public override bool TryImportMsspSslContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
SecurityTokenInclusionMode mode;
parameters = null;
if (this.IsMsspAssertion(assertion, "SslContextToken") && this.TryGetIncludeTokenValue(assertion, out mode))
{
Collection <Collection <XmlElement> > collection;
if (this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
{
foreach (Collection <XmlElement> collection2 in collection)
{
bool flag;
bool flag2;
SslSecurityTokenParameters parameters2 = new SslSecurityTokenParameters();
parameters = parameters2;
if (((this.TryImportWsspRequireDerivedKeysAssertion(collection2, parameters2) && this.TryImportWsspMustNotSendCancelAssertion(collection2, out flag)) && (this.TryImportWsspMustNotSendAmendAssertion(collection2) && this.TryImportWsspMustNotSendRenewAssertion(collection2, out flag2))) && (this.TryImportMsspRequireClientCertificateAssertion(collection2, parameters2) && (collection2.Count == 0)))
{
parameters2.RequireCancellation = true;
parameters2.InclusionMode = mode;
break;
}
parameters = null;
}
}
else
{
parameters = new SslSecurityTokenParameters();
parameters.RequireDerivedKeys = false;
parameters.InclusionMode = mode;
}
}
return(parameters != null);
}
public void MessageSecurityCertificateNego()
{
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;
SymmetricSecurityBindingElement sbe =
binding.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
Assert.IsNotNull(sbe, "#1");
Assert.AreEqual(false, sbe.RequireSignatureConfirmation, "#1-2");
SecureConversationSecurityTokenParameters sp =
sbe.ProtectionTokenParameters
as SecureConversationSecurityTokenParameters;
Assert.IsNotNull(sp, "#2");
SymmetricSecurityBindingElement spbe =
sp.BootstrapSecurityBindingElement
as SymmetricSecurityBindingElement;
Assert.IsNotNull(spbe, "#3");
SslSecurityTokenParameters p =
spbe.ProtectionTokenParameters
as SslSecurityTokenParameters;
Assert.IsNotNull(p, "#4");
Assert.AreEqual(SecurityTokenReferenceStyle.Internal,
p.ReferenceStyle, "#5");
Assert.AreEqual(SecurityTokenInclusionMode.AlwaysToRecipient,
p.InclusionMode, "#6");
}
public void CreateSslNegotiationBindingElement()
{
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
SecurityAssert.AssertSymmetricSecurityBindingElement(
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
false, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
0, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.AlwaysToRecipient, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
// FIXME: also try different constructor arguments
// test ProtectionTokenParameters
Assert.AreEqual(typeof(SslSecurityTokenParameters), be.ProtectionTokenParameters.GetType(), "#1");
SslSecurityTokenParameters sp = be.ProtectionTokenParameters as SslSecurityTokenParameters;
Assert.AreEqual(true, sp.RequireCancellation, "#2");
Assert.AreEqual(true, sp.RequireClientCertificate, "#3");
}
public override bool TryImportMsspSslContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
parameters = null;
SecurityTokenInclusionMode inclusionMode;
Collection <Collection <XmlElement> > alternatives;
if (IsMsspAssertion(assertion, SslContextTokenName) &&
TryGetIncludeTokenValue(assertion, out inclusionMode))
{
if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
{
foreach (Collection <XmlElement> alternative in alternatives)
{
SslSecurityTokenParameters ssl = new SslSecurityTokenParameters();
parameters = ssl;
bool requireCancellation;
bool canRenewSession;
if (TryImportWsspRequireDerivedKeysAssertion(alternative, ssl) &&
TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation) &&
TryImportWsspMustNotSendAmendAssertion(alternative)
// We do not support Renew for spnego and sslnego. Read the
// assertion if present and ignore it.
&& TryImportWsspMustNotSendRenewAssertion(alternative, out canRenewSession) &&
TryImportMsspRequireClientCertificateAssertion(alternative, ssl) &&
alternative.Count == 0)
{
// Client always set this to true to match the standardbinding.
