private OpenIdRelyingParty(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IHostFactories hostFactories)
{
// If we are a smart-mode RP (supporting associations), then we MUST also be
// capable of storing nonces to prevent replay attacks.
// If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays.
Requires.That(cryptoKeyStore == null || nonceStore != null, null, OpenIdStrings.AssociationStoreRequiresNonceStore);
this.securitySettings = OpenIdElement.Configuration.RelyingParty.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.RelyingParty.Behaviors.CreateInstances(false, null))
{
this.behaviors.Add(behavior);
}
// Without a nonce store, we must rely on the Provider to protect against
// replay attacks. But only 2.0+ Providers can be expected to provide
// replay protection.
if (nonceStore == null &&
this.SecuritySettings.ProtectDownlevelReplayAttacks &&
this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20)
{
Logger.OpenId.Warn("Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks.");
this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
}
this.channel = new OpenIdRelyingPartyChannel(cryptoKeyStore, nonceStore, this.SecuritySettings, hostFactories);
var associationStore = cryptoKeyStore != null ? new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore) : null;
this.AssociationManager = new AssociationManager(this.Channel, associationStore, this.SecuritySettings);
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, cryptoKeyStore, nonceStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="AsymmetricCryptoKeyStoreWrapper"/> class.
/// </summary>
/// <param name="dataStore">The data store.</param>
/// <param name="asymmetricCrypto">The asymmetric protection to apply to symmetric keys. Must include the private key.</param>
public AsymmetricCryptoKeyStoreWrapper(ICryptoKeyStore dataStore, RSACryptoServiceProvider asymmetricCrypto) {
Requires.NotNull(dataStore, "dataStore");
Requires.NotNull(asymmetricCrypto, "asymmetricCrypto");
Requires.True(!asymmetricCrypto.PublicOnly, "asymmetricCrypto");
this.dataStore = dataStore;
this.asymmetricCrypto = asymmetricCrypto;
}
/// <summary>
/// Creates a formatter capable of serializing/deserializing a refresh token.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <returns>
/// A DataBag formatter. Never null.
/// </returns>
internal static IDataBagFormatter <RefreshToken> CreateFormatter(ICryptoKeyStore cryptoKeyStore)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Contract.Ensures(Contract.Result <IDataBagFormatter <RefreshToken> >() != null);
return(new UriStyleMessageFormatter <RefreshToken>(cryptoKeyStore, RefreshTokenKeyBucket, signed: true, encrypted: true));
}
public CryptoKeyProviderFactory(IConfigurationProvider config, IKmsClientFactory kmsClientFactory, ICryptoKeyStore cryptoKeyStore, ILockProvider lockProvider)
{
_config = config;
_cryptoKeyStore = cryptoKeyStore;
_lockProvider = lockProvider;
_kmsClientFactory = kmsClientFactory;
}
/// <summary>
/// Initializes a new instance of the <see cref="AsymmetricCryptoKeyStoreWrapper"/> class.
/// </summary>
/// <param name="dataStore">The data store.</param>
/// <param name="asymmetricCrypto">The asymmetric protection to apply to symmetric keys. Must include the private key.</param>
public AsymmetricCryptoKeyStoreWrapper(ICryptoKeyStore dataStore, RSACryptoServiceProvider asymmetricCrypto) {
Contract.Requires<ArgumentNullException>(dataStore != null);
Contract.Requires<ArgumentNullException>(asymmetricCrypto != null);
Contract.Requires<ArgumentException>(!asymmetricCrypto.PublicOnly);
this.dataStore = dataStore;
this.asymmetricCrypto = asymmetricCrypto;
}
/// <summary>
/// Creates the formatter used for serialization of this type.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <returns>
/// A formatter for serialization.
/// </returns>
internal static IDataBagFormatter <AssociationDataBag> CreateFormatter(ICryptoKeyStore cryptoKeyStore, string bucket, TimeSpan?minimumAge = null)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNullOrEmpty(bucket, "bucket");
Contract.Ensures(Contract.Result <IDataBagFormatter <AssociationDataBag> >() != null);
return(new BinaryDataBagFormatter <AssociationDataBag>(cryptoKeyStore, bucket, signed: true, encrypted: true, minimumAge: minimumAge));
}
public AuthorizationServerHost(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IClientRepository clientRepository, IUserRepository userRepository)
{
_cryptoKeyStore = cryptoKeyStore;
_nonceStore = nonceStore;
_clientRepository = clientRepository;
_userRepository = userRepository;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying))
{
Requires.NotNull(messageTypeProvider, "messageTypeProvider");
Requires.NotNull(securitySettings, "securitySettings");
Requires.True(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Initializes a new instance of the <see cref="AsymmetricCryptoKeyStoreWrapper"/> class.
