Exemple #1
0
        // Summary:
        //  If interactive support is requested and an IssuedSecurityTokenParameters is specified this method
        //  will return an instance of an InfoCardTokenProvider.
        //  Otherwise this method defers to the base implementation.
        //
        // Parameters
        //  parameters  - The security token parameters associated with this ChannelFactory.
        //
        // Note
        //  The target and issuer information will not be available in this call
        //
        public static bool TryCreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }
            if (clientCredentialsTokenManager == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("clientCredentialsTokenManager");
            }

            provider = null;

            if (!clientCredentialsTokenManager.ClientCredentials.SupportInteractive ||
                (null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerAddress && null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerBinding) ||
                !clientCredentialsTokenManager.IsIssuedSecurityTokenRequirement(tokenRequirement)
                )
            {
                //IDT.TraceDebug("ICARDTOKPROV: Non Issued SecurityToken requirement submitted to InfoCardClientCredentialsSecurityTokenManager:\n{0}", tokenRequirement);
                //IDT.TraceDebug("ICARDTOKPROV: Defering to the base class to create the token provider");
            }
            else
            {
                ChannelParameterCollection channelParameter;
                InfoCardChannelParameter   infocardChannelParameter = null;
                if (tokenRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameter))
                {
                    foreach (object obj in channelParameter)
                    {
                        if (obj is InfoCardChannelParameter)
                        {
                            infocardChannelParameter = (InfoCardChannelParameter)obj;
                            break;
                        }
                    }
                }

                if (null == infocardChannelParameter || !infocardChannelParameter.RequiresInfoCard)
                {
                    return(false);
                }

                EndpointAddress target = tokenRequirement.GetProperty <EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
                IssuedSecurityTokenParameters issuedTokenParameters = tokenRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

                Uri privacyNoticeLink;
                if (!tokenRequirement.TryGetProperty <Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeLink))
                {
                    privacyNoticeLink = null;
                }

                int privacyNoticeVersion;
                if (!tokenRequirement.TryGetProperty <int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
                {
                    privacyNoticeVersion = 0;
                }
                //
                // This analysis of this chain indicates that interactive support will be required
                // The InternalClientCredentials class handles that.
                //
                provider = CreateTokenProviderForNextLeg(tokenRequirement, target, issuedTokenParameters.IssuerAddress, infocardChannelParameter.RelyingPartyIssuer, clientCredentialsTokenManager, infocardChannelParameter);
            }

            return(provider != null);
        }
Exemple #2
0
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
                                                                     bool isReliableSession,
                                                                     MessageSecurityVersion version)
        {
            if ((this.IssuedKeyType == SecurityKeyType.BearerKey) &&
                (version.TrustVersion == TrustVersion.WSTrustFeb2005))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
            }

            if (isReliableSession && !this.EstablishSecurityContext)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
            }

            SecurityBindingElement result;
            bool emitBspAttributes = true;
            IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);

            issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
            issuedParameters.KeyType = this.IssuedKeyType;
            if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
            {
                issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
            }
            else
            {
                issuedParameters.KeySize = 0;
            }
            foreach (ClaimTypeRequirement c in this.claimTypeRequirements)
            {
                issuedParameters.ClaimTypeRequirements.Add(c);
            }
            foreach (XmlElement p in this.TokenRequestParameters)
            {
                issuedParameters.AdditionalRequestParameters.Add(p);
            }
            WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
                                                                                                version.TrustVersion,
                                                                                                version.SecureConversationVersion,
                                                                                                emitBspAttributes,
                                                                                                null, null, null);
            SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);

            issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);

            SecurityBindingElement issuedTokenSecurity;

            if (isSecureTransportMode)
            {
                issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
            }
            else
            {
                if (negotiateServiceCredential)
                {
                    // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
                    // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
                    issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
                }
                else
                {
                    issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
                }
            }

            issuedTokenSecurity.MessageSecurityVersion = version;
            issuedTokenSecurity.DefaultAlgorithmSuite  = this.AlgorithmSuite;

            if (this.EstablishSecurityContext)
            {
                result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
            }
            else
            {
                result = issuedTokenSecurity;
            }

            result.MessageSecurityVersion = version;
            result.DefaultAlgorithmSuite  = this.AlgorithmSuite;
            result.IncludeTimestamp       = true;

            if (!isReliableSession)
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = false;
                result.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            else
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = true;
                result.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }

            if (this.establishSecurityContext)
            {
                // issue the transition SCT for a short duration only
                issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
            }

            return(result);
        }
Exemple #3
0
        private IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            KeyedByTypeCollection <IEndpointBehavior> localIssuerChannelBehaviors;
            MessageSecurityVersion     version;
            SecurityTokenSerializer    serializer;
            ChannelParameterCollection parameters2;

            if (initiatorRequirement.TargetAddress == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenRequirementDoesNotSpecifyTargetAddress", new object[] { initiatorRequirement }));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenProviderRequiresSecurityBindingElement", new object[] { initiatorRequirement }));
            }
            EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress;
            Binding         issuerBinding = initiatorRequirement.IssuerBinding;
            bool            flag          = (issuerAddress == null) || issuerAddress.Equals(EndpointAddress.AnonymousAddress);

            if (flag)
            {
                issuerAddress = this.parent.IssuedToken.LocalIssuerAddress;
                issuerBinding = this.parent.IssuedToken.LocalIssuerBinding;
            }
            if (issuerAddress == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("StsAddressNotSet", new object[] { initiatorRequirement.TargetAddress })));
            }
            if (issuerBinding == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("StsBindingNotSet", new object[] { issuerAddress })));
            }
            Uri uri = issuerAddress.Uri;

            if (!this.parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out localIssuerChannelBehaviors) && flag)
            {
                localIssuerChannelBehaviors = this.parent.IssuedToken.LocalIssuerChannelBehaviors;
            }
            IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(this.GetCredentialsHandle(initiatorRequirement))
            {
                TargetAddress = initiatorRequirement.TargetAddress
            };

            this.CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, localIssuerChannelBehaviors, issuerAddress);
            federationTokenProvider.CacheIssuedTokens         = this.parent.IssuedToken.CacheIssuedTokens;
            federationTokenProvider.IdentityVerifier          = securityBindingElement.LocalClientSettings.IdentityVerifier;
            federationTokenProvider.IssuerAddress             = issuerAddress;
            federationTokenProvider.IssuerBinding             = issuerBinding;
            federationTokenProvider.KeyEntropyMode            = this.GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding);
            federationTokenProvider.MaxIssuedTokenCachingTime = this.parent.IssuedToken.MaxIssuedTokenCachingTime;
            federationTokenProvider.SecurityAlgorithmSuite    = initiatorRequirement.SecurityAlgorithmSuite;
            IssuedSecurityTokenParameters property = initiatorRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

