// this method reverses CreateMutualCertificateBindingElement() logic
internal static bool IsUserNameOverTransportBinding(SecurityBindingElement sbe)
{
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (!(sbe is TransportSecurityBindingElement))
{
return(false);
}
SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters;
if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 1 || parameters.Endorsing.Count != 0 || parameters.SignedEndorsing.Count != 0)
{
return(false);
}
UserNameSecurityTokenParameters userNameParameters = parameters.SignedEncrypted[0] as UserNameSecurityTokenParameters;
if (userNameParameters == null)
{
return(false);
}
return(true);
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
}
this.defaultAlgorithmSuite = elementToBeCloned.defaultAlgorithmSuite;
this.includeTimestamp = elementToBeCloned.includeTimestamp;
this.keyEntropyMode = elementToBeCloned.keyEntropyMode;
this.messageSecurityVersion = elementToBeCloned.messageSecurityVersion;
this.securityHeaderLayout = elementToBeCloned.securityHeaderLayout;
this.endpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.endpointSupportingTokenParameters.Clone();
this.optionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.optionalEndpointSupportingTokenParameters.Clone();
this.operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned.operationSupportingTokenParameters.Keys)
{
this.operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.operationSupportingTokenParameters[key].Clone();
}
this.optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
foreach (string key in elementToBeCloned.optionalOperationSupportingTokenParameters.Keys)
{
this.optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.optionalOperationSupportingTokenParameters[key].Clone();
}
this.localServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.localServiceSettings.Clone();
// this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement;
this.maxReceivedMessageSize = elementToBeCloned.maxReceivedMessageSize;
this.readerQuotas = elementToBeCloned.readerQuotas;
this.doNotEmitTrust = elementToBeCloned.doNotEmitTrust;
this.allowInsecureTransport = elementToBeCloned.allowInsecureTransport;
this.enableUnsecuredResponse = elementToBeCloned.enableUnsecuredResponse;
this.supportsExtendedProtectionPolicy = elementToBeCloned.supportsExtendedProtectionPolicy;
this.protectTokens = elementToBeCloned.protectTokens;
}
private void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
{
foreach (OperationDescription description in policyContext.Contract.Operations)
{
string action = null;
foreach (MessageDescription description2 in description.Messages)
{
if (description2.Direction == MessageDirection.Input)
{
action = description2.Action;
break;
}
}
SupportingTokenParameters requirements = new SupportingTokenParameters();
SupportingTokenParameters optionalRequirements = new SupportingTokenParameters();
ICollection <XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(description);
this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements);
if (((requirements.Endorsing.Count > 0) || (requirements.Signed.Count > 0)) || ((requirements.SignedEncrypted.Count > 0) || (requirements.SignedEndorsing.Count > 0)))
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("CannotImportSupportingTokensForOperationWithoutRequestAction")));
}
binding.OperationSupportingTokenParameters[action] = requirements;
}
if (((optionalRequirements.Endorsing.Count > 0) || (optionalRequirements.Signed.Count > 0)) || ((optionalRequirements.SignedEncrypted.Count > 0) || (optionalRequirements.SignedEndorsing.Count > 0)))
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("CannotImportSupportingTokensForOperationWithoutRequestAction")));
}
binding.OptionalOperationSupportingTokenParameters[action] = optionalRequirements;
}
}
}
// this method reverses CreateMutualCertificateBindingElement() logic
internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe)
{
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (!(sbe is TransportSecurityBindingElement))
{
return(false);
}
SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters;
if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0)
{
return(false);
