static void Run()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
sbe.RequireSignatureConfirmation = true;
sbe.LocalClientSettings.DetectReplays = false;
sbe.IncludeTimestamp = false;
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe);
//X509Certificate2 cert = new X509Certificate2 ("test.pfx", "mono");
X509Certificate2 cert = new X509Certificate2("test.cer"); //, "mono");
FooProxy proxy = new FooProxy(binding,
new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert)));
proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
proxy.Open();
Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
}
static void Run()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalClientSettings.DetectReplays = false;
//X509SecurityTokenParameters p = new X509SecurityTokenParameters ();
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe);
X509Certificate2 cert = new X509Certificate2("test.pfx", "mono");
X509Certificate2 cert2 = cert; //new X509Certificate2 ("test2.cer");
FooProxy proxy = new FooProxy(binding,
new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert2)));
//proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
proxy.ClientCredentials.ClientCertificate.Certificate = cert;
proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
proxy.Open();
Console.WriteLine(proxy.Echo(Message.CreateMessage(MessageVersion.Default, "http://tempuri.org/IFoo/Echo", "Request Input text.")));
}
// based on WSHttpBinding.CreateMessageSecurity()
SecurityBindingElement CreateMessageSecurity()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
{
return(null);
}
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation(false);
switch (Security.Message.ClientCredentialType)
{
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add(
new X509SecurityTokenParameters());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding(
new TextMessageEncodingBindingElement(),
GetTransport());
element.EndpointSupportingTokenParameters.Endorsing.Add(istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add(
new UserNameSecurityTokenParameters());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
return(element);
}
public static void Main()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
sbe.RequireSignatureConfirmation = true;
sbe.LocalServiceSettings.DetectReplays = false;
sbe.IncludeTimestamp = false;
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost(typeof(Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
host.AddServiceEndpoint("IFoo",
binding, new Uri("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("test.pfx", "mono");
host.Description.Behaviors.Add(cred);
host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
{
se.Behaviors.Add(new StdErrInspectionBehavior());
}
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
host.Description.Behaviors.Add(smb);
host.Open();
Console.WriteLine("Hit [CR] key to close ...");
Console.ReadLine();
host.Close();
}
private static SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement sbe = SecurityBindingElement.CreateUserNameForSslBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalServiceSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
// This "Never" is somehow mandatory (though I wonder why ...)
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.MessageSecurityVersion = MessageSecurityVersion.Default;
//sbe.RequireSignatureConfirmation = true;
//sbe.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
return(sbe);
}
public void SetKeyDerivation()
{
SymmetricSecurityBindingElement be;
X509SecurityTokenParameters p;
be = new SymmetricSecurityBindingElement();
p = new X509SecurityTokenParameters();
be.ProtectionTokenParameters = p;
be.SetKeyDerivation(false);
Assert.AreEqual(false, p.RequireDerivedKeys, "#1");
be = new SymmetricSecurityBindingElement();
p = new X509SecurityTokenParameters();
be.SetKeyDerivation(false); // set in prior - makes no sense
be.ProtectionTokenParameters = p;
Assert.AreEqual(true, p.RequireDerivedKeys, "#2");
}
public static void Main()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalServiceSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
// This "Never" is somehow mandatory (though I wonder why ...)
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost(typeof(Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
host.AddServiceEndpoint("IFoo",
binding, new Uri("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add(cred);
host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
{
se.Behaviors.Add(new StdErrInspectionBehavior());
}
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
host.Description.Behaviors.Add(smb);
host.Open();
Console.WriteLine("Hit [CR] key to close ...");
Console.ReadLine();
host.Close();
}
public static void Main ()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement ();
sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
sbe.RequireSignatureConfirmation = true;
sbe.LocalServiceSettings.DetectReplays = false;
sbe.IncludeTimestamp = false;
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.SetKeyDerivation (false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
se.Behaviors.Add (new StdErrInspectionBehavior ());
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
private Guid CreateService(string url, string username, string password)
{
Guid sessionId;
SymmetricSecurityBindingElement sbe = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalClientSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe = new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
X509Certificate2 cert = new X509Certificate2("powershell.pfx", "mono");
if (url.IndexOf("://") == -1)
{
//Default to http connection
url = "http://" + url;
}
UriBuilder builder = new UriBuilder(url);
if (builder.Port == 80 || builder.Port == 443)
{
builder.Port = 5985;
}
WSManHttpServiceProxy proxy = new WSManHttpServiceProxy(binding,
new EndpointAddress(builder.Uri, new X509CertificateEndpointIdentity(cert)));
proxy.ClientCredentials.UserName.UserName = username;
proxy.ClientCredentials.UserName.Password = password;
proxy.Open();
sessionId = proxy.CreateSession();
proxy.SessionId = sessionId;
_services.Add(sessionId, proxy);
return(sessionId);
}
public WSManServiceHost()
{
try
{
//localhost:5985/wsman
SymmetricSecurityBindingElement sbe = SecurityBindingElement.CreateUserNameForSslBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalServiceSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
// This "Never" is somehow mandatory (though I wonder why ...)
