityBindingElement security;

            if (this.Security.Mode == WSFederationHttpSecurityMode.Message)
            {
                SymmetricSecurityBindingElement  baseSecurity = (SymmetricSecurityBindingElement)base.CreateMessageSecurity();
                AsymmetricSecurityBindingElement asecurity    = new AsymmetricSecurityBindingElement();
                asecurity.InitiatorTokenParameters = baseSecurity.EndpointSupportingTokenParameters.Endorsing[0];

                X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
                serverToken.X509ReferenceStyle     = X509KeyIdentifierClauseType.Any;
                serverToken.InclusionMode          = SecurityTokenInclusionMode.Never;
                serverToken.RequireDerivedKeys     = false;
                asecurity.RecipientTokenParameters = serverToken;
                security = asecurity;
            }
            else
            {
                TransportSecurityBindingElement baseSecurity = (TransportSecurityBindingElement)base.CreateMessageSecurity();
                TransportSecurityBindingElement tsecurity    = new TransportSecurityBindingElement();

                tsecurity.EndpointSupportingTokenParameters.Endorsing.Add(baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]);

                security = tsecurity;
            }

            security.EnableUnsecuredResponse = true;
            security.IncludeTimestamp        = true;
            security.SecurityHeaderLayout    = SecurityHeaderLayout.Lax;
            security.DefaultAlgorithmSuite   = SecurityAlgorithmSuite.Basic256;
            security.MessageSecurityVersion  = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            security.SetKeyDerivation(false);

            return(security);
        }
Ejemplo n.º 18
0
 public IEnumerator <SecurityTokenParameters> GetEnumerator()
 {
     foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.Endorsing)
     {
         if (stp != null)
         {
             yield return(stp);
         }
     }
     foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing)
     {
         if (stp != null)
         {
             yield return(stp);
         }
     }
     foreach (SupportingTokenParameters str in this.sbe.OperationSupportingTokenParameters.Values)
     {
         if (str != null)
         {
             foreach (SecurityTokenParameters stp in str.Endorsing)
             {
                 if (stp != null)
                 {
                     yield return(stp);
                 }
             }
             foreach (SecurityTokenParameters stp in str.SignedEndorsing)
             {
                 if (stp != null)
                 {
                     yield return(stp);
                 }
             }
         }
     }
     if (this.sbe is SymmetricSecurityBindingElement)
     {
         SymmetricSecurityBindingElement ssbe = (SymmetricSecurityBindingElement)sbe;
         if (ssbe.ProtectionTokenParameters != null)
         {
             yield return(ssbe.ProtectionTokenParameters);
         }
     }
     else if (this.sbe is AsymmetricSecurityBindingElement)
     {
         AsymmetricSecurityBindingElement asbe = (AsymmetricSecurityBindingElement)sbe;
         if (asbe.RecipientTokenParameters != null)
         {
             yield return(asbe.RecipientTokenParameters);
         }
     }
 }
Ejemplo n.º 19
0
        public static SecurityToken getToken(sts.Token token)
        {
            var textmessageEncoding = new TextMessageEncodingBindingElement();

            textmessageEncoding.WriteEncoding  = Encoding.UTF8;
            textmessageEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10;

            var messageSecurity = new AsymmetricSecurityBindingElement();

            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion             = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            messageSecurity.MessageSecurityVersion             = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            //messageSecurity.EnableUnsecuredResponse = true;
            messageSecurity.IncludeTimestamp                   = false;
            messageSecurity.DefaultAlgorithmSuite              = SecurityAlgorithmSuite.Basic128Rsa15;
            messageSecurity.SecurityHeaderLayout               = SecurityHeaderLayout.Lax;
            messageSecurity.MessageProtectionOrder             = MessageProtectionOrder.SignBeforeEncrypt;
            messageSecurity.LocalClientSettings.DetectReplays  = false;
            messageSecurity.LocalServiceSettings.DetectReplays = false;

            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);

            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;

            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);

            initiator.RequireDerivedKeys             = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            var binding = new CustomBinding(messageSecurity, textmessageEncoding, new StrippingChannelBindingElement(), new HttpTransportBindingElement());
            WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri("http://login.staging.rapidsoft.ru:80/auth/sts"), EndpointIdentity.CreateDnsIdentity("test")));

            trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
            trustChannelFactory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
            trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
            trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
            trustChannelFactory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.None;
            trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

            WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();

            RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);

            rst.OnBehalfOf = new Microsoft.IdentityModel.Tokens.SecurityTokenElement(token, new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection());
            rst.KeyType    = WSTrust13Constants.KeyTypes.Asymmetric;

            RequestSecurityTokenResponse rstr = null;
            SecurityToken SecurityToken       = channel.Issue(rst, out rstr);

            return(SecurityToken);
        }
Ejemplo n.º 20
0
        /// <summary>
        /// Creates the custom binding.
        /// </summary>
        /// <param name="isCertificate">If set to true certificate security will be used.</param>
        /// <returns></returns>
        /// <remarks></remarks>
        public static Binding CreateCustomBinding(bool isCertificate, bool isHttps)
        {
            BindingElement securityBinding = null;

            BindingElement transport = null;

            if (isHttps)
            {
                HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
                transport = httpsTransport;
            }
            else
            {
                HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
                transport = httpTransport;
            }