            this.GetIssuerBindingSecurityVersion(issuerBinding, property.DefaultMessageSecurityVersion, initiatorRequirement.SecurityBindingElement, out version, out serializer);
            federationTokenProvider.MessageSecurityVersion  = version;
            federationTokenProvider.SecurityTokenSerializer = serializer;
            federationTokenProvider.IssuedTokenRenewalThresholdPercentage = this.parent.IssuedToken.IssuedTokenRenewalThresholdPercentage;
            IEnumerable <XmlElement> enumerable = property.CreateRequestParameters(version, serializer);

            if (enumerable != null)
            {
                foreach (XmlElement element2 in enumerable)
                {
                    federationTokenProvider.TokenRequestParameters.Add(element2);
                }
            }
            if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters2))
            {
                federationTokenProvider.ChannelParameters = parameters2;
            }
            return(federationTokenProvider);
        }
Exemple #4
0
        internal static bool TryCreate(SecurityBindingElement sbe, bool isReliableSession, BindingElement transportBindingElement, out MessageSecurityOverTcp messageSecurity)
        {
            MessageCredentialType         userName;
            SecurityBindingElement        element;
            IssuedSecurityTokenParameters parameters;

            messageSecurity = null;
            if (sbe == null)
            {
                return(false);
            }
            if (!sbe.IncludeTimestamp)
            {
                return(false);
            }
            if ((sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11) && (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10))
            {
                return(false);
            }
            if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
            {
                return(false);
            }
            if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element))
            {
                return(false);
            }
            if (element is TransportSecurityBindingElement)
            {
                if (SecurityBindingElement.IsUserNameOverTransportBinding(element))
                {
                    userName = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsCertificateOverTransportBinding(element))
                {
                    userName = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(element, true))
                {
                    userName = MessageCredentialType.Windows;
                }
                else
                {
                    if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters))
                    {
                        return(false);
                    }
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(element.MessageSecurityVersion, new WSSecurityTokenSerializer(element.MessageSecurityVersion.SecurityVersion, element.MessageSecurityVersion.TrustVersion, element.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                    {
                        return(false);
                    }
                    userName = MessageCredentialType.IssuedToken;
                }
            }
            else if (SecurityBindingElement.IsUserNameForSslBinding(element, true))
            {
                userName = MessageCredentialType.UserName;
            }
            else if (SecurityBindingElement.IsSslNegotiationBinding(element, true, true))
            {
                userName = MessageCredentialType.Certificate;
            }
            else if (SecurityBindingElement.IsSspiNegotiationBinding(element, true))
            {
                userName = MessageCredentialType.Windows;
            }
            else if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, true, out parameters))
            {
                if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(element.MessageSecurityVersion, new WSSecurityTokenSerializer(element.MessageSecurityVersion.SecurityVersion, element.MessageSecurityVersion.TrustVersion, element.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                {
                    return(false);
                }
                userName = MessageCredentialType.IssuedToken;
            }
            else if (SecurityBindingElement.IsSslNegotiationBinding(element, false, true))
            {
                userName = MessageCredentialType.None;
            }
            else
            {
                return(false);
            }
            messageSecurity = new MessageSecurityOverTcp();
            messageSecurity.ClientCredentialType = userName;
            if (userName != MessageCredentialType.IssuedToken)
            {
                messageSecurity.AlgorithmSuite = element.DefaultAlgorithmSuite;
            }
            return(true);
        }
Exemple #5
0
 CreateIssuedTokenForSslBindingElement(
     IssuedSecurityTokenParameters issuedTokenParameters)
 {
     return(CreateIssuedTokenForSslBindingElement(
                issuedTokenParameters, false));
 }
Exemple #6
0
        private async ValueTask <BodyWriter> ProcessNegotiationAsync(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
        {
            ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;

            byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(),
                                                                  SecurityUtils.GetChannelBindingFromMessage(incomingMessage),
                                                                  ExtendedProtectionPolicy);

            if (sspiNegotiation.IsValidContext == false)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidSspiNegotiation)), incomingMessage);
            }
            // if there is no blob to send back the nego must be complete from the server side
            if (outgoingBlob == null && sspiNegotiation.IsCompleted == false)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.NoBinaryNegoToSend)), incomingMessage);
            }
            BinaryNegotiation outgoingBinaryNegotiation;

            if (outgoingBlob != null)
            {
                outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
            }
            else
            {
                outgoingBinaryNegotiation = null;
            }
            BodyWriter replyBody;

            if (sspiNegotiation.IsCompleted)
            {
                ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = await ValidateSspiNegotiationAsync(sspiNegotiation);

                SecurityContextSecurityToken serviceToken;
                WrappedKeySecurityToken      proofToken;
                int issuedKeySize;
                IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize);
                negotiationState.SetServiceToken(serviceToken);

                SecurityKeyIdentifierClause externalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
                SecurityKeyIdentifierClause internalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);

                RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(StandardsManager)
                {
                    Context   = negotiationState.Context,
                    KeySize   = issuedKeySize,
                    TokenType = SecurityContextTokenUri
                };
                if (outgoingBinaryNegotiation != null)
                {
                    dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                }
                dummyRstr.RequestedUnattachedReference = externalTokenReference;
                dummyRstr.RequestedAttachedReference   = internalTokenReference;
                dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo);
                if (negotiationState.AppliesTo != null)
                {
                    if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(
                                                                       negotiationState.AppliesTo),
                                                                   negotiationState.AppliesToSerializer);
                    }
                    else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(
                                                                               negotiationState.AppliesTo),
                                                                           negotiationState.AppliesToSerializer);
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
                    }
                }
                dummyRstr.MakeReadOnly();
                AddToDigest(negotiationState, dummyRstr, false);
                RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(StandardsManager)
                {
                    RequestedSecurityToken = serviceToken,

                    RequestedProofToken = proofToken,
                    Context             = negotiationState.Context,
                    KeySize             = issuedKeySize,
                    TokenType           = SecurityContextTokenUri
                };
                if (outgoingBinaryNegotiation != null)
                {
                    negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                }
                negotiationRstr.RequestedAttachedReference   = internalTokenReference;
                negotiationRstr.RequestedUnattachedReference = externalTokenReference;
                if (negotiationState.AppliesTo != null)
                {
                    if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        negotiationRstr.SetAppliesTo <EndpointAddress10>(
                            EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo),
                            negotiationState.AppliesToSerializer);
                    }
                    else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>(
                            EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo),
                            negotiationState.AppliesToSerializer);
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
                    }
                }
                negotiationRstr.MakeReadOnly();

                byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes());
                RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(StandardsManager)
                {
                    Context = negotiationState.Context
                };
                authenticatorRstr.SetAuthenticator(authenticator);
                authenticatorRstr.MakeReadOnly();