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
_host = new ServiceHost(typeof(WSManHttpService));
HttpTransportBindingElement hbe = new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
_host.AddServiceEndpoint(typeof(IWSManHttpService),
binding, new Uri("http://localhost:5985/wsman"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate = new X509Certificate2("powershell.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
cred.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
cred.UserNameAuthentication.CustomUserNamePasswordValidator = new WSManUserNamePasswordValidator();
_host.Description.Behaviors.Add(cred);
_host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = false;
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:5985/wsman/wsdl");
_host.Description.Behaviors.Add(smb);
} catch (Exception ex) {
Console.WriteLine("Could not create service...");
Console.WriteLine(ex.Message);
}
}
public static void Main ()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement ();
//sbe.IncludeTimestamp = false;
//sbe.LocalServiceSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters ();
// This "Never" is somehow mandatory (though I wonder why ...)
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation (false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
se.Behaviors.Add (new StdErrInspectionBehavior ());
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
Binding CreateIssuerBinding(RequestSender handler, bool tokenParams)
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
if (tokenParams)
{
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
}
sbe.LocalServiceSettings.NegotiationTimeout = TimeSpan.FromSeconds(5);
sbe.KeyEntropyMode = SecurityKeyEntropyMode.ClientEntropy;
//sbe.IncludeTimestamp = false;
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
// for ease of decryption, let's remove DerivedKeyToken.
sbe.SetKeyDerivation(false);
return(new CustomBinding(
// new DebugBindingElement (),
sbe,
new TextMessageEncodingBindingElement(),
new HandlerTransportBindingElement(handler)));
}
static void Run()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
//sbe.IncludeTimestamp = false;
//sbe.LocalClientSettings.DetectReplays = false;
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters();
sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe);
X509Certificate2 cert = new X509Certificate2("test.cer");
FooProxy proxy = new FooProxy(binding,
new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert)));
proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
proxy.Open();
Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
}
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
SecurityBindingElement CreateMessageSecurity()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
{
return(null);
}
// FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation(false);
switch (Security.Message.ClientCredentialType)
{
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add(
new X509SecurityTokenParameters());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding(
new TextMessageEncodingBindingElement(),
GetTransport());
element.EndpointSupportingTokenParameters.Endorsing.Add(istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add(
new UserNameSecurityTokenParameters());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements();
// FIXME: fill the reqs
return(SecurityBindingElement.CreateSecureConversationBindingElement(
// FIXME: requireCancellation
element, true, reqs));
}
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
// FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements ();
// FIXME: fill the reqs
return SecurityBindingElement.CreateSecureConversationBindingElement (
// FIXME: requireCancellation
element, true, reqs);
}
public void SetKeyDerivation ()
{
SymmetricSecurityBindingElement be;
X509SecurityTokenParameters p;
be = new SymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
be.ProtectionTokenParameters = p;
be.SetKeyDerivation (false);
Assert.AreEqual (false, p.RequireDerivedKeys, "#1");
be = new SymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
be.SetKeyDerivation (false); // set in prior - makes no sense
be.ProtectionTokenParameters = p;
Assert.AreEqual (true, p.RequireDerivedKeys, "#2");
}
// based on WSHttpBinding.CreateMessageSecurity()
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
return element;
}
private SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement secBindingElement = new SymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
// TEST
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
//secBindingElement.RequireSignatureConfirmation = true;
//secBindingElement.AllowInsecureTransport = true;
//////////////////////////////////////////////////////////
SecurityBindingElement ssbe = (SecurityBindingElement)secBindingElement;
// Set the Custom IdentityVerifier
//ssbe.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();
//////////////////////////////////////////////////////////
X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint,
SecurityTokenInclusionMode.Never);
protectTokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
//X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
// SecurityTokenInclusionMode.Never);
protectTokenParameters.RequireDerivedKeys = false;
//protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
//protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.ProtectionTokenParameters = protectTokenParameters;
UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
userNameToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);
//secBindingElement.EndpointSupportingTokenParameters.Signed.Add(userNameToken);
//secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
return secBindingElement;
}
Binding CreateIssuerBinding (RequestSender handler, bool tokenParams)
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement ();
if (tokenParams)
sbe.ProtectionTokenParameters = new X509SecurityTokenParameters ();
sbe.LocalServiceSettings.NegotiationTimeout = TimeSpan.FromSeconds (5);
sbe.KeyEntropyMode = SecurityKeyEntropyMode.ClientEntropy;
//sbe.IncludeTimestamp = false;
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
// for ease of decryption, let's remove DerivedKeyToken.
sbe.SetKeyDerivation (false);
return new CustomBinding (
// new DebugBindingElement (),
sbe,
new TextMessageEncodingBindingElement (),
new HandlerTransportBindingElement (handler));
}
/// <summary>
/// Initializes the binding.
