public void SecureConvProviderGetToken()
{
InitiatorServiceModelSecurityTokenRequirement r =
CreateRequirement();
// it still requires SecurityAlgorithmSuite on GetToken().
r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default;
// the actual security binding element requires
// ProtectionTokenParameters.
r.SecureConversationSecurityBindingElement =
SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
// the above requires service certificate
BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);
ClientCredentials cred = new ClientCredentials();
cred.ServiceCertificate.DefaultCertificate = cert;
ctx.BindingParameters.Add(cred);
// without it, identity check fails on IssuerAddress
// (TargetAddress is used when IssuerAddress is not set)
r.TargetAddress = new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert));
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
// non-standard provider, it looks similar to IssuedSecurityTokenProvider.
((ICommunicationObject)p).Open();
p.GetToken(TimeSpan.FromSeconds(5));
}
public void CreateAnonymousForCertificateBindingElement()
{
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
SecurityAssert.AssertSymmetricSecurityBindingElement(
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
true, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
0, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
// test ProtectionTokenParameters
X509SecurityTokenParameters tp =
be.ProtectionTokenParameters
as X509SecurityTokenParameters;
Assert.IsNotNull(tp, "#2-1");
SecurityAssert.AssertSecurityTokenParameters(
SecurityTokenInclusionMode.Never,
SecurityTokenReferenceStyle.Internal,
true, tp, "Protection");
Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, tp.X509ReferenceStyle, "#2-2");
}
public static Binding CreateCustomBinding()
{
// <Snippet8>
// <Snippet3>
SymmetricSecurityBindingElement b =
SecurityBindingElement.
CreateAnonymousForCertificateBindingElement();
// </Snippet3>
// <Snippet4>
BindingElementCollection outputBindings =
new BindingElementCollection();
// </Snippet4>
// <Snippet5>
b.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
b.MessageProtectionOrder =
MessageProtectionOrder.SignBeforeEncrypt;
b.ProtectionTokenParameters =
new KerberosSecurityTokenParameters();
// </Snippet5>
// </Snippet8>
// <Snippet6>
outputBindings.Add(b);
outputBindings.Add(new TextMessageEncodingBindingElement());
outputBindings.Add(new HttpTransportBindingElement());
// </Snippet6>
// <Snippet7>
return(new CustomBinding(outputBindings));
// </Snippet7>
}
// <Snippet2>
// These public methods create custom bindings based on the built-in
// authentication modes that use the static methods of
// the System.ServiceModel.Channels.SecurityBindingElement class.
public static Binding CreateAnonymousForCertificateBinding()
{
BindingElementCollection bec = new BindingElementCollection();
bec.Add(SecurityBindingElement.
CreateAnonymousForCertificateBindingElement());
bec.Add(new TextMessageEncodingBindingElement());
bec.Add(new HttpTransportBindingElement());
return(new CustomBinding(bec));
}
internal SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement result;
bool isKerberosSelected = false;
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case MessageCredentialType.UserName:
result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case MessageCredentialType.Certificate:
result = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
case MessageCredentialType.Windows:
result = SecurityBindingElement.CreateKerberosBindingElement();
isKerberosSelected = true;
break;
case MessageCredentialType.IssuedToken:
result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
// set the algorithm suite and issued token params if required
if (wasAlgorithmSuiteSet || !isKerberosSelected)
{
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (isKerberosSelected)
{
result.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
result.IncludeTimestamp = false;
result.LocalServiceSettings.DetectReplays = false;
result.LocalClientSettings.DetectReplays = false;
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement element;
bool flag = false;
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case MessageCredentialType.Windows:
element = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
break;
case MessageCredentialType.UserName:
element = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case MessageCredentialType.Certificate:
element = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
case MessageCredentialType.IssuedToken:
element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
if (this.wasAlgorithmSuiteSet || !flag)
{
element.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (flag)
{
element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
element.IncludeTimestamp = false;
element.LocalServiceSettings.DetectReplays = false;
element.LocalClientSettings.DetectReplays = false;
return(element);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
SecurityBindingElement oneShotSecurity;
bool isKerberosSelected = false;
bool emitBspAttributes = true;
if (isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
else
{
if (negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite), true);
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateKerberosBindingElement();
isKerberosSelected = true;
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
// set the algorithm suite and issued token params if required
if (wasAlgorithmSuiteSet || (!isKerberosSelected))
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (isKerberosSelected)
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
result.IncludeTimestamp = true;
oneShotSecurity.MessageSecurityVersion = version;
result.MessageSecurityVersion = version;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
// issue the transition SCT for a short duration only
oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
}
case MessageCredentialType.Windows:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unsupported ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
case MessageCredentialType.UserName:
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
}
case MessageCredentialType.Certificate:
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
}
case MessageCredentialType.IssuedToken:
{
object[] objArray = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite };
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray));
break;
}
default:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unsupported ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
if (this.wasAlgorithmSuiteSet)
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.IncludeTimestamp = false;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.DetectReplays = false;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.DetectReplays = false;
