private SecurityBindingElement CreateSecurity() { AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement(); X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters(); clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; clientToken.RequireDerivedKeys = false; clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal; security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token. X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External; security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token. //Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked. security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return(security); }
public void CreateAnonymousForCertificateBindingElement() { SymmetricSecurityBindingElement be = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); SecurityAssert.AssertSymmetricSecurityBindingElement( SecurityAlgorithmSuite.Default, true, // IncludeTimestamp SecurityKeyEntropyMode.CombinedEntropy, MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature, MessageSecurityVersion.Default, true, // RequireSignatureConfirmation SecurityHeaderLayout.Strict, // EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count) 0, 0, 0, 0, // ProtectionTokenParameters true, SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true, // LocalClientSettings true, 60, true, be, ""); // test ProtectionTokenParameters X509SecurityTokenParameters tp = be.ProtectionTokenParameters as X509SecurityTokenParameters; Assert.IsNotNull(tp, "#2-1"); SecurityAssert.AssertSecurityTokenParameters( SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true, tp, "Protection"); Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, tp.X509ReferenceStyle, "#2-2"); }
static void Run() { SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement(); sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; sbe.RequireSignatureConfirmation = true; //sbe.IncludeTimestamp = false; X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; sbe.EndpointSupportingTokenParameters.Endorsing.Add(p); sbe.ProtectionTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); //sbe.SetKeyDerivation (false); //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; HttpTransportBindingElement hbe = new HttpTransportBindingElement(); CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe); X509Certificate2 cert = new X509Certificate2("test.pfx", "mono"); X509Certificate2 cert2 = cert; //new X509Certificate2 ("test2.cer"); FooProxy proxy = new FooProxy(binding, new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert2))); //proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; proxy.ClientCredentials.ClientCertificate.Certificate = cert; proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior()); proxy.Open(); Console.WriteLine(proxy.Echo("TEST FOR ECHO")); }
//<snippet1> public static Binding CreateMultiFactorAuthenticationBinding() { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); // The message security binding element will be configured to require 2 tokens: // 1) A user name/password encrypted with the service token. // 2) A client certificate used to sign the message. // Instantiate a binding element that will require the user name/password token // in the message (encrypted with the server certificate). SymmetricSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); // Create supporting token parameters for the client X.509 certificate. X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters(); // Specify that the supporting token is passed in the message send by the client to the service. clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; // Turn off derived keys. clientX509SupportingTokenParameters.RequireDerivedKeys = false; // Augment the binding element to require the client's X.509 certificate as an // endorsing token in the message. messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters); // Create a CustomBinding based on the constructed security binding element. return(new CustomBinding(messageSecurity, httpTransport)); }
// this method reverses CreateMutualCertificateBindingElement() logic internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe) { // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings if (!sbe.IncludeTimestamp) { return(false); } if (!(sbe is TransportSecurityBindingElement)) { return(false); } SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters; if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0) { return(false); } X509SecurityTokenParameters x509Parameters = parameters.Endorsing[0] as X509SecurityTokenParameters; if (x509Parameters == null) { return(false); } if (x509Parameters.InclusionMode != SecurityTokenInclusionMode.AlwaysToRecipient) { return(false); } return(x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Any || x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Thumbprint); }