/// </summary>
/// <param name="dataStore">The data store.</param>
/// <param name="asymmetricCrypto">The asymmetric protection to apply to symmetric keys. Must include the private key.</param>
public AsymmetricCryptoKeyStoreWrapper(ICryptoKeyStore dataStore, RSACryptoServiceProvider asymmetricCrypto)
{
Requires.NotNull(dataStore, "dataStore");
Requires.NotNull(asymmetricCrypto, "asymmetricCrypto");
Requires.True(!asymmetricCrypto.PublicOnly, "asymmetricCrypto");
this.dataStore = dataStore;
this.asymmetricCrypto = asymmetricCrypto;
}
public KmsCryptoKeyProvider(IConfigurationProvider config, IKmsClientFactory kmsClientFactory, ICryptoKeyStore cryptoKeyStore, ILockProvider lockProvider)
{
_config = config;
_cryptoKeyStore = cryptoKeyStore;
_lockProvider = lockProvider;
_kmsClientFactory = kmsClientFactory;
_globalLock = new GlobalLock(lockProvider);
}
public ExampleAuthorizationServer(ICryptoKeyStore cryptoKeyStore,
ICryptoKeyPair authServerKeys, ICryptoKeyPair dataServerKeys, IOAuth2ClientStore clientStore, IUserStore userStore) {
this.cryptoKeyStore = cryptoKeyStore;
this.authServerKeys = authServerKeys;
this.dataServerKeys = dataServerKeys;
this.clientStore = clientStore;
this.userStore = userStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="SwitchingAssociationStore"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="securitySettings">The security settings.</param>
internal SwitchingAssociationStore(ICryptoKeyStore cryptoKeyStore, ProviderSecuritySettings securitySettings)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNull(securitySettings, "securitySettings");
this.securitySettings = securitySettings;
this.associationHandleEncoder = new ProviderAssociationHandleEncoder(cryptoKeyStore);
this.associationSecretStorage = new ProviderAssociationKeyStorage(cryptoKeyStore);
}
public ExampleAuthorizationServer(ICryptoKeyStore cryptoKeyStore,
ICryptoKeyPair authServerKeys, ICryptoKeyPair dataServerKeys, IOAuth2ClientStore clientStore, IUserStore userStore)
{
this.cryptoKeyStore = cryptoKeyStore;
this.authServerKeys = authServerKeys;
this.dataServerKeys = dataServerKeys;
this.clientStore = clientStore;
this.userStore = userStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="minimumAge">The required minimum lifespan within which this token must be decodable and verifiable; useful only when <paramref name="signed"/> and/or <paramref name="encrypted"/> is true.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
protected DataBagFormatterBase(ICryptoKeyStore cryptoKeyStore = null, string bucket = null, bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?minimumAge = null, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
: this(signed, encrypted, compressed, maximumAge, decodeOnceOnly)
{
this.cryptoKeyStore = cryptoKeyStore;
this.cryptoKeyBucket = bucket;
if (minimumAge.HasValue)
{
this.minimumAge = minimumAge.Value;
}
}
private const int TokenLifetimeInSeconds = 24 * 60 * 60; // 24 hours
public GameApiOAuthServer(ICryptoKeyStore cryptoKeyStore,
ICryptoKeyPair authServerKeys, ICryptoKeyPair dataServerKeys,
IOAuth2ClientStore clientStore, Guid gameProviderId, int tokenLifetimeInSeconds = -1)
{
_cryptoKeyStore = cryptoKeyStore;
_authServerKeys = authServerKeys;
_dataServerKeys = dataServerKeys;
_clientStore = clientStore;
_gameProviderId = gameProviderId;
_tokenLifetime = (tokenLifetimeInSeconds >= 0) ? tokenLifetimeInSeconds : TokenLifetimeInSeconds;
}
/// <summary>
/// Initializes the binding elements.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply. Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or ProviderSecuritySettings.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying)
{
Requires.NotNull(securitySettings, "securitySettings");
SigningBindingElement signingElement;
signingElement = nonVerifying ? null : new RelyingPartySigningBindingElement(new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore ?? new MemoryCryptoKeyStore()));
var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);
elements.Add(new ExtensionsBindingElementRelyingParty(extensionFactory, securitySettings));
elements.Add(new RelyingPartySecurityOptions(securitySettings));
elements.Add(new BackwardCompatibilityBindingElement());
ReturnToNonceBindingElement requestNonceElement = null;
if (cryptoKeyStore != null)
{
if (nonceStore != null)
{
// There is no point in having a ReturnToNonceBindingElement without
// a ReturnToSignatureBindingElement because the nonce could be
// artificially changed without it.
