public void CreateIssuedTokenForSslBindingElement1()
{
IssuedSecurityTokenParameters tp =
new IssuedSecurityTokenParameters();
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateIssuedTokenForSslBindingElement(tp);
SecurityAssert.AssertSymmetricSecurityBindingElement(
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
true, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
1, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.AlwaysToRecipient, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
Assert.AreEqual(tp, be.EndpointSupportingTokenParameters.Endorsing [0], "EndpointParams.Endorsing[0]");
// FIXME: test ProtectionTokenParameters
}
public static Binding CreateIssuedTokenForSslNegotiatedBinding()
{
BindingElementCollection bec = new BindingElementCollection();
bec.Add(SecurityBindingElement.
CreateIssuedTokenForSslBindingElement(
new IssuedSecurityTokenParameters()));
bec.Add(new TextMessageEncodingBindingElement());
bec.Add(new HttpTransportBindingElement());
return(new CustomBinding(bec));
}
private void CreateBinding()
{
//<snippet8>
CustomBinding binding = new CustomBinding();
// The following binding exposes a DNS identity.
binding.Elements.Add(SecurityBindingElement.
CreateSecureConversationBindingElement(
SecurityBindingElement.
CreateIssuedTokenForSslBindingElement(
new IssuedSecurityTokenParameters())));
// The following element requires a UPN or SPN identity.
binding.Elements.Add(new WindowsStreamSecurityBindingElement());
binding.Elements.Add(new TcpTransportBindingElement());
//</snippet8>
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
SecurityBindingElement oneShotSecurity;
bool isKerberosSelected = false;
bool emitBspAttributes = true;
if (isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
else
{
if (negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite), true);
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateKerberosBindingElement();
isKerberosSelected = true;
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
// set the algorithm suite and issued token params if required
if (wasAlgorithmSuiteSet || (!isKerberosSelected))
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (isKerberosSelected)
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
result.IncludeTimestamp = true;
oneShotSecurity.MessageSecurityVersion = version;
result.MessageSecurityVersion = version;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
// issue the transition SCT for a short duration only
oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element3;
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding")));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool emitBspRequiredAttributes = true;
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding)
{
IssuerMetadataAddress = this.issuerMetadataAddress,
KeyType = this.IssuedKeyType
};
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedTokenParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements)
{
issuedTokenParameters.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in this.TokenRequestParameters)
{
issuedTokenParameters.AdditionalRequestParameters.Add(element2);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType);
if (isSecureTransportMode)
{
element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters);
}
else if (this.negotiateServiceCredential)
{
element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters);
}
element3.MessageSecurityVersion = version;
element3.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true);
}
else
{
element = element3;
}
element.MessageSecurityVersion = version;
element.DefaultAlgorithmSuite = this.AlgorithmSuite;
element.IncludeTimestamp = true;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element2;
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool flag = false;
bool emitBspRequiredAttributes = true;
if (!isSecureTransportMode)
{
if (this.negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite), true);
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateMutualCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
goto Label_01EE;
Label_01DA:
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
Label_01EE:
if (this.wasAlgorithmSuiteSet || !flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
element.IncludeTimestamp = true;
element2.MessageSecurityVersion = version;
element.MessageSecurityVersion = version;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}
protected internal virtual BindingElement CreateBindingElement(bool createTemplateOnly)
{
SecurityBindingElement result;
switch (this.AuthenticationMode)
{
case AuthenticationMode.AnonymousForCertificate:
result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case AuthenticationMode.AnonymousForSslNegotiated:
result = SecurityBindingElement.CreateSslNegotiationBindingElement(false, this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.CertificateOverTransport:
result = SecurityBindingElement.CreateCertificateOverTransportBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.IssuedToken:
result = SecurityBindingElement.CreateIssuedTokenBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.IssuedTokenForCertificate:
result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.IssuedTokenForSslNegotiated:
result = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType), this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.IssuedTokenOverTransport:
result = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
break;
case AuthenticationMode.Kerberos:
result = SecurityBindingElement.CreateKerberosBindingElement();
break;
case AuthenticationMode.KerberosOverTransport:
result = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
break;
case AuthenticationMode.MutualCertificateDuplex:
result = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.MutualCertificate:
result = SecurityBindingElement.CreateMutualCertificateBindingElement(this.MessageSecurityVersion);
break;
case AuthenticationMode.MutualSslNegotiated:
result = SecurityBindingElement.CreateSslNegotiationBindingElement(true, this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.SspiNegotiated:
result = SecurityBindingElement.CreateSspiNegotiationBindingElement(this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.UserNameForCertificate:
result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case AuthenticationMode.UserNameForSslNegotiated:
result = SecurityBindingElement.CreateUserNameForSslBindingElement(this.RequireSecurityContextCancellation);
break;
case AuthenticationMode.UserNameOverTransport:
result = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case AuthenticationMode.SspiNegotiatedOverTransport:
result = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(this.RequireSecurityContextCancellation);