                List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2)
                {
                    negotiationRstr,
                    authenticatorRstr
                };
                replyBody = new RequestSecurityTokenResponseCollection(rstrList, StandardsManager);
            }
            else
            {
                RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(StandardsManager)
                {
                    Context = negotiationState.Context
                };
                rstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                rstr.MakeReadOnly();
                AddToDigest(negotiationState, rstr, false);
                replyBody = rstr;
            }

            return(replyBody);
        }
Exemple #7
0
        internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity)
        {
            messageSecurity = null;
            if (sbe == null)
            {
                return(false);
            }

            SymmetricSecurityBindingElement ssbe = sbe as SymmetricSecurityBindingElement;

            if (ssbe == null)
            {
                return(false);
            }

            if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 &&
                sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11)
            {
                return(false);
            }

            // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings

            if (ssbe.IncludeTimestamp)
            {
                return(false);
            }

            bool isKerberosSelected = false;
            MessageCredentialType         clientCredentialType;
            IssuedSecurityTokenParameters issuedParameters;

            if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe))
            {
                clientCredentialType = MessageCredentialType.None;
            }
            else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe))
            {
                clientCredentialType = MessageCredentialType.UserName;
            }
            else if (SecurityBindingElement.IsMutualCertificateBinding(sbe))
            {
                clientCredentialType = MessageCredentialType.Certificate;
            }
            else if (SecurityBindingElement.IsKerberosBinding(sbe))
            {
                clientCredentialType = MessageCredentialType.Windows;
                isKerberosSelected   = true;
            }
            else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out issuedParameters))
            {
                if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                        issuedParameters,
                        new SecurityStandardsManager(
                            sbe.MessageSecurityVersion,
                            new WSSecurityTokenSerializer(
                                sbe.MessageSecurityVersion.SecurityVersion,
                                sbe.MessageSecurityVersion.TrustVersion,
                                sbe.MessageSecurityVersion.SecureConversationVersion,
                                true,
                                null, null, null))))
                {
                    return(false);
                }
                clientCredentialType = MessageCredentialType.IssuedToken;
            }
            else
            {
                return(false);
            }

            messageSecurity = new MessageSecurityOverMsmq();
            messageSecurity.ClientCredentialType = clientCredentialType;
            // set the algorithm suite and issued token params if required
            if (clientCredentialType != MessageCredentialType.IssuedToken && !isKerberosSelected)
            {
                messageSecurity.AlgorithmSuite = ssbe.DefaultAlgorithmSuite;
            }
            return(true);
        }
Exemple #8
0
        private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
        {
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
            string signatureAlgorithm  = null;
            string encryptionAlgorithm = null;

            switch (keyType)
            {
            case SecurityKeyType.SymmetricKey:
                signatureAlgorithm  = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
                encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
                break;

            case SecurityKeyType.AsymmetricKey:
                signatureAlgorithm  = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
                encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
                break;

            case SecurityKeyType.BearerKey:
                return;

            default:
                throw new ArgumentOutOfRangeException("keyType");
            }

            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));

            if (trustVersion != TrustVersion.WSTrustFeb2005)
            {
                issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
            }
        }
Exemple #9
0
        internal static bool TryCreate <TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity)
            where TSecurity : MessageSecurityOverHttp
        {
            Fx.Assert(null != sbe, string.Empty);

            messageSecurity = null;

            // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings

            if (!sbe.IncludeTimestamp)
            {
                return(false);
            }

            // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()

            if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
            {
                return(false);
            }

            bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
            MessageCredentialType  clientCredentialType;
            SecurityAlgorithmSuite algorithmSuite = SecurityAlgorithmSuite.Default;
            bool isSecureConversation;

            SecurityBindingElement bootstrapSecurity;

            if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity))
            {
                isSecureConversation = false;

                bootstrapSecurity = sbe;
            }
            else
            {
                isSecureConversation = true;
            }

            if (!isSecureConversation && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp)))
            {
                return(false);
            }

            if (!isSecureConversation && isReliableSession)
            {
                return(false);
            }

            if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
            {
                return(false);
            }

            IssuedSecurityTokenParameters infocardParameters;

            if (isSecureTransportMode)
            {
                if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
                {
                    clientCredentialType = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    clientCredentialType = MessageCredentialType.IssuedToken;
                }
                else
                {
                    // the standard binding does not support None client credential type in mixed mode
                    return(false);
                }
            }
            else
            {
                if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.None;
                }
                else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.IssuedToken;
                }
                else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsKerberosBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.IssuedToken;
                }
                else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.None;
                }
                else
                {
                    return(false);
                }
            }

            // Do not check any Local* settings

            // Do not check DefaultAlgorithmSuite: is it often changed after the Security element is created, it will verified by SecuritySectionBase.AreBindingsMatching().

            if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity)))
            {
                messageSecurity = (TSecurity)(object)new NonDualMessageSecurityOverHttp();
                ((NonDualMessageSecurityOverHttp)(object)messageSecurity).EstablishSecurityContext = isSecureConversation;
            }
            else
            {
                messageSecurity = (TSecurity)(object)new MessageSecurityOverHttp();
            }

            messageSecurity.ClientCredentialType       = clientCredentialType;
            messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
            messageSecurity.AlgorithmSuite             = sbe.DefaultAlgorithmSuite;
            return(true);
        }
Exemple #10
0
        protected override SecurityBindingElement CreateMessageSecurity()
        {
            if (Security.Mode == SecurityMode.Transport ||
                Security.Mode == SecurityMode.None)
            {
                return(null);
            }

            SymmetricSecurityBindingElement element =
                new SymmetricSecurityBindingElement();

            element.MessageSecurityVersion       = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            element.RequireSignatureConfirmation = true;

            switch (Security.Message.ClientCredentialType)
            {
            case MessageCredentialType.Certificate:
                X509SecurityTokenParameters p =
                    new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint);
                p.RequireDerivedKeys = false;
                element.EndpointSupportingTokenParameters.Endorsing.Add(p);
                goto default;

            case MessageCredentialType.IssuedToken:
                IssuedSecurityTokenParameters istp =
                    new IssuedSecurityTokenParameters();
                // FIXME: issuer binding must be secure.
                istp.IssuerBinding = new CustomBinding(
                    new TextMessageEncodingBindingElement(),
                    GetTransport());
                element.EndpointSupportingTokenParameters.Endorsing.Add(istp);
                goto default;

            case MessageCredentialType.UserName:
                element.EndpointSupportingTokenParameters.SignedEncrypted.Add(
                    new UserNameSecurityTokenParameters());
                element.RequireSignatureConfirmation = false;
                goto default;

            case MessageCredentialType.Windows:
                if (Security.Message.NegotiateServiceCredential)
                {
                    // No SSPI on Linux though...
                    element.ProtectionTokenParameters =
                        // FIXME: fill proper parameters
                        new SspiSecurityTokenParameters();
                }
                else
                {
                    // and no Kerberos ...
                    element.ProtectionTokenParameters =
                        new KerberosSecurityTokenParameters();
                }
                break;

            default:             // including .None
                if (Security.Message.NegotiateServiceCredential)
                {
                    element.ProtectionTokenParameters =
                        // FIXME: fill proper parameters
                        new SslSecurityTokenParameters(false, true);
                }
                else
                {
                    element.ProtectionTokenParameters =
                        new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
                    element.ProtectionTokenParameters.RequireDerivedKeys = true;
                }
                break;
            }

            if (!Security.Message.EstablishSecurityContext)
            {
                return(element);
            }