}
if (!(parameters.Endorsing[0] is X509SecurityTokenParameters x509Parameters))
{
return(false);
}
if (x509Parameters.InclusionMode != SecurityTokenInclusionMode.AlwaysToRecipient)
{
return(false);
}
return(x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Any || x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Thumbprint);
}
void ValidateTokensByParameters(SupportingTokenParameters supp, List <SupportingTokenInfo> tokens, bool optional)
{
ValidateTokensByParameters(supp.Endorsing, tokens, optional, SecurityTokenAttachmentMode.Endorsing);
ValidateTokensByParameters(supp.Signed, tokens, optional, SecurityTokenAttachmentMode.Signed);
ValidateTokensByParameters(supp.SignedEndorsing, tokens, optional, SecurityTokenAttachmentMode.SignedEndorsing);
ValidateTokensByParameters(supp.SignedEncrypted, tokens, optional, SecurityTokenAttachmentMode.SignedEncrypted);
}
public static void Property_Signed()
{
SupportingTokenParameters stp = new SupportingTokenParameters();
Assert.NotNull(stp.Signed);
Assert.Equal(new Collection <SecurityTokenParameters>(), stp.Signed);
}
public void DefaultItems()
{
SupportingTokenParameters p = new SupportingTokenParameters();
Assert.AreEqual(0, p.Endorsing.Count, "#1");
Assert.AreEqual(0, p.Signed.Count, "#2");
Assert.AreEqual(0, p.SignedEncrypted.Count, "#3");
Assert.AreEqual(0, p.SignedEndorsing.Count, "#4");
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_includeTimestamp = defaultIncludeTimestamp;
_localClientSettings = new LocalClientSecuritySettings();
_endpointSupportingTokenParameters = new SupportingTokenParameters();
_securityHeaderLayout = SecurityProtocolFactory.defaultSecurityHeaderLayout;
}
public static void AssertSupportingTokenParameters(
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
SupportingTokenParameters tp, string label)
{
Assert.IsNotNull(tp, label + " IsNotNull");
Assert.AreEqual(endorsing, tp.Endorsing.Count, label + ".Endoring.Count");
Assert.AreEqual(signed, tp.Signed.Count, label + ".Signed.Count");
Assert.AreEqual(signedEncrypted, tp.SignedEncrypted.Count, label + ".SignedEncrypted.Count");
Assert.AreEqual(signedEndorsing, tp.SignedEndorsing.Count, label + ".SignedEndorsing.Count");
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_includeTimestamp = defaultIncludeTimestamp;
_localClientSettings = new LocalClientSecuritySettings();
_endpointSupportingTokenParameters = new SupportingTokenParameters();
_securityHeaderLayout = SecurityProtocolFactory.defaultSecurityHeaderLayout;
throw ExceptionHelper.PlatformNotSupported("SecurityBindingElement is not supported");
}
private SecurityBindingElement CreateSecurityBindingElement()
{
// Create an issued token parameters object.
IssuedSecurityTokenParameters issuedSecTok =
new IssuedSecurityTokenParameters();
// Create a security binding element with the parameter object.
SymmetricSecurityBindingElement secBindingEle =
SecurityBindingElement.CreateIssuedTokenBindingElement(issuedSecTok);
// Create a Kerberos token parameter object and set the inclusion
// mode to AlwaysToRecipient. Add the object as an endorsing token for
// all operations of the endpoint.
KerberosSecurityTokenParameters kstp = new KerberosSecurityTokenParameters();
kstp.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingEle.EndpointSupportingTokenParameters.Endorsing.Add(kstp);
// Create a username token parameter object and set its
// RequireDerivedKeys to false.
UserNameSecurityTokenParameters userNameParams =
new UserNameSecurityTokenParameters();
userNameParams.RequireDerivedKeys = false;
// Create a collection object for supporting tokens.
SupportingTokenParameters stp = new SupportingTokenParameters();
// Add the previously created supporting tokens.
stp.Endorsing.Add(issuedSecTok);
stp.SignedEncrypted.Add(userNameParams);
// Create a generic dictionary item, a KeyValuePair object
// that includes all supporting token parameters. Then add
// it to the dictionary for operation-scope supporting tokens.
KeyValuePair <string, SupportingTokenParameters> x =
new KeyValuePair <string, SupportingTokenParameters>("1", stp);
secBindingEle.OperationSupportingTokenParameters.Add(x);
// See all dictionary items for the supporting tokens.