public void MessageSecurityUserName() { WSHttpBinding binding = new WSHttpBinding(); binding.Security.Message.NegotiateServiceCredential = false; binding.Security.Message.EstablishSecurityContext = false; binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName; SymmetricSecurityBindingElement sbe = binding.CreateBindingElements().Find <SymmetricSecurityBindingElement> (); Assert.IsNotNull(sbe, "#1"); Assert.AreEqual(false, sbe.RequireSignatureConfirmation, "#1-2"); X509SecurityTokenParameters sp = sbe.ProtectionTokenParameters as X509SecurityTokenParameters; Assert.IsNotNull(sp, "#2"); Assert.AreEqual(SecurityTokenReferenceStyle.Internal, sp.ReferenceStyle, "#3"); Assert.AreEqual(SecurityTokenInclusionMode.Never, sp.InclusionMode, "#4"); UserNameSecurityTokenParameters up = sbe.EndpointSupportingTokenParameters.SignedEncrypted [0] as UserNameSecurityTokenParameters; Assert.AreEqual(SecurityTokenReferenceStyle.Internal, up.ReferenceStyle, "#5"); Assert.AreEqual(SecurityTokenInclusionMode.AlwaysToRecipient, up.InclusionMode, "#6"); }
// If any changes are made to this method, please make sure that they are // reflected in the corresponding IsCertificateOverTransportBinding() method. public static TransportSecurityBindingElement CreateCertificateOverTransportBindingElement(MessageSecurityVersion version) { if (version == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(version)); } X509KeyIdentifierClauseType x509ReferenceType; if (version.SecurityVersion == SecurityVersion.WSSecurity10) { x509ReferenceType = X509KeyIdentifierClauseType.Any; } else { x509ReferenceType = X509KeyIdentifierClauseType.Thumbprint; } TransportSecurityBindingElement result = new TransportSecurityBindingElement(); X509SecurityTokenParameters x509Parameters = new X509SecurityTokenParameters( x509ReferenceType, SecurityTokenInclusionMode.AlwaysToRecipient, false); result.EndpointSupportingTokenParameters.Endorsing.Add( x509Parameters ); result.IncludeTimestamp = true; // result.LocalClientSettings.DetectReplays = false; result.LocalServiceSettings.DetectReplays = false; result.MessageSecurityVersion = version; return(result); }
public SafeOnlineBinding() { HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement(); TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement(); encoding.MessageVersion = MessageVersion.Soap11; TransportSecurityBindingElement securityBinding = new TransportSecurityBindingElement(); securityBinding.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; securityBinding.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default; securityBinding.SetKeyDerivation(false); X509SecurityTokenParameters certToken = new X509SecurityTokenParameters(); certToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; certToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal; certToken.RequireDerivedKeys = false; certToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; securityBinding.EndpointSupportingTokenParameters.SignedEndorsing.Add(certToken); securityBinding.LocalClientSettings.DetectReplays = false; this.bindingElements = new BindingElementCollection(); this.bindingElements.Add(securityBinding); this.bindingElements.Add(encoding); this.bindingElements.Add(httpsTransport); }
private bool DoesSecurityBindingElementContainClauseTypeofIssuerSerial(SecurityBindingElement sbe) { if (sbe == null) { return(false); } if (sbe is SymmetricSecurityBindingElement) { X509SecurityTokenParameters protectionTokenParameters = ((SymmetricSecurityBindingElement)sbe).ProtectionTokenParameters as X509SecurityTokenParameters; if ((protectionTokenParameters != null) && (protectionTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial)) { return(true); } } else if (sbe is AsymmetricSecurityBindingElement) { X509SecurityTokenParameters initiatorTokenParameters = ((AsymmetricSecurityBindingElement)sbe).InitiatorTokenParameters as X509SecurityTokenParameters; if ((initiatorTokenParameters != null) && (initiatorTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial)) { return(true); } X509SecurityTokenParameters recipientTokenParameters = ((AsymmetricSecurityBindingElement)sbe).RecipientTokenParameters as X509SecurityTokenParameters; if ((recipientTokenParameters != null) && (recipientTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial)) { return(true); } } return(this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.Endorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.Signed) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.SignedEncrypted) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.SignedEndorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.Endorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.Signed) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.SignedEncrypted) || this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.SignedEndorsing)))))))); }
private static SecurityBindingElement CreateSecurityBindingElement() { var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Sha256; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; messageSecurity.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0); messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0); messageSecurity.LocalServiceSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0); messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0); var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient) { RequireDerivedKeys = false }; messageSecurity.InitiatorTokenParameters = initiator; return(messageSecurity); }
