SecurityBindingElement CreateSecurityBindingElement() { SecurityBindingElement element; switch (Security.Mode) { case BasicHttpsSecurityMode.TransportWithMessageCredential: #if NET_2_1 throw new NotImplementedException(); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { // FIXME: pass proper security token parameters. element = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); } else { element = new AsymmetricSecurityBindingElement(); } break; #endif default: return(null); } #if !NET_2_1 element.SetKeyDerivation(false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; #endif return(element); }
public static Binding GetIssuedTokenBindingSSL() { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; return(new CustomBinding( messageSecurity, textmessageEncoding, new HttpsTransportBindingElement())); }
SecurityBindingElement CreateSecurityBindingElement() { SecurityBindingElement element; switch (Security.Mode) { case BasicHttpSecurityMode.Message: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); } element = SecurityBindingElement.CreateMutualCertificateBindingElement( MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); break; case BasicHttpSecurityMode.TransportWithMessageCredential: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { // FIXME: pass proper security token parameters. element = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); } else { element = new AsymmetricSecurityBindingElement(); } break; default: return(null); } element.SetKeyDerivation(false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; return(element); }
//<snippet1> public Binding CreateClientBinding() { AsymmetricSecurityBindingElement abe = (AsymmetricSecurityBindingElement)SecurityBindingElement. CreateMutualCertificateBindingElement( MessageSecurityVersion. WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); abe.SetKeyDerivation(false); X509SecurityTokenParameters istp = abe.InitiatorTokenParameters as X509SecurityTokenParameters; if (istp != null) { istp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; } X509SecurityTokenParameters rstp = abe.RecipientTokenParameters as X509SecurityTokenParameters; if (rstp != null) { rstp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; } HttpTransportBindingElement transport = new HttpTransportBindingElement(); return(new CustomBinding(abe, transport)); }
private SecurityBindingElement CreateSecurity() { AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement(); X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters(); clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; clientToken.RequireDerivedKeys = false; clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal; security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token. X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External; security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token. //Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked. security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return(security); }
public void ServiceRecipientHasNoKeys() { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters(); sbe.RecipientTokenParameters = new UserNameSecurityTokenParameters(); //sbe.SetKeyDerivation (false); //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; CustomBinding binding = new CustomBinding(sbe, new HttpTransportBindingElement()); IChannelListener <IReplyChannel> l = binding.BuildChannelListener <IReplyChannel> (new Uri("http://localhost:37564"), new BindingParameterCollection()); try { l.Open(); } finally { if (l.State == CommunicationState.Opened) { l.Close(); } } }
private static SecurityBindingElement CreateSecurityBindingElement() { var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Sha256; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; messageSecurity.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0); messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0); messageSecurity.LocalServiceSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0); messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0); var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient) { RequireDerivedKeys = false }; messageSecurity.InitiatorTokenParameters = initiator; return(messageSecurity); }
public void ClientInitiatorHasNoKeysCore(bool deriveKeys, MessageProtectionOrder order) { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); sbe.InitiatorTokenParameters = new UserNameSecurityTokenParameters(); sbe.RecipientTokenParameters = new X509SecurityTokenParameters(); sbe.SetKeyDerivation(deriveKeys); sbe.MessageProtectionOrder = order; TransportBindingElement tbe = new HandlerTransportBindingElement(delegate(Message input) { // funky, but .NET does not raise an error // until it writes the message to somewhere. // That is, it won't raise an error if this // HandlerTransportBindingElement does not // write the input message to somewhere. // It is an obvious bug. input.WriteMessage(XmlWriter.Create(TextWriter.Null)); throw new Exception(); }); CustomBinding binding = new CustomBinding(sbe, tbe); EndpointAddress address = new EndpointAddress( new Uri("stream:dummy"), new X509CertificateEndpointIdentity(cert2)); CalcProxy proxy = new CalcProxy(binding, address); proxy.ClientCredentials.UserName.UserName = "******"; proxy.Open(); // Until here the wrong parameters are not checked. proxy.Sum(1, 2); }