Console.WriteLine("Reading Kevalue pairs");
foreach (KeyValuePair <string, SupportingTokenParameters> kvp
in secBindingEle.OperationSupportingTokenParameters)
{
Console.WriteLine("{0}: {1}", kvp.Key, kvp.Value);
}
Console.ReadLine();
return(secBindingEle);
}
internal SecurityBindingElement()
{
DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default;
MessageSecurityVersion = MessageSecurityVersion.Default;
IncludeTimestamp = true;
KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
endpoint = new SupportingTokenParameters();
operation = new Dictionary <string, SupportingTokenParameters> ();
opt_endpoint = new SupportingTokenParameters();
opt_operation = new Dictionary <string, SupportingTokenParameters> ();
client_settings = new LocalClientSecuritySettings();
service_settings = new LocalServiceSecuritySettings();
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_keyEntropyMode = AcceleratedTokenProvider.defaultKeyEntropyMode;
IncludeTimestamp = defaultIncludeTimestamp;
_defaultAlgorithmSuite = defaultDefaultAlgorithmSuite;
LocalClientSettings = new LocalClientSecuritySettings();
EndpointSupportingTokenParameters = new SupportingTokenParameters();
OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_securityHeaderLayout = SecurityProtocolFactory.defaultSecurityHeaderLayout;
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
}
_includeTimestamp = elementToBeCloned._includeTimestamp;
_messageSecurityVersion = elementToBeCloned._messageSecurityVersion;
_securityHeaderLayout = elementToBeCloned._securityHeaderLayout;
_endpointSupportingTokenParameters = elementToBeCloned._endpointSupportingTokenParameters.Clone();
_localClientSettings = elementToBeCloned._localClientSettings.Clone();
throw ExceptionHelper.PlatformNotSupported("SecurityBindingElement cloning not supported.");
}
private void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
{
foreach (OperationDescription operation in policyContext.Contract.Operations)
{
string requestAction = null;
foreach (MessageDescription message in operation.Messages)
{
if (message.Direction == MessageDirection.Input)
{
requestAction = message.Action;
break;
}
}
SupportingTokenParameters requirements = new SupportingTokenParameters();
SupportingTokenParameters optionalRequirements = new SupportingTokenParameters();
ICollection <XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation);
this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements);
if (requirements.Endorsing.Count > 0 ||
requirements.Signed.Count > 0 ||
requirements.SignedEncrypted.Count > 0 ||
requirements.SignedEndorsing.Count > 0)
{
if (requestAction != null)
{
binding.OperationSupportingTokenParameters[requestAction] = requirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction));
}
}
if (optionalRequirements.Endorsing.Count > 0 ||
optionalRequirements.Signed.Count > 0 ||
optionalRequirements.SignedEncrypted.Count > 0 ||
optionalRequirements.SignedEndorsing.Count > 0)
{
if (requestAction != null)
{
binding.OptionalOperationSupportingTokenParameters[requestAction] = optionalRequirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction)));
}
}
}
}
private void GetSupportingTokensCapabilities(SupportingTokenParameters requirements, out bool supportsClientAuth, out bool supportsWindowsIdentity)
{
supportsClientAuth = false;
supportsWindowsIdentity = false;
GetSupportingTokensCapabilities(requirements.Endorsing, out bool tmpSupportsClientAuth, out bool tmpSupportsWindowsIdentity);
supportsClientAuth = supportsClientAuth || tmpSupportsClientAuth;
supportsWindowsIdentity = supportsWindowsIdentity || tmpSupportsWindowsIdentity;
GetSupportingTokensCapabilities(requirements.SignedEndorsing, out tmpSupportsClientAuth, out tmpSupportsWindowsIdentity);
supportsClientAuth = supportsClientAuth || tmpSupportsClientAuth;
supportsWindowsIdentity = supportsWindowsIdentity || tmpSupportsWindowsIdentity;
GetSupportingTokensCapabilities(requirements.SignedEncrypted, out tmpSupportsClientAuth, out tmpSupportsWindowsIdentity);
supportsClientAuth = supportsClientAuth || tmpSupportsClientAuth;
supportsWindowsIdentity = supportsWindowsIdentity || tmpSupportsWindowsIdentity;
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
}
_includeTimestamp = elementToBeCloned._includeTimestamp;
_messageSecurityVersion = elementToBeCloned._messageSecurityVersion;