            TextMessageEncodingBindingElement messageEncoding = new TextMessageEncodingBindingElement();

            if (!isCertificate)
            {
                TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();

                messageSecurity.IncludeTimestamp = false;

                securityBinding = messageSecurity;

                messageSecurity.AllowInsecureTransport = !isHttps;
            }
            else
            {
                AsymmetricSecurityBindingElement messageSecurity =
                    (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement
                    (
                        MessageSecurityVersion
                        .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
                    );

                messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
                messageSecurity.AllowInsecureTransport = !isHttps;

                securityBinding = messageSecurity;
                messageEncoding.MessageVersion = MessageVersion.Soap11;
            }

            CustomBinding result = new CustomBinding(securityBinding,
                                                     messageEncoding,
                                                     transport);

            return(result);
        }
Ejemplo n.º 21
0
        /// <summary>
        /// Returns a custom wcf binding that will create a SOAP request
        /// compatible with the Simple Order API Service
        /// </summary>
        protected static CustomBinding getWCFCustomBinding(Configuration config)
        {
            //Setup custom binding with HTTPS + Body Signing
            CustomBinding currentBinding = new CustomBinding();

            //Sign the body
            AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

            asec.SetKeyDerivation(false);
            asec.IncludeTimestamp        = false;
            asec.EnableUnsecuredResponse = true;
            asec.SecurityHeaderLayout    = SecurityHeaderLayout.Lax;

            if (config.UseSignedAndEncrypted)
            {
                asec.LocalClientSettings.IdentityVerifier = new CustomeIdentityVerifier();
                asec.RecipientTokenParameters             = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters {
                    InclusionMode = SecurityTokenInclusionMode.Once
                };
                asec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
                asec.EndpointSupportingTokenParameters.SignedEncrypted.Add(new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters());
                asec.SetKeyDerivation(false);
            }

            //Use custom encoder to strip unsigned timestamp in response
            CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();


            //Setup https transport
            HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();

            httpsTransport.RequireClientCertificate = true;
            httpsTransport.AuthenticationScheme     = AuthenticationSchemes.Anonymous;
            httpsTransport.MaxReceivedMessageSize   = 2147483647;
            httpsTransport.UseDefaultWebProxy       = false;

            //Setup Proxy if needed
            if (mProxy != null)
            {
                WebRequest.DefaultWebProxy        = mProxy;
                httpsTransport.UseDefaultWebProxy = true;
            }


            //Bind in order (Security layer, message layer, transport layer)
            currentBinding.Elements.Add(asec);
            currentBinding.Elements.Add(textBindingElement);
            currentBinding.Elements.Add(httpsTransport);
            return(currentBinding);
        }
Ejemplo n.º 22
0
        public static NCIServiceWCFClient CreateNCIServiceClient(Uri uri)
        {
            UCCProxyFactory.ClientCertificatePath     = HostingEnvironment.MapPath(@"~/App_Data/isbank_test_private.pfx");
            UCCProxyFactory.ServiceCertificatePath    = HostingEnvironment.MapPath(@"~/App_Data/ucc_test_public.cer");
            UCCProxyFactory.ClientCertificatePassword = "******";

            System.Net.ServicePointManager.Expect100Continue = false;

            if (string.IsNullOrEmpty(ClientCertificatePath) || string.IsNullOrEmpty(ServiceCertificatePath))
            {
                throw new InvalidOperationException("You should specify certificates path first");
            }

            if (string.IsNullOrEmpty(ClientCertificatePassword))
            {
                throw new InvalidOperationException("You should specify ClientCertificatePassword");
            }

            clientCertificate  = new X509Certificate2(ClientCertificatePath, ClientCertificatePassword);
            serviceCertificate = new X509Certificate2(ServiceCertificatePath);

            endpointIdentity = new X509CertificateEndpointIdentity(serviceCertificate, new X509Certificate2Collection(clientCertificate));
            EndpointAddress ea = new EndpointAddress(uri, endpointIdentity);

            CustomBinding cb = new CustomBinding();

            cb.CloseTimeout = new TimeSpan(50000000);
            TextMessageEncodingBindingElement messageBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
            HttpTransportBindingElement       nciTransport          = new HttpTransportBindingElement();

            nciTransport.MaxReceivedMessageSize = 5000000;                       //115000000;
            messageBindingElement.ReaderQuotas.MaxStringContentLength = 1200000; //11200000;
            AsymmetricSecurityBindingElement abe = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);;

            abe.AllowSerializedSigningTokenOnReply = true;
            abe.MessageProtectionOrder             = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
            abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
            abe.SetKeyDerivation(false);
            cb.Elements.Add(abe);
            cb.Elements.Add(messageBindingElement);
            cb.Elements.Add(nciTransport);
            NCIServiceWCFClient nciClient = new NCIServiceWCFClient(cb, ea);

            nciClient.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
            nciClient.ClientCredentials.ClientCertificate.Certificate         = clientCertificate;
            nciClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

            return(nciClient);
        }
Ejemplo n.º 23
0
        public static AsymmetricSecurityBindingElement CreateWusSecurityBindingElement()
        {
            //Create binding element for security
            AsymmetricSecurityBindingElement secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