            // SecureConversation enabled

            ChannelProtectionRequirements reqs =
                new ChannelProtectionRequirements();

            // FIXME: fill the reqs

            return(SecurityBindingElement.CreateSecureConversationBindingElement(
                       // FIXME: requireCancellation
                       element, true, reqs));
        }
Exemple #11
0
        /// <summary>
        /// Creates a custom binding based on an example generated from svcutil.exe
        /// </summary>
        /// <param name="exeConfigPath"></param>
        /// <returns></returns>
        /// <remarks>
        /// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx
        /// </remarks>
        public static List <CustomBinding> GetCustomBindings(string exeConfigPath)
        {
            if (string.IsNullOrWhiteSpace(exeConfigPath))
            {
                return(null);
            }

            var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath);
            var configs    = new List <CustomBinding>();

            foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast <CustomBindingElement>())
            {
                var binding = new CustomBinding
                {
                    Name = section.Name,
                };
                var cfgSecurity = section[0] as SecurityElement;

                if (cfgSecurity == null)
                {
                    configs.Add(binding);
                    continue;
                }

                var mode = cfgSecurity.AuthenticationMode;
                var msgSecurityVersion   = cfgSecurity.MessageSecurityVersion;
                var issuedTokenParameter = new IssuedSecurityTokenParameters();
                if (cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters != null)
                {
                    foreach (var arp in cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters.Cast <XmlElementElement>())
                    {
                        issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement);
                    }
                }
                if (cfgSecurity.IssuedTokenParameters.Issuer?.Address != null)
                {
                    var address = cfgSecurity.IssuedTokenParameters.Issuer.Address;
                    var idElem  = cfgSecurity.IssuedTokenParameters.Issuer.Identity;

                    issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(address, idElem);
                }

                if (cfgSecurity.IssuedTokenParameters.Issuer?.Binding != null)
                {
                    issuedTokenParameter.IssuerBinding = GetBindingByName(cfgSecurity.IssuedTokenParameters.Issuer.Binding);
                }

                if (cfgSecurity.IssuedTokenParameters.IssuerMetadata?.Address != null)
                {
                    var address = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Address;
                    var idElem  = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Identity;
                    issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(address, idElem);
                }

                SecurityBindingElement securityElemnt;
                switch (mode)
                {
                case AuthenticationMode.IssuedTokenOverTransport:
                    securityElemnt =
                        SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.AnonymousForCertificate:
                    securityElemnt = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                    break;

                case AuthenticationMode.AnonymousForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
                    break;

                case AuthenticationMode.CertificateOverTransport:
                    securityElemnt =
                        SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.IssuedToken:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.IssuedTokenForCertificate:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.IssuedTokenForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.Kerberos:
                    securityElemnt = SecurityBindingElement.CreateKerberosBindingElement();
                    break;

                case AuthenticationMode.KerberosOverTransport:
                    securityElemnt = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
                    break;

                case AuthenticationMode.MutualCertificate:
                    securityElemnt = SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.MutualCertificateDuplex:
                    securityElemnt = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.MutualSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
                    break;

                case AuthenticationMode.SspiNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSspiNegotiationBindingElement();
                    break;

                case AuthenticationMode.SspiNegotiatedOverTransport:
                    securityElemnt = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement();
                    break;

                case AuthenticationMode.UserNameForCertificate:
                    securityElemnt = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                    break;

                case AuthenticationMode.UserNameForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateUserNameForSslBindingElement();
                    break;

                case AuthenticationMode.UserNameOverTransport:
                    securityElemnt = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    break;

                default:
                    throw new NotImplementedException();
                }

                securityElemnt.AllowInsecureTransport  = cfgSecurity.AllowInsecureTransport;
                securityElemnt.DefaultAlgorithmSuite   = cfgSecurity.DefaultAlgorithmSuite;
                securityElemnt.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse;
                securityElemnt.IncludeTimestamp        = cfgSecurity.IncludeTimestamp;
                securityElemnt.MessageSecurityVersion  = cfgSecurity.MessageSecurityVersion;
                securityElemnt.KeyEntropyMode          = cfgSecurity.KeyEntropyMode;
                securityElemnt.ProtectTokens           = cfgSecurity.ProtectTokens;
                securityElemnt.SecurityHeaderLayout    = cfgSecurity.SecurityHeaderLayout;
                securityElemnt.SetKeyDerivation(cfgSecurity.RequireDerivedKeys);

                binding.Elements.Add(securityElemnt);
                configs.Add(binding);
            }

            return(configs);
        }
Exemple #12
0
        internal void InitializeFrom(IssuedSecurityTokenParameters source, bool initializeNestedBindings)
        {
            if (null == source)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("source");
            }

            SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeyType, source.KeyType);
            if (source.KeySize > 0)
            {
                SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeySize, source.KeySize);
            }
            SetPropertyValueIfNotDefaultValue(ConfigurationStrings.TokenType, source.TokenType);
            SetPropertyValueIfNotDefaultValue(ConfigurationStrings.UseStrTransform, source.UseStrTransform);

            if (source.IssuerAddress != null)
            {
                this.Issuer.InitializeFrom(source.IssuerAddress);
            }

            if (source.DefaultMessageSecurityVersion != null)
            {
                SetPropertyValueIfNotDefaultValue(ConfigurationStrings.DefaultMessageSecurityVersion, source.DefaultMessageSecurityVersion);
            }

            if (source.IssuerBinding != null && initializeNestedBindings)
            {
                this.Issuer.BindingConfiguration = this.Issuer.Address.ToString();
                string bindingSectionName;
                BindingsSection.TryAdd(this.Issuer.BindingConfiguration,
                                       source.IssuerBinding,
                                       out bindingSectionName);
                this.Issuer.Binding = bindingSectionName;
            }

            if (source.IssuerMetadataAddress != null)
            {
                this.IssuerMetadata.InitializeFrom(source.IssuerMetadataAddress);
            }

            foreach (XmlElement element in source.AdditionalRequestParameters)
            {
                this.AdditionalRequestParameters.Add(new XmlElementElement(element));
            }