_securityHeaderLayout = elementToBeCloned._securityHeaderLayout;
_endpointSupportingTokenParameters = elementToBeCloned._endpointSupportingTokenParameters.Clone();
_localClientSettings = elementToBeCloned._localClientSettings.Clone();
_maxReceivedMessageSize = elementToBeCloned._maxReceivedMessageSize;
_readerQuotas = elementToBeCloned._readerQuotas;
}
internal SecurityBindingElement()
: base()
{
_messageSecurityVersion = MessageSecurityVersion.Default;
_keyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; // AcceleratedTokenProvider.defaultKeyEntropyMode;
IncludeTimestamp = DefaultIncludeTimestamp;
_defaultAlgorithmSuite = s_defaultDefaultAlgorithmSuite;
LocalServiceSettings = new LocalServiceSecuritySettings();
EndpointSupportingTokenParameters = new SupportingTokenParameters();
OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters();
_operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
_securityHeaderLayout = SecurityHeaderLayout.Strict; // SecurityProtocolFactory.defaultSecurityHeaderLayout;
AllowInsecureTransport = DefaultAllowInsecureTransport;
EnableUnsecuredResponse = DefaultEnableUnsecuredResponse;
ProtectTokens = DefaultProtectTokens;
}
private static ServiceHost StartSTS(Type type, string stsLabel, Uri baseAddress, Uri baseMexAddress)
{
// Create the service host
Uri stsAddress = new Uri(baseAddress.AbsoluteUri + "/" + stsLabel);
ServiceHost serviceHost = new ServiceHost(type, stsAddress);
// Don't require derived keys for the issue method
ServiceEndpoint stsEndpoint = serviceHost.Description.Endpoints.Find(typeof(nl.telin.authep.sts.IWSTrustContract));
BindingElementCollection bindingElements = stsEndpoint.Binding.CreateBindingElements();
SecurityBindingElement sbe = bindingElements.Find <SecurityBindingElement>();
RsaSecurityTokenParameters rsaParams = new RsaSecurityTokenParameters();
rsaParams.InclusionMode = SecurityTokenInclusionMode.Never;
rsaParams.RequireDerivedKeys = false;
SupportingTokenParameters requirements = new SupportingTokenParameters();
requirements.Endorsing.Add(rsaParams);
sbe.OptionalOperationSupportingTokenParameters.Add(nl.telin.authep.sts.Constants.WSTrust.Actions.Issue, requirements);
stsEndpoint.Binding = new CustomBinding(bindingElements);
serviceHost.Credentials.ServiceCertificate.Certificate = SigningCertificate;
// Add an https mex listener
string mexAddress = baseMexAddress.AbsoluteUri + "/" + stsLabel + "/mex";
serviceHost.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName, MetadataExchangeBindings.CreateMexHttpsBinding(), mexAddress);
// Disable CRL
serviceHost.Credentials.IssuedTokenAuthentication.RevocationMode = X509RevocationMode.NoCheck;
// Open the service
serviceHost.Open();
// Display the endpoints
foreach (ChannelDispatcher cd in serviceHost.ChannelDispatchers)
{
foreach (EndpointDispatcher ed in cd.Endpoints)
{
Console.WriteLine("Listener = {0}, State = {1}", ed.EndpointAddress.ToString(), cd.State.ToString());
}
}
return(serviceHost);
}
private static void SetIssuerBindingContextIfRequired(SupportingTokenParameters supportingParameters, BindingContext issuerBindingContext)
{
for (int i = 0; i < supportingParameters.Endorsing.Count; ++i)
{
SetIssuerBindingContextIfRequired(supportingParameters.Endorsing[i], issuerBindingContext);
}
for (int i = 0; i < supportingParameters.SignedEndorsing.Count; ++i)
{
SetIssuerBindingContextIfRequired(supportingParameters.SignedEndorsing[i], issuerBindingContext);
}
for (int i = 0; i < supportingParameters.Signed.Count; ++i)
{
SetIssuerBindingContextIfRequired(supportingParameters.Signed[i], issuerBindingContext);
}
for (int i = 0; i < supportingParameters.SignedEncrypted.Count; ++i)
{
SetIssuerBindingContextIfRequired(supportingParameters.SignedEncrypted[i], issuerBindingContext);
}
}
public void DefaultMessageSecurity()
{
WSHttpBinding b = new WSHttpBinding();
SymmetricSecurityBindingElement sbe = b.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
Assert.IsNotNull(sbe, "#0");
SecureConversationSecurityTokenParameters p =
sbe.ProtectionTokenParameters as SecureConversationSecurityTokenParameters;
Assert.IsNotNull(p, "#1");
SymmetricSecurityBindingElement scbe =
p.BootstrapSecurityBindingElement as SymmetricSecurityBindingElement;
Assert.IsNotNull(scbe, "#1.1");
// since the default w/o SecureConv is SSPI ...
