protected virtual SecurityBindingElement ApplyMessageSecurity(SecurityBindingElement securityBindingElement)
{
if (securityBindingElement == null)
{
throw new ArgumentNullException("securityBindingElement");
}
if (TrustVersion.WSTrustFeb2005 == _trustVersion)
{
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
}
else
{
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
}
if (_enableRsaProofKeys)
{
RsaSecurityTokenParameters item = new RsaSecurityTokenParameters
{
InclusionMode = SecurityTokenInclusionMode.Never,
RequireDerivedKeys = false
};
securityBindingElement.OptionalEndpointSupportingTokenParameters.Endorsing.Add(item);
}
return securityBindingElement;
}
public virtual bool TryImportWsspRsaTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
parameters = null;
SecurityTokenInclusionMode inclusionMode;
Collection<Collection<XmlElement>> alternatives;
if (IsMsspAssertion(assertion, RsaTokenName)
&& TryGetIncludeTokenValue(assertion, out inclusionMode)
&& TryGetNestedPolicyAlternatives(importer, assertion, out alternatives) == false)
{
parameters = new RsaSecurityTokenParameters();
parameters.InclusionMode = inclusionMode;
}
return parameters != null;
}
public virtual XmlElement CreateWsspRsaTokenAssertion(RsaSecurityTokenParameters parameters)
{
XmlElement result = CreateMsspAssertion(RsaTokenName);
SetIncludeTokenValue(result, parameters.InclusionMode);
return result;
}
protected override BodyWriter GetFirstOutgoingMessageBody(FederatedTokenProviderState negotiationState, out MessageProperties messageProperties)
{
messageProperties = null;
RequestSecurityToken rst = new RequestSecurityToken(this.StandardsManager);
if (this.addTargetServiceAppliesTo)
{
if (this.MessageVersion.Addressing == AddressingVersion.WSAddressing10)
{
rst.SetAppliesTo <EndpointAddress10>(
EndpointAddress10.FromEndpointAddress(negotiationState.TargetAddress),
DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), DataContractSerializerDefaults.MaxItemsInObjectGraph));
}
else if (this.MessageVersion.Addressing == AddressingVersion.WSAddressingAugust2004)
{
rst.SetAppliesTo <EndpointAddressAugust2004>(
EndpointAddressAugust2004.FromEndpointAddress(negotiationState.TargetAddress),
DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), DataContractSerializerDefaults.MaxItemsInObjectGraph));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, this.MessageVersion.Addressing)));
}
}
rst.Context = negotiationState.Context;
if (!this.isKeySizePresentInRstProperties)
{
rst.KeySize = this.keySize;
}
Collection <XmlElement> newRequestProperties = new Collection <XmlElement>();
if (this.requestProperties != null)
{
for (int i = 0; i < this.requestProperties.Count; ++i)
{
newRequestProperties.Add(this.requestProperties[i]);
}
}
if (!isKeyTypePresentInRstProperties)
{
XmlElement keyTypeElement = this.StandardsManager.TrustDriver.CreateKeyTypeElement(this.keyType);
newRequestProperties.Insert(0, keyTypeElement);
}
if (this.keyType == SecurityKeyType.SymmetricKey)
{
byte[] requestorEntropy = negotiationState.GetRequestorEntropy();
rst.SetRequestorEntropy(requestorEntropy);
}
else if (this.keyType == SecurityKeyType.AsymmetricKey)
{
RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(negotiationState.Rsa);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(rsaClause);
newRequestProperties.Add(this.StandardsManager.TrustDriver.CreateUseKeyElement(keyIdentifier, this.StandardsManager));
RsaSecurityTokenParameters rsaParameters = new RsaSecurityTokenParameters();
rsaParameters.InclusionMode = SecurityTokenInclusionMode.Never;
rsaParameters.RequireDerivedKeys = false;
SupportingTokenSpecification rsaSpec = new SupportingTokenSpecification(negotiationState.RsaSecurityToken, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, rsaParameters);
messageProperties = new MessageProperties();
SecurityMessageProperty security = new SecurityMessageProperty();
security.OutgoingSupportingTokens.Add(rsaSpec);
messageProperties.Security = security;
}
if (this.keyType == SecurityKeyType.SymmetricKey && this.KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy)
{
newRequestProperties.Add(this.StandardsManager.TrustDriver.CreateComputedKeyAlgorithmElement(this.StandardsManager.TrustDriver.ComputedKeyAlgorithm));