            //Explicitly accept secured answers from endpoint
            secBE.AllowSerializedSigningTokenOnReply = true;

            secBE.DefaultAlgorithmSuite   = SecurityAlgorithmSuite.TripleDesRsa15;
            secBE.EnableUnsecuredResponse = true;
            secBE.IncludeTimestamp        = true;
            secBE.MessageProtectionOrder  = MessageProtectionOrder.EncryptBeforeSign;

            return(secBE);
        }
Ejemplo n.º 24
0
        static void Main(string[] args)
        {
            //<snippet5>
            EndpointAddress serviceEndpoint =
                new EndpointAddress(new Uri("http://localhost:6060/service"));

            CustomBinding binding = new CustomBinding();

            AsymmetricSecurityBindingElement securityBE =
                SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
                    MessageSecurityVersion.
                    WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

            // Add a custom IdentityVerifier because the service uses two certificates
            // (one for signing and one for encryption) and an endpoint identity that
            // contains a single identity claim.
            securityBE.LocalClientSettings.IdentityVerifier = new MyIdentityVerifier();
            binding.Elements.Add(securityBE);

            CompositeDuplexBindingElement compositeDuplex =
                new CompositeDuplexBindingElement();

            compositeDuplex.ClientBaseAddress = new Uri("http://localhost:6061/client");
            binding.Elements.Add(compositeDuplex);

            binding.Elements.Add(new OneWayBindingElement());

            binding.Elements.Add(new HttpTransportBindingElement());

            using (ChannelFactory <IMyServiceChannel> factory =
                       new ChannelFactory <IMyServiceChannel>(binding, serviceEndpoint))
            {
                MyClientCredentials credentials = new MyClientCredentials();
                SetupCertificates(credentials);
                factory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
                factory.Endpoint.Behaviors.Add(credentials);

                IMyServiceChannel channel = factory.CreateChannel();
                Console.WriteLine(channel.Hello("world"));
                channel.Close();
            }
            //</snippet5>
        }
        private static System.ServiceModel.Channels.Binding CreateBinding()
        {
            TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
            var httpTransport = new HttpTransportBindingElement();
            var messageSecurity = new AsymmetricSecurityBindingElement();
            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;

            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
            initiator.RequireDerivedKeys = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);

            return customBinding;
        }
Ejemplo n.º 26
0
        CreateBindingElements()
        {
            var list = new List <BindingElement> ();

            switch (Security.Mode)
            {
#if !NET_2_1
            case BasicHttpSecurityMode.Message:
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
                }
                goto case BasicHttpSecurityMode.TransportWithMessageCredential;

            case BasicHttpSecurityMode.TransportWithMessageCredential:
                SecurityBindingElement sec;
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    // FIXME: pass proper security token parameters.
                    sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                }
                else
                {
                    sec = new AsymmetricSecurityBindingElement();
                }
                list.Add(sec);
                break;
#endif
            }

#if NET_2_1
            if (EnableHttpCookieContainer)
            {
                list.Add(new HttpCookieContainerBindingElement());
            }
#endif

            list.Add(BuildMessageEncodingBindingElement());
            list.Add(GetTransport());

            return(new BindingElementCollection(list.ToArray()));
        }
Ejemplo n.º 27
0
    static void Run()
    {
        AsymmetricSecurityBindingElement sbe =
            new AsymmetricSecurityBindingElement();
        //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
        //sbe.RequireSignatureConfirmation = true;

        //sbe.LocalClientSettings.DetectReplays = false;
        //sbe.IncludeTimestamp = false;

        X509SecurityTokenParameters p =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);

        p.RequireDerivedKeys = false;
        //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
        UserNameSecurityTokenParameters up =
            new UserNameSecurityTokenParameters();

        sbe.EndpointSupportingTokenParameters.Signed.Add(up);
        sbe.RecipientTokenParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
        sbe.InitiatorTokenParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
        sbe.SetKeyDerivation(false);
        sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        HttpTransportBindingElement hbe =
            new HttpTransportBindingElement();
        CustomBinding    binding = new CustomBinding(new XBE(), sbe, hbe);
        X509Certificate2 cert    = new X509Certificate2("test.pfx", "mono");
        X509Certificate2 cert2   = new X509Certificate2("test2.pfx", "mono");
        FooProxy         proxy   = new FooProxy(binding,
                                                new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert)));

        //proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        proxy.ClientCredentials.UserName.UserName             = "******";
        proxy.ClientCredentials.ClientCertificate.Certificate = cert2;
        proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
        proxy.Open();
        Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
    }
Ejemplo n.º 28
0
        SecurityBindingElement CreateSecurityBindingElement()
        {
            SecurityBindingElement element;

            switch (Security.Mode)
            {
            case BasicHttpSecurityMode.Message:
                                #if NET_2_1 || XAMMAC_4_5
                throw new NotImplementedException();
#else
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
                }
                element = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
                break;
                        #endif
            case BasicHttpSecurityMode.TransportWithMessageCredential:
                                #if NET_2_1 || XAMMAC_4_5
                throw new NotImplementedException();
#else
                if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    element = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                }
                else
                {
                    element = new AsymmetricSecurityBindingElement();
                }
                break;
                        #endif
            default:
                return(null);
            }
                        #if !NET_2_1 && !XAMMAC_4_5
            element.SetKeyDerivation(false);
            element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
                        #endif
            return(element);
        }
Ejemplo n.º 29
0
        private CustomBinding CreatePullBinding()
        {
            CustomBinding pullBinding = new CustomBinding();

            pullBinding.Name = "ePUAPBinding";