//<snippet1> public Binding CreateClientBinding() { AsymmetricSecurityBindingElement abe = (AsymmetricSecurityBindingElement)SecurityBindingElement. CreateMutualCertificateBindingElement( MessageSecurityVersion. WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); abe.SetKeyDerivation(false); X509SecurityTokenParameters istp = abe.InitiatorTokenParameters as X509SecurityTokenParameters; if (istp != null) { istp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; } X509SecurityTokenParameters rstp = abe.RecipientTokenParameters as X509SecurityTokenParameters; if (rstp != null) { rstp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; } HttpTransportBindingElement transport = new HttpTransportBindingElement(); return(new CustomBinding(abe, transport)); }
public static Binding GetIssuedTokenBindingSSL() { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; return(new CustomBinding( messageSecurity, textmessageEncoding, new HttpsTransportBindingElement())); }
public override BindingElementCollection CreateBindingElements() { var transport = _useHttps ? new HttpsTransportBindingElement() : new HttpTransportBindingElement(); if (_maxReceivedMessageSize.HasValue) { transport.MaxReceivedMessageSize = _maxReceivedMessageSize.Value; } var encoding = new TextMessageEncodingBindingElement(); // [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Adressing 1.0 encoding.MessageVersion = MessageVersion.Soap12WSAddressing10; // AlwaysToInitiator is required by the [OIO IDWS SOAP 1.1] profile. This specifies that the server certificate must be embedded in the response. var recipientTokenParameters = new X509SecurityTokenParameters( X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator); var initiatorTokenParameters = new CustomizedIssuedSecurityTokenParameters( "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" ); initiatorTokenParameters.UseStrTransform = true; var asymmetric = new AsymmetricSecurityBindingElement(recipientTokenParameters, initiatorTokenParameters); // Must be true in order for client to accept embedded server certificates instead of references. This is required by the [OIO IDWS SOAP 1.1] profile. // However, the client must still specify the server certificate explicitly. // Have not figured out how the client can use the embedded server certificate and make trust to it through a CA certificate and a CN (Common Name). This way the client should not need the server certificate. asymmetric.AllowSerializedSigningTokenOnReply = true; // No need for derived keys when both parties has a certificate. Also OIO-IDWS-SOAP does not make use of derived keys. asymmetric.SetKeyDerivation(false); // Include token (encrypted assertion from NemLog-in STS) in signature asymmetric.ProtectTokens = true; // Specifies that WCF can send and receive unsecured responses to secured requests. // Concrete this means that SOAP faults are send unencrypted. [OIO IDWS SOAP 1.1] does not specify whether or not SOAP faults can be encrypted but it looks like they should not be encrypted. // If encrypted the client is not able to process the encrypted SOAP fault if client is not setup correctly. // setting EnableUnsecuredResponse to true makes normal responses unsigned and processed by the client without error. This is not what we want :) //asymmetric.EnableUnsecuredResponse = true; var elements = new BindingElementCollection(); elements.Add(asymmetric); elements.Add(encoding); elements.Add(transport); return(elements); }
public static void Main() { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; //sbe.RequireSignatureConfirmation = true; //sbe.LocalServiceSettings.DetectReplays = false; //sbe.IncludeTimestamp = false; sbe.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); sbe.SetKeyDerivation(false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost(typeof(Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement(); CustomBinding binding = new CustomBinding(sbe, hbe); binding.ReceiveTimeout = TimeSpan.FromSeconds(5); host.AddServiceEndpoint("IFoo", binding, new Uri("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials(); cred.ServiceCertificate.Certificate = new X509Certificate2("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add(cred); host.Description.Behaviors.Find <ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; foreach (ServiceEndpoint se in host.Description.Endpoints) { se.Behaviors.Add(new StdErrInspectionBehavior()); } ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl"); host.Description.Behaviors.Add(smb); host.Open(); Console.WriteLine("Hit [CR] key to close ..."); Console.ReadLine(); host.Close(); }
private bool DoesX509TokenParametersContainClauseTypeofIssuerSerial(Collection <SecurityTokenParameters> tokenParameters) { foreach (SecurityTokenParameters parameters in tokenParameters) { X509SecurityTokenParameters parameters2 = parameters as X509SecurityTokenParameters; if ((parameters2 != null) && (parameters2.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial)) { return(true); } } return(false); }