}
rst.RequestProperties = newRequestProperties;
rst.MakeReadOnly();
return(rst);
}
public void GetPropertySecurityCapabilities ()
{
ISecurityCapabilities c;
RsaSecurityTokenParameters rsa =
new RsaSecurityTokenParameters ();
UserNameSecurityTokenParameters user =
new UserNameSecurityTokenParameters ();
X509SecurityTokenParameters x509 =
new X509SecurityTokenParameters ();
SecureConversationSecurityTokenParameters sc1 =
new SecureConversationSecurityTokenParameters ();
sc1.BootstrapSecurityBindingElement =
new SymmetricSecurityBindingElement (); // empty
SecureConversationSecurityTokenParameters sc2 =
new SecureConversationSecurityTokenParameters ();
sc2.BootstrapSecurityBindingElement =
new SymmetricSecurityBindingElement (x509);
SecureConversationSecurityTokenParameters sc3 =
new SecureConversationSecurityTokenParameters ();
sc3.BootstrapSecurityBindingElement =
new AsymmetricSecurityBindingElement (null, x509);
SecureConversationSecurityTokenParameters sc4 =
new SecureConversationSecurityTokenParameters ();
sc4.BootstrapSecurityBindingElement =
new AsymmetricSecurityBindingElement (x509, null);
// no parameters
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement ());
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, false, c, "#1");
// x509 parameters for both
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, true, c, "#2");
// no initiator parameters
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (x509, null));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, true, c, "#3");
// no recipient parameters
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (null, x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#4");
// initiator does not support identity
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (x509, rsa));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, false, true, c, "#5");
// recipient does not support server auth
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (user, x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#6");
// secureconv with no symm. bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc1));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, false, c, "#7");
// secureconv with x509 symm. bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc2));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, true, c, "#8");
// secureconv with x509 initiator bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc3));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#9");
// secureconv with x509 recipient bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc4));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, true, c, "#10");
// FIXME: find out such cases that returns other ProtectionLevel values.
}
protected RsaSecurityTokenParameters(RsaSecurityTokenParameters other)
: base(other)
{
this.InclusionMode = SecurityTokenInclusionMode.Never;
}
private static ServiceHost StartSTS(Type type, string stsLabel, Uri baseAddress, Uri baseMexAddress)
{
// Create the service host
Uri stsAddress = new Uri(baseAddress.AbsoluteUri + "/" + stsLabel);
ServiceHost serviceHost = new ServiceHost(type, stsAddress);
// Don't require derived keys for the issue method
ServiceEndpoint stsEndpoint = serviceHost.Description.Endpoints.Find(typeof(nl.telin.authep.sts.IWSTrustContract));
BindingElementCollection bindingElements = stsEndpoint.Binding.CreateBindingElements();
SecurityBindingElement sbe = bindingElements.Find<SecurityBindingElement>();
RsaSecurityTokenParameters rsaParams = new RsaSecurityTokenParameters();
rsaParams.InclusionMode = SecurityTokenInclusionMode.Never;
rsaParams.RequireDerivedKeys = false;
SupportingTokenParameters requirements = new SupportingTokenParameters();
requirements.Endorsing.Add(rsaParams);
sbe.OptionalOperationSupportingTokenParameters.Add(nl.telin.authep.sts.Constants.WSTrust.Actions.Issue, requirements);
stsEndpoint.Binding = new CustomBinding(bindingElements);
serviceHost.Credentials.ServiceCertificate.Certificate = SigningCertificate;
// Add an https mex listener
string mexAddress = baseMexAddress.AbsoluteUri + "/" + stsLabel + "/mex";
serviceHost.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName, MetadataExchangeBindings.CreateMexHttpsBinding(), mexAddress);
