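public void SignaturesMatchKnownGood() {
			// Signs a fixed response with a fixed association secret and pins the resulting
			// signature to a known-good value, so any drift in the signing algorithm
			// (parameter ordering, key handling, encoding) is caught here.
			Protocol protocol = Protocol.V20;
			var settings = new ProviderSecuritySettings();
			var store = new AssociationMemoryStore<AssociationRelyingPartyType>();
			byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
			Association association = HmacShaAssociation.Create("mock", associationSecret, TimeSpan.FromDays(1));
			store.StoreAssociation(AssociationRelyingPartyType.Smart, association);
			SigningBindingElement signer = new SigningBindingElement(store, settings);
			signer.Channel = new TestChannel(this.MessageDescriptions);

			IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
			ITamperResistantOpenIdMessage signedMessage = message;
			message.ProviderEndpoint = new Uri("http://provider");

			// Build the creation date with an explicit UTC kind rather than
			// DateTime.Parse("1/1/2009"): the parse result depends on the current culture
			// and its Kind is Unspecified, so (presumably, if the date is part of what is
			// signed) the pinned signature could vary with the machine's locale/time zone.
			signedMessage.UtcCreationDate = new DateTime(2009, 1, 1, 0, 0, 0, DateTimeKind.Utc);
			signedMessage.AssociationHandle = association.Handle;
			Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
			Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
		}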
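		public void SignaturesMatchKnownGood() {
			// Same known-good signature check as the association-store variant, but the
			// association secret is held in a crypto key store under a fixed handle.
			Protocol protocol = Protocol.V20;
			var settings = new ProviderSecuritySettings();
			var cryptoStore = new MemoryCryptoKeyStore();
			byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
			string handle = "mock";
			// The key only needs to outlive this test; one day of validity is plenty.
			cryptoStore.StoreKey(ProviderAssociationKeyStorage.SharedAssociationBucket, handle, new CryptoKey(associationSecret, DateTime.UtcNow.AddDays(1)));

			var store = new ProviderAssociationKeyStorage(cryptoStore);
			SigningBindingElement signer = new SigningBindingElement(store, settings);
			signer.Channel = new TestChannel(this.MessageDescriptions);

			IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
			ITamperResistantOpenIdMessage signedMessage = message;
			message.ProviderEndpoint = new Uri("http://provider");

			// Build the creation date with an explicit UTC kind rather than
			// DateTime.Parse("1/1/2009"): the parse result depends on the current culture
			// and its Kind is Unspecified, so (presumably, if the date is part of what is
			// signed) the pinned signature could vary with the machine's locale/time zone.
			signedMessage.UtcCreationDate = new DateTime(2009, 1, 1, 0, 0, 0, DateTimeKind.Utc);
			signedMessage.AssociationHandle = handle;
			Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
			Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
		}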
		public void SignedResponsesIncludeExtraDataInSignature() {
			// Extra parameters in the "openid." namespace must be covered by the signature;
			// extra parameters outside that namespace must be left out of it.
			var protocol = Protocol.Default;
			var signer = new SigningBindingElement(new AssociationMemoryStore<AssociationRelyingPartyType>(), new ProviderSecuritySettings());
			signer.Channel = new TestChannel(this.MessageDescriptions);

			var response = new IndirectSignedResponse(protocol.Version, RPUri);
			response.ReturnTo = RPUri;
			response.ProviderEndpoint = OPUri;
			response.ExtraData["someunsigned"] = "value";
			response.ExtraData["openid.somesigned"] = "value";

			Assert.IsNotNull(signer.ProcessOutgoingMessage(response));

			// Inspect which parameter names the signing element committed to.
			var signedResponse = (ITamperResistantOpenIdMessage)response;
			Assert.IsNotNull(signedResponse.SignedParameterOrder);
			var signedNames = signedResponse.SignedParameterOrder.Split(',');
			Assert.IsTrue(Array.IndexOf(signedNames, "somesigned") >= 0);
			Assert.IsFalse(Array.IndexOf(signedNames, "someunsigned") >= 0);
		}
        /// <summary>
        /// Builds the ordered chain of binding elements for a relying party or provider channel.
        /// </summary>
        /// <typeparam name="T">The distinguishing factor used by the association store.</typeparam>
        /// <param name="associationStore">The association store; may be null for a relying party, never for a provider.</param>
        /// <param name="nonceStore">The nonce store; optional for a relying party, required for a provider.</param>
        /// <param name="securitySettings">Either a <see cref="RelyingPartySecuritySettings"/> or a <see cref="ProviderSecuritySettings"/> instance.</param>
        /// <param name="nonVerifying">When true (relying party only), no signing, expiration or replay elements are added and a <see cref="SkipSecurityBindingElement"/> is used instead.</param>
        /// <returns>The binding elements, in pipeline order.</returns>
        private static IChannelBindingElement[] InitializeBindingElements <T>(IAssociationStore <T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings, bool nonVerifying)
        {
            Contract.Requires <ArgumentNullException>(securitySettings != null);
            Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);

            var relyingPartySettings = securitySettings as RelyingPartySecuritySettings;
            var providerSettings = securitySettings as ProviderSecuritySettings;
            ErrorUtilities.VerifyInternal(relyingPartySettings != null || providerSettings != null, "Expected an RP or OP security settings instance.");
            ErrorUtilities.VerifyInternal(!nonVerifying || relyingPartySettings != null, "Non-verifying channels can only be constructed for relying parties.");

            bool isRelyingParty = relyingPartySettings != null;
            var relyingPartyAssociations = associationStore as IAssociationStore <Uri>;
            var providerAssociations = associationStore as IAssociationStore <AssociationRelyingPartyType>;
            ErrorUtilities.VerifyInternal(isRelyingParty || providerAssociations != null, "Providers MUST have an association store.");

            // A non-verifying relying party never signs, so it gets no signing element at all.
            SigningBindingElement signingElement = isRelyingParty
                ? (nonVerifying ? null : new SigningBindingElement(relyingPartyAssociations))
                : new SigningBindingElement(providerAssociations, providerSettings);

            var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
            var elements = new List <IChannelBindingElement>(8);
            elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));

            if (!isRelyingParty)
            {
                // Providers must always have a nonce store.
                ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
            }
            else
            {
                elements.Add(new RelyingPartySecurityOptions(relyingPartySettings));
                elements.Add(new BackwardCompatibilityBindingElement());

                ReturnToNonceBindingElement returnToNonce = null;
                if (associationStore != null)
                {
                    if (nonceStore != null)
                    {
                        // A return_to nonce is only worth adding when a return_to signature
                        // protects it; otherwise the nonce could be altered undetected.
                        returnToNonce = new ReturnToNonceBindingElement(nonceStore, relyingPartySettings);
                        elements.Add(returnToNonce);
                    }

                    // The return_to signing element must follow the nonce element so that
                    // the nonce is covered by the signature.
                    elements.Add(new ReturnToSignatureBindingElement(relyingPartyAssociations, relyingPartySettings));
                }

                // Rejecting unsolicited assertions depends on the return_to nonce being present.
                ErrorUtilities.VerifyOperation(!relyingPartySettings.RejectUnsolicitedAssertions || returnToNonce != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
            }

            if (nonVerifying)
            {
                elements.Add(new SkipSecurityBindingElement());
                return elements.ToArray();
            }

            // Without a nonce store no replay-protection element is added (relying party only,
            // since providers were verified to have one above).
            if (nonceStore != null)
            {
                elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
            }

            elements.Add(new StandardExpirationBindingElement());
            elements.Add(signingElement);
            return elements.ToArray();
        }
        /// <summary>
        /// Builds the ordered chain of binding elements for a relying party or provider channel.
        /// </summary>
        /// <typeparam name="T">The distinguishing factor used by the association store.</typeparam>
        /// <param name="associationStore">The association store; may be null for a relying party, never for a provider.</param>
        /// <param name="nonceStore">The nonce store; optional for a relying party, required for a provider.</param>
        /// <param name="securitySettings">Either a <see cref="RelyingPartySecuritySettings"/> or a <see cref="ProviderSecuritySettings"/> instance.</param>
        /// <returns>The binding elements, in pipeline order, which may be used to construct the channel.</returns>
        private static IChannelBindingElement[] InitializeBindingElements <T>(IAssociationStore <T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings)
        {
            ErrorUtilities.VerifyArgumentNotNull(securitySettings, "securitySettings");

            var relyingPartySettings = securitySettings as RelyingPartySecuritySettings;
            var providerSettings = securitySettings as ProviderSecuritySettings;
            ErrorUtilities.VerifyInternal(relyingPartySettings != null || providerSettings != null, "Expected an RP or OP security settings instance.");

            bool isRelyingParty = relyingPartySettings != null;
            var relyingPartyAssociations = associationStore as IAssociationStore <Uri>;
            var providerAssociations = associationStore as IAssociationStore <AssociationRelyingPartyType>;
            ErrorUtilities.VerifyInternal(isRelyingParty || providerAssociations != null, "Providers MUST have an association store.");

            SigningBindingElement signingElement = isRelyingParty
                ? new SigningBindingElement(relyingPartyAssociations)
                : new SigningBindingElement(providerAssociations, providerSettings);

            var elements = new List <IChannelBindingElement>(7);
            if (!isRelyingParty)
            {
                elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), providerSettings));

                // Providers must always have a nonce store.
                ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
            }
            else
            {
                elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), relyingPartySettings));
                elements.Add(new BackwardCompatibilityBindingElement());

                if (associationStore != null)
                {
                    if (nonceStore != null)
                    {
                        // A return_to nonce is only worth adding when a return_to signature
                        // protects it; otherwise the nonce could be altered undetected.
                        elements.Add(new ReturnToNonceBindingElement(nonceStore));
                    }

                    // The return_to signing element must follow the nonce element so that
                    // the nonce is covered by the signature.
                    elements.Add(new ReturnToSignatureBindingElement(relyingPartyAssociations, relyingPartySettings));
                }
            }

            // Without a nonce store no replay-protection element is added (relying party only,
            // since providers were verified to have one above).
            if (nonceStore != null)
            {
                elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
            }

            elements.Add(new StandardExpirationBindingElement());
            elements.Add(signingElement);
            return elements.ToArray();
        }
		/// <summary>
		/// Builds the ordered chain of binding elements for an OpenID Provider channel.
		/// </summary>
		/// <param name="cryptoKeyStore">The OpenID Provider's crypto key store.</param>
		/// <param name="nonceStore">The nonce store to use.</param>
		/// <param name="securitySettings">The provider security settings to apply.</param>
		/// <returns>
		/// The binding elements, in pipeline order, which may be used to construct the channel.
		/// </returns>
		private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
			Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
			Contract.Requires<ArgumentNullException>(securitySettings != null);
			Contract.Requires<ArgumentNullException>(nonceStore != null);

			var signingElement = new SigningBindingElement(cryptoKeyStore, securitySettings);
			var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

			// Pipeline order: extensions, replay protection, expiration, and signing last.
			return new IChannelBindingElement[] {
				new ExtensionsBindingElement(extensionFactory, securitySettings),
				new StandardReplayProtectionBindingElement(nonceStore, true),
				new StandardExpirationBindingElement(),
				signingElement,
			};
		}