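        /// <summary>
        /// Obtains a security token from the STS and uses it to call the WSP's
        /// <c>HelloSign</c> operation.
        /// </summary>
        /// <param name="bootstrapToken">
        /// Optional bootstrap token. When non-null the STS is asked for a token based on
        /// it (<c>GetTokenWithBootstrapToken</c>); otherwise a plain token is requested.
        /// </param>
        /// <returns>The string returned by the WSP's <c>HelloSign</c> operation.</returns>
        private string RunSoap(SecurityToken bootstrapToken)
        {
            // Retrieve token. The cache variant is used, so a still-valid token may be reused
            // across calls (see the TokenServiceCache tests).
            IStsTokenService stsTokenService = new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
            SecurityToken securityToken = bootstrapToken != null
                ? stsTokenService.GetTokenWithBootstrapToken(bootstrapToken)
                : stsTokenService.GetToken();

            // Call WSP with token
            var client = new HelloWorldClient();

            // NOTE: the commented-out line below DISABLES revocation checking of the service
            // certificate (RevocationMode = NoCheck). It is only a local workaround for when
            // the client is not white listed at Nets; never enable it in production.
            //client.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;

            var channelWithIssuedToken = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);

            return channelWithIssuedToken.HelloSign("Oiosaml-net.dk TEST");
        }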
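        /// <summary>
        /// Delays the request to the STS by <c>_wait</c> in the Fiddler proxy and verifies
        /// that the STS rejects the (presumably stale) request with a security fault.
        /// </summary>
        public void OioWsTrustRequestExpiredTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Hold the request in the proxy before forwarding it to the STS.
                Thread.Sleep(_wait);
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (MessageSecurityException mse)
            {
                // Assert
                var fe = mse.InnerException as FaultException;
                Assert.IsNotNull(fe, "Expected inner fault exception");
                Assert.AreEqual("An error occurred when verifying security for the message.", fe.Message);
            }
        }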
        /// <summary>
        /// Verifies that the token service returns the same token while the first one is
        /// still within its validity window and a different token once that window has passed.
        /// </summary>
        public void OioWsTrustTokenServiceCacheGivesDifferentTokenTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            var firstToken = stsTokenService.GetToken();

            // 3 min 50 s = 4 minutes minus 10 seconds. The 4 minutes come from the default
            // clock skew of 1 minute.
            Thread.Sleep(TimeSpan.FromSeconds(230));

            // Act 1
            var secondToken = stsTokenService.GetToken();

            // Assert 1
            Assert.AreEqual(firstToken, secondToken, "Expected that tokens was the same");

            // Act 2: another 20 seconds and the first token should be expired.
            Thread.Sleep(TimeSpan.FromSeconds(20));
            var thirdToken = stsTokenService.GetToken();

            // Assert 2
            Assert.AreNotEqual(firstToken, thirdToken, "Expected that tokens was Not the same");
        }
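        /// <summary>
        /// End-to-end check: a .NET WSC obtains a token from the STS and calls the Java
        /// WSP's <c>HelloWorld</c> operation with it.
        /// </summary>
        public void DotnetWscCallJavaWspTest()
        {
            // Ensure that the WSP is up and running.
            Thread.Sleep(30000);

            // Retrieve token
            IStsTokenService stsTokenService =
                new StsTokenServiceCache(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );
            var securityToken = stsTokenService.GetToken();

            // Call WSP with token
            var client = new HelloWorldPortTypeClient();

            var channelWithIssuedToken =
                client.ChannelFactory.CreateChannelWithIssuedToken(
                    securityToken
                    );

            var helloWorldRequestJohn = new HelloWorldRequest("John");

            var response = channelWithIssuedToken.HelloWorld(helloWorldRequestJohn).response;

            // AreEqual (instead of Equals + IsTrue) reports the actual value on failure and
            // does not throw NullReferenceException when the response is null.
            Assert.AreEqual("Hello John", response);
        }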
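        /// <summary>
        /// Modifies the body of the request to the STS on the wire (adds an attribute to
        /// <c>trust:Lifetime</c>) and verifies that the STS rejects the request with an
        /// "Authentication failed" fault.
        /// </summary>
        public void OioWsTrustRequestFailDueToBodyTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Plain text replacement is enough here since the target element is static.
                oS.utilReplaceInRequest("<trust:Lifetime>", "<trust:Lifetime testAttribute=\"Tampered\">");
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }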
        /// <summary>
        /// Console demo: obtains a token from the STS, calls the WSP's HelloWorld
        /// operations at each protection level and shows that a SOAP fault can be read.
        /// </summary>
        /// <param name="args">Not used.</param>
        static void Main(string[] args)
        {
            // Setup Log4Net configuration by loading it from configuration file.
            // log4net is not necessary and is only being used for demonstration.
            XmlConfigurator.Configure();

            // To ensure that the WSP is up and running.
            Thread.Sleep(1000);

            // Retrieve token
            IStsTokenService tokenService = new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
            var securityToken = tokenService.GetToken();

            // Call WSP with token
            var client = new HelloWorldClient();
            var channelWithIssuedToken = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);

            const string caller = "Schultz";

            // Even if the protection level is set to 'None' Digst.OioIdws.Wsc ensures that the body is always at least signed.
            var noneReply = channelWithIssuedToken.HelloNone(caller);
            Console.WriteLine(noneReply);

            var signReply = channelWithIssuedToken.HelloSign(caller);
            Console.WriteLine(signReply);

            var encryptAndSignReply = channelWithIssuedToken.HelloEncryptAndSign(caller);
            Console.WriteLine(encryptAndSignReply);

            // Checking that SOAP faults can be read. SOAP faults are encrypted in Sign and
            // EncryptAndSign mode if no special care is taken.
            try
            {
                channelWithIssuedToken.HelloSignError(caller);
            }
            catch (Exception fault)
            {
                Console.WriteLine(fault.Message);
            }

            Console.ReadKey();
        }
        /// <summary>
        /// Console demo against the Java WSP: obtains a token from the STS, makes two
        /// successful <c>HelloWorld</c> calls and a third one that is expected to fault.
        /// </summary>
        /// <param name="args">Not used.</param>
        static void Main(string[] args)
        {
            // Setup Log4Net configuration by loading it from configuration file.
            // log4net is not necessary and is only being used for demonstration.
            XmlConfigurator.Configure();

            // To ensure that the WSP is up and running.
            Thread.Sleep(1000);

            // Retrieve token
            IStsTokenService stsTokenService =
                new StsTokenServiceCache(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );
            var securityToken = stsTokenService.GetToken();

            // Call WSP with token
            var client = new HelloWorldPortTypeClient();

            var channelWithIssuedToken =
                client.ChannelFactory.CreateChannelWithIssuedToken(
                    securityToken
                    );

            // Two ordinary calls that are expected to succeed.
            foreach (var name in new[] { "John", "Jane" })
            {
                var request = new HelloWorldRequest(name);
                var reply   = channelWithIssuedToken.HelloWorld(request);
                Console.WriteLine(reply.response);
            }

            try
            {
                // third call will trigger a SOAPFault
                var emptyRequest = new HelloWorldRequest("");
                var faultingReply = channelWithIssuedToken.HelloWorld(emptyRequest);
                Console.WriteLine(faultingReply.response);
            }
            catch (Exception ex)
            {
                Console.WriteLine("Expected SOAPFault caught: " + ex.Message);
            }

            // Encrypted calls fail client side. However, encryption at message
            // level is not required and no further investigation has been
            // put into this issue yet.
            //
            // Console.WriteLine(channelWithIssuedToken.HelloEncryptAndSign("Schultz"));

            Console.WriteLine("Press <Enter> to stop the service.");
            Console.ReadLine();
        }
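        /// <summary>
        /// Replaces the <c>BinarySecurityToken</c> (the client certificate) in the security
        /// header of the request to the STS and verifies that the STS rejects the request
        /// with an "Authentication failed" fault.
        /// </summary>
        public void OioWsTrustRequestFailDueToTokenTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use the XML version instead of utilReplaceInRequest(...) because the message id is dynamic.
                // For some reason there are two calls where the first call has an empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("o",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                    var binarySecurityTokenElement =
                        bodyAsXml.XPathSelectElement(
                            "/s:Envelope/s:Header/o:Security/o:BinarySecurityToken",
                            namespaceManager);
                    // The following is an old version of the test user's MOCES certificate. It makes the STS
                    // answer with "The request was invalid or malformed".
                    //binarySecurityTokenElement.Value =
                    //    "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";
                    // The following is the new version of the test user's MOCES certificate. It makes the STS
                    // answer correctly with "The request was invalid or malformed".
                    binarySecurityTokenElement.Value =
                        "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";
                    // DisableFormatting keeps the serialized body byte-compatible with what the client sent.
                    oS.RequestBody = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }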
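        /// <summary>
        /// Shifts the <c>Created</c> timestamp in the security header of the request to the
        /// STS by one minute and verifies that the STS rejects the request with an
        /// "Authentication failed" fault (the timestamp is covered by the signature).
        /// </summary>
        public void OioWsTrustRequestFailDueToHeaderSecurityTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use the XML version instead of utilReplaceInRequest(...) because the message id is dynamic.
                // For some reason there are two calls where the first call has an empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("o",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                    namespaceManager.AddNamespace("u",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                    var createdTimestampElement =
                        bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/o:Security/u:Timestamp/u:Created",
                                                     namespaceManager);
                    // Parse with the invariant culture: the value is a machine-generated timestamp,
                    // so the result must not depend on the test machine's regional settings.
                    var dateTime       = DateTime.Parse(createdTimestampElement.Value,
                                                        System.Globalization.CultureInfo.InvariantCulture);
                    var addMinutes     = dateTime.AddMinutes(1);
                    var longDateString = addMinutes.ToUniversalTime().ToString(TimeFormat);
                    createdTimestampElement.Value = longDateString;
                    // DisableFormatting keeps the serialized body byte-compatible with what the client sent.
                    oS.RequestBody = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }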
        /// <summary>
        /// Happy path: the token service is able to obtain a token from the STS.
        /// </summary>
        public void TotalFlowSucessTest()
        {
            // Arrange
            var configuration = TokenServiceConfigurationFactory.CreateConfiguration();
            IStsTokenService stsTokenService = new StsTokenService(configuration);

            // Act
            var issuedToken = stsTokenService.GetToken();

            // Assert
            Assert.IsNotNull(issuedToken);
        }
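        /// <summary>
        /// Modifies the <c>wsa:Action</c> header of the STS response on the wire and verifies
        /// that the client rejects the response because its signature no longer validates.
        /// </summary>
        public void OioWsTrustResponseFailDueToHeaderActionTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            // Handlers are kept in fields so they can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on responses from the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                oS.utilReplaceInResponse("<wsa:Action", "<wsa:Action testAttribute=\"Tampered\"");
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert
                Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
            }
        }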
        /// <summary>
        /// Verifies that the caching token service returns the same token on two
        /// consecutive calls.
        /// </summary>
        public void OioWsTrustTokenServiceCacheGivesTheSameTokenTest()
        {
            // Arrange
            var configuration = TokenServiceConfigurationFactory.CreateConfiguration();
            IStsTokenService stsTokenService = new StsTokenServiceCache(configuration);
            var firstToken = stsTokenService.GetToken();

            // Act
            var secondToken = stsTokenService.GetToken();

            // Assert
            Assert.AreEqual(firstToken, secondToken, "Expected that tokens was the same");
        }
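        /// <summary>
        /// Records the first request to the STS and replaces the second request with it,
        /// then verifies that the STS rejects the replayed request with a fault.
        /// </summary>
        public void OioWsTrustRequestFailDueToReplayAttackTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            byte[] recordedRequest = null;
            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // For some reason there are two calls where the first call has an empty body.
                if (oS.RequestBody.Length > 0)
                {
                    if (recordedRequest == null)
                    {
                        // record request
                        recordedRequest = oS.RequestBody;
                    }
                    else
                    {
                        // Replay
                        oS.RequestBody = recordedRequest;
                    }
                }
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // First call is recorded by the handler above and is expected to succeed.
            stsTokenService.GetToken();

            // Act: second call is replaced with the recorded request.
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("The specified request failed", fe.Message);
            }
        }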
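        /// <summary>
        /// Delays the STS response by <c>_wait</c> in the Fiddler proxy and verifies that the
        /// client rejects the response because its security timestamp is stale.
        /// </summary>
        public void OioWsTrustResponseExpiredTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // If not set then Thread.Sleep is ignored on the response (it is streamed through).
                oS.bBufferResponse = true;
            };
            // Handlers are kept in fields so they can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on responses from the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Hold the response in the proxy before forwarding it to the client.
                Thread.Sleep(_wait);
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (MessageSecurityException mse)
            {
                // Assert: the message is machine-generated, so compare ordinally.
                Assert.IsTrue(mse.Message.StartsWith("The security timestamp is stale because its expiration time", StringComparison.Ordinal));
            }
        }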
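        /// <summary>
        /// Replaces the <c>wsa:MessageID</c> header of the request to the STS with a fixed
        /// value and verifies that the STS rejects the request with an "Authentication failed"
        /// fault (the header is covered by the signature).
        /// </summary>
        public void OioWsTrustRequestFailDueToHeaderMessageIdTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService = new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use the XML version instead of utilReplaceInRequest(...) because the message id is dynamic.
                // For some reason there are two calls where the first call has an empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("a", "http://www.w3.org/2005/08/addressing");
                    var messageIdElement = bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/a:MessageID",
                                                                        namespaceManager);
                    messageIdElement.Value = "uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";
                    // DisableFormatting keeps the serialized body byte-compatible with what the client sent.
                    oS.RequestBody         = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            // Handler is kept in a field so it can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }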
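        /// <summary>
        /// Test-class setup: creates the shared token service, makes sure the FiddlerCore
        /// root certificate is trusted, starts the Fiddler proxy used to simulate
        /// man-in-the-middle attacks and launches the example WSP process.
        /// </summary>
        /// <param name="context">Test framework context; not used.</param>
        /// <exception cref="InvalidOperationException">The WSP process could not be started.</exception>
        public static void Setup(TestContext context)
        {
            _stsTokenService = new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());

            // Check certificates. NOTE(review): trusting the FiddlerCore root certificate and
            // registering a system proxy below change machine-wide state; the matching
            // cleanup is assumed to undo both — confirm it does.
            if (!CertMaker.rootCertIsTrusted())
            {
                CertMaker.trustRootCert();
            }

            // Start proxy server (to simulate man in the middle attacks)
            FiddlerApplication.Startup(
                8877, /* Port */
                true, /* Register as System Proxy */
                true, /* Decrypt SSL */
                false /* Allow Remote */
                );

            // Start WSP. Process.Start returns null when no new process was started; fail
            // here with a clear message instead of a NullReferenceException in the cleanup.
            _process = Process.Start(@"..\..\..\..\Examples\Digst.OioIdws.WspExample\bin\Debug\Digst.OioIdws.WspExample.exe");
            if (_process == null)
            {
                throw new InvalidOperationException("The WSP example process could not be started.");
            }
        }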
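        /// <summary>
        /// Replaces the <c>wsa:RelatesTo</c> header of the STS response with a fixed value
        /// and verifies that the client rejects the response because its signature no
        /// longer validates.
        /// </summary>
        public void OioWsTrustResponseFailDueToHeaderRelatesToTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            // Handlers are kept in fields so they can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on responses from the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use the XML version instead of utilReplaceInResponse(...) because the id is dynamic.
                // For some reason there are two calls where the first call has an empty body; the
                // guard deliberately looks at the request body to skip that first exchange.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.ResponseBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("a", "http://www.w3.org/2005/08/addressing");
                    var relatesToIdElement = bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/a:RelatesTo",
                                                                          namespaceManager);
                    relatesToIdElement.Value = "urn:uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";
                    // DisableFormatting keeps the serialized body byte-compatible with what the STS sent.
                    oS.ResponseBody          = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert
                Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
            }
        }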
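        /// <summary>
        /// Console demo against the Java WSP using a hand-built WCF binding instead of a
        /// generated client: obtains a token from the STS, configures an asymmetric
        /// security binding over HTTPS, makes two successful <c>HelloWorld</c> calls and a
        /// third one that is expected to fault.
        /// </summary>
        /// <param name="args">Not used.</param>
        static void Main(string[] args)
        {
            // Setup Log4Net configuration by loading it from configuration file
            // log4net is not necessary and is only being used for demonstration
            XmlConfigurator.Configure();

            // To ensure that the WSP is up and running.
            Thread.Sleep(1000);

            // Retrieve token
            IStsTokenService stsTokenService =
                new StsTokenServiceCache(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );
            var securityToken = stsTokenService.GetToken();

            // Call WSP with token
            var hostname        = "https://localhost:8443/HelloWorld/services/helloworld";
            var customBinding   = new Channels.CustomBinding();
            // The DNS identity must match the subject of the WSP's service certificate.
            var endpointAddress = new System.ServiceModel.EndpointAddress(
                new Uri(hostname),
                System.ServiceModel.EndpointIdentity.CreateDnsIdentity(
                    //"wsp.oioidws-net.dk TEST (funktionscertifikat)"
                    "eID JAVA test (funktionscertifikat)"
                    ),
                new Channels.AddressHeader[] { }
                );

            // Initiator authenticates with an X.509 token, the recipient with the issued
            // (SAML 2.0) token; STR transform and token protection are turned on.
            var issuedTokenParameters =
                new Soap.StrCustomization.CustomizedIssuedSecurityTokenParameters(
                    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                    )
                {
                    UseStrTransform = true
                };
            var asymmetric =
                new Channels.AsymmetricSecurityBindingElement(
                    new SecurityTokens.X509SecurityTokenParameters(
                        SecurityTokens.X509KeyIdentifierClauseType.Any,
                        SecurityTokens.SecurityTokenInclusionMode.AlwaysToInitiator
                        ),
                    issuedTokenParameters
                    )
                {
                    AllowSerializedSigningTokenOnReply = true,
                    ProtectTokens = true
                };

            asymmetric.SetKeyDerivation(false);
            var messageEncoding =
                new Channels.TextMessageEncodingBindingElement
                {
                    MessageVersion =
                        Channels.MessageVersion.Soap12WSAddressing10
                };
            // Scheme check is case-insensitive and ordinal (no ToLower round trip).
            var transport =
                hostname.StartsWith("https://", StringComparison.OrdinalIgnoreCase)
                    ? new Channels.HttpsTransportBindingElement()
                    : new Channels.HttpTransportBindingElement();

            customBinding.Elements.Add(asymmetric);
            customBinding.Elements.Add(messageEncoding);
            customBinding.Elements.Add(transport);

            System.ServiceModel.ChannelFactory<HelloWorldPortType> factory =
                new System.ServiceModel.ChannelFactory<HelloWorldPortType>(
                    customBinding, endpointAddress
                    );
            factory.Credentials.UseIdentityConfiguration = true;
            // The WSP's certificate is pinned by thumbprint from the LocalMachine\My store.
            factory.Credentials.ServiceCertificate.SetScopedCertificate(
                X509Certificates.StoreLocation.LocalMachine,
                X509Certificates.StoreName.My,
                X509Certificates.X509FindType.FindByThumbprint,
                //"1F0830937C74B0567D6B05C07B6155059D9B10C7",
                "85398FCF737FB76F554C6F2422CC39D3A35EC26F",
                new Uri(hostname)
                );
            factory.Endpoint.Behaviors.Add(
                new Soap.Behaviors.SoapClientBehavior()
                );

            var channelWithIssuedToken =
                factory.CreateChannelWithIssuedToken(securityToken);

            var helloWorldRequestJohn = new HelloWorldRequest("John");

            Console.WriteLine(
                channelWithIssuedToken.HelloWorld(helloWorldRequestJohn).response
                );

            var helloWorldRequestJane = new HelloWorldRequest("Jane");

            Console.WriteLine(
                channelWithIssuedToken.HelloWorld(helloWorldRequestJane).response
                );

            try
            {
                // third call will trigger a SOAPFault
                var helloWorldRequest = new HelloWorldRequest("");
                Console.WriteLine(
                    channelWithIssuedToken.HelloWorld(helloWorldRequest).response
                    );
            }
            catch (Exception ex)
            {
                Console.WriteLine("Expected SOAPFault caught: " + ex.Message);
            }

            // Encrypted calls fail client side. However, encryption at message
            // level is not required and no further investigation has been
            // put into this issue yet.
            //
            // Console.WriteLine(channelWithIssuedToken.HelloEncryptAndSign("Schultz"));

            Console.WriteLine("Press <Enter> to stop the service.");
            Console.ReadLine();
        }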
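        /// <summary>
        /// Records the first STS response and replaces the second response with it, then
        /// verifies that the client detects the replayed response.
        /// </summary>
        public void OioWsTrustResponseFailDueToReplayAttackTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            byte[] recordedResponse = null;
            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            // Handlers are kept in fields so they can be unsubscribed by the test cleanup.
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on responses from the STS; other traffic passes through untouched.
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // For some reason there are two calls where the first call has an empty body;
                // the guard deliberately looks at the request body to skip that first exchange.
                if (oS.RequestBody.Length > 0)
                {
                    if (recordedResponse == null)
                    {
                        // record response
                        recordedResponse = oS.ResponseBody;
                    }
                    else
                    {
                        // Replay
                        oS.ResponseBody = recordedResponse;
                    }
                }
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // First call is recorded by the handler above and is expected to succeed.
            stsTokenService.GetToken();

            // Act: the second call receives the recorded (replayed) response.
            try
            {
                stsTokenService.GetToken();
                Assert.Fail("Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert: the message is machine-generated, so compare ordinally.
                Assert.IsTrue(ioe.Message.StartsWith("Replay attack detected. Response message id:", StringComparison.Ordinal), "Replay attack not detected!");
            }
        }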
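        static void Main(string[] args)
        {
            // Demo client: obtains a security token from the STS, assembles a WCF
            // custom binding by hand (asymmetric message security carrying an issued
            // SAML 2.0 token, SOAP 1.2 / WS-Addressing 1.0 text encoding, HTTP(S)
            // transport) and exercises the WSP HelloWorld operations with it.
            // args is not used.

            // Setup Log4Net configuration by loading it from configuration file.
            // log4net is not necessary and is only being used for demonstration.
            XmlConfigurator.Configure();

            // Crude start-up synchronisation to give the WSP time to come up.
            // Demo only; a real client would retry or probe the endpoint instead.
            Thread.Sleep(1000);

            // Retrieve token (the cache wrapper is used here so repeated runs can
            // reuse a token instead of round-tripping to the STS every time).
            IStsTokenService stsTokenService =
                new StsTokenServiceCache(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );
            var securityToken = stsTokenService.GetToken();

            // Call WSP with token. Parse the URL once and reuse it for the address,
            // the transport selection and the certificate scope below.
            var endpointUrl = "https://Digst.OioIdws.Wsp:9090/HelloWorld";
            var endpointUri = new Uri(endpointUrl);
            var customBinding = new Channels.CustomBinding();

            // The DNS identity names the subject the WSP's certificate is expected to
            // carry; WCF validates the presented service certificate against it.
            var endpointAddress = new System.ServiceModel.EndpointAddress(
                endpointUri,
                System.ServiceModel.EndpointIdentity.CreateDnsIdentity(
                    "wsp.oioidws-net.dk TEST (funktionscertifikat)"
                    ),
                new Channels.AddressHeader[] { }
                );

            // Message-level security: X.509 token parameters for one party and the
            // issued SAML 2.0 token (referenced through an STR transform) for the
            // other — see the AsymmetricSecurityBindingElement constructor for which
            // argument is recipient and which is initiator. ProtectTokens includes
            // the tokens themselves under the message signature.
            var asymmetric =
                new Channels.AsymmetricSecurityBindingElement
                (
                    new SecurityTokens.X509SecurityTokenParameters(
                        SecurityTokens.X509KeyIdentifierClauseType.Any,
                        SecurityTokens.SecurityTokenInclusionMode.AlwaysToInitiator
                        ),
                    new Soap.StrCustomization.CustomizedIssuedSecurityTokenParameters(
                        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                        )
            {
                UseStrTransform = true
            }
                )
            {
                AllowSerializedSigningTokenOnReply = true,
                ProtectTokens = true
            };

            // No derived keys: the token keys are used directly for signing/encryption.
            asymmetric.SetKeyDerivation(false);

            var messageEncoding =
                new Channels.TextMessageEncodingBindingElement
            {
                MessageVersion =
                    Channels.MessageVersion.Soap12WSAddressing10
            };

            // Choose the transport from the parsed URI scheme instead of lower-casing
            // and prefix-matching the string. Note that the message-level security
            // above does not replace TLS; only the https branch protects the channel
            // (and the WSP certificate is pinned below), so keep the endpoint on https
            // anywhere outside this demo.
            var transport =
                (endpointUri.Scheme == Uri.UriSchemeHttps)
                    ? new Channels.HttpsTransportBindingElement()
                    : new Channels.HttpTransportBindingElement();

            customBinding.Elements.Add(asymmetric);
            customBinding.Elements.Add(messageEncoding);
            customBinding.Elements.Add(transport);

            var factory =
                new System.ServiceModel.ChannelFactory<IHelloWorld>(
                    customBinding, endpointAddress
                    );
            // Presumably picks up the issued-token handling from the identity model
            // configuration in app.config — confirm against the client's config file.
            factory.Credentials.UseIdentityConfiguration = true;

            // Pin the WSP service certificate for this endpoint: look it up by SHA-1
            // thumbprint in LocalMachine\My. The thumbprint below belongs to a test
            // certificate and has to be replaced — and kept in step with certificate
            // rotation — in any other environment.
            factory.Credentials.ServiceCertificate.SetScopedCertificate(
                X509Certificates.StoreLocation.LocalMachine,
                X509Certificates.StoreName.My,
                X509Certificates.X509FindType.FindByThumbprint,
                "1F0830937C74B0567D6B05C07B6155059D9B10C7",
                endpointUri
                );
            factory.Endpoint.Behaviors.Add(
                new Soap.Behaviors.SoapClientBehavior()
                );

            var channelWithIssuedToken =
                factory.CreateChannelWithIssuedToken(securityToken);

            Console.WriteLine(channelWithIssuedToken.HelloNone("Schultz"));
            Console.WriteLine(channelWithIssuedToken.HelloSign("Schultz"));
            Console.WriteLine(channelWithIssuedToken.HelloEncryptAndSign("Schultz"));

            // Checking that SOAP faults can be read. SOAP faults are encrypted
            // in Sign and EncryptAndSign mode if no special care is taken.
            try
            {
                channelWithIssuedToken.HelloSignError("Schultz");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            // Checking that SOAP faults can be read when only being signed.
            // SOAP faults are only signed if special care is taken.
            try
            {
                channelWithIssuedToken.HelloSignErrorNotEncrypted("Schultz");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            Console.ReadLine();

            // Release the factory (and the channels it created) instead of leaking
            // them at exit. A faulted object cannot be closed, hence the Abort fallback.
            try
            {
                factory.Close();
            }
            catch (System.ServiceModel.CommunicationException)
            {
                factory.Abort();
            }
            catch (TimeoutException)
            {
                factory.Abort();
            }
        }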