requestNonceElement = new ReturnToNonceBindingElement(nonceStore, securitySettings);
elements.Add(requestNonceElement);
}
// It is important that the return_to signing element comes last
// so that the nonce is included in the signature.
elements.Add(new ReturnToSignatureBindingElement(cryptoKeyStore));
}
ErrorUtilities.VerifyOperation(!securitySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
if (nonVerifying)
{
elements.Add(new SkipSecurityBindingElement());
}
else
{
if (nonceStore != null)
{
elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
}
elements.Add(new StandardExpirationBindingElement());
elements.Add(signingElement);
}
return(elements.ToArray());
}
/// <summary>
/// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="minimumAge">The required minimum lifespan within which this token must be decodable and verifiable; useful only when <paramref name="signed"/> and/or <paramref name="encrypted"/> is true.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
protected DataBagFormatterBase(ICryptoKeyStore cryptoKeyStore = null, string bucket = null, bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?minimumAge = null, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
: this(signed, encrypted, compressed, maximumAge, decodeOnceOnly)
{
Requires.True(!string.IsNullOrEmpty(bucket) || cryptoKeyStore == null, null);
Requires.True(cryptoKeyStore != null || (!signed && !encrypted), null);
this.cryptoKeyStore = cryptoKeyStore;
this.cryptoKeyBucket = bucket;
if (minimumAge.HasValue)
{
this.minimumAge = minimumAge.Value;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
/// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param>
private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false)) {
this.behaviors.Add(behavior);
}
this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
this.CryptoKeyStore = cryptoKeyStore;
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
/// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param>
private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore) {
Contract.Requires<ArgumentNullException>(nonceStore != null);
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
Contract.Ensures(this.SecuritySettings != null);
Contract.Ensures(this.Channel != null);
this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in DotNetOpenAuthSection.Configuration.OpenId.Provider.Behaviors.CreateInstances(false)) {
this.behaviors.Add(behavior);
}
this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
this.CryptoKeyStore = cryptoKeyStore;
Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
}
/// <summary>
/// Initializes the binding elements.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply. Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or ProviderSecuritySettings.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying) {
Requires.NotNull(securitySettings, "securitySettings");
SigningBindingElement signingElement;
signingElement = nonVerifying ? null : new RelyingPartySigningBindingElement(new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore ?? new MemoryCryptoKeyStore()));
var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8);
elements.Add(new ExtensionsBindingElementRelyingParty(extensionFactory, securitySettings));
elements.Add(new RelyingPartySecurityOptions(securitySettings));
elements.Add(new BackwardCompatibilityBindingElement());
ReturnToNonceBindingElement requestNonceElement = null;
if (cryptoKeyStore != null) {
if (nonceStore != null) {
// There is no point in having a ReturnToNonceBindingElement without
// a ReturnToSignatureBindingElement because the nonce could be
// artificially changed without it.
requestNonceElement = new ReturnToNonceBindingElement(nonceStore, securitySettings);
elements.Add(requestNonceElement);
}
// It is important that the return_to signing element comes last
// so that the nonce is included in the signature.