return(wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
}
// <snippet2>
public override BindingElementCollection CreateBindingElements()
{
//SecurityBindingElement sbe = bec.Find<SecurityBindingElement>();
BindingElementCollection bec = new BindingElementCollection();
// By default http transport is used
SecurityBindingElement securityBinding;
BindingElement transport;
switch (assertion)
{
case WseSecurityAssertion.UsernameOverTransport:
transport = new HttpsTransportBindingElement();
securityBinding = (TransportSecurityBindingElement)SecurityBindingElement.CreateUserNameOverTransportBindingElement();
if (establishSecurityContext == true)
{
throw new InvalidOperationException("Secure Conversation is not supported for this Security Assertion Type");
}
if (requireSignatureConfirmation == true)
{
throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
}
break;
case WseSecurityAssertion.MutualCertificate10:
transport = new HttpTransportBindingElement();
securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
if (requireSignatureConfirmation == true)
{
throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
}
((AsymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.UsernameForCertificate:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateUserNameForCertificateBindingElement();
// We want signatureconfirmation on the bootstrap process
// either for the application messages or for the RST/RSTR
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.AnonymousForCertificate:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.MutualCertificate11:
transport = new HttpTransportBindingElement();
securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.Kerberos:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateKerberosBindingElement();
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
default:
throw new NotSupportedException("This supplied Wse security assertion is not supported");
}
//Set defaults for the security binding
securityBinding.IncludeTimestamp = true;
// Derived Keys
// set the preference for derived keys before creating SecureConversationBindingElement
securityBinding.SetKeyDerivation(requireDerivedKeys);
//Secure Conversation
if (establishSecurityContext == true)
{
SymmetricSecurityBindingElement secureconversation =
(SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
securityBinding, false);
// This is the default
//secureconversation.DefaultProtectionLevel = ProtectionLevel.EncryptAndSign;
//Set defaults for the secure conversation binding
secureconversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
// We do not want signature confirmation on the application level messages
// when secure conversation is enabled.
secureconversation.RequireSignatureConfirmation = false;
secureconversation.MessageProtectionOrder = messageProtectionOrder;
secureconversation.SetKeyDerivation(requireDerivedKeys);
securityBinding = secureconversation;
}
// Add the security binding to the binding collection
bec.Add(securityBinding);
// Add the message encoder.
TextMessageEncodingBindingElement textelement = new TextMessageEncodingBindingElement();
textelement.MessageVersion = MessageVersion.Soap11WSAddressingAugust2004;
//These are the defaults required for WSE
//textelement.MessageVersion = MessageVersion.Soap11Addressing1;
//textelement.WriteEncoding = System.Text.Encoding.UTF8;
bec.Add(textelement);
// Add the transport
bec.Add(transport);
// return the binding elements
return(bec);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element2;
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool flag = false;
bool emitBspRequiredAttributes = true;
if (!isSecureTransportMode)
{
if (this.negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite), true);
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateMutualCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
goto Label_01EE;
Label_01DA:
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
Label_01EE:
if (this.wasAlgorithmSuiteSet || !flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
element.IncludeTimestamp = true;
element2.MessageSecurityVersion = version;
element.MessageSecurityVersion = version;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}
protected internal virtual BindingElement CreateBindingElement(bool createTemplateOnly)
{
SecurityBindingElement result;
switch (this.AuthenticationMode)
{
case AuthenticationMode.AnonymousForCertificate:
result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case AuthenticationMode.AnonymousForSslNegotiated:
result = SecurityBindingElement.CreateSslNegotiationBindingElement(false, this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.CertificateOverTransport:
result = SecurityBindingElement.CreateCertificateOverTransportBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.IssuedToken:
result = SecurityBindingElement.CreateIssuedTokenBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.IssuedTokenForCertificate:
result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.IssuedTokenForSslNegotiated:
result = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType), this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.IssuedTokenOverTransport:
result = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.Kerberos:
result = SecurityBindingElement.CreateKerberosBindingElement();
break;
case AuthenticationMode.KerberosOverTransport:
result = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
break;
case AuthenticationMode.MutualCertificateDuplex:
result = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.MutualCertificate:
result = SecurityBindingElement.CreateMutualCertificateBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.MutualSslNegotiated:
result = SecurityBindingElement.CreateSslNegotiationBindingElement(true, this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.SspiNegotiated:
result = SecurityBindingElement.CreateSspiNegotiationBindingElement(this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.UserNameForCertificate:
result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case AuthenticationMode.UserNameForSslNegotiated:
result = SecurityBindingElement.CreateUserNameForSslBindingElement(this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.UserNameOverTransport:
result = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case AuthenticationMode.SspiNegotiatedOverTransport:
result = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(this.RequireSecurityContextCancellation);
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("AuthenticationMode", (int)this.AuthenticationMode, typeof(AuthenticationMode)));
}
this.ApplyConfiguration(result);
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement securityBindingElement;
SecurityBindingElement securityBindingElement1;