            foreach (ClaimTypeRequirement c in source.ClaimTypeRequirements)
            {
                this.ClaimTypeRequirements.Add(new ClaimTypeElement(c.ClaimType, c.IsOptional));
            }

            foreach (IssuedSecurityTokenParameters.AlternativeIssuerEndpoint alternativeIssuer in source.AlternativeIssuerEndpoints)
            {
                IssuedTokenParametersElement element = new IssuedTokenParametersElement();
                element.Issuer.InitializeFrom(alternativeIssuer.IssuerAddress);
                if (initializeNestedBindings)
                {
                    element.Issuer.BindingConfiguration = element.Issuer.Address.ToString();
                    string bindingSectionName;
                    BindingsSection.TryAdd(element.Issuer.BindingConfiguration,
                                           alternativeIssuer.IssuerBinding,
                                           out bindingSectionName);
                    element.Issuer.Binding = bindingSectionName;
                }
                this.OptionalIssuedTokenParameters.Add(element);
            }
        }
Exemple #13
0
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
        {
            SecurityBindingElement element2;

            if (!isSecureTransportMode)
            {
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                    element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                    goto Label_00FF;

                case MessageCredentialType.Windows:
                    element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                    goto Label_00FF;

                case MessageCredentialType.UserName:
                    element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                    goto Label_00FF;

                case MessageCredentialType.Certificate:
                    element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                    goto Label_00FF;

                case MessageCredentialType.IssuedToken:
                    element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
                    goto Label_00FF;
                }
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));

            case MessageCredentialType.Windows:
                element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                break;

            case MessageCredentialType.UserName:
                element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                break;

            case MessageCredentialType.Certificate:
                element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                break;

            case MessageCredentialType.IssuedToken:
                element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;

            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            SecurityBindingElement element = SecurityBindingElement.CreateSecureConversationBindingElement(element2);

            goto Label_0107;
Label_00FF:
            element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
Label_0107:
            element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
            element.IncludeTimestamp      = true;
            if (!isReliableSession)
            {
                element.LocalServiceSettings.ReconnectTransportOnFailure = false;
                element.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            else
            {
                element.LocalServiceSettings.ReconnectTransportOnFailure = true;
                element.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }
            element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
            element.MessageSecurityVersion  = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            element2.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            return(element);
        }
Exemple #14
0
        internal static bool TryCreate(SecurityBindingElement sbe, bool isReliableSession, BindingElement transportBindingElement, out MessageSecurityOverTcp messageSecurity)
        {
            messageSecurity = null;
            if (sbe == null)
            {
                return(false);
            }

            // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings

            if (!sbe.IncludeTimestamp)
            {
                return(false);
            }

            if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 &&
                sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10)
            {
                return(false);
            }

            if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
            {
                return(false);
            }

            MessageCredentialType clientCredentialType;

            SecurityBindingElement bootstrapSecurity;

            if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity))
            {
                return(false);
            }

            bool isSecureTransportMode = bootstrapSecurity is TransportSecurityBindingElement;

            IssuedSecurityTokenParameters infocardParameters;

            if (isSecureTransportMode)
            {
                if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
                {
                    clientCredentialType = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                bootstrapSecurity.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    bootstrapSecurity.MessageSecurityVersion.SecurityVersion,
                                    bootstrapSecurity.MessageSecurityVersion.TrustVersion,
                                    bootstrapSecurity.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    clientCredentialType = MessageCredentialType.IssuedToken;
                }
                else
                {
                    // the standard binding does not support None client credential type in mixed mode
                    return(false);
                }
            }
            else
            {
                if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
                {
                    clientCredentialType = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
                {
                    clientCredentialType = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
                {
                    clientCredentialType = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                bootstrapSecurity.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    bootstrapSecurity.MessageSecurityVersion.SecurityVersion,
                                    bootstrapSecurity.MessageSecurityVersion.TrustVersion,
                                    bootstrapSecurity.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    clientCredentialType = MessageCredentialType.IssuedToken;
                }
                else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
                {
                    clientCredentialType = MessageCredentialType.None;
                }
                else
                {
                    return(false);
                }
            }
            messageSecurity = new MessageSecurityOverTcp();
            messageSecurity.ClientCredentialType = clientCredentialType;
            // set the algorithm suite and issued token params if required
            if (clientCredentialType != MessageCredentialType.IssuedToken)
            {
                messageSecurity.AlgorithmSuite = bootstrapSecurity.DefaultAlgorithmSuite;
            }
            return(true);
        }
Exemple #15
0
        internal SecurityBindingElement CreateSecurityBindingElement()
        {
            SymmetricSecurityBindingElement result;
            bool isKerberosSelected = false;

            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;

            case MessageCredentialType.UserName:
                result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;

            case MessageCredentialType.Certificate:
                result = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
                break;

            case MessageCredentialType.Windows:
                result             = SecurityBindingElement.CreateKerberosBindingElement();
                isKerberosSelected = true;
                break;

            case MessageCredentialType.IssuedToken:
                result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;

            default:
                Fx.Assert("unknown ClientCredentialType");
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }

            result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;

            // set the algorithm suite and issued token params if required
            if (wasAlgorithmSuiteSet || !isKerberosSelected)
            {
                result.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (isKerberosSelected)
            {
                result.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }

            result.IncludeTimestamp = false;
            result.LocalServiceSettings.DetectReplays = false;
            result.LocalClientSettings.DetectReplays  = false;

            return(result);
        }
Exemple #16
0
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
        {
            SecurityBindingElement result;
            SecurityBindingElement oneShotSecurity;

            if (isSecureTransportMode)
            {
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));

                case MessageCredentialType.UserName:
                    oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    break;

                case MessageCredentialType.Certificate:
                    oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                    break;

                case MessageCredentialType.Windows:
                    oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                    break;

                case MessageCredentialType.IssuedToken:
                    oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                    break;

                default:
                    Fx.Assert("unknown ClientCredentialType");
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity);
            }
            else
            {
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                    oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                    break;

                case MessageCredentialType.UserName:
                    // require cancellation so that impersonation is possible
                    oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                    break;

                case MessageCredentialType.Certificate:
                    oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                    break;

                case MessageCredentialType.Windows:
                    // require cancellation so that impersonation is possible
                    oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                    break;

                case MessageCredentialType.IssuedToken:
                    oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
                    break;

                default:
                    Fx.Assert("unknown ClientCredentialType");
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
            }

            // set the algorithm suite and issued token params if required
            result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;

            result.IncludeTimestamp = true;
            if (!isReliableSession)
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = false;
                result.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            else
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = true;
                result.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }

            // since a session is always bootstrapped, configure the transition sct to live for a short time only
            oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
            result.MessageSecurityVersion          = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            oneShotSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;

            return(result);
        }
Exemple #17
0
        private static PolicyElement[] GetPolicyChain(EndpointAddress target, Binding outerBinding, IssuedSecurityTokenParameters parameters, Uri firstPrivacyNoticeLink, int firstPrivacyNoticeVersion, SecurityTokenManager clientCredentialsTokenManager)
        {
            EndpointAddress issuerAddress             = target;
            IssuedSecurityTokenParameters parameters2 = parameters;
            List <PolicyElement>          list        = new List <PolicyElement>();
            Uri  privacyNoticeLink    = firstPrivacyNoticeLink;
            int  privacyNoticeVersion = firstPrivacyNoticeVersion;
            bool isManagedIssuer      = false;

            while (parameters2 != null)
            {
                MessageSecurityVersion messageSecurityVersion = null;
                if (parameters2.IssuerBinding == null)
                {
                    messageSecurityVersion = GetBindingSecurityVersionOrDefault(outerBinding);
                }
                else
                {
                    messageSecurityVersion = GetBindingSecurityVersionOrDefault(parameters2.IssuerBinding);
                }
                list.Add(new PolicyElement(issuerAddress, parameters2.IssuerAddress, parameters2.CreateRequestParameters(messageSecurityVersion, clientCredentialsTokenManager.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion)), privacyNoticeLink, privacyNoticeVersion, isManagedIssuer, parameters2.IssuerBinding));
                isManagedIssuer = IsReferralToManagedIssuer(parameters2.IssuerBinding);
                GetPrivacyNoticeLinkFromIssuerBinding(parameters2.IssuerBinding, out privacyNoticeLink, out privacyNoticeVersion);
                issuerAddress = parameters2.IssuerAddress;
                outerBinding  = parameters2.IssuerBinding;
                parameters2   = TryGetNextStsIssuedTokenParameters(parameters2.IssuerBinding);
            }
            if (isManagedIssuer)
            {
                list.Add(new PolicyElement(issuerAddress, null, null, privacyNoticeLink, privacyNoticeVersion, isManagedIssuer, null));
            }
            return(list.ToArray());
        }
Exemple #18
0
        // It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
        SecurityBindingElement CreateMessageSecurity()
        {
            if (Security.Mode == SecurityMode.Transport ||
                Security.Mode == SecurityMode.None)
            {
                return(null);
            }

            // FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
            SymmetricSecurityBindingElement element =
                new SymmetricSecurityBindingElement();

            element.MessageSecurityVersion = MessageSecurityVersion.Default;

            element.SetKeyDerivation(false);

            switch (Security.Message.ClientCredentialType)
            {
            case MessageCredentialType.Certificate:
                element.EndpointSupportingTokenParameters.Endorsing.Add(
                    new X509SecurityTokenParameters());
                goto default;

            case MessageCredentialType.IssuedToken:
                IssuedSecurityTokenParameters istp =
                    new IssuedSecurityTokenParameters();
                // FIXME: issuer binding must be secure.
                istp.IssuerBinding = new CustomBinding(
                    new TextMessageEncodingBindingElement(),
                    GetTransport());
                element.EndpointSupportingTokenParameters.Endorsing.Add(istp);
                goto default;

            case MessageCredentialType.UserName:
                element.EndpointSupportingTokenParameters.SignedEncrypted.Add(
                    new UserNameSecurityTokenParameters());
                goto default;

            case MessageCredentialType.Windows:
                element.ProtectionTokenParameters =
                    new KerberosSecurityTokenParameters();
                break;

            default:             // including .None
                X509SecurityTokenParameters p =
                    new X509SecurityTokenParameters();
                p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
                element.ProtectionTokenParameters = p;
                break;
            }

            // SecureConversation enabled

            ChannelProtectionRequirements reqs =
                new ChannelProtectionRequirements();

            // FIXME: fill the reqs

            return(SecurityBindingElement.CreateSecureConversationBindingElement(
                       // FIXME: requireCancellation
                       element, true, reqs));
        }
Exemple #19
0
        internal SecurityBindingElement CreateSecurityBindingElement()
        {
            SymmetricSecurityBindingElement element;
            bool flag = false;

            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                element = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;

            case MessageCredentialType.Windows:
                element = SecurityBindingElement.CreateKerberosBindingElement();
                flag    = true;
                break;

            case MessageCredentialType.UserName:
                element = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;

            case MessageCredentialType.Certificate:
                element = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
                break;

            case MessageCredentialType.IssuedToken:
                element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;

            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            if (this.wasAlgorithmSuiteSet || !flag)
            {
                element.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (flag)
            {
                element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }
            element.IncludeTimestamp = false;
            element.LocalServiceSettings.DetectReplays = false;
            element.LocalClientSettings.DetectReplays  = false;
            return(element);
        }
Exemple #20
0
 CreateIssuedTokenOverTransportBindingElement(
     IssuedSecurityTokenParameters issuedTokenParameters)
 {
     throw new NotImplementedException();
 }
Exemple #21
0
        internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity)
        {
            MessageCredentialType none;

            messageSecurity = null;
            if (sbe == null)
            {
                return(false);
            }
            SymmetricSecurityBindingElement element = sbe as SymmetricSecurityBindingElement;

            if (element == null)
            {
                return(false);
            }
            if ((sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) && (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11))
            {
                return(false);
            }
            if (element.IncludeTimestamp)
            {
                return(false);
            }
            bool flag = false;

            if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe))
            {
                none = MessageCredentialType.None;
            }
            else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe))
            {
                none = MessageCredentialType.UserName;
            }
            else if (SecurityBindingElement.IsMutualCertificateBinding(sbe))
            {
                none = MessageCredentialType.Certificate;
            }
            else if (SecurityBindingElement.IsKerberosBinding(sbe))
            {
                none = MessageCredentialType.Windows;
                flag = true;
            }
            else
            {
                IssuedSecurityTokenParameters parameters;
                if (!SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out parameters))
                {
                    return(false);
                }
                if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(sbe.MessageSecurityVersion, new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                {
                    return(false);
                }
                none = MessageCredentialType.IssuedToken;
            }
            messageSecurity = new MessageSecurityOverMsmq();
            messageSecurity.ClientCredentialType = none;
            if ((none != MessageCredentialType.IssuedToken) && !flag)
            {
                messageSecurity.AlgorithmSuite = element.DefaultAlgorithmSuite;
            }
            return(true);
        }
Exemple #22
0
        /// <summary>
        /// Extract the Issuer endpoint and configure the appropriate one
        /// </summary>
        private ServiceEndpoint FindIssuerEndpoint()
        {
            _logger.WriteDebug("FindIssuerEndpoint");
            EndpointAddress issuerMetadataAddress = null;
            EndpointAddress issuerAddress         = null;
            IssuedSecurityTokenParameters protectionTokenParameters = null;