Assert.IsTrue(scbe.ProtectionTokenParameters is SspiSecurityTokenParameters, "#1.2");
Assert.AreEqual(SecurityAlgorithmSuite.Default,
sbe.DefaultAlgorithmSuite, "#2");
SupportingTokenParameters s =
sbe.EndpointSupportingTokenParameters;
Assert.IsNotNull(s, "#3");
Assert.AreEqual(0, s.Endorsing.Count, "#3-1");
Assert.AreEqual(0, s.Signed.Count, "#3-2");
Assert.AreEqual(0, s.SignedEndorsing.Count, "#3-3");
Assert.AreEqual(0, s.SignedEncrypted.Count, "#3-4");
Assert.AreEqual(0, sbe.OperationSupportingTokenParameters.Count, "#4");
s = sbe.OptionalEndpointSupportingTokenParameters;
Assert.IsNotNull(s, "#5");
Assert.AreEqual(0, s.Endorsing.Count, "#5-1");
Assert.AreEqual(0, s.Signed.Count, "#5-2");
Assert.AreEqual(0, s.SignedEndorsing.Count, "#5-3");
Assert.AreEqual(0, s.SignedEncrypted.Count, "#5-4");
Assert.AreEqual(0, sbe.OptionalOperationSupportingTokenParameters.Count, "#6");
}
// this method reverses CreateMutualCertificateBindingElement() logic
internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe)
{
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (!(sbe is TransportSecurityBindingElement))
{
return(false);
}
SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters;
if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0)
{
return(false);
}
throw ExceptionHelper.PlatformNotSupported("SecurityBindingElement.IsCertificateOverTransportBinding is not supported.");
}
void CollectSupportingTokensCore(
SupportingTokenInfoCollection l,
SupportingTokenParameters s,
bool required)
{
foreach (SecurityTokenParameters p in s.Signed)
{
l.Add(new SupportingTokenInfo(GetSigningToken(p), SecurityTokenAttachmentMode.Signed, required));
}
foreach (SecurityTokenParameters p in s.Endorsing)
{
l.Add(new SupportingTokenInfo(GetSigningToken(p), SecurityTokenAttachmentMode.Endorsing, required));
}
foreach (SecurityTokenParameters p in s.SignedEndorsing)
{
l.Add(new SupportingTokenInfo(GetSigningToken(p), SecurityTokenAttachmentMode.SignedEndorsing, required));
}
foreach (SecurityTokenParameters p in s.SignedEncrypted)
{
l.Add(new SupportingTokenInfo(GetSigningToken(p), SecurityTokenAttachmentMode.SignedEncrypted, required));
}
}
//<snippet7>
// This method creates a CustomBinding that includes two tokens of a given type.
//<snippet8>
public static Binding CreateCustomBinding(EndpointAddress issuerEndpointAddress1, Binding issuerBinding1, EndpointAddress issuerEndpointAddress2, Binding issuerBinding2)
{
//<snippet9>
// Create an empty BindingElementCollection to populate,
// then create a custom binding from it.
BindingElementCollection bec = new BindingElementCollection();
//</snippet9>
//<snippet10>
SecurityBindingElement sbe = SecurityBindingElement.CreateMutualCertificateBindingElement();
//</snippet10>
//<snippet11>
SupportingTokenParameters supportParams = new SupportingTokenParameters();
//</snippet11>
//<snippet12>
// Two supporting SAML tokens are being added.
supportParams.SignedEndorsing.Add(new IssuedSecurityTokenParameters("samlTokenType", issuerEndpointAddress1, issuerBinding1));
supportParams.SignedEndorsing.Add(new IssuedSecurityTokenParameters("samlTokenType", issuerEndpointAddress2, issuerBinding2));
//</snippet12>
//<snippet13>
((SymmetricSecurityBindingElement)sbe).OperationSupportingTokenParameters.Add("*", supportParams);
//</snippet13>
//<snippet14>
bec.Add(sbe);
bec.Add(new TextMessageEncodingBindingElement());
bec.Add(new HttpTransportBindingElement());
//</snippet14>
//<snippet15>
// Create a CustomBinding and return it; otherwise, return null.