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.SecureConversationRequiredByReliableSession, new object[0])));
}
bool flag = false;
bool flag1 = true;
if (!isSecureTransportMode)
{
if (!this.negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
securityBindingElement1 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
goto Label0;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateMutualCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.CreateInfoCardParameters(flag1));
goto Label0;
}
}
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label0;
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label0;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label0;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label0;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.CreateInfoCardParameters(flag1), true);
goto Label0;
}
}
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
Label0:
securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0])));
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.CreateInfoCardParameters(flag1));
break;
}
default:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
}
if (this.wasAlgorithmSuiteSet || !flag)
{
SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite;
SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite;
securityBindingElement1.DefaultAlgorithmSuite = algorithmSuite;
securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite;
}
else if (flag)
{
SecurityAlgorithmSuite basic128 = SecurityAlgorithmSuite.Basic128;
SecurityAlgorithmSuite securityAlgorithmSuite1 = basic128;
securityBindingElement1.DefaultAlgorithmSuite = basic128;
securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite1;
}
securityBindingElement.IncludeTimestamp = true;
securityBindingElement1.MessageSecurityVersion = version;
securityBindingElement.MessageSecurityVersion = version;
if (isReliableSession)
{
securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = true;
securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = true;
}
else
{
securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = false;
securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = false;
}
if (this.IsSecureConversationEnabled())
{
securityBindingElement1.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15);
}
return(securityBindingElement);
}
/// <summary>
/// Creates a custom binding based on an example generated from svcutil.exe
/// </summary>
/// <param name="exeConfigPath"></param>
/// <returns></returns>
/// <remarks>
/// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx
/// </remarks>
public static List <CustomBinding> GetCustomBindings(string exeConfigPath)
{
if (string.IsNullOrWhiteSpace(exeConfigPath))
{
return(null);
}
var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath);
var configs = new List <CustomBinding>();
foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast <CustomBindingElement>())
{
var binding = new CustomBinding
{
Name = section.Name,
};
var cfgSecurity = section[0] as SecurityElement;
if (cfgSecurity == null)
{
configs.Add(binding);
continue;
}
var mode = cfgSecurity.AuthenticationMode;
var msgSecurityVersion = cfgSecurity.MessageSecurityVersion;
var issuedTokenParameter = new IssuedSecurityTokenParameters();
if (cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters != null)
{
foreach (var arp in cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters.Cast <XmlElementElement>())
{
issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement);
}
}
if (cfgSecurity.IssuedTokenParameters.Issuer?.Address != null)
{
var address = cfgSecurity.IssuedTokenParameters.Issuer.Address;
var idElem = cfgSecurity.IssuedTokenParameters.Issuer.Identity;
issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(address, idElem);
}
if (cfgSecurity.IssuedTokenParameters.Issuer?.Binding != null)
{
issuedTokenParameter.IssuerBinding = GetBindingByName(cfgSecurity.IssuedTokenParameters.Issuer.Binding);
}
if (cfgSecurity.IssuedTokenParameters.IssuerMetadata?.Address != null)
{
var address = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Address;
var idElem = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Identity;
issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(address, idElem);
}
SecurityBindingElement securityElemnt;
switch (mode)
{
case AuthenticationMode.IssuedTokenOverTransport:
securityElemnt =
SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.AnonymousForCertificate:
securityElemnt = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case AuthenticationMode.AnonymousForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
break;
case AuthenticationMode.CertificateOverTransport:
securityElemnt =
SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.IssuedToken:
securityElemnt = SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.IssuedTokenForCertificate:
securityElemnt = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.IssuedTokenForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.Kerberos:
securityElemnt = SecurityBindingElement.CreateKerberosBindingElement();
break;
case AuthenticationMode.KerberosOverTransport:
securityElemnt = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
break;
case AuthenticationMode.MutualCertificate:
securityElemnt = SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.MutualCertificateDuplex:
securityElemnt = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.MutualSslNegotiated:
securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
break;
case AuthenticationMode.SspiNegotiated:
securityElemnt = SecurityBindingElement.CreateSspiNegotiationBindingElement();
break;
case AuthenticationMode.SspiNegotiatedOverTransport:
securityElemnt = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement();
break;
case AuthenticationMode.UserNameForCertificate:
securityElemnt = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case AuthenticationMode.UserNameForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateUserNameForSslBindingElement();
break;
case AuthenticationMode.UserNameOverTransport:
securityElemnt = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
default:
throw new NotImplementedException();
}
securityElemnt.AllowInsecureTransport = cfgSecurity.AllowInsecureTransport;
securityElemnt.DefaultAlgorithmSuite = cfgSecurity.DefaultAlgorithmSuite;
securityElemnt.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse;
securityElemnt.IncludeTimestamp = cfgSecurity.IncludeTimestamp;
securityElemnt.MessageSecurityVersion = cfgSecurity.MessageSecurityVersion;
securityElemnt.KeyEntropyMode = cfgSecurity.KeyEntropyMode;
securityElemnt.ProtectTokens = cfgSecurity.ProtectTokens;
securityElemnt.SecurityHeaderLayout = cfgSecurity.SecurityHeaderLayout;
securityElemnt.SetKeyDerivation(cfgSecurity.RequireDerivedKeys);
binding.Elements.Add(securityElemnt);
configs.Add(binding);
}
return(configs);
}