            SecurityBindingElement sBElement = SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

            AsymmetricSecurityBindingElement bindingAsymetryczny = (AsymmetricSecurityBindingElement)sBElement;

            bindingAsymetryczny.SetKeyDerivation(true);

            bindingAsymetryczny.EnableUnsecuredResponse = false;

            bindingAsymetryczny.AllowInsecureTransport = false;

            bindingAsymetryczny.AllowSerializedSigningTokenOnReply = true;

            bindingAsymetryczny.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic192Rsa15;

            bindingAsymetryczny.IncludeTimestamp = true;

            bindingAsymetryczny.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

            pullBinding.Elements.Clear();

            pullBinding.Elements.Add(bindingAsymetryczny);

            pullBinding.Elements.Add(new TextMessageEncodingBindingElement()
            {
                MessageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11, AddressingVersion.None), WriteEncoding = new UTF8Encoding()
            });

            HttpsTransportBindingElement httpsbinding = new HttpsTransportBindingElement();

            pullBinding.Elements.Add(httpsbinding);

            return(pullBinding);
        }
Ejemplo n.º 30
0
        /// <summary>
        /// Returns a custom wcf binding that will create a SOAP request
        /// compatible with the Simple Order API Service
        /// </summary>
        protected static CustomBinding getWCFCustomBinding()
        {
            //Setup custom binding with HTTPS + Body Signing
            CustomBinding currentBinding = new CustomBinding();

            //Sign the body
            AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

            asec.SetKeyDerivation(false);
            asec.IncludeTimestamp        = false;
            asec.EnableUnsecuredResponse = true;
            asec.SecurityHeaderLayout    = SecurityHeaderLayout.Lax;

            //Use custom encoder to strip unsigned timestamp in response
            CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();


            //Setup https transport
            HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();

            httpsTransport.RequireClientCertificate = true;
            httpsTransport.AuthenticationScheme     = AuthenticationSchemes.Anonymous;
            httpsTransport.MaxReceivedMessageSize   = 2147483647;
            httpsTransport.UseDefaultWebProxy       = false;

            //Setup Proxy if needed
            if (mProxy != null)
            {
                WebRequest.DefaultWebProxy        = mProxy;
                httpsTransport.UseDefaultWebProxy = true;
            }


            //Bind in order (Security layer, message layer, transport layer)
            currentBinding.Elements.Add(asec);
            currentBinding.Elements.Add(textBindingElement);
            currentBinding.Elements.Add(httpsTransport);
            return(currentBinding);
        }
        private static System.ServiceModel.Channels.Binding CreateBinding()
        {
            TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
            var httpTransport   = new HttpTransportBindingElement();
            var messageSecurity = new AsymmetricSecurityBindingElement();

            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion             = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);

            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;

            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);

            initiator.RequireDerivedKeys             = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);

            return(customBinding);
        }
        /// <summary>
        /// 
        /// </summary>
        /// <param name="transport"></param>
        /// <returns></returns>
        private static System.ServiceModel.Channels.Binding CreateBinding(TransportBindingElement transport)
        {
            TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);

            var messageSecurity = new AsymmetricSecurityBindingElement();
            messageSecurity.LocalClientSettings.IdentityVerifier = new DisabledDnsIdentityCheck();

            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
            var initiator = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
            messageSecurity.ProtectTokens = true;
            initiator.UseStrTransform = true;
            initiator.KeyType = SecurityKeyType.AsymmetricKey;
            initiator.RequireDerivedKeys = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, transport);

            return customBinding;
        }
Ejemplo n.º 33
0
        public WSSecurityBinding(bool sslLocation, X509Certificate2 serviceCertificate)
        {
            this.sslLocation = sslLocation;

            // Get CN from service certificate, used to set Dns Identity Claim
            string cn = null;

            foreach (string issuerPart in serviceCertificate.Issuer.Split(','))
            {
                string[] parts = issuerPart.Split('=');
                if (parts[0].ToUpperInvariant().EndsWith("CN"))
                {
                    cn = parts[1];
                }
            }

            TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();

            encoding.MessageVersion = MessageVersion.Soap11;

            AsymmetricSecurityBindingElement securityBinding = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement();

            securityBinding.LocalClientSettings.IdentityVerifier = new DnsIdentityVerifier(new DnsEndpointIdentity(cn));
            securityBinding.AllowSerializedSigningTokenOnReply   = true;
            securityBinding.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

            this.bindingElements = new BindingElementCollection();
            this.bindingElements.Add(securityBinding);
            this.bindingElements.Add(encoding);
            if (this.sslLocation)
            {
                this.bindingElements.Add(new HttpsTransportBindingElement());
            }
            else
            {
                this.bindingElements.Add(new HttpTransportBindingElement());
            }
        }
        public static Binding GetIssuedTokenBindingSSL()
        {
            var textmessageEncoding = new TextMessageEncodingBindingElement();
            textmessageEncoding.WriteEncoding = Encoding.UTF8;
            textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;

            var messageSecurity = new AsymmetricSecurityBindingElement();
            messageSecurity.AllowSerializedSigningTokenOnReply = true;
            messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
            messageSecurity.RecipientTokenParameters = x509SecurityParamter;
            messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
            var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
            initiator.RequireDerivedKeys = false;
            messageSecurity.InitiatorTokenParameters = initiator;

            messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

            return new CustomBinding(
                messageSecurity,
                textmessageEncoding,
                new HttpsTransportBindingElement());
        }
		public void RejectInclusionModeNever ()
		{
			AsymmetricSecurityBindingElement sbe =
				new AsymmetricSecurityBindingElement ();
			sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters =
				new X509SecurityTokenParameters (
					X509KeyIdentifierClauseType.Thumbprint,
					// this leads to the failure.
					SecurityTokenInclusionMode.Never);
			ServiceHost host = new ServiceHost (typeof (Foo));
			HttpTransportBindingElement hbe =
				new HttpTransportBindingElement ();
			CustomBinding binding = new CustomBinding (sbe, hbe);
			host.AddServiceEndpoint (typeof (IFoo),
				binding, new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()));
			ServiceCredentials cred = new ServiceCredentials ();
			cred.ServiceCertificate.Certificate =
				new X509Certificate2 ("Test/Resources/test.pfx", "mono");
			cred.ClientCertificate.Authentication.CertificateValidationMode =
				X509CertificateValidationMode.None;
			host.Description.Behaviors.Add (cred);
			try {
				host.Open ();
			} finally {
				if (host.State == CommunicationState.Opened)
					host.Close ();
			}
		}
		public void ClientInitiatorHasNoKeysCore (bool deriveKeys, MessageProtectionOrder order)
		{
			AsymmetricSecurityBindingElement sbe =
				new AsymmetricSecurityBindingElement ();
			sbe.InitiatorTokenParameters =
				new UserNameSecurityTokenParameters ();
			sbe.RecipientTokenParameters =
				new X509SecurityTokenParameters ();
			sbe.SetKeyDerivation (deriveKeys);
			sbe.MessageProtectionOrder = order;
			TransportBindingElement tbe = new HandlerTransportBindingElement (delegate (Message input) {
				// funky, but .NET does not raise an error
				// until it writes the message to somewhere.
				// That is, it won't raise an error if this
				// HandlerTransportBindingElement does not
				// write the input message to somewhere.
				// It is an obvious bug.
				input.WriteMessage (XmlWriter.Create (TextWriter.Null));
				throw new Exception ();
			});
			CustomBinding binding = new CustomBinding (sbe, tbe);
			EndpointAddress address = new EndpointAddress (
				new Uri ("stream:dummy"),
				new X509CertificateEndpointIdentity (cert2));
			CalcProxy proxy = new CalcProxy (binding, address);
			proxy.ClientCredentials.UserName.UserName = "******";
			proxy.Open ();
			// Until here the wrong parameters are not checked.
			proxy.Sum (1, 2);
		}
		public void VerifyX509MessageSecurityAtService ()
		{
			AsymmetricSecurityBindingElement clisbe =
				new AsymmetricSecurityBindingElement ();
			clisbe.InitiatorTokenParameters =
				new X509SecurityTokenParameters ();
			clisbe.RecipientTokenParameters =
				new X509SecurityTokenParameters ();

			AsymmetricSecurityBindingElement svcsbe =
				new AsymmetricSecurityBindingElement ();
			svcsbe.InitiatorTokenParameters =
				new X509SecurityTokenParameters ();
			svcsbe.RecipientTokenParameters =
				new X509SecurityTokenParameters ();

			CustomBinding b_req = new CustomBinding (clisbe,
				new HttpTransportBindingElement ());

			b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds (10);

			CustomBinding b_res = new CustomBinding (svcsbe, new HttpTransportBindingElement ());
			b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds (10);

			EndpointAddress remaddr = new EndpointAddress (
				new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()),
				new X509CertificateEndpointIdentity (cert2));
			CalcProxy proxy = null;
			ServiceHost host = new ServiceHost (typeof (CalcService));
			host.AddServiceEndpoint (typeof (ICalc), b_res, "http://localhost:" + NetworkHelpers.FindFreePort ());

			ServiceCredentials cred = new ServiceCredentials ();
			cred.ServiceCertificate.Certificate = cert;
			host.Description.Behaviors.Add (cred);
			try {
				host.Open ();

				proxy = new CalcProxy (b_req, remaddr);
				proxy.ClientCredentials.ClientCertificate.Certificate = cert;

				// FIXME: on WinFX, when this Begin method
				// is invoked before the listener setup, it
				// somehow works, while ours doesn't.
				//IAsyncResult result = proxy.BeginSum (1, 2, null, null);
				//Assert.AreEqual (3, proxy.EndSum (result));
				Assert.AreEqual (3, proxy.Sum (1, 2));
			} finally {
				if (host.State == CommunicationState.Opened)
					host.Close ();
			}
		}
		public void SetKeyDerivation ()
		{
			AsymmetricSecurityBindingElement be;
			X509SecurityTokenParameters p, p2;

			be = new AsymmetricSecurityBindingElement ();
			p = new X509SecurityTokenParameters ();
			p2 = new X509SecurityTokenParameters ();
			be.InitiatorTokenParameters = p;
			be.RecipientTokenParameters = p2;
			be.SetKeyDerivation (false);
			Assert.AreEqual (false, p.RequireDerivedKeys, "#1");
			Assert.AreEqual (false, p2.RequireDerivedKeys, "#2");