public void RejectInclusionModeNever() { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters = new X509SecurityTokenParameters( X509KeyIdentifierClauseType.Thumbprint, // this leads to the failure. SecurityTokenInclusionMode.Never); ServiceHost host = new ServiceHost(typeof(Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement(); CustomBinding binding = new CustomBinding(sbe, hbe); host.AddServiceEndpoint(typeof(IFoo), binding, new Uri("http://localhost:37564")); ServiceCredentials cred = new ServiceCredentials(); cred.ServiceCertificate.Certificate = new X509Certificate2("Test/Resources/test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add(cred); try { host.Open(); } finally { if (host.State == CommunicationState.Opened) { host.Close(); } } }
public void VerifyX509MessageSecurityAtService() { AsymmetricSecurityBindingElement clisbe = new AsymmetricSecurityBindingElement(); clisbe.InitiatorTokenParameters = new X509SecurityTokenParameters(); clisbe.RecipientTokenParameters = new X509SecurityTokenParameters(); AsymmetricSecurityBindingElement svcsbe = new AsymmetricSecurityBindingElement(); svcsbe.InitiatorTokenParameters = new X509SecurityTokenParameters(); svcsbe.RecipientTokenParameters = new X509SecurityTokenParameters(); CustomBinding b_req = new CustomBinding(clisbe, new HttpTransportBindingElement()); b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds(10); CustomBinding b_res = new CustomBinding(svcsbe, new HttpTransportBindingElement()); b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds(10); EndpointAddress remaddr = new EndpointAddress( new Uri("http://localhost:37564"), new X509CertificateEndpointIdentity(cert2)); CalcProxy proxy = null; ServiceHost host = new ServiceHost(typeof(CalcService)); host.AddServiceEndpoint(typeof(ICalc), b_res, "http://localhost:37564"); ServiceCredentials cred = new ServiceCredentials(); cred.ServiceCertificate.Certificate = cert; host.Description.Behaviors.Add(cred); try { host.Open(); proxy = new CalcProxy(b_req, remaddr); proxy.ClientCredentials.ClientCertificate.Certificate = cert; // FIXME: on WinFX, when this Begin method // is invoked before the listener setup, it // somehow works, while ours doesn't. //IAsyncResult result = proxy.BeginSum (1, 2, null, null); //Assert.AreEqual (3, proxy.EndSum (result)); Assert.AreEqual(3, proxy.Sum(1, 2)); } finally { if (host.State == CommunicationState.Opened) { host.Close(); } } }
public override Binding CreateBinding() { Binding bin; var tcpBin = new NetTcpBinding(); tcpBin.ReliableSession.InactivityTimeout = InactivityTimeout; tcpBin.MaxBufferPoolSize = MaxBufferPoolSize; tcpBin.MaxBufferSize = MaxBufferSize; tcpBin.MaxConnections = MaxConnections; tcpBin.MaxReceivedMessageSize = MaxReceivedMessageSize; tcpBin.ReaderQuotas.MaxBytesPerRead = ReaderQuotas_MaxBytesPerRead; tcpBin.ReaderQuotas.MaxStringContentLength = ReaderQuotas_MaxStringContentLength; tcpBin.ReaderQuotas.MaxArrayLength = ReaderQuotas_MaxArrayLength; tcpBin.Security.Mode = SecurityMode; tcpBin.Security.Message.ClientCredentialType = ClientCredentialType; tcpBin.TransferMode = TransferMode; ConfigureTcpBindingAction?.Invoke(tcpBin); bin = tcpBin; // Check if ClockSkew has default values (300 segundos) if (LocalClientMaxClockSkew != TimeSpan.FromMinutes(5) || LocalServiceMaxClockSkew != TimeSpan.FromMinutes(5)) { CustomBinding cusBin = new CustomBinding(tcpBin); SymmetricSecurityBindingElement symetricSecurity = cusBin.Elements.Find <SymmetricSecurityBindingElement>(); if (symetricSecurity != null) { //symetricSecurity.LocalServiceSettings.DetectReplays = false; //symetricSecurity.LocalClientSettings.DetectReplays = false; symetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew; symetricSecurity.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew; if (symetricSecurity.ProtectionTokenParameters is SecureConversationSecurityTokenParameters tokens) { //tokens.BootstrapSecurityBindingElement.LocalClientSettings.DetectReplays = false; //tokens.BootstrapSecurityBindingElement.LocalServiceSettings.DetectReplays = false; tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew; tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew; } } AsymmetricSecurityBindingElement asymetricSecurity = cusBin.Elements.Find <AsymmetricSecurityBindingElement>(); if (asymetricSecurity != null) { asymetricSecurity.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew; asymetricSecurity.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew; if (asymetricSecurity.InitiatorTokenParameters is SecureConversationSecurityTokenParameters tokens) { tokens.BootstrapSecurityBindingElement.LocalClientSettings.MaxClockSkew = LocalClientMaxClockSkew; tokens.BootstrapSecurityBindingElement.LocalServiceSettings.MaxClockSkew = LocalServiceMaxClockSkew; } } bin = cusBin; } bin.CloseTimeout = CloseTimeout; bin.OpenTimeout = OpenTimeout; bin.ReceiveTimeout = ReceiveTimeout; bin.SendTimeout = SendTimeout; return(bin); }