return(new CustomBinding(bec));
//</snippet15>
}
internal static bool AreBindingsMatching(SecurityBindingElement b1, SecurityBindingElement b2, bool exactMessageSecurityVersion)
{
if (b1 == null || b2 == null)
{
return(b1 == b2);
}
if (b1.GetType() != b2.GetType())
{
return(false);
}
if (b1.MessageSecurityVersion != b2.MessageSecurityVersion)
{
// exactMessageSecurityVersion meant that BSP mismatch could be ignored
if (exactMessageSecurityVersion)
{
return(false);
}
if (b1.MessageSecurityVersion.SecurityVersion != b2.MessageSecurityVersion.SecurityVersion ||
b1.MessageSecurityVersion.TrustVersion != b2.MessageSecurityVersion.TrustVersion ||
b1.MessageSecurityVersion.SecureConversationVersion != b2.MessageSecurityVersion.SecureConversationVersion ||
b1.MessageSecurityVersion.SecurityPolicyVersion != b2.MessageSecurityVersion.SecurityPolicyVersion)
{
return(false);
}
}
if (b1.SecurityHeaderLayout != b2.SecurityHeaderLayout)
{
return(false);
}
if (b1.DefaultAlgorithmSuite != b2.DefaultAlgorithmSuite)
{
return(false);
}
if (b1.IncludeTimestamp != b2.IncludeTimestamp)
{
return(false);
}
if (b1.SecurityHeaderLayout != b2.SecurityHeaderLayout)
{
return(false);
}
if (b1.KeyEntropyMode != b2.KeyEntropyMode)
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(b1.EndpointSupportingTokenParameters.Endorsing, b2.EndpointSupportingTokenParameters.Endorsing, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(b1.EndpointSupportingTokenParameters.SignedEncrypted, b2.EndpointSupportingTokenParameters.SignedEncrypted, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(b1.EndpointSupportingTokenParameters.Signed, b2.EndpointSupportingTokenParameters.Signed, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(b1.EndpointSupportingTokenParameters.SignedEndorsing, b2.EndpointSupportingTokenParameters.SignedEndorsing, exactMessageSecurityVersion))
{
return(false);
}
if (b1.OperationSupportingTokenParameters.Count != b2.OperationSupportingTokenParameters.Count)
{
return(false);
}
foreach (KeyValuePair <string, SupportingTokenParameters> operation1 in b1.OperationSupportingTokenParameters)
{
if (!b2.OperationSupportingTokenParameters.ContainsKey(operation1.Key))
{
return(false);
}
SupportingTokenParameters stp2 = b2.OperationSupportingTokenParameters[operation1.Key];
if (!AreTokenParameterCollectionsMatching(operation1.Value.Endorsing, stp2.Endorsing, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(operation1.Value.SignedEncrypted, stp2.SignedEncrypted, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(operation1.Value.Signed, stp2.Signed, exactMessageSecurityVersion))
{
return(false);
}
if (!AreTokenParameterCollectionsMatching(operation1.Value.SignedEndorsing, stp2.SignedEndorsing, exactMessageSecurityVersion))
{
return(false);
}
}
SymmetricSecurityBindingElement ssbe1 = b1 as SymmetricSecurityBindingElement;
if (ssbe1 != null)
{
SymmetricSecurityBindingElement ssbe2 = (SymmetricSecurityBindingElement)b2;
if (ssbe1.MessageProtectionOrder != ssbe2.MessageProtectionOrder)
{
return(false);
}
if (!AreTokenParametersMatching(ssbe1.ProtectionTokenParameters, ssbe2.ProtectionTokenParameters, false, exactMessageSecurityVersion))
{
return(false);
}
}
AsymmetricSecurityBindingElement asbe1 = b1 as AsymmetricSecurityBindingElement;
if (asbe1 != null)
{
AsymmetricSecurityBindingElement asbe2 = (AsymmetricSecurityBindingElement)b2;
if (asbe1.MessageProtectionOrder != asbe2.MessageProtectionOrder)
{
return(false);
}
if (asbe1.RequireSignatureConfirmation != asbe2.RequireSignatureConfirmation)
{
return(false);
}
if (!AreTokenParametersMatching(asbe1.InitiatorTokenParameters, asbe2.InitiatorTokenParameters, true, exactMessageSecurityVersion) ||
!AreTokenParametersMatching(asbe1.RecipientTokenParameters, asbe2.RecipientTokenParameters, true, exactMessageSecurityVersion))