			be = new AsymmetricSecurityBindingElement ();
			p = new X509SecurityTokenParameters ();
			p2 = new X509SecurityTokenParameters ();
			be.SetKeyDerivation (false); // set in prior - makes no sense
			be.InitiatorTokenParameters = p;
			be.RecipientTokenParameters = p2;
			Assert.AreEqual (true, p.RequireDerivedKeys, "#3");
			Assert.AreEqual (true, p2.RequireDerivedKeys, "#4");
		}
Ejemplo n.º 39
0
		public AsymmetricSecurityCapabilities (
			AsymmetricSecurityBindingElement element)
		{
			this.element = element;
		}
		public void ServiceRecipientHasNoKeys ()
		{
			AsymmetricSecurityBindingElement sbe =
				new AsymmetricSecurityBindingElement ();
			sbe.InitiatorTokenParameters =
				new X509SecurityTokenParameters ();
			sbe.RecipientTokenParameters =
				new UserNameSecurityTokenParameters ();
			//sbe.SetKeyDerivation (false);
			//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
			CustomBinding binding = new CustomBinding (sbe,
				new HttpTransportBindingElement ());
			IChannelListener<IReplyChannel> l =
				binding.BuildChannelListener<IReplyChannel> (new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()), new BindingParameterCollection ());
			try {
				l.Open ();
			} finally {
				if (l.State == CommunicationState.Opened)
					l.Close ();
			}
		}
Ejemplo n.º 41
0
        private SecurityBindingElement CreateSecurity()
        {
            AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();

            X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();
            clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
            clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
            clientToken.RequireDerivedKeys = false;
            clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
            security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.

            X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
            serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
            serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
            serverToken.RequireDerivedKeys = false;
            serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External;
            security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work

            security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
            //Later on the unsigned binary token is removed and the non referecing signature is removed.  The signed token and referencing signature are linked.

            security.EnableUnsecuredResponse = true;
            security.IncludeTimestamp = true;
            security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
            security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
            security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            security.SetKeyDerivation(false);

            return security;
        }
Ejemplo n.º 42
0
		SecurityBindingElement CreateSecurityBindingElement () 
		{
            SecurityBindingElement element;
			switch (Security.Mode) {
#if !NET_2_1
			case BasicHttpSecurityMode.Message:
				if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
					throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
				element = SecurityBindingElement.CreateMutualCertificateBindingElement (
				    MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
				break;

			case BasicHttpSecurityMode.TransportWithMessageCredential:
				if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
					// FIXME: pass proper security token parameters.
					element = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
				else
					element = new AsymmetricSecurityBindingElement ();
				break;
#endif
			default: 
				return null;
			}

#if !NET_2_1
			element.SetKeyDerivation (false);
			element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
			return element;
		}
 public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
 {
     XmlElement element;
     Collection<Collection<XmlElement>> collection;
     bool flag = false;
     if (this.TryImportWsspAssertion(assertions, "RecipientToken", out element) && this.TryGetNestedPolicyAlternatives(importer, element, out collection))
     {
         foreach (Collection<XmlElement> collection2 in collection)
         {
             SecurityTokenParameters parameters;
             bool flag2;
             if (this.TryImportTokenAssertion(importer, policyContext, collection2, out parameters, out flag2) && (collection2.Count == 0))
             {
                 flag = true;
                 binding.RecipientTokenParameters = parameters;
                 return flag;
             }
         }
     }
     return flag;
 }
 public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)
 {
     Collection<Collection<XmlElement>> collection;
     binding = null;
     if (this.TryImportWsspAssertion(assertions, "AsymmetricBinding", out assertion) && this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
     {
         foreach (Collection<XmlElement> collection2 in collection)
         {
             MessageProtectionOrder order;
             binding = new AsymmetricSecurityBindingElement();
             if (((this.TryImportWsspInitiatorTokenAssertion(importer, policyContext, collection2, binding) && this.TryImportWsspRecipientTokenAssertion(importer, policyContext, collection2, binding)) && (this.TryImportWsspAlgorithmSuiteAssertion(importer, collection2, binding) && this.TryImportWsspLayoutAssertion(importer, collection2, binding))) && ((this.TryImportWsspIncludeTimestampAssertion(collection2, binding) && this.TryImportMessageProtectionOrderAssertions(collection2, out order)) && (this.TryImportWsspAssertion(collection2, "OnlySignEntireHeadersAndBody", true) && (collection2.Count == 0))))
             {
                 binding.MessageProtectionOrder = order;
                 break;
             }
             binding = null;
         }
     }
     return (binding != null);
 }
        public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
        {
            bool result = false;

            XmlElement assertion;
            Collection<Collection<XmlElement>> alternatives;
            if (TryImportWsspAssertion(assertions, RecipientTokenName, out assertion)
                && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
            {
                foreach (Collection<XmlElement> alternative in alternatives)
                {
                    SecurityTokenParameters tokenParameters;
                    bool isOptional;
                    if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional)
                        && alternative.Count == 0)
                    {
                        result = true;
                        binding.RecipientTokenParameters = tokenParameters;
                        break;
                    }
                }
            }

            return result;
        }
        public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)
        {
            binding = null;