elements.Add(new ReturnToSignatureBindingElement(cryptoKeyStore));
}
ErrorUtilities.VerifyOperation(!securitySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
if (nonVerifying) {
elements.Add(new SkipSecurityBindingElement());
} else {
if (nonceStore != null) {
elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
}
elements.Add(new StandardExpirationBindingElement());
elements.Add(signingElement);
}
return elements.ToArray();
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider" /> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
/// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param>
/// <param name="hostFactories">The host factories.</param>
private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore, IHostFactories hostFactories)
{
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false, null))
{
this.behaviors.Add(behavior);
}
this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings, hostFactories);
this.CryptoKeyStore = cryptoKeyStore;
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(cryptoKeyStore, nonceStore, new OpenIdRelyingPartyMessageFactory(), securitySettings, false)
{
Requires.NotNull(securitySettings, "securitySettings");
}
/// <summary>
/// Initializes a new instance of the <see cref="SwitchingAssociationStore"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="securitySettings">The security settings.</param>
internal SwitchingAssociationStore(ICryptoKeyStore cryptoKeyStore, ProviderSecuritySettings securitySettings) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNull(securitySettings, "securitySettings");
this.securitySettings = securitySettings;
this.associationHandleEncoder = new ProviderAssociationHandleEncoder(cryptoKeyStore);
this.associationSecretStorage = new ProviderAssociationKeyStorage(cryptoKeyStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying)) {
Requires.NotNull(messageTypeProvider, "messageTypeProvider");
Requires.NotNull(securitySettings, "securitySettings");
Assumes.True(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationKeyStorage"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The store where association secrets will be recorded.</param>
internal ProviderAssociationKeyStorage(ICryptoKeyStore cryptoKeyStore) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Creates a formatter capable of serializing/deserializing an access token.
/// </summary>
/// <param name="symmetricKeyStore">The symmetric key store.</param>
/// <returns>
/// An access token serializer.
/// </returns>
internal static IDataBagFormatter <AccessToken> CreateFormatter(ICryptoKeyStore symmetricKeyStore)
{
Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
return(new UriStyleMessageFormatter <AccessToken>(symmetricKeyStore, bucket: "AccessTokens", signed: true, encrypted: true));
}
/// <summary>
/// Creates a formatter capable of serializing/deserializing an access token.
/// </summary>
/// <param name="symmetricKeyStore">The symmetric key store.</param>
/// <returns>
/// An access token serializer.
/// </returns>
internal static IDataBagFormatter<AccessToken> CreateFormatter(ICryptoKeyStore symmetricKeyStore) {
Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
return new UriStyleMessageFormatter<AccessToken>(symmetricKeyStore, bucket: "AccessTokens", signed: true, encrypted: true);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(cryptoKeyStore, nonceStore, new OpenIdMessageFactory(), securitySettings, false) {
Contract.Requires<ArgumentNullException>(securitySettings != null);
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationKeyStorage"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The store where association secrets will be recorded.</param>
internal ProviderAssociationKeyStorage(ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="SwitchingAssociationStore"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="securitySettings">The security settings.</param>
internal SwitchingAssociationStore(ICryptoKeyStore cryptoKeyStore, ProviderSecuritySettings securitySettings) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
Contract.Requires<ArgumentNullException>(securitySettings != null);
this.securitySettings = securitySettings;
this.associationHandleEncoder = new ProviderAssociationHandleEncoder(cryptoKeyStore);
this.associationSecretStorage = new ProviderAssociationKeyStorage(cryptoKeyStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardRelyingPartyApplicationStore"/> class.
/// </summary>
public StandardRelyingPartyApplicationStore() {
this.nonceStore = new NonceMemoryStore(OpenIdElement.Configuration.MaxAuthenticationTime);
this.keyStore = new MemoryCryptoKeyStore();
}
public static IDataBagFormatter <AccessToken> CreateFormatter(ICryptoKeyStore symmetricKeyStore)
{
return(new UriStyleMessageFormatter <AccessToken>(symmetricKeyStore, bucket: "AccessTokens", signed: true, encrypted: true));
}
/// <summary>
/// Initializes a new instance of the <see cref="CryptoKeyStoreAsRelyingPartyAssociationStore"/> class.
/// </summary>
/// <param name="keyStore">The key store.</param>
internal CryptoKeyStoreAsRelyingPartyAssociationStore(ICryptoKeyStore keyStore)
{
Requires.NotNull(keyStore, "keyStore");
Contract.Ensures(this.keyStore == keyStore);
this.keyStore = keyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
this(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying)) {
Contract.Requires<ArgumentNullException>(messageTypeProvider != null);
Contract.Requires<ArgumentNullException>(securitySettings != null);
Contract.Requires<ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardProviderApplicationStore"/> class.