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("AuthenticationMode", (int)this.AuthenticationMode, typeof(AuthenticationMode)));
}
this.ApplyConfiguration(result);
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement securityBindingElement;
SecurityBindingElement securityBindingElement1;
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.SecureConversationRequiredByReliableSession, new object[0])));
}
bool flag = false;
bool flag1 = true;
if (!isSecureTransportMode)
{
if (!this.negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
securityBindingElement1 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
goto Label0;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateMutualCertificateBindingElement();
goto Label0;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.CreateInfoCardParameters(flag1));
goto Label0;
}
}
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label0;
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label0;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label0;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label0;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.CreateInfoCardParameters(flag1), true);
goto Label0;
}
}
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
Label0:
securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0])));
}
case MessageCredentialType.Windows:
{
securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
}
case MessageCredentialType.UserName:
{
securityBindingElement1 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
}
case MessageCredentialType.Certificate:
{
securityBindingElement1 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
}
case MessageCredentialType.IssuedToken:
{
securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.CreateInfoCardParameters(flag1));
break;
}
default:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
}
if (this.wasAlgorithmSuiteSet || !flag)
{
SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite;
SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite;
securityBindingElement1.DefaultAlgorithmSuite = algorithmSuite;
securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite;
}
else if (flag)
{
SecurityAlgorithmSuite basic128 = SecurityAlgorithmSuite.Basic128;
SecurityAlgorithmSuite securityAlgorithmSuite1 = basic128;
securityBindingElement1.DefaultAlgorithmSuite = basic128;
securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite1;
}
securityBindingElement.IncludeTimestamp = true;
securityBindingElement1.MessageSecurityVersion = version;
securityBindingElement.MessageSecurityVersion = version;
if (isReliableSession)
{
securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = true;
securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = true;
}
else
{
securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = false;
securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = false;
}
if (this.IsSecureConversationEnabled())
{
securityBindingElement1.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15);
}
return(securityBindingElement);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
{
SecurityBindingElement result;
SecurityBindingElement oneShotSecurity;
if (isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity);
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
break;
case MessageCredentialType.UserName:
// require cancellation so that impersonation is possible
oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
break;
case MessageCredentialType.Windows:
// require cancellation so that impersonation is possible
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
// set the algorithm suite and issued token params if required
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.IncludeTimestamp = true;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
// since a session is always bootstrapped, configure the transition sct to live for a short time only
oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
oneShotSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
bool isReliableSession,
MessageSecurityVersion version)
{
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
bool emitBspAttributes = true;
IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);
issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
issuedParameters.KeyType = this.IssuedKeyType;
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement c in this.claimTypeRequirements)
{
issuedParameters.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in this.TokenRequestParameters)
{
issuedParameters.AdditionalRequestParameters.Add(p);
}
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);
SecurityBindingElement issuedTokenSecurity;
if (isSecureTransportMode)
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
}
else
{
if (negotiateServiceCredential)
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
}
}
issuedTokenSecurity.MessageSecurityVersion = version;
issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
}
else
{
result = issuedTokenSecurity;
}
result.MessageSecurityVersion = version;
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.IncludeTimestamp = true;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
// issue the transition SCT for a short duration only
issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
/// <summary>
/// Creates a custom binding based on an example generated from svcutil.exe
/// </summary>
/// <param name="exeConfigPath"></param>
/// <returns></returns>
/// <remarks>
/// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx
/// </remarks>
public static List <CustomBinding> GetCustomBindings(string exeConfigPath)
{
if (string.IsNullOrWhiteSpace(exeConfigPath))
{
return(null);
}
var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath);
var configs = new List <CustomBinding>();
foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast <CustomBindingElement>())
{
var binding = new CustomBinding
{
Name = section.Name,
};
var cfgSecurity = section[0] as SecurityElement;
if (cfgSecurity == null)
{
configs.Add(binding);
continue;
}
var mode = cfgSecurity.AuthenticationMode;
var msgSecurityVersion = cfgSecurity.MessageSecurityVersion;
var issuedTokenParameter = new IssuedSecurityTokenParameters();
if (cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters != null)
{
foreach (var arp in cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters.Cast <XmlElementElement>())
{
issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement);
}
}
if (cfgSecurity.IssuedTokenParameters.Issuer?.Address != null)
{
var address = cfgSecurity.IssuedTokenParameters.Issuer.Address;
var idElem = cfgSecurity.IssuedTokenParameters.Issuer.Identity;
issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(address, idElem);
}