            Collection<Collection<XmlElement>> alternatives;

            if (TryImportWsspAssertion(assertions, AsymmetricBindingName, out assertion)
                && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
            {
                foreach (Collection<XmlElement> alternative in alternatives)
                {
                    MessageProtectionOrder order;
                    bool protectTokens;
                    binding = new AsymmetricSecurityBindingElement();
                    if (TryImportWsspInitiatorTokenAssertion(importer, policyContext, alternative, binding)
                        && TryImportWsspRecipientTokenAssertion(importer, policyContext, alternative, binding)
                        && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding)
                        && TryImportWsspLayoutAssertion(importer, alternative, binding)
                        && TryImportWsspIncludeTimestampAssertion(alternative, binding)
                        && TryImportMessageProtectionOrderAssertions(alternative, out order)
                        && TryImportWsspProtectTokensAssertion(alternative, out protectTokens)
                        && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true)
                        && alternative.Count == 0)
                    {
                        binding.MessageProtectionOrder = order;
                        binding.ProtectTokens = protectTokens;
                        break;
                    }
                    else
                    {
                        binding = null;
                    }
                }
            }

            return binding != null;
        }
        private SecurityBindingElement CreateWSS11SecurityBindingElement()
        {
            AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();

            secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

            // TEST
            //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
            secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;

            secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            secBindingElement.IncludeTimestamp = true;
            secBindingElement.SetKeyDerivation(false);
            secBindingElement.AllowSerializedSigningTokenOnReply = true;
            secBindingElement.RequireSignatureConfirmation = false;

            //WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding");
            //CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport");

            // TEMPORARILY DISABLED

            // .Net 3.5
            //string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc";

            // .Net 4.0
            string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc";

            //IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
            //    new EndpointAddress(adsAddress), stsBinding);

            IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");


            issuedTokenParameters.UseStrTransform = false;

            issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
            //issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
            //issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey;

            // 256?
            //issuedTokenParameters.KeySize = 256;
            issuedTokenParameters.KeySize = 0;

            // .Net 3.5
            //string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex";

            // .Net 4.0
            //string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex";


            //issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress);
            issuedTokenParameters.RequireDerivedKeys = false;
            issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
            issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
            //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;

            // Claims
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));


            // THis is a test
            //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);

            // This is the right one
            secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);

            //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters);
            
            // need to put this in configuration

            //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any;


            X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier;

            //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial;

            //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;

            X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
                SecurityTokenInclusionMode.AlwaysToRecipient);
            initiatorTokenParameters.RequireDerivedKeys = false;
            initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;

            initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
            //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
            secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;

            X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
                SecurityTokenInclusionMode.Never);
            recipientTokenParameters.RequireDerivedKeys = false;
            recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
            recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
            secBindingElement.RecipientTokenParameters = recipientTokenParameters;


            secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;

            return secBindingElement;
        }
        private SecurityBindingElement CreateWSS10SecurityBindingElement()
        {
            AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();

            secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

            secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
            secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            secBindingElement.IncludeTimestamp = true;
            secBindingElement.SetKeyDerivation(false);
            secBindingElement.AllowSerializedSigningTokenOnReply = true;
            secBindingElement.RequireSignatureConfirmation = false;

            X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                SecurityTokenInclusionMode.AlwaysToRecipient);
            initiatorTokenParameters.RequireDerivedKeys = false;
            initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
            secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;

            X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                SecurityTokenInclusionMode.Never);
            recipientTokenParameters.RequireDerivedKeys = false;
            recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
            secBindingElement.RecipientTokenParameters = recipientTokenParameters;

            //secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
            //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters);

            //secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
            secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

            return secBindingElement;
        }
Ejemplo n.º 49
0
		public static void AssertAsymmetricSecurityBindingElement (
			SecurityAlgorithmSuite algorithm,
			bool includeTimestamp,
			SecurityKeyEntropyMode keyEntropyMode,
			MessageProtectionOrder messageProtectionOrder,
			MessageSecurityVersion messageSecurityVersion,
			bool requireSignatureConfirmation,
			SecurityHeaderLayout securityHeaderLayout,
			// EndpointSupportingTokenParameters
			int endorsing, int signed, int signedEncrypted, int signedEndorsing,
			// InitiatorTokenParameters
			bool hasInitiatorTokenParameters,
			SecurityTokenInclusionMode initiatorTokenInclusionMode,
			SecurityTokenReferenceStyle initiatorTokenReferenceStyle,
			bool initiatorTokenRequireDerivedKeys,
			// RecipientTokenParameters
			bool hasRecipientTokenParameters,
			SecurityTokenInclusionMode recipientTokenInclusionMode,
			SecurityTokenReferenceStyle recipientTokenReferenceStyle,
			bool recipientTokenRequireDerivedKeys,
			// LocalClientSettings
			bool cacheCookies,
			int renewalThresholdPercentage,
			bool detectReplays,
			AsymmetricSecurityBindingElement be, string label)
		{
			AssertSecurityBindingElement (
				algorithm,
				includeTimestamp,
				keyEntropyMode,
				messageSecurityVersion,
				securityHeaderLayout,
				// EndpointSupportingTokenParameters
				endorsing, signed, signedEncrypted, signedEndorsing,
				// LocalClientSettings
				cacheCookies,
				renewalThresholdPercentage,
				detectReplays,
				be, label);