            if (!_explicitIssuer)
            {
                //Based on the scheme dynamically extract the protection token parameters from a Property path string using reflection.
                //Writing the code requires to much casting. The paths are taken from the powershell scripts
                if (InfoShareWSBaseUri.Scheme == Uri.UriSchemeHttp)
                {
                    dynamic binding = _commonBinding;
                    protectionTokenParameters = (IssuedSecurityTokenParameters)binding.Elements[0].ProtectionTokenParameters.BootstrapSecurityBindingElement.ProtectionTokenParameters;
                }
                else
                {
                    dynamic binding = _commonBinding;
                    protectionTokenParameters = (IssuedSecurityTokenParameters)binding.Elements[0].EndpointSupportingTokenParameters.Endorsing[0].BootstrapSecurityBindingElement.EndpointSupportingTokenParameters.Endorsing[0];
                }
                issuerMetadataAddress = protectionTokenParameters.IssuerMetadataAddress;
                issuerAddress         = protectionTokenParameters.IssuerAddress;
                _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");

                if (_stsInternalAuthentication)
                {
                    // Enable-ISHIntegrationSTSInternalAuthentication is used directing the web services to a different STS
                    // issuerMetadataAddress = new EndpointAddress(InitializeIssuerMetadataAddress);  // [Should] Once connectionconfiguration.xml/issuer/mex offers the metadata exchange address, the dirty derive code should be replaced
                    string issuerWSTrustEndpointUri         = InitializeIssuerWSTrustEndpointUri().AbsoluteUri;
                    string issuerWSTrustMetadataEndpointUri = issuerWSTrustEndpointUri.Substring(0, issuerWSTrustEndpointUri.IndexOf("issue/wstrust")) + "issue/wstrust/mex";
                    issuerMetadataAddress = new EndpointAddress(issuerWSTrustMetadataEndpointUri);
                    issuerAddress         = new EndpointAddress(issuerWSTrustEndpointUri);
                    _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");
                }
            }
            else
            {
                issuerMetadataAddress = new EndpointAddress(_issuerWSTrustMexUri.Value);
                issuerAddress         = new EndpointAddress(_issuerWSTrustEndpointUri.Value);
                _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");
            }

            ServiceEndpointCollection serviceEndpointCollection;

            try
            {
                // Start with the mex endpoint
                var wsdlImporter = GetWsdlImporter(issuerMetadataAddress.Uri);
                serviceEndpointCollection = wsdlImporter.ImportAllEndpoints();
            }
            catch
            {
                // Re-try with the wsdl endpoint
                var wsdlImporter = GetWsdlImporter(new Uri(issuerMetadataAddress.Uri.AbsoluteUri.Replace("/mex", "?wsdl")));
                serviceEndpointCollection = wsdlImporter.ImportAllEndpoints();
            }

            var issuerWSTrustEndpointAbsolutePath = IssuerWSTrustEndpointUri.AbsolutePath;

            _logger.WriteDebug($"FindIssuerEndpoint issuerWSTrustEndpointAbsolutePath[{issuerWSTrustEndpointAbsolutePath}]");
            ServiceEndpoint issuerServiceEndpoint = serviceEndpointCollection.FirstOrDefault(
                x => x.Address.Uri.AbsolutePath.Equals(issuerWSTrustEndpointAbsolutePath, StringComparison.OrdinalIgnoreCase));

            if (issuerServiceEndpoint == null)
            {
                throw new InvalidOperationException(String.Format("WSTrust endpoint not configured: '{0}'.", issuerWSTrustEndpointAbsolutePath));
            }

            //Update the original binding as if we would do this manually in the configuration
            if (!_explicitIssuer)
            {
                protectionTokenParameters.IssuerBinding = issuerServiceEndpoint.Binding;
                protectionTokenParameters.IssuerAddress = issuerServiceEndpoint.Address;
            }

            return(issuerServiceEndpoint);
        }
Exemple #23
0
        static PolicyElement[] GetPolicyChain(EndpointAddress target, Binding outerBinding, IssuedSecurityTokenParameters parameters, Uri firstPrivacyNoticeLink, int firstPrivacyNoticeVersion, SecurityTokenManager clientCredentialsTokenManager)
        {
            EndpointAddress nextTarget = target;
            IssuedSecurityTokenParameters nextParameters = parameters;

            List <PolicyElement> chain = new List <PolicyElement>();

            Uri  privacyNoticeLink    = firstPrivacyNoticeLink;
            int  privacyNoticeVersion = firstPrivacyNoticeVersion;
            bool isManagedIssuer      = false;


            //
            // this is the binding to the final STS in the chain. Start from here and walk the
            // chain backwards to the 1st STS in the chain
            //
            while (null != nextParameters)
            {
                MessageSecurityVersion bindingSecurityVersion = null;
                if (nextParameters.IssuerBinding == null)
                {
                    bindingSecurityVersion = GetBindingSecurityVersionOrDefault(outerBinding);
                }
                else
                {
                    bindingSecurityVersion = GetBindingSecurityVersionOrDefault(nextParameters.IssuerBinding);
                }
                chain.Add(new PolicyElement(nextTarget,
                                            nextParameters.IssuerAddress,
                                            nextParameters.CreateRequestParameters(bindingSecurityVersion, clientCredentialsTokenManager.CreateSecurityTokenSerializer(bindingSecurityVersion.SecurityTokenVersion)),
                                            privacyNoticeLink,
                                            privacyNoticeVersion,
                                            isManagedIssuer,
                                            nextParameters.IssuerBinding));

                isManagedIssuer = IsReferralToManagedIssuer(nextParameters.IssuerBinding);
                GetPrivacyNoticeLinkFromIssuerBinding(nextParameters.IssuerBinding, out privacyNoticeLink, out privacyNoticeVersion);
                nextTarget     = nextParameters.IssuerAddress;
                outerBinding   = nextParameters.IssuerBinding;
                nextParameters = TryGetNextStsIssuedTokenParameters(nextParameters.IssuerBinding);
            }