/// </summary>
/// <param name="namespaceUris">The namespace uris.</param>
/// <param name="factory">The factory.</param>
/// <param name="configuration">The configuration.</param>
/// <param name="description">The description.</param>
public UaSoapXmlBinding(
NamespaceTable namespaceUris,
EncodeableFactory factory,
EndpointConfiguration configuration,
EndpointDescription description)
:
base(namespaceUris, factory, configuration)
{
if (description != null && description.SecurityMode != MessageSecurityMode.None)
{
SymmetricSecurityBindingElement bootstrap = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
bootstrap.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
bootstrap.DefaultAlgorithmSuite = SecurityPolicies.ToSecurityAlgorithmSuite(description.SecurityPolicyUri);
bootstrap.IncludeTimestamp = true;
bootstrap.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
bootstrap.RequireSignatureConfirmation = false;
bootstrap.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
bootstrap.SetKeyDerivation(true);
m_security = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap, true);
m_security.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
m_security.DefaultAlgorithmSuite = SecurityPolicies.ToSecurityAlgorithmSuite(description.SecurityPolicyUri);
m_security.IncludeTimestamp = true;
m_security.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
m_security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
m_security.RequireSignatureConfirmation = false;
m_security.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
m_security.SetKeyDerivation(true);
}
m_encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8);
// WCF does not distinguish between arrays and byte string.
int maxArrayLength = configuration.MaxArrayLength;
if (configuration.MaxArrayLength < configuration.MaxByteStringLength)
{
maxArrayLength = configuration.MaxByteStringLength;
}
m_encoding.ReaderQuotas.MaxArrayLength = maxArrayLength;
m_encoding.ReaderQuotas.MaxStringContentLength = configuration.MaxStringLength;
m_encoding.ReaderQuotas.MaxBytesPerRead = Int32.MaxValue;
m_encoding.ReaderQuotas.MaxDepth = Int32.MaxValue;
m_encoding.ReaderQuotas.MaxNameTableCharCount = Int32.MaxValue;
m_transport = new HttpTransportBindingElement();
m_transport.AllowCookies = false;
m_transport.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
m_transport.BypassProxyOnLocal = true;
m_transport.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
m_transport.KeepAliveEnabled = true;
m_transport.ManualAddressing = false;
m_transport.MaxBufferPoolSize = Int32.MaxValue;
m_transport.MaxBufferSize = configuration.MaxMessageSize;
m_transport.MaxReceivedMessageSize = configuration.MaxMessageSize;
m_transport.TransferMode = TransferMode.Buffered;
m_transport.UseDefaultWebProxy = false;
}
// <snippet2>
public override BindingElementCollection CreateBindingElements()
{
//SecurityBindingElement sbe = bec.Find<SecurityBindingElement>();
BindingElementCollection bec = new BindingElementCollection();
// By default http transport is used
SecurityBindingElement securityBinding;
BindingElement transport;
switch (assertion)
{
case WseSecurityAssertion.UsernameOverTransport:
transport = new HttpsTransportBindingElement();
securityBinding = (TransportSecurityBindingElement)SecurityBindingElement.CreateUserNameOverTransportBindingElement();
if (establishSecurityContext == true)
{
throw new InvalidOperationException("Secure Conversation is not supported for this Security Assertion Type");
}
if (requireSignatureConfirmation == true)
{
throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
}
break;
case WseSecurityAssertion.MutualCertificate10:
transport = new HttpTransportBindingElement();
securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
if (requireSignatureConfirmation == true)
{
throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
}
((AsymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.UsernameForCertificate:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateUserNameForCertificateBindingElement();
// We want signatureconfirmation on the bootstrap process
// either for the application messages or for the RST/RSTR
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.AnonymousForCertificate:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.MutualCertificate11:
transport = new HttpTransportBindingElement();
securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
case WseSecurityAssertion.Kerberos:
transport = new HttpTransportBindingElement();
securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateKerberosBindingElement();
((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
break;
default:
throw new NotSupportedException("This supplied Wse security assertion is not supported");
}
//Set defaults for the security binding
securityBinding.IncludeTimestamp = true;
// Derived Keys
// set the preference for derived keys before creating SecureConversationBindingElement
securityBinding.SetKeyDerivation(requireDerivedKeys);
//Secure Conversation
if (establishSecurityContext == true)
{
SymmetricSecurityBindingElement secureconversation =
(SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
securityBinding, false);
// This is the default
//secureconversation.DefaultProtectionLevel = ProtectionLevel.EncryptAndSign;
//Set defaults for the secure conversation binding
secureconversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
// We do not want signature confirmation on the application level messages
// when secure conversation is enabled.
secureconversation.RequireSignatureConfirmation = false;
secureconversation.MessageProtectionOrder = messageProtectionOrder;
secureconversation.SetKeyDerivation(requireDerivedKeys);
securityBinding = secureconversation;
}
// Add the security binding to the binding collection
bec.Add(securityBinding);
// Add the message encoder.
TextMessageEncodingBindingElement textelement = new TextMessageEncodingBindingElement();
textelement.MessageVersion = MessageVersion.Soap11WSAddressingAugust2004;
//These are the defaults required for WSE
//textelement.MessageVersion = MessageVersion.Soap11Addressing1;
//textelement.WriteEncoding = System.Text.Encoding.UTF8;
bec.Add(textelement);
// Add the transport
bec.Add(transport);
// return the binding elements
return(bec);
}