			Assert.AreEqual (messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder");
			Assert.AreEqual (requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation");

			if (!hasInitiatorTokenParameters)
				Assert.IsNull (be.InitiatorTokenParameters, label + ".InitiatorTokenParameters (null)");
			else
				AssertSecurityTokenParameters (
					initiatorTokenInclusionMode,
					initiatorTokenReferenceStyle,
					initiatorTokenRequireDerivedKeys,
					be.InitiatorTokenParameters, label + ".InitiatorTokenParameters");
			if (!hasRecipientTokenParameters)
				Assert.IsNull (be.RecipientTokenParameters, label + ".RecipientTokenParameters (null)");
			else
				AssertSecurityTokenParameters (
					recipientTokenInclusionMode,
					recipientTokenReferenceStyle,
					recipientTokenRequireDerivedKeys,
					be.RecipientTokenParameters, label + ".RecipientTokenParameters");
		}
        public virtual XmlElement CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding)
        {
            if (binding == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
            }

            XmlElement result = CreateWsspAssertion(AsymmetricBindingName);
            result.AppendChild(
                CreateWspPolicyWrapper(
                    exporter,
                    CreateWsspInitiatorTokenAssertion(exporter, binding.InitiatorTokenParameters),
                    CreateWsspRecipientTokenAssertion(exporter, binding.RecipientTokenParameters),
                    CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite),
                    CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout),
                    CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp),
                    CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder),
                    CreateWsspEncryptSignatureAssertion(policyContext, binding),
                    CreateWsspProtectTokensAssertion(binding),
                    CreateWsspAssertion(OnlySignEntireHeadersAndBodyName)
            ));

            return result;
        }
Ejemplo n.º 51
0
			CreateBindingElements ()
		{
			var list = new List<BindingElement> ();
			switch (Security.Mode) {
#if !NET_2_1
			case BasicHttpSecurityMode.Message:
				if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
					throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate.");
				goto case BasicHttpSecurityMode.TransportWithMessageCredential;
			case BasicHttpSecurityMode.TransportWithMessageCredential:
				SecurityBindingElement sec;
				if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
					// FIXME: pass proper security token parameters.
					sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
				else
					sec = new AsymmetricSecurityBindingElement ();
				list.Add (sec);
				break;
#endif
			}

#if NET_2_1
			if (EnableHttpCookieContainer)
				list.Add (new HttpCookieContainerBindingElement ());
#endif

			list.Add (BuildMessageEncodingBindingElement ());
			list.Add (GetTransport ());

			return new BindingElementCollection (list.ToArray ());
		}
Ejemplo n.º 52
0
		SecurityBindingElement CreateSecurityBindingElement () 
		{
			SecurityBindingElement element;
			switch (Security.Mode) {
			case BasicHttpsSecurityMode.TransportWithMessageCredential:
#if NET_2_1
				throw new NotImplementedException ();
#else
				if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate)
					// FIXME: pass proper security token parameters.
					element = SecurityBindingElement.CreateCertificateOverTransportBindingElement ();
				else
					element = new AsymmetricSecurityBindingElement ();
				break;
#endif
			default: 
				return null;
			}
			
#if !NET_2_1
			element.SetKeyDerivation (false);
			element.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
#endif
			return element;
		}
        private SecurityBindingElement CreateSecurityBindingElement()
        {
            CustomTextTraceSource ts = new CustomTextTraceSource("Common.WspCustomSecuredBinding.CreateSecurityBindingElement",
                "MyTraceSource", System.Diagnostics.SourceLevels.Information);

            AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();

            secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

            //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
            secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;

            secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            secBindingElement.IncludeTimestamp = true;
            secBindingElement.SetKeyDerivation(false);
            secBindingElement.AllowSerializedSigningTokenOnReply = true;

            secBindingElement.RequireSignatureConfirmation = true;

            // SAML assertion as a signed-encrypted supporting token
            IssuedSecurityTokenParameters issuedTokenParameters =
                new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");

            // Compliance with WSS SAML Token Profile 1.1
            // Target .Net 3.5. Does not work with .Net 4
            issuedTokenParameters.UseStrTransform = _enableStrTransform;
            ts.TraceInformation("issuedTokenParameters.UseStrTransform = " + issuedTokenParameters.UseStrTransform.ToString());

            // Using bearer key type which means no proof key
            issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
            issuedTokenParameters.KeySize = 0;


            issuedTokenParameters.RequireDerivedKeys = false;
            issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
            issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
            //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;

            // These claims are not really needed here. We are doing out of band requests!
            // Claims
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
            //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));


            // GFIPM S2S 6.4 User Authorization - Encrypted GFIPM User Assertion
            //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);

            // For debug
            secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);

            X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;

            X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
                SecurityTokenInclusionMode.AlwaysToRecipient);
            initiatorTokenParameters.RequireDerivedKeys = false;
            initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;

            //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
            secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;

            X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
                SecurityTokenInclusionMode.AlwaysToInitiator);
            recipientTokenParameters.RequireDerivedKeys = false;
            recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
            //recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
            secBindingElement.RecipientTokenParameters = recipientTokenParameters;

            secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

            //Set the Custom IdentityVerifier
            secBindingElement.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();
            //////////////////////////////////////////////////////////
            
            return secBindingElement;
        }