{
return(false);
}
}
return(true);
}
private void ImportSupportingTokenAssertions(MetadataImporter importer, PolicyConversionContext policyContext, ICollection <XmlElement> assertions, SupportingTokenParameters requirements, SupportingTokenParameters optionalRequirements)
{
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out securityPolicy))
{
securityPolicy.TryImportWsspSupportingTokensAssertion(
importer,
policyContext,
assertions,
requirements.Signed,
requirements.SignedEncrypted,
requirements.Endorsing,
requirements.SignedEndorsing,
optionalRequirements.Signed,
optionalRequirements.SignedEncrypted,
optionalRequirements.Endorsing,
optionalRequirements.SignedEndorsing);
}
}
private static ServiceHost CreateServiceHost(Type component)
{
ServiceHost sh = new ServiceHost(component);
sh.Open();
Console.WriteLine("Endpoint Listeners:");
Console.WriteLine("----------------");
foreach (ChannelDispatcher cd in sh.ChannelDispatchers)
{
foreach (EndpointDispatcher epd in cd.Endpoints)
{
Console.Write(epd.EndpointAddress.Uri.AbsoluteUri);
ConsoleColor origCol = Console.ForegroundColor;
ServiceEndpoint servend = sh.Description.Endpoints.Find(epd.EndpointAddress.Uri);
if (servend != null)
{
Console.WriteLine("\tPhysical listeningURI: " + servend.ListenUri.AbsoluteUri);
Console.ForegroundColor = ConsoleColor.DarkYellow;
BindingElementCollection bec = servend.Binding.CreateBindingElements();
foreach (BindingElement be in bec)
{
Console.WriteLine("\t" + be.GetType().ToString());
SymmetricSecurityBindingElement symBe = be as SymmetricSecurityBindingElement;
AsymmetricSecurityBindingElement asymBe = be as AsymmetricSecurityBindingElement;
TransportSecurityBindingElement transBe = be as TransportSecurityBindingElement;
if (symBe != null)
{
Console.WriteLine("\t\t" + symBe.ProtectionTokenParameters.GetType().ToString());
}
if (asymBe != null)
{
X509SecurityTokenParameters initParms = asymBe.InitiatorTokenParameters as X509SecurityTokenParameters;
X509SecurityTokenParameters recParms = asymBe.RecipientTokenParameters as X509SecurityTokenParameters;
if (initParms != null)
{
Console.WriteLine("\t\tInitiator Security Token Parmeter type");
Console.WriteLine("\t\t\t" + initParms.GetType().ToString() + Environment.NewLine + "\t\t\tInclusionMode: " + initParms.InclusionMode.ToString());
}
if (recParms != null)
{
Console.WriteLine("\t\tRecipient Security Token Parmeter type");
Console.WriteLine("\t\t\t" + recParms.GetType().ToString() + Environment.NewLine + "\t\t\tInclusionMode: " + recParms.InclusionMode.ToString());
}
}
if (transBe != null)
{
SupportingTokenParameters supTokParms = transBe.EndpointSupportingTokenParameters;
if (supTokParms.Endorsing.Count > 0)
{
ShowSecurityTokenParmeters(supTokParms.Endorsing, "Endorsing");
}
}
}
}
Console.ForegroundColor = origCol;
Console.WriteLine();
}
}
return(sh);
}
public static void AssertSecurityBindingElement(
SecurityAlgorithmSuite algorithm,
bool includeTimestamp,
SecurityKeyEntropyMode keyEntropyMode,
MessageSecurityVersion messageSecurityVersion,
SecurityHeaderLayout securityHeaderLayout,
// EndpointSupportingTokenParameters
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
// LocalClientSettings
bool cacheCookies,
int renewalThresholdPercentage,
bool detectReplays,
SecurityBindingElement be, string label)
{
Assert.AreEqual(algorithm, be.DefaultAlgorithmSuite, label + ".DefaultAlgorithmSuite");
Assert.AreEqual(includeTimestamp, be.IncludeTimestamp, label + ".KeyEntropyMode");
Assert.AreEqual(keyEntropyMode,
be.KeyEntropyMode, label + "#3");
Assert.AreEqual(messageSecurityVersion,
be.MessageSecurityVersion, label + ".MessageSecurityVersion");
Assert.AreEqual(securityHeaderLayout,
be.SecurityHeaderLayout, label + ".SecurityHeaderLayout");
// FIXME: they should be extracted step by step...