if (cfgSecurity.IssuedTokenParameters.Issuer?.Binding != null)
{
issuedTokenParameter.IssuerBinding = GetBindingByName(cfgSecurity.IssuedTokenParameters.Issuer.Binding);
}
if (cfgSecurity.IssuedTokenParameters.IssuerMetadata?.Address != null)
{
var address = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Address;
var idElem = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Identity;
issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(address, idElem);
}
SecurityBindingElement securityElemnt;
switch (mode)
{
case AuthenticationMode.IssuedTokenOverTransport:
securityElemnt =
SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.AnonymousForCertificate:
securityElemnt = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case AuthenticationMode.AnonymousForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
break;
case AuthenticationMode.CertificateOverTransport:
securityElemnt =
SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.IssuedToken:
securityElemnt = SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.IssuedTokenForCertificate:
securityElemnt = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.IssuedTokenForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter);
break;
case AuthenticationMode.Kerberos:
securityElemnt = SecurityBindingElement.CreateKerberosBindingElement();
break;
case AuthenticationMode.KerberosOverTransport:
securityElemnt = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
break;
case AuthenticationMode.MutualCertificate:
securityElemnt = SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.MutualCertificateDuplex:
securityElemnt = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion);
break;
case AuthenticationMode.MutualSslNegotiated:
securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
break;
case AuthenticationMode.SspiNegotiated:
securityElemnt = SecurityBindingElement.CreateSspiNegotiationBindingElement();
break;
case AuthenticationMode.SspiNegotiatedOverTransport:
securityElemnt = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement();
break;
case AuthenticationMode.UserNameForCertificate:
securityElemnt = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case AuthenticationMode.UserNameForSslNegotiated:
securityElemnt = SecurityBindingElement.CreateUserNameForSslBindingElement();
break;
case AuthenticationMode.UserNameOverTransport:
securityElemnt = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
default:
throw new NotImplementedException();
}
securityElemnt.AllowInsecureTransport = cfgSecurity.AllowInsecureTransport;
securityElemnt.DefaultAlgorithmSuite = cfgSecurity.DefaultAlgorithmSuite;
securityElemnt.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse;
securityElemnt.IncludeTimestamp = cfgSecurity.IncludeTimestamp;
securityElemnt.MessageSecurityVersion = cfgSecurity.MessageSecurityVersion;
securityElemnt.KeyEntropyMode = cfgSecurity.KeyEntropyMode;
securityElemnt.ProtectTokens = cfgSecurity.ProtectTokens;
securityElemnt.SecurityHeaderLayout = cfgSecurity.SecurityHeaderLayout;
securityElemnt.SetKeyDerivation(cfgSecurity.RequireDerivedKeys);
binding.Elements.Add(securityElemnt);
configs.Add(binding);
}
return(configs);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
{
SecurityBindingElement element2;
if (!isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label_00FF;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label_00FF;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label_00FF;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label_00FF;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
goto Label_00FF;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
SecurityBindingElement element = SecurityBindingElement.CreateSecureConversationBindingElement(element2);
goto Label_0107;
Label_00FF:
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
Label_0107:
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
element.IncludeTimestamp = true;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
element2.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
return(element);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession)
{
SecurityBindingElement wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
SecurityBindingElement securityBindingElement;
if (!isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
securityBindingElement = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
break;
}
case MessageCredentialType.Windows:
{
securityBindingElement = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
break;
}
case MessageCredentialType.UserName:
{
securityBindingElement = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
break;
}
case MessageCredentialType.Certificate:
{
securityBindingElement = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
break;
}
case MessageCredentialType.IssuedToken:
{
object[] objArray = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite };
securityBindingElement = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray), true);
break;
}
default:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement, true);
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
{
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0])));
}
case MessageCredentialType.Windows:
{
securityBindingElement = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
}
case MessageCredentialType.UserName:
{
securityBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
}
case MessageCredentialType.Certificate:
{
securityBindingElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
}
case MessageCredentialType.IssuedToken:
{
object[] objArray1 = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite };
securityBindingElement = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray1));
break;
}
default:
{
Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement);
}
SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite;
SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite;
securityBindingElement.DefaultAlgorithmSuite = algorithmSuite;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.DefaultAlgorithmSuite = securityAlgorithmSuite;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.IncludeTimestamp = true;
if (isReliableSession)
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.ReconnectTransportOnFailure = true;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.ReconnectTransportOnFailure = true;
}
else
{
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.ReconnectTransportOnFailure = false;
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.ReconnectTransportOnFailure = false;
}
securityBindingElement.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15);
wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
return(wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
}