// Disable CRL
serviceHost.Credentials.IssuedTokenAuthentication.RevocationMode = X509RevocationMode.NoCheck;
// Open the service
serviceHost.Open();
// Display the endpoints
foreach (ChannelDispatcher cd in serviceHost.ChannelDispatchers)
{
foreach (EndpointDispatcher ed in cd.Endpoints)
{
Console.WriteLine("Listener = {0}, State = {1}", ed.EndpointAddress.ToString(), cd.State.ToString());
}
}
return serviceHost;
}
public virtual XmlElement CreateWsspRsaTokenAssertion(RsaSecurityTokenParameters parameters)
{
XmlElement tokenAssertion = this.CreateMsspAssertion("RsaToken");
this.SetIncludeTokenValue(tokenAssertion, parameters.InclusionMode);
return tokenAssertion;
}
public virtual bool TryImportWsspRsaTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
SecurityTokenInclusionMode mode;
Collection<Collection<XmlElement>> collection;
parameters = null;
if ((this.IsMsspAssertion(assertion, "RsaToken") && this.TryGetIncludeTokenValue(assertion, out mode)) && !this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
{
parameters = new RsaSecurityTokenParameters();
parameters.InclusionMode = mode;
}
return (parameters != null);
}
protected RsaSecurityTokenParameters(RsaSecurityTokenParameters source)
: base(source)
{
}
protected RsaSecurityTokenParameters(RsaSecurityTokenParameters other)
{
}
protected RsaSecurityTokenParameters(RsaSecurityTokenParameters other)
{
}
protected override BodyWriter GetFirstOutgoingMessageBody(IssuedSecurityTokenProvider.FederatedTokenProviderState negotiationState, out MessageProperties messageProperties)
{
messageProperties = null;
RequestSecurityToken token = new RequestSecurityToken(base.StandardsManager);
if (this.addTargetServiceAppliesTo)
{
if (this.MessageVersion.Addressing != AddressingVersion.WSAddressing10)
{
if (this.MessageVersion.Addressing != AddressingVersion.WSAddressingAugust2004)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { this.MessageVersion.Addressing })));
}
token.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), 0x10000));
}
else
{
token.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), 0x10000));
}
}
token.Context = negotiationState.Context;
if (!this.isKeySizePresentInRstProperties)
{
token.KeySize = this.keySize;
}
Collection <XmlElement> collection = new Collection <XmlElement>();
if (this.requestProperties != null)
{
for (int i = 0; i < this.requestProperties.Count; i++)
{
collection.Add(this.requestProperties[i]);
}
}
if (!this.isKeyTypePresentInRstProperties)
{
XmlElement item = base.StandardsManager.TrustDriver.CreateKeyTypeElement(this.keyType);
collection.Insert(0, item);
}
if (this.keyType == SecurityKeyType.SymmetricKey)
{
byte[] requestorEntropy = negotiationState.GetRequestorEntropy();
token.SetRequestorEntropy(requestorEntropy);
}
else if (this.keyType == SecurityKeyType.AsymmetricKey)
{
RsaKeyIdentifierClause clause = new RsaKeyIdentifierClause(negotiationState.Rsa);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause });
collection.Add(base.StandardsManager.TrustDriver.CreateUseKeyElement(keyIdentifier, base.StandardsManager));
RsaSecurityTokenParameters tokenParameters = new RsaSecurityTokenParameters {
InclusionMode = SecurityTokenInclusionMode.Never,
RequireDerivedKeys = false
};
SupportingTokenSpecification specification = new SupportingTokenSpecification(negotiationState.RsaSecurityToken, System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, tokenParameters);
messageProperties = new MessageProperties();
SecurityMessageProperty property = new SecurityMessageProperty {
OutgoingSupportingTokens = { specification }
};
messageProperties.Security = property;
}
if ((this.keyType == SecurityKeyType.SymmetricKey) && (this.KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy))
{
collection.Add(base.StandardsManager.TrustDriver.CreateComputedKeyAlgorithmElement(base.StandardsManager.TrustDriver.ComputedKeyAlgorithm));
}
token.RequestProperties = collection;
token.MakeReadOnly();
return(token);
}
protected RsaSecurityTokenParameters (RsaSecurityTokenParameters source)
: base (source)
{
}
protected RsaSecurityTokenParameters(RsaSecurityTokenParameters other) : base(other)
{
base.InclusionMode = SecurityTokenInclusionMode.Never;
}