/// </summary>
public StandardProviderApplicationStore()
{
this.nonceStore = new NonceMemoryStore(OpenIdElement.Configuration.MaxAuthenticationTime);
this.cryptoKeyStore = new MemoryCryptoKeyStore();
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationHandleEncoder"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
public ProviderAssociationHandleEncoder(ICryptoKeyStore cryptoKeyStore) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationKeyStorage"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The store where association secrets will be recorded.</param>
internal ProviderAssociationKeyStorage(ICryptoKeyStore cryptoKeyStore)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardAccessTokenAnalyzer" /> class.
/// </summary>
/// <param name="symmetricKeyStore">The symmetric key store.</param>
public StandardAccessTokenAnalyzer(ICryptoKeyStore symmetricKeyStore)
{
Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
this.SymmetricKeyStore = symmetricKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
internal ReturnToSignatureBindingElement(ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="UriStyleMessageFormatter<T>"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
protected internal UriStyleMessageFormatter(ICryptoKeyStore cryptoKeyStore = null, string bucket = null, bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?minimumAge = null, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
: base(cryptoKeyStore, bucket, signed, encrypted, compressed, minimumAge, maximumAge, decodeOnceOnly)
{
}
/// <summary>
/// Creates the formatter used for serialization of this type.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <returns>
/// A formatter for serialization.
/// </returns>
internal static IDataBagFormatter<AssociationDataBag> CreateFormatter(ICryptoKeyStore cryptoKeyStore, string bucket, TimeSpan? minimumAge = null) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNullOrEmpty(bucket, "bucket");
Contract.Ensures(Contract.Result<IDataBagFormatter<AssociationDataBag>>() != null);
return new BinaryDataBagFormatter<AssociationDataBag>(cryptoKeyStore, bucket, signed: true, encrypted: true, minimumAge: minimumAge);
}
/// <summary>
/// Initializes a new instance of the <see cref="BinaryDataBagFormatter<T>"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
protected internal BinaryDataBagFormatter(ICryptoKeyStore cryptoKeyStore = null, string bucket = null, bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?minimumAge = null, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
: base(cryptoKeyStore, bucket, signed, encrypted, compressed, minimumAge, maximumAge, decodeOnceOnly)
{
Requires.True((cryptoKeyStore != null && bucket != null) || (!signed && !encrypted), null);
}
/// <summary>
/// Initializes a new instance of the <see cref="MemoryCryptoKeyAndNonceStore"/> class.
/// </summary>
/// <param name="maximumMessageAge">The maximum time to live of a message that might carry a nonce.</param>
public MemoryCryptoKeyAndNonceStore(TimeSpan maximumMessageAge)
{
this.nonceStore = new MemoryNonceStore(maximumMessageAge);
this.cryptoKeyStore = new MemoryCryptoKeyStore();
}
/// <summary>
/// Initializes a new instance of the <see cref="MemoryCryptoKeyAndNonceStore"/> class.
/// </summary>
/// <param name="maximumMessageAge">The maximum time to live of a message that might carry a nonce.</param>
public MemoryCryptoKeyAndNonceStore(TimeSpan maximumMessageAge) {
this.nonceStore = new MemoryNonceStore(maximumMessageAge);
this.cryptoKeyStore = new MemoryCryptoKeyStore();
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(cryptoKeyStore, nonceStore, new OpenIdRelyingPartyMessageFactory(), securitySettings, false) {
Requires.NotNull(securitySettings, "securitySettings");
}
/// <summary>
/// Creates the formatter used for serialization of this type.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <returns>
/// A formatter for serialization.