// This setting on client has no effect for spnego and sslnego.
ssl.RequireCancellation = true;
ssl.InclusionMode = inclusionMode;
break;
}
else
{
parameters = null;
}
}
}
else
{
parameters = new SslSecurityTokenParameters();
parameters.RequireDerivedKeys = false;
parameters.InclusionMode = inclusionMode;
}
}
return(parameters != null);
}
public void MessageSecurityNoSecureConversation()
{
WSHttpBinding b = new WSHttpBinding();
b.Security.Message.EstablishSecurityContext = false;
SymmetricSecurityBindingElement sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
Assert.IsNotNull(sbe, "#0");
Assert.AreEqual(
typeof(SspiSecurityTokenParameters),
sbe.ProtectionTokenParameters.GetType(), "#1");
// no worthy to check SSPI security as we never support it.
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
SslSecurityTokenParameters ssltp =
sbe.ProtectionTokenParameters
as SslSecurityTokenParameters;
Assert.IsNotNull(ssltp, "#2-1");
Assert.AreEqual(true, ssltp.RequireCancellation, "#2-2");
Assert.AreEqual(false, ssltp.RequireClientCertificate, "#2-3");
b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
ssltp = sbe.ProtectionTokenParameters as SslSecurityTokenParameters;
Assert.IsNotNull(ssltp, "#3-1");
// No NegotiateServiceCredential modes ...
b.Security.Message.NegotiateServiceCredential = false;
b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
KerberosSecurityTokenParameters ktp =
sbe.ProtectionTokenParameters
as KerberosSecurityTokenParameters;
Assert.IsNotNull(ktp, "#4-1");
// no worthy of testing windows-only Kerberos stuff
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
X509SecurityTokenParameters x509tp =
sbe.ProtectionTokenParameters
as X509SecurityTokenParameters;
Assert.IsNotNull(x509tp, "#5-1");
Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, x509tp.X509ReferenceStyle, "#5-2");
Assert.AreEqual(SecurityTokenInclusionMode.Never, x509tp.InclusionMode, "#5-3");
b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
Assert.AreEqual(1, sbe.EndpointSupportingTokenParameters.Endorsing.Count, "#6-0");
x509tp = sbe.EndpointSupportingTokenParameters.Endorsing [0] as X509SecurityTokenParameters;
Assert.IsNotNull(x509tp, "#6-1");
Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, x509tp.X509ReferenceStyle, "#6-2");
Assert.AreEqual(SecurityTokenInclusionMode.AlwaysToRecipient, x509tp.InclusionMode, "#6-3");
Assert.AreEqual(false, x509tp.RequireDerivedKeys, "#6-4");
x509tp = sbe.ProtectionTokenParameters as X509SecurityTokenParameters;
Assert.IsNotNull(x509tp, "#7-1");
Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, x509tp.X509ReferenceStyle, "#7-2");
Assert.AreEqual(SecurityTokenInclusionMode.Never, x509tp.InclusionMode, "#7-3");
Assert.AreEqual(true, x509tp.RequireDerivedKeys, "#7-4");
Assert.AreEqual(true, sbe.RequireSignatureConfirmation, "#8");
}
public override XmlElement CreateMsspSslContextTokenAssertion(MetadataExporter exporter, SslSecurityTokenParameters parameters)
{
XmlElement tokenAssertion = this.CreateMsspAssertion("SslContextToken");
this.SetIncludeTokenValue(tokenAssertion, parameters.InclusionMode);
tokenAssertion.AppendChild(this.CreateWspPolicyWrapper(exporter, new XmlElement[] { this.CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), this.CreateWsspMustNotSendCancelAssertion(false), this.CreateMsspRequireClientCertificateAssertion(parameters.RequireClientCertificate), this.CreateWsspMustNotSendAmendAssertion(), this.CreateWsspMustNotSendRenewAssertion() }));
return(tokenAssertion);
}
public override XmlElement CreateMsspSslContextTokenAssertion(MetadataExporter exporter, SslSecurityTokenParameters parameters)
{
XmlElement result = CreateMsspAssertion(SslContextTokenName);
SetIncludeTokenValue(result, parameters.InclusionMode);
result.AppendChild(
CreateWspPolicyWrapper(
exporter,
CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
// Always emit <sp:MustNotSendCancel/> for spnego and sslnego
CreateWsspMustNotSendCancelAssertion(false),
CreateMsspRequireClientCertificateAssertion(parameters.RequireClientCertificate),
CreateWsspMustNotSendAmendAssertion(),
CreateWsspMustNotSendRenewAssertion()
));
return(result);
}