            //
            // Add the last element for the MCIP case
            //
            if (isManagedIssuer)
            {
                chain.Add(new PolicyElement(nextTarget,
                                            null,
                                            null,
                                            privacyNoticeLink,
                                            privacyNoticeVersion,
                                            isManagedIssuer,
                                            null));
            }
            return(chain.ToArray());
        }
Exemple #24
0
        internal static bool TryCreate <TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity) where TSecurity : MessageSecurityOverHttp
        {
            MessageCredentialType userName;
            bool flag2;
            SecurityBindingElement        element;
            IssuedSecurityTokenParameters parameters;

            messageSecurity = default(TSecurity);
            if (!sbe.IncludeTimestamp)
            {
                return(false);
            }
            if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
            {
                return(false);
            }
            bool flag = true;
            SecurityAlgorithmSuite suite1 = SecurityAlgorithmSuite.Default;

            if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element))
            {
                flag2   = false;
                element = sbe;
            }
            else
            {
                flag2 = true;
            }
            if (!flag2 && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp)))
            {
                return(false);
            }
            if (!flag2 && isReliableSession)
            {
                return(false);
            }
            if (isSecureTransportMode && !(element is TransportSecurityBindingElement))
            {
                return(false);
            }
            if (isSecureTransportMode)
            {
                if (SecurityBindingElement.IsUserNameOverTransportBinding(element))
                {
                    userName = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsCertificateOverTransportBinding(element))
                {
                    userName = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(element, true))
                {
                    userName = MessageCredentialType.Windows;
                }
                else
                {
                    if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters))
                    {
                        return(false);
                    }
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(sbe.MessageSecurityVersion, new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                    {
                        return(false);
                    }
                    userName = MessageCredentialType.IssuedToken;
                }
            }
            else if (SecurityBindingElement.IsSslNegotiationBinding(element, false, true))
            {
                flag     = true;
                userName = MessageCredentialType.None;
            }
            else if (SecurityBindingElement.IsUserNameForSslBinding(element, true))
            {
                flag     = true;
                userName = MessageCredentialType.UserName;
            }
            else if (SecurityBindingElement.IsSslNegotiationBinding(element, true, true))
            {
                flag     = true;
                userName = MessageCredentialType.Certificate;
            }
            else if (SecurityBindingElement.IsSspiNegotiationBinding(element, true))
            {
                flag     = true;
                userName = MessageCredentialType.Windows;
            }
            else if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, true, out parameters))
            {
                if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(sbe.MessageSecurityVersion, new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                {
                    return(false);
                }
                flag     = true;
                userName = MessageCredentialType.IssuedToken;
            }
            else if (SecurityBindingElement.IsUserNameForCertificateBinding(element))
            {
                flag     = false;
                userName = MessageCredentialType.UserName;
            }
            else if (SecurityBindingElement.IsMutualCertificateBinding(element))
            {
                flag     = false;
                userName = MessageCredentialType.Certificate;
            }
            else if (SecurityBindingElement.IsKerberosBinding(element))
            {
                flag     = false;
                userName = MessageCredentialType.Windows;
            }
            else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(element, out parameters))
            {
                if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(sbe.MessageSecurityVersion, new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null))))
                {
                    return(false);
                }
                flag     = false;
                userName = MessageCredentialType.IssuedToken;
            }
            else if (SecurityBindingElement.IsAnonymousForCertificateBinding(element))
            {
                flag     = false;
                userName = MessageCredentialType.None;
            }
            else
            {
                return(false);
            }
            if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity)))
            {
                messageSecurity = (TSecurity) new NonDualMessageSecurityOverHttp();
                ((NonDualMessageSecurityOverHttp)((TSecurity)messageSecurity)).EstablishSecurityContext = flag2;
            }
            else
            {
                messageSecurity = (TSecurity) new MessageSecurityOverHttp();
            }
            messageSecurity.ClientCredentialType       = userName;
            messageSecurity.NegotiateServiceCredential = flag;
            messageSecurity.AlgorithmSuite             = sbe.DefaultAlgorithmSuite;
            return(true);
        }
Exemple #25
0
        IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, FederatedClientCredentialsParameters actAsOnBehalfOfParameters)
        {
            if (initiatorRequirement.TargetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }

            EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress;
            Binding         issuerBinding = initiatorRequirement.IssuerBinding;

            //
            // If the issuer address is indeed anonymous or null, we will try the local issuer
            //
            bool isLocalIssuer = (issuerAddress == null || issuerAddress.Equals(EndpointAddress.AnonymousAddress));

            if (isLocalIssuer)
            {
                issuerAddress = parent.IssuedToken.LocalIssuerAddress;
                issuerBinding = parent.IssuedToken.LocalIssuerBinding;
            }
            if (issuerAddress == null)
            {
                // if issuer address is still null then the user forgot to specify the local issuer
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsAddressNotSet, initiatorRequirement.TargetAddress)));
            }
            if (issuerBinding == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsBindingNotSet, issuerAddress)));
            }

            Uri issuerUri = issuerAddress.Uri;
            KeyedByTypeCollection <IEndpointBehavior> issuerChannelBehaviors;

            if (!parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out issuerChannelBehaviors) && isLocalIssuer)
            {
                issuerChannelBehaviors = parent.IssuedToken.LocalIssuerChannelBehaviors;
            }

            IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(GetCredentialsHandle(initiatorRequirement));

            federationTokenProvider.TokenHandlerCollectionManager = this.parent.SecurityTokenHandlerCollectionManager;
            federationTokenProvider.TargetAddress = initiatorRequirement.TargetAddress;
            CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, issuerChannelBehaviors, issuerAddress);
            federationTokenProvider.CacheIssuedTokens         = parent.IssuedToken.CacheIssuedTokens;
            federationTokenProvider.IdentityVerifier          = securityBindingElement.LocalClientSettings.IdentityVerifier;
            federationTokenProvider.IssuerAddress             = issuerAddress;
            federationTokenProvider.IssuerBinding             = issuerBinding;
            federationTokenProvider.KeyEntropyMode            = GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding);
            federationTokenProvider.MaxIssuedTokenCachingTime = parent.IssuedToken.MaxIssuedTokenCachingTime;
            federationTokenProvider.SecurityAlgorithmSuite    = initiatorRequirement.SecurityAlgorithmSuite;
            MessageSecurityVersion        issuerSecurityVersion;
            SecurityTokenSerializer       issuerSecurityTokenSerializer;
            IssuedSecurityTokenParameters issuedTokenParameters = initiatorRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

            GetIssuerBindingSecurityVersion(issuerBinding, issuedTokenParameters.DefaultMessageSecurityVersion, initiatorRequirement.SecurityBindingElement, out issuerSecurityVersion, out issuerSecurityTokenSerializer);
            federationTokenProvider.MessageSecurityVersion  = issuerSecurityVersion;
            federationTokenProvider.SecurityTokenSerializer = issuerSecurityTokenSerializer;
            federationTokenProvider.IssuedTokenRenewalThresholdPercentage = parent.IssuedToken.IssuedTokenRenewalThresholdPercentage;

            IEnumerable <XmlElement> tokenRequestParameters = issuedTokenParameters.CreateRequestParameters(issuerSecurityVersion, issuerSecurityTokenSerializer);

            if (tokenRequestParameters != null)
            {
                foreach (XmlElement requestParameter in tokenRequestParameters)
                {
                    federationTokenProvider.TokenRequestParameters.Add(requestParameter);
                }
            }
            ChannelParameterCollection channelParameters;

            if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
            {
                federationTokenProvider.ChannelParameters = channelParameters;
            }

            federationTokenProvider.SetupActAsOnBehalfOfParameters(actAsOnBehalfOfParameters);
            return(federationTokenProvider);
        }