protected override SecurityBindingElement CreateMessageSecurity() { if (this.Security.Mode == WSFederationHttpSecurityMode.None) { throw new InvalidOperationException("Only message and security is supported"); } if (this.Security.Message.IssuedKeyType != SecurityKeyType.AsymmetricKey) { throw new InvalidOperationException("Only Asymmectric Keys are supported"); } if (this.Security.Message.NegotiateServiceCredential) { throw new InvalidOperationException("Negocatiation of service credentials not supported"); } if (this.Security.Message.EstablishSecurityContext) { throw new InvalidOperationException("Secure conversation not supported"); } SecurityBindingElement security; if (this.Security.Mode == WSFederationHttpSecurityMode.Message) { SymmetricSecurityBindingElement baseSecurity = (SymmetricSecurityBindingElement)base.CreateMessageSecurity(); AsymmetricSecurityBindingElement asecurity = new AsymmetricSecurityBindingElement(); asecurity.InitiatorTokenParameters = baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]; X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; asecurity.RecipientTokenParameters = serverToken; security = asecurity; } else { TransportSecurityBindingElement baseSecurity = (TransportSecurityBindingElement)base.CreateMessageSecurity(); TransportSecurityBindingElement tsecurity = new TransportSecurityBindingElement(); tsecurity.EndpointSupportingTokenParameters.Endorsing.Add(baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]); security = tsecurity; } security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return(security); }
static X509SecurityTokenParameters CreateProtectionTokenParameters(bool cert) { X509SecurityTokenParameters p = new X509SecurityTokenParameters(); p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; if (cert) { p.InclusionMode = SecurityTokenInclusionMode.Never; } return(p); }
// based on WSHttpBinding.CreateMessageSecurity() SecurityBindingElement CreateMessageSecurity() { if (Security.Mode == SecurityMode.Transport || Security.Mode == SecurityMode.None) { return(null); } SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement(); element.MessageSecurityVersion = MessageSecurityVersion.Default; element.SetKeyDerivation(false); switch (Security.Message.ClientCredentialType) { case MessageCredentialType.Certificate: element.EndpointSupportingTokenParameters.Endorsing.Add( new X509SecurityTokenParameters()); goto default; case MessageCredentialType.IssuedToken: IssuedSecurityTokenParameters istp = new IssuedSecurityTokenParameters(); // FIXME: issuer binding must be secure. istp.IssuerBinding = new CustomBinding( new TextMessageEncodingBindingElement(), GetTransport()); element.EndpointSupportingTokenParameters.Endorsing.Add(istp); goto default; case MessageCredentialType.UserName: element.EndpointSupportingTokenParameters.SignedEncrypted.Add( new UserNameSecurityTokenParameters()); goto default; case MessageCredentialType.Windows: element.ProtectionTokenParameters = new KerberosSecurityTokenParameters(); break; default: // including .None X509SecurityTokenParameters p = new X509SecurityTokenParameters(); p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; element.ProtectionTokenParameters = p; break; } return(element); }
public static SecurityToken getToken(sts.Token token) { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; //messageSecurity.EnableUnsecuredResponse = true; messageSecurity.IncludeTimestamp = false; messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15; messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.Lax; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; messageSecurity.LocalClientSettings.DetectReplays = false; messageSecurity.LocalServiceSettings.DetectReplays = false; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var binding = new CustomBinding(messageSecurity, textmessageEncoding, new StrippingChannelBindingElement(), new HttpTransportBindingElement()); WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri("http://login.staging.rapidsoft.ru:80/auth/sts"), EndpointIdentity.CreateDnsIdentity("test"))); trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.None; trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13; WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel(); RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue); rst.OnBehalfOf = new Microsoft.IdentityModel.Tokens.SecurityTokenElement(token, new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection()); rst.KeyType = WSTrust13Constants.KeyTypes.Asymmetric; RequestSecurityTokenResponse rstr = null; SecurityToken SecurityToken = channel.Issue(rst, out rstr); return(SecurityToken); }
public static Binding CreateDataAccessBinding() { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement(); messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CredentialsTokenParameters()); X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters(); x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never; messageSecurity.ProtectionTokenParameters = x509ProtectionParameters; return(new CustomBinding(messageSecurity, httpTransport)); }
void SetKeyDerivationIncorrect(SecurityBindingElement be, string label) { X509SecurityTokenParameters p, p2; p = new X509SecurityTokenParameters(); p2 = new X509SecurityTokenParameters(); // setting in prior - makes no sense be.SetKeyDerivation(false); be.EndpointSupportingTokenParameters.Endorsing.Add(p); be.EndpointSupportingTokenParameters.Endorsing.Add(p2); Assert.AreEqual(true, p.RequireDerivedKeys, label + "#5"); Assert.AreEqual(true, p2.RequireDerivedKeys, label + "#6"); }
void SetKeyDerivationCorrect(SecurityBindingElement be, string label) { X509SecurityTokenParameters p, p2; p = new X509SecurityTokenParameters(); p2 = new X509SecurityTokenParameters(); Assert.AreEqual(true, p.RequireDerivedKeys, label + "#1"); Assert.AreEqual(true, p2.RequireDerivedKeys, label + "#2"); be.EndpointSupportingTokenParameters.Endorsing.Add(p); be.EndpointSupportingTokenParameters.Endorsing.Add(p2); be.SetKeyDerivation(false); Assert.AreEqual(false, p.RequireDerivedKeys, label + "#3"); Assert.AreEqual(false, p2.RequireDerivedKeys, label + "#4"); }