// EndpointSupportingTokenParameters
SupportingTokenParameters tp = be.EndpointSupportingTokenParameters;
AssertSupportingTokenParameters(
endorsing, signed, signedEncrypted, signedEndorsing,
tp, label + ".Endpoint");
// OptionalEndpointSupportingTokenParameters
tp = be.OptionalEndpointSupportingTokenParameters;
Assert.IsNotNull(tp, label + "#3-0");
Assert.AreEqual(0, tp.Endorsing.Count, label + "#3-1");
Assert.AreEqual(0, tp.Signed.Count, label + "#3-2");
Assert.AreEqual(0, tp.SignedEncrypted.Count, label + "#3-3");
Assert.AreEqual(0, tp.SignedEndorsing.Count, label + "#3-4");
// OperationSupportingTokenParameters
IDictionary <string, SupportingTokenParameters> oper = be.OperationSupportingTokenParameters;
Assert.IsNotNull(oper, label + "#4-1");
Assert.AreEqual(0, oper.Count, label + "#4-2");
// OptionalOperationSupportingTokenParameters
oper = be.OptionalOperationSupportingTokenParameters;
Assert.IsNotNull(oper, label + "#5-1");
Assert.AreEqual(0, oper.Count, label + "#5-2");
// LocalClientSettings
LocalClientSecuritySettings lc =
be.LocalClientSettings;
AssertLocalClientSecuritySettings(
cacheCookies,
renewalThresholdPercentage,
detectReplays,
lc, "");
// FIXME: IdentityVerifier
Assert.AreEqual(TimeSpan.FromMinutes(5), lc.MaxClockSkew, label + "#7-5");
Assert.AreEqual(TimeSpan.MaxValue, lc.MaxCookieCachingTime, label + "#7-6");
Assert.AreEqual(true, lc.ReconnectTransportOnFailure, label + "#7-7");
Assert.AreEqual(900000, lc.ReplayCacheSize, label + "#7-8");
Assert.AreEqual(TimeSpan.FromMinutes(5), lc.ReplayWindow, label + "#7-9");
Assert.AreEqual(TimeSpan.FromHours(10), lc.SessionKeyRenewalInterval, label + "#7-10");
Assert.AreEqual(TimeSpan.FromMinutes(5), lc.SessionKeyRolloverInterval, label + "#7-11");
Assert.AreEqual(TimeSpan.FromMinutes(5), lc.TimestampValidityDuration, label + "#7-12");
// FIXME: LocalServiceSettings
}
private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList)
{
for (int i = 0; i < supportingTokenParameters.Endorsing.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEndorsing.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[i], SecurityTokenAttachmentMode.SignedEndorsing);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEncrypted.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[i], SecurityTokenAttachmentMode.SignedEncrypted);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.Signed.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[i], SecurityTokenAttachmentMode.Signed);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
}
private void AddSupportingTokenProviders(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenProviderSpecification> providerSpecList)
{
for (int i = 0; i < supportingTokenParameters.Endorsing.Count; ++i)
{
SecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing);
try
{
if (isOptional)
{
requirement.IsOptionalToken = true;
}
SecurityTokenProvider provider = SecurityProtocolFactory.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
if (provider == null)
{
continue;
}
SupportingTokenProviderSpecification providerSpec = new SupportingTokenProviderSpecification(provider, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i]);
providerSpecList.Add(providerSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEndorsing.Count; ++i)
{
SecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[i], SecurityTokenAttachmentMode.SignedEndorsing);
try
{
if (isOptional)
{
requirement.IsOptionalToken = true;
}
SecurityTokenProvider provider = SecurityProtocolFactory.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
if (provider == null)
{
continue;
}
SupportingTokenProviderSpecification providerSpec = new SupportingTokenProviderSpecification(provider, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[i]);
providerSpecList.Add(providerSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEncrypted.Count; ++i)
{
SecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[i], SecurityTokenAttachmentMode.SignedEncrypted);
try
{
if (isOptional)
{
requirement.IsOptionalToken = true;
}
SecurityTokenProvider provider = SecurityProtocolFactory.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
if (provider == null)
{
continue;
}
SupportingTokenProviderSpecification providerSpec = new SupportingTokenProviderSpecification(provider, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[i]);
providerSpecList.Add(providerSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.Signed.Count; ++i)
{
SecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(supportingTokenParameters.Signed[i], SecurityTokenAttachmentMode.Signed);
try
{
if (isOptional)
{
requirement.IsOptionalToken = true;
}
SecurityTokenProvider provider = SecurityProtocolFactory.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
if (provider == null)
{
continue;
}
SupportingTokenProviderSpecification providerSpec = new SupportingTokenProviderSpecification(provider, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[i]);
providerSpecList.Add(providerSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
}