public override BindingElementCollection CreateBindingElements() { var transport = _useHttps ? new HttpsTransportBindingElement() : new HttpTransportBindingElement(); if (_maxReceivedMessageSize.HasValue) { transport.MaxReceivedMessageSize = _maxReceivedMessageSize.Value; } var encoding = new TextMessageEncodingBindingElement(); // [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Adressing 1.0 encoding.MessageVersion = MessageVersion.Soap12WSAddressing10; // AlwaysToInitiator is required by the [OIO IDWS SOAP 1.1] profile. This specifies that the server certificate must be embedded in the response. var recipientTokenParameters = new X509SecurityTokenParameters( X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator); var initiatorTokenParameters = new CustomizedIssuedSecurityTokenParameters( "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" ); initiatorTokenParameters.UseStrTransform = true; var asymmetric = new AsymmetricSecurityBindingElement(recipientTokenParameters, initiatorTokenParameters); // Must be true in order for client to accept embedded server certificates instead of references. This is required by the [OIO IDWS SOAP 1.1] profile. // However, the client must still specify the server certificate explicitly. // Have not figured out how the client can use the embedded server certificate and make trust to it through a CA certificate and a CN (Common Name). This way the client should not need the server certificate. asymmetric.AllowSerializedSigningTokenOnReply = true; // No need for derived keys when both parties has a certificate. Also OIO-IDWS-SOAP does not make use of derived keys. asymmetric.SetKeyDerivation(false); // Include token (encrypted assertion from NemLog-in STS) in signature asymmetric.ProtectTokens = true; // Specifies that WCF can send and receive unsecured responses to secured requests. // Concrete this means that SOAP faults are send unencrypted. [OIO IDWS SOAP 1.1] does not specify whether or not SOAP faults can be encrypted but it looks like they should not be encrypted. // If encrypted the client is not able to process the encrypted SOAP fault if client is not setup correctly. // setting EnableUnsecuredResponse to true makes normal responses unsigned and processed by the client without error. This is not what we want :) //asymmetric.EnableUnsecuredResponse = true; var elements = new BindingElementCollection(); elements.Add(asymmetric); elements.Add(encoding); elements.Add(transport); return(elements); }
public IEnumerator <SecurityTokenParameters> GetEnumerator() { foreach (SecurityTokenParameters iteratorVariable0 in this.sbe.EndpointSupportingTokenParameters.Endorsing) { if (iteratorVariable0 != null) { yield return(iteratorVariable0); } } foreach (SecurityTokenParameters iteratorVariable1 in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing) { if (iteratorVariable1 == null) { continue; } yield return(iteratorVariable1); } foreach (SupportingTokenParameters iteratorVariable2 in this.sbe.OperationSupportingTokenParameters.Values) { if (iteratorVariable2 != null) { foreach (SecurityTokenParameters iteratorVariable3 in iteratorVariable2.Endorsing) { if (iteratorVariable3 == null) { continue; } yield return(iteratorVariable3); } foreach (SecurityTokenParameters iteratorVariable4 in iteratorVariable2.SignedEndorsing) { if (iteratorVariable4 == null) { continue; } yield return(iteratorVariable4); } } } if (this.sbe is SymmetricSecurityBindingElement) { SymmetricSecurityBindingElement sbe = (SymmetricSecurityBindingElement)this.sbe; if (sbe.ProtectionTokenParameters != null) { yield return(sbe.ProtectionTokenParameters); } } else if (this.sbe is AsymmetricSecurityBindingElement) { AsymmetricSecurityBindingElement iteratorVariable6 = (AsymmetricSecurityBindingElement)this.sbe; if (iteratorVariable6.RecipientTokenParameters != null) { yield return(iteratorVariable6.RecipientTokenParameters); } } }
public static void Main () { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement (); //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; //sbe.RequireSignatureConfirmation = true; //sbe.LocalServiceSettings.DetectReplays = false; //sbe.IncludeTimestamp = false; sbe.RecipientTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); X509SecurityTokenParameters p = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); UserNameSecurityTokenParameters up = new UserNameSecurityTokenParameters (); sbe.EndpointSupportingTokenParameters.Signed.Add (up); sbe.SetKeyDerivation (false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost (typeof (Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement (); CustomBinding binding = new CustomBinding (sbe, hbe); binding.ReceiveTimeout = TimeSpan.FromSeconds (5); host.AddServiceEndpoint ("IFoo", binding, new Uri ("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; cred.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; cred.UserNameAuthentication.CustomUserNamePasswordValidator = UserNamePasswordValidator.None; host.Description.Behaviors.Add (cred); host.Description.Behaviors.Find<ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; foreach (ServiceEndpoint se in host.Description.Endpoints) se.Behaviors.Add (new StdErrInspectionBehavior ()