CreateMutualCertificateBindingElement( MessageSecurityVersion version, bool allowSerializedSigningTokenOnReply) { if (version == null) { throw new ArgumentNullException("version"); } if (allowSerializedSigningTokenOnReply) { throw new NotSupportedException("allowSerializedSigningTokenOnReply is not supported"); } if (version.SecurityVersion == SecurityVersion.WSSecurity10) { var recipient = new X509SecurityTokenParameters( X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.Never); recipient.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters( X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; return(new AsymmetricSecurityBindingElement(recipient, initiator) { MessageSecurityVersion = version }); } else { X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint); p.RequireDerivedKeys = false; var sym = new SymmetricSecurityBindingElement() { MessageSecurityVersion = version, RequireSignatureConfirmation = true }; X509SecurityTokenParameters p2 = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint); p2.ReferenceStyle = SecurityTokenReferenceStyle.External; sym.ProtectionTokenParameters = p2; sym.EndpointSupportingTokenParameters.Endorsing.Add(p); return(sym); } }
public static Binding CreateCreditCardBinding() { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); // The message security binding element is configured to require a credit card // token that is encrypted with the service's certificate. SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement(); messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters()); X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters(); x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never; messageSecurity.ProtectionTokenParameters = x509ProtectionParameters; return(new CustomBinding(messageSecurity, httpTransport)); }
bool DoesX509TokenParametersContainClauseTypeofIssuerSerial(Collection <SecurityTokenParameters> tokenParameters) { foreach (SecurityTokenParameters tokenParameter in tokenParameters) { X509SecurityTokenParameters x509TokenParameter = tokenParameter as X509SecurityTokenParameters; if (x509TokenParameter != null) { if (x509TokenParameter.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial) { return(true); } } } return(false); }
public static void Main() { Console.WriteLine("WARNING!! This test is not configured enought to work fine on .NET either."); SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement(); sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; sbe.RequireSignatureConfirmation = true; //sbe.IncludeTimestamp = false; sbe.ProtectionTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; sbe.EndpointSupportingTokenParameters.Endorsing.Add(p); //sbe.SetKeyDerivation (false); //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost(typeof(Foo)); var mbe = new BinaryMessageEncodingBindingElement(); var tbe = new TcpTransportBindingElement(); CustomBinding binding = new CustomBinding(sbe, mbe, tbe); binding.ReceiveTimeout = TimeSpan.FromSeconds(5); host.AddServiceEndpoint("IFoo", binding, new Uri("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials(); cred.ServiceCertificate.Certificate = new X509Certificate2("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add(cred); host.Description.Behaviors.Find <ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl"); host.Description.Behaviors.Add(smb); host.Open(); Console.WriteLine("Hit [CR] key to close ..."); Console.ReadLine(); host.Close(); }
public Binding CreateHttpsBinding() { var httpTransport = new HttpsTransportBindingElement { MaxReceivedMessageSize = 10000000 }; var messageSecurity = new SymmetricSecurityBindingElement(); var x509ProtectionParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never }; messageSecurity.ProtectionTokenParameters = x509ProtectionParameters; return(new CustomBinding(messageSecurity, httpTransport)); }
public void SetKeyDerivation() { SymmetricSecurityBindingElement be; X509SecurityTokenParameters p; be = new SymmetricSecurityBindingElement(); p = new X509SecurityTokenParameters(); be.ProtectionTokenParameters = p; be.SetKeyDerivation(false); Assert.AreEqual(false, p.RequireDerivedKeys, "#1"); be = new SymmetricSecurityBindingElement(); p = new X509SecurityTokenParameters(); be.SetKeyDerivation(false); // set in prior - makes no sense be.ProtectionTokenParameters = p; Assert.AreEqual(true, p.RequireDerivedKeys, "#2"); }
public Binding CreateBinding() { var httpTransport = new HttpTransportBindingElement { MaxReceivedMessageSize = 10000000 }; var messageSecurity = new SymmetricSecurityBindingElement(); messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new ConnectTokenParameters()); var x509ProtectionParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never }; messageSecurity.ProtectionTokenParameters = x509ProtectionParameters; return(new CustomBinding(messageSecurity, httpTransport)); }
private static System.ServiceModel.Channels.Binding CreateBinding() { TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); var httpTransport = new HttpTransportBindingElement(); var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport); return(customBinding); }