/// </returns>
internal static IDataBagFormatter<AssociationDataBag> CreateFormatter(ICryptoKeyStore cryptoKeyStore, string bucket, TimeSpan? minimumAge = null) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(bucket));
Contract.Ensures(Contract.Result<IDataBagFormatter<AssociationDataBag>>() != null);
return new BinaryDataBagFormatter<AssociationDataBag>(cryptoKeyStore, bucket, signed: true, encrypted: true, minimumAge: minimumAge);
}
/// <summary>
/// Initializes a new instance of the <see cref="UriStyleMessageFormatter<T>"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store used when signing or encrypting.</param>
/// <param name="bucket">The bucket in which symmetric keys are stored for signing/encrypting data.</param>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="minimumAge">The minimum age.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
protected internal UriStyleMessageFormatter(ICryptoKeyStore cryptoKeyStore = null, string bucket = null, bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?minimumAge = null, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
: base(cryptoKeyStore, bucket, signed, encrypted, compressed, minimumAge, maximumAge, decodeOnceOnly)
{
Requires.That((cryptoKeyStore != null && !string.IsNullOrEmpty(bucket)) || (!signed && !encrypted), null, "Signing or encryption requires a cryptoKeyStore and bucket.");
}
/// <summary>
/// Creates a formatter capable of serializing/deserializing a refresh token.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <returns>
/// A DataBag formatter. Never null.
/// </returns>
internal static IDataBagFormatter<RefreshToken> CreateFormatter(ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
return new UriStyleMessageFormatter<RefreshToken>(cryptoKeyStore, RefreshTokenKeyBucket, signed: true, encrypted: true);
}
/// <summary>
/// Creates a formatter capable of serializing/deserializing a refresh token.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <returns>
/// A DataBag formatter. Never null.
/// </returns>
internal static IDataBagFormatter<RefreshToken> CreateFormatter(ICryptoKeyStore cryptoKeyStore) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
Contract.Ensures(Contract.Result<IDataBagFormatter<RefreshToken>>() != null);
return new UriStyleMessageFormatter<RefreshToken>(cryptoKeyStore, RefreshTokenKeyBucket, signed: true, encrypted: true);
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardAccessTokenAnalyzer"/> class.
/// </summary>
public StandardAccessTokenAnalyzer(ICryptoKeyStore symmetricKeyStore) {
Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
this.SymmetricKeyStore = symmetricKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationHandleEncoder"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
public ProviderAssociationHandleEncoder(ICryptoKeyStore cryptoKeyStore)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
internal ReturnToSignatureBindingElement(ICryptoKeyStore cryptoKeyStore)
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="CryptoKeyStoreAsRelyingPartyAssociationStore"/> class.
/// </summary>
/// <param name="keyStore">The key store.</param>
internal CryptoKeyStoreAsRelyingPartyAssociationStore(ICryptoKeyStore keyStore) {
Requires.NotNull(keyStore, "keyStore");
Contract.Ensures(this.keyStore == keyStore);
this.keyStore = keyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
internal ReturnToSignatureBindingElement(ICryptoKeyStore cryptoKeyStore) {
Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardRelyingPartyApplicationStore"/> class.
/// </summary>
public StandardRelyingPartyApplicationStore()
{
this.nonceStore = new NonceMemoryStore(OpenIdElement.Configuration.MaxAuthenticationTime);
this.keyStore = new MemoryCryptoKeyStore();
}
/// <summary>
/// Initializes a new instance of the <see cref="ProviderAssociationHandleEncoder"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
public ProviderAssociationHandleEncoder(ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.cryptoKeyStore = cryptoKeyStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardProviderApplicationStore"/> class.
/// </summary>
public StandardProviderApplicationStore() {
this.nonceStore = new NonceMemoryStore(DotNetOpenAuthSection.Configuration.OpenId.MaxAuthenticationTime);
this.cryptoKeyStore = new MemoryCryptoKeyStore();
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardProviderApplicationStore"/> class.
/// </summary>
public StandardProviderApplicationStore() {
this.nonceStore = new NonceMemoryStore(OpenIdElement.Configuration.MaxAuthenticationTime);
this.cryptoKeyStore = new MemoryCryptoKeyStore();
}
public NoAuthAuthorizationServer(ICryptoKeyStore cryptoStore, INonceStore nonceStore)
{
CryptoKeyStore = cryptoStore;
NonceStore = nonceStore;
}
public static IDataBagFormatter <RefreshToken> CreateFormatter(ICryptoKeyStore cryptoKeyStore)
{
return(new UriStyleMessageFormatter <RefreshToken>(cryptoKeyStore, RefreshTokenKeyBucket, signed: true, encrypted: true));
}
