/// <summary>
/// Obtains an issued token from the STS (directly, or by exchanging a bootstrap token)
/// and calls the WSP's HelloSign operation with it.
/// </summary>
/// <param name="bootstrapToken">Token to exchange at the STS; null requests a plain token.</param>
/// <returns>The WSP's reply to HelloSign.</returns>
private string RunSoap(SecurityToken bootstrapToken)
{
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());

    // With a bootstrap token the STS is asked to exchange it; without one it issues a token
    // for the configured client credentials.
    SecurityToken securityToken = bootstrapToken == null
        ? stsTokenService.GetToken()
        : stsTokenService.GetTokenWithBootstrapToken(bootstrapToken);

    var client = new HelloWorldClient();

    // Revocation checking of the WSP's service certificate is left ON. The line below would
    // turn it OFF (X509RevocationMode.NoCheck) for test setups whose certificate is not
    // white-listed at Nets. Keep it commented out; never ship with NoCheck in production.
    //client.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;

    var channelWithIssuedToken = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);
    return channelWithIssuedToken.HelloSign("Oiosaml-net.dk TEST");
}
/// <summary>
/// Holds the signed token request on its way to the STS for <c>_wait</c> and expects the STS to
/// reject the message once its security timestamp is no longer within the accepted window.
/// </summary>
public void OioWsTrustRequestExpiredTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only requests bound for the STS are delayed; other traffic passes untouched.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // The request is already signed and timestamped at this point, so delaying it
        // makes it arrive late without invalidating the signature.
        Thread.Sleep(_wait);
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (MessageSecurityException mse)
    {
        // Assert: the STS fault is surfaced as the inner exception of the security exception.
        var fe = mse.InnerException as FaultException;
        Assert.IsNotNull(fe, "Expected inner fault exception");
        Assert.AreEqual("An error occurred when verifying security for the message.", fe.Message);
    }
}
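/// <summary>
/// Verifies that the caching token service reuses a token while it is still valid and
/// requests a fresh one once the cached token has expired. Runs for about four minutes.
/// </summary>
public void OioWsTrustTokenServiceCacheGivesDifferentTokenTest()
{
    // Arrange
    // Use the caching decorator, as OioWsTrustTokenServiceCacheGivesTheSameTokenTest does and as
    // the test name says. The plain StsTokenService is not expected to hand back the same token
    // instance twice, which would make the first assertion below meaningless.
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = stsTokenService.GetToken();

    // Stay just inside the cache window: 4 minutes (the token counts as expired one default
    // clock skew of 1 minute early) minus 10 seconds of margin = 3 min 50 s.
    Thread.Sleep(230000);

    // Act 1
    var securityToken2 = stsTokenService.GetToken();

    // Assert 1: still within the window, so the cached token is returned.
    Assert.AreEqual(securityToken, securityToken2, "Expected that tokens was the same");

    // Act 2: another 20 seconds pushes the cached token past its (skew-adjusted) expiry.
    Thread.Sleep(20000);
    var securityToken3 = stsTokenService.GetToken();

    // Assert 2: a new token must have been fetched from the STS.
    Assert.AreNotEqual(securityToken, securityToken3, "Expected that tokens was Not the same");
}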
/// <summary>
/// End-to-end check that the .NET WSC can obtain a token from the STS and call the Java WSP with it.
/// </summary>
public void DotnetWscCallJavaWspTest()
{
    // Give the Java WSP time to come up before the first call.
    Thread.Sleep(30000);

    // Retrieve token
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = stsTokenService.GetToken();

    // Call WSP with token
    var client = new HelloWorldPortTypeClient();
    var channelWithIssuedToken = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);
    var reply = channelWithIssuedToken.HelloWorld(new HelloWorldRequest("John")).response;

    Assert.IsTrue(reply.Equals("Hello John"));
}
/// <summary>
/// Alters the signed body of the token request in transit (adds an attribute to
/// &lt;trust:Lifetime&gt;) and expects the STS to reject it with "Authentication failed".
/// </summary>
public void OioWsTrustRequestFailDueToBodyTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only tamper with requests bound for the STS.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // The body is covered by the request signature, so even an added attribute must
        // break signature validation at the STS.
        oS.utilReplaceInRequest("<trust:Lifetime>", "<trust:Lifetime testAttribute=\"Tampered\">");
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (FaultException fe)
    {
        // Assert
        Assert.AreEqual("Authentication failed", fe.Message);
    }
}
/// <summary>
/// Example WSC: fetches a token from the STS and calls the example WSP at each protection level,
/// finishing with a call that raises a SOAP fault to show the fault is readable on the client.
/// </summary>
static void Main(string[] args)
{
    // log4net is optional; it is configured from the application configuration file purely for demonstration.
    XmlConfigurator.Configure();

    // Give the WSP a moment to come up.
    Thread.Sleep(1000);

    // Retrieve token
    IStsTokenService tokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = tokenService.GetToken();

    // Call WSP with token
    var client = new HelloWorldClient();
    var channel = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);

    // Protection level 'None' still yields a signed body: Digst.OioIdws.Wsc always signs at minimum.
    Console.WriteLine(channel.HelloNone("Schultz"));
    Console.WriteLine(channel.HelloSign("Schultz"));
    Console.WriteLine(channel.HelloEncryptAndSign("Schultz"));

    // SOAP faults come back encrypted in Sign and EncryptAndSign mode unless special care is
    // taken; this call checks that the fault can still be read.
    try
    {
        channel.HelloSignError("Schultz");
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }

    Console.ReadKey();
}
/// <summary>
/// Example WSC against the Java WSP: fetches a token from the STS, makes two successful
/// HelloWorld calls, then one with an empty name that is expected to fault.
/// </summary>
static void Main(string[] args)
{
    // log4net is optional; it is configured from the application configuration file purely for demonstration.
    XmlConfigurator.Configure();

    // Give the WSP a moment to come up.
    Thread.Sleep(1000);

    // Retrieve token
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = stsTokenService.GetToken();

    // Call WSP with token
    var client = new HelloWorldPortTypeClient();
    var channel = client.ChannelFactory.CreateChannelWithIssuedToken(securityToken);

    foreach (var name in new[] { "John", "Jane" })
    {
        Console.WriteLine(channel.HelloWorld(new HelloWorldRequest(name)).response);
    }

    try
    {
        // An empty name makes the WSP answer with a SOAP fault.
        Console.WriteLine(channel.HelloWorld(new HelloWorldRequest("")).response);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Expected SOAPFault caught: " + ex.Message);
    }

    // Message-level encryption against the Java WSP fails on the client side. Encryption at
    // message level is not required, so this has not been investigated further.
    //
    // Console.WriteLine(channelWithIssuedToken.HelloEncryptAndSign("Schultz"));

    Console.WriteLine("Press <Enter> to stop the service.");
    Console.ReadLine();
}
/// <summary>
/// Swaps the client certificate carried in the WS-Security BinarySecurityToken of the token
/// request for a different (test) certificate while the request is in transit, and expects
/// the STS to reject the request with "Authentication failed": the message signature no
/// longer matches the presented certificate.
/// </summary>
public void OioWsTrustRequestFailDueToTokenTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService = new StsTokenService( TokenServiceConfigurationFactory.CreateConfiguration() );
    _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
    {
        // Only tamper with requests bound for the STS.
        if (StsHostName != oS.hostname) { return; }
        // The message is edited as XML rather than with utilReplaceInRequest(...) because the
        // message id is generated per request.
        // FiddlerCore reports two sessions for the call; the first has an empty request body
        // and is skipped.
        if (oS.RequestBody.Length > 0)
        {
            var bodyAsString = Encoding.UTF8.GetString(oS.RequestBody);
            var bodyAsXml = XDocument.Load(new StringReader(bodyAsString));
            var namespaceManager = new XmlNamespaceManager(new NameTable());
            namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
            namespaceManager.AddNamespace("o", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
            var binarySecurityTokenElement = bodyAsXml.XPathSelectElement( "/s:Envelope/s:Header/o:Security/o:BinarySecurityToken", namespaceManager);
            // An earlier version of the "Morten Mortensen" MOCES test certificate was used here;
            // with it the STS answered "The request was invalid or malformed". That value has
            // been dropped from this listing.
            //binarySecurityTokenElement.Value =
            //    "...";
            // Below is the newer version of the "Morten Mortensen" MOCES test certificate
            // (TRUST2408 Systemtest XIX CA, Base64 DER). With it the STS also answers
            // "The request was invalid or malformed" at the transport level; the client sees
            // the fault asserted below.
            binarySecurityTokenElement.Value = "MIIGJzCCBQ+gAwIBAgIEVp5ySzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTYwNTE3MTE1NDM0WhcNMTkwNTE3MTE1NDE4WjB2MQswCQYDVQQGEwJESzEqMCgGA1UECgwhw5hrb25vbWlzdHlyZWxzZW4gLy8gQ1ZSOjEwMjEzMjMxMTswFwYDVQQDDBBNb3J0ZW4gTW9ydGVuc2VuMCAGA1UEBRMZQ1ZSOjEwMjEzMjMxLVJJRDo5Mzk0NzU1MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIwVzTYsKncrByNHU1M8HVHh5ZdiZAc2yQavTMFkQ0X9Wu4FGMcddH5XvnXsNHipBJ8gZh9HrIza6gujPrlZJvtQG+rhjiKhAaQbMN5yWY2E8H1Lv7aLB3bd1ShGccT/SeMJ3Lrn0xA8HedgYPlf4lYce8y20wlqe2ZBFG5664RBW3KuNapqP++XyJ0KMS5OE17Max/oOzBx4106DDXsMdMNQRtTBT0kJvAs0jiu9Wr/g9TMhM8wot+lsYMHZR8ecYbX70eQJLPI5YErjSkA5pzWO7z1SfewdQguUr71uIDjH2C1A2vIJFyPof6idpKYQJsSshQZWqLbExBr6JDtJYkCAwEAAaOCAuowggLmMA4GA1UdDwEB/wQEAwID+DCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL20uYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAgUwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuMB4GA1UdEQQXMBWBE0tGT0JTX1RFU1RAbm5pdC5jb20wgaoGA1UdHwSBojCBnzA8oDqgOIY2aHR0cDovL2NybC5zeXN0ZW10ZXN0MTkudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MTkuY3JsMF+gXaBbpFkwVzELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODEkMCIGA1UEAwwbVFJVU1QyNDA4IFN5c3RlbXRlc3QgWElYIENBMQ4wDAYDVQQDDAVDUkw2NDAfBgNVHSMEGDAWgBTMAlUM5IF0ryBU1REUV5yRUjh/oDAdBgNVHQ4EFgQUEWdFrMEb7hG5I2QaLQx4eevxXD8wCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAetwAPoeMMHE9zRSVcGsK3TTo6+YqORR78HXFel4Yg4j7SE3HLSHcrOYaVT/ouUcLqufEWiKRVDpZ4QShSV1hfcF3UhufKCLhMf/sNuc97e/ptOVciN76q+6jNJ+1fAtwNk+myf8lqR1r5CGCk5TDZZv64GR3Q5nhQTBG6wCCUE2vP22bDjY9h+ibfSl4eQG56rNXsDSMMnOB6Fqm9mwPXKUedF8ezHJeRAb1JQtDxkt0oy94i53EaCj6Hd6LzI4Gfq7ReorkuVJvqv+pcpPfZN9FkbbK/o62DMTw3wb+uGh/8VehGOpV05EkafClZ0lqwXpndnI+dbS6PvJpmoqElg==";
            oS.RequestBody = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
        }
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;
    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (FaultException fe)
    {
        // Assert
        Assert.AreEqual("Authentication failed", fe.Message);
    }
}
/// <summary>
/// Moves the WS-Security Timestamp/Created value of the token request one minute forward
/// in transit and expects the STS to reject the request, since the timestamp is part of the
/// signed content.
/// </summary>
public void OioWsTrustRequestFailDueToHeaderSecurityTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only tamper with requests bound for the STS.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // FiddlerCore reports an extra session with an empty request body; skip it.
        if (oS.RequestBody.Length == 0)
        {
            return;
        }

        // Edit the envelope as XML (the message id changes per request, so a plain text replace is unreliable).
        var envelope = XDocument.Load(new StringReader(Encoding.UTF8.GetString(oS.RequestBody)));

        var ns = new XmlNamespaceManager(new NameTable());
        ns.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
        ns.AddNamespace("o", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        ns.AddNamespace("u", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");

        var created = envelope.XPathSelectElement("/s:Envelope/s:Header/o:Security/u:Timestamp/u:Created", ns);
        var shifted = DateTime.Parse(created.Value).AddMinutes(1);
        created.Value = shifted.ToUniversalTime().ToString(TimeFormat);

        oS.RequestBody = Encoding.UTF8.GetBytes(envelope.ToString(SaveOptions.DisableFormatting));
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (FaultException fe)
    {
        // Assert
        Assert.AreEqual("Authentication failed", fe.Message);
    }
}
/// <summary>
/// Smoke test: an untampered token request against the STS succeeds and yields a token.
/// </summary>
public void TotalFlowSucessTest()
{
    // Arrange
    var configuration = TokenServiceConfigurationFactory.CreateConfiguration();
    IStsTokenService stsTokenService = new StsTokenService(configuration);

    // Act
    var issuedToken = stsTokenService.GetToken();

    // Assert
    Assert.IsNotNull(issuedToken);
}
/// <summary>
/// Tampers with the wsa:Action header of the STS response in transit and expects the client
/// to reject the response because its SOAP signature no longer validates.
/// </summary>
public void OioWsTrustResponseFailDueToHeaderActionTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only sessions with the STS are of interest.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // Response tampering requires buffering: without it FiddlerCore streams the response
        // straight to the client and the BeforeResponse handler cannot modify it.
        oS.bBufferResponse = true;
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    _fiddlerApplicationOnBeforeResponse = oS =>
    {
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // The header is signed by the STS, so an added attribute must break verification.
        oS.utilReplaceInResponse("<wsa:Action", "<wsa:Action testAttribute=\"Tampered\"");
    };
    FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (InvalidOperationException ioe)
    {
        // Assert (message text, including its spelling, is the library's own)
        Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
    }
}
/// <summary>
/// Verifies that the caching token service returns the same token on two consecutive calls.
/// </summary>
public void OioWsTrustTokenServiceCacheGivesTheSameTokenTest()
{
    // Arrange
    IStsTokenService cachingService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var first = cachingService.GetToken();

    // Act
    var second = cachingService.GetToken();

    // Assert: the cached token is handed out again while it is valid.
    Assert.AreEqual(first, second, "Expected that tokens was the same");
}
/// <summary>
/// Records the first token request and replays its body in place of the second one; the STS
/// is expected to reject the replayed message ("The specified request failed").
/// </summary>
public void OioWsTrustRequestFailDueToReplayAttackTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());
    byte[] recordedRequest = null;

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only requests bound for the STS are recorded / replayed.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // FiddlerCore reports an extra session with an empty request body; skip it.
        if (oS.RequestBody.Length == 0)
        {
            return;
        }

        if (recordedRequest == null)
        {
            // First real request: keep a copy.
            recordedRequest = oS.RequestBody;
        }
        else
        {
            // Every later request is replaced by the recorded one (same message id, timestamp and signature).
            oS.RequestBody = recordedRequest;
        }
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    // The first call goes through untouched and is what gets recorded.
    stsTokenService.GetToken();

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (FaultException fe)
    {
        // Assert
        Assert.AreEqual("The specified request failed", fe.Message);
    }
}
/// <summary>
/// Holds the STS response for <c>_wait</c> before releasing it to the client and expects the
/// client to reject it because its security timestamp is stale.
/// </summary>
public void OioWsTrustResponseExpiredTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // Without buffering the response is streamed through and the sleep in BeforeResponse has no effect.
        oS.bBufferResponse = true;
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    _fiddlerApplicationOnBeforeResponse = oS =>
    {
        // Only delay responses coming from the STS.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        Thread.Sleep(_wait);
    };
    FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (MessageSecurityException mse)
    {
        // Assert
        Assert.IsTrue(mse.Message.StartsWith("The security timestamp is stale because its expiration time"));
    }
}
/// <summary>
/// Replaces the WS-Addressing MessageID of the token request in transit and expects the STS
/// to reject it, since the header is covered by the request signature.
/// </summary>
public void OioWsTrustRequestFailDueToHeaderMessageIdTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        // Only tamper with requests bound for the STS.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // FiddlerCore reports an extra session with an empty request body; skip it.
        if (oS.RequestBody.Length == 0)
        {
            return;
        }

        // Edit the envelope as XML (the message id changes per request, so a plain text replace is unreliable).
        var envelope = XDocument.Load(new StringReader(Encoding.UTF8.GetString(oS.RequestBody)));

        var ns = new XmlNamespaceManager(new NameTable());
        ns.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
        ns.AddNamespace("a", "http://www.w3.org/2005/08/addressing");

        var messageId = envelope.XPathSelectElement("/s:Envelope/s:Header/a:MessageID", ns);
        messageId.Value = "uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";

        oS.RequestBody = Encoding.UTF8.GetBytes(envelope.ToString(SaveOptions.DisableFormatting));
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (FaultException fe)
    {
        // Assert
        Assert.AreEqual("Authentication failed", fe.Message);
    }
}
/// <summary>
/// Class-level fixture: trusts the FiddlerCore root certificate, starts FiddlerCore as the
/// system proxy with TLS decryption (this is what lets the tests act as a man in the middle),
/// and launches the example WSP process.
/// </summary>
/// <param name="context">Test context supplied by the framework; not used here.</param>
public static void Setup(TestContext context)
{
    _stsTokenService = new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());

    // FiddlerCore can only decrypt TLS when its root certificate is trusted by the machine.
    // NOTE(review): this installs a CA into the trusted root store. Run these tests only on a
    // disposable test machine and make sure the teardown removes the certificate again.
    if (!CertMaker.rootCertIsTrusted())
    {
        CertMaker.trustRootCert();
    }

    // Listen on 8877, register as the system proxy, decrypt SSL, do not accept remote clients.
    const int proxyPort = 8877;
    FiddlerApplication.Startup(proxyPort, true, true, false);

    // The path is relative to the working directory, so this only resolves when the tests
    // run from the test project's output folder.
    _process = Process.Start(@"..\..\..\..\Examples\Digst.OioIdws.WspExample\bin\Debug\Digst.OioIdws.WspExample.exe");
}
/// <summary>
/// Replaces the WS-Addressing RelatesTo header of the STS response in transit and expects the
/// client to reject the response because its SOAP signature no longer validates.
/// </summary>
public void OioWsTrustResponseFailDueToHeaderRelatesToTamperingTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // Response tampering requires buffering: without it FiddlerCore streams the response
        // straight to the client and the BeforeResponse handler cannot modify it.
        oS.bBufferResponse = true;
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    _fiddlerApplicationOnBeforeResponse = oS =>
    {
        // Only tamper with responses coming from the STS.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // FiddlerCore reports an extra session whose request body is empty; the SOAP reply
        // belongs to the session that actually carried the request, so filter on RequestBody.
        if (oS.RequestBody.Length == 0)
        {
            return;
        }

        // Edit the response as XML (ids change per message, so a plain text replace is unreliable).
        var envelope = XDocument.Load(new StringReader(Encoding.UTF8.GetString(oS.ResponseBody)));

        var ns = new XmlNamespaceManager(new NameTable());
        ns.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
        ns.AddNamespace("a", "http://www.w3.org/2005/08/addressing");

        var relatesTo = envelope.XPathSelectElement("/s:Envelope/s:Header/a:RelatesTo", ns);
        relatesTo.Value = "urn:uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";

        oS.ResponseBody = Encoding.UTF8.GetBytes(envelope.ToString(SaveOptions.DisableFormatting));
    };
    FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (InvalidOperationException ioe)
    {
        // Assert (message text, including its spelling, is the library's own)
        Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
    }
}
/// <summary>
/// Example WSC against the Java WSP, built with an explicit custom binding instead of the
/// generated client configuration: asymmetric message security with the issued SAML 2.0 token,
/// SOAP 1.2 / WS-Addressing 1.0 text encoding, and the WSP certificate pinned by thumbprint.
/// </summary>
static void Main(string[] args)
{
    // log4net is optional; it is configured from the application configuration file purely for demonstration.
    XmlConfigurator.Configure();

    // Give the WSP a moment to come up.
    Thread.Sleep(1000);

    // Retrieve token
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = stsTokenService.GetToken();

    // Call WSP with token
    var hostname = "https://localhost:8443/HelloWorld/services/helloworld";
    var endpointUri = new Uri(hostname);

    // The DNS identity is the name the WSP's certificate must present; WCF rejects a
    // service certificate that does not match it.
    var endpointAddress = new System.ServiceModel.EndpointAddress(
        endpointUri,
        System.ServiceModel.EndpointIdentity.CreateDnsIdentity(
            //"wsp.oioidws-net.dk TEST (funktionscertifikat)"
            "eID JAVA test (funktionscertifikat)"),
        new Channels.AddressHeader[] { });

    // Initiator side: X.509 token always sent; recipient side: the issued SAML 2.0 token,
    // referenced through an STR transform. Tokens are covered by the signature and no
    // derived keys are used.
    var recipientTokenParameters =
        new Soap.StrCustomization.CustomizedIssuedSecurityTokenParameters(
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
        {
            UseStrTransform = true
        };
    var asymmetric = new Channels.AsymmetricSecurityBindingElement(
        new SecurityTokens.X509SecurityTokenParameters(
            SecurityTokens.X509KeyIdentifierClauseType.Any,
            SecurityTokens.SecurityTokenInclusionMode.AlwaysToInitiator),
        recipientTokenParameters)
    {
        AllowSerializedSigningTokenOnReply = true,
        ProtectTokens = true
    };
    asymmetric.SetKeyDerivation(false);

    var messageEncoding = new Channels.TextMessageEncodingBindingElement
    {
        MessageVersion = Channels.MessageVersion.Soap12WSAddressing10
    };

    Channels.TransportBindingElement transport;
    if (hostname.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        transport = new Channels.HttpsTransportBindingElement();
    }
    else
    {
        transport = new Channels.HttpTransportBindingElement();
    }

    var customBinding = new Channels.CustomBinding();
    customBinding.Elements.Add(asymmetric);
    customBinding.Elements.Add(messageEncoding);
    customBinding.Elements.Add(transport);

    var factory = new System.ServiceModel.ChannelFactory<HelloWorldPortType>(customBinding, endpointAddress);
    factory.Credentials.UseIdentityConfiguration = true;

    // Pin the WSP certificate for this endpoint URL by thumbprint (LocalMachine\My).
    factory.Credentials.ServiceCertificate.SetScopedCertificate(
        X509Certificates.StoreLocation.LocalMachine,
        X509Certificates.StoreName.My,
        X509Certificates.X509FindType.FindByThumbprint,
        //"1F0830937C74B0567D6B05C07B6155059D9B10C7",
        "85398FCF737FB76F554C6F2422CC39D3A35EC26F",
        endpointUri);
    factory.Endpoint.Behaviors.Add(new Soap.Behaviors.SoapClientBehavior());

    var channel = factory.CreateChannelWithIssuedToken(securityToken);

    foreach (var name in new[] { "John", "Jane" })
    {
        Console.WriteLine(channel.HelloWorld(new HelloWorldRequest(name)).response);
    }

    try
    {
        // An empty name makes the WSP answer with a SOAP fault.
        Console.WriteLine(channel.HelloWorld(new HelloWorldRequest("")).response);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Expected SOAPFault caught: " + ex.Message);
    }

    // Message-level encryption against the Java WSP fails on the client side. Encryption at
    // message level is not required, so this has not been investigated further.
    //
    // Console.WriteLine(channelWithIssuedToken.HelloEncryptAndSign("Schultz"));

    Console.WriteLine("Press <Enter> to stop the service.");
    Console.ReadLine();
}
/// <summary>
/// Records the first STS response and serves it again for the second token request; the
/// client is expected to detect the replay (repeated response message id) and refuse it.
/// </summary>
public void OioWsTrustResponseFailDueToReplayAttackTest()
{
    // Arrange
    IStsTokenService stsTokenService =
        new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());
    byte[] recordedResponse = null;

    _fiddlerApplicationOnBeforeRequest = oS =>
    {
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // Response tampering requires buffering: without it FiddlerCore streams the response
        // straight to the client and the BeforeResponse handler cannot modify it.
        oS.bBufferResponse = true;
    };
    FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

    _fiddlerApplicationOnBeforeResponse = oS =>
    {
        // Only responses coming from the STS are recorded / replayed.
        if (StsHostName != oS.hostname)
        {
            return;
        }

        // FiddlerCore reports an extra session whose request body is empty; skip it.
        if (oS.RequestBody.Length == 0)
        {
            return;
        }

        if (recordedResponse == null)
        {
            // First real exchange: keep the STS response.
            recordedResponse = oS.ResponseBody;
        }
        else
        {
            // Later exchanges get the recorded response instead of the fresh one.
            oS.ResponseBody = recordedResponse;
        }
    };
    FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

    // The first call goes through untouched and is what gets recorded.
    stsTokenService.GetToken();

    // Act
    try
    {
        stsTokenService.GetToken();
        Assert.IsTrue(false, "Expected exception was not thrown!!!");
    }
    catch (InvalidOperationException ioe)
    {
        // Assert
        Assert.IsTrue(ioe.Message.StartsWith("Replay attack detected. Response message id:"), "Replay attack not detected!");
    }
}
/// <summary>
/// Example WSC against the .NET example WSP, built with an explicit custom binding instead of
/// the generated client configuration: asymmetric message security with the issued SAML 2.0
/// token, SOAP 1.2 / WS-Addressing 1.0 text encoding, and the WSP certificate pinned by
/// thumbprint. Calls every protection level and then two fault-raising operations.
/// </summary>
static void Main(string[] args)
{
    // log4net is optional; it is configured from the application configuration file purely for demonstration.
    XmlConfigurator.Configure();

    // Give the WSP a moment to come up.
    Thread.Sleep(1000);

    // Retrieve token
    IStsTokenService stsTokenService =
        new StsTokenServiceCache(TokenServiceConfigurationFactory.CreateConfiguration());
    var securityToken = stsTokenService.GetToken();

    // Call WSP with token
    var hostname = "https://Digst.OioIdws.Wsp:9090/HelloWorld";
    var endpointUri = new Uri(hostname);

    // The DNS identity is the name the WSP's certificate must present; WCF rejects a
    // service certificate that does not match it.
    var endpointAddress = new System.ServiceModel.EndpointAddress(
        endpointUri,
        System.ServiceModel.EndpointIdentity.CreateDnsIdentity("wsp.oioidws-net.dk TEST (funktionscertifikat)"),
        new Channels.AddressHeader[] { });

    // Initiator side: X.509 token always sent; recipient side: the issued SAML 2.0 token,
    // referenced through an STR transform. Tokens are covered by the signature and no
    // derived keys are used.
    var recipientTokenParameters =
        new Soap.StrCustomization.CustomizedIssuedSecurityTokenParameters(
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
        {
            UseStrTransform = true
        };
    var asymmetric = new Channels.AsymmetricSecurityBindingElement(
        new SecurityTokens.X509SecurityTokenParameters(
            SecurityTokens.X509KeyIdentifierClauseType.Any,
            SecurityTokens.SecurityTokenInclusionMode.AlwaysToInitiator),
        recipientTokenParameters)
    {
        AllowSerializedSigningTokenOnReply = true,
        ProtectTokens = true
    };
    asymmetric.SetKeyDerivation(false);

    var messageEncoding = new Channels.TextMessageEncodingBindingElement
    {
        MessageVersion = Channels.MessageVersion.Soap12WSAddressing10
    };

    Channels.TransportBindingElement transport;
    if (hostname.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        transport = new Channels.HttpsTransportBindingElement();
    }
    else
    {
        transport = new Channels.HttpTransportBindingElement();
    }

    var customBinding = new Channels.CustomBinding();
    customBinding.Elements.Add(asymmetric);
    customBinding.Elements.Add(messageEncoding);
    customBinding.Elements.Add(transport);

    var factory = new System.ServiceModel.ChannelFactory<IHelloWorld>(customBinding, endpointAddress);
    factory.Credentials.UseIdentityConfiguration = true;

    // Pin the WSP certificate for this endpoint URL by thumbprint (LocalMachine\My).
    factory.Credentials.ServiceCertificate.SetScopedCertificate(
        X509Certificates.StoreLocation.LocalMachine,
        X509Certificates.StoreName.My,
        X509Certificates.X509FindType.FindByThumbprint,
        "1F0830937C74B0567D6B05C07B6155059D9B10C7",
        endpointUri);
    factory.Endpoint.Behaviors.Add(new Soap.Behaviors.SoapClientBehavior());

    var channel = factory.CreateChannelWithIssuedToken(securityToken);

    Console.WriteLine(channel.HelloNone("Schultz"));
    Console.WriteLine(channel.HelloSign("Schultz"));
    Console.WriteLine(channel.HelloEncryptAndSign("Schultz"));

    // SOAP faults come back encrypted in Sign and EncryptAndSign mode unless special care is
    // taken; this call checks that such a fault can still be read.
    try
    {
        channel.HelloSignError("Schultz");
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }

    // A SOAP fault that is only signed (not encrypted) requires special care on the WSP side;
    // this call checks that it can be read as well.
    try
    {
        channel.HelloSignErrorNotEncrypted("Schultz");
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }

    Console.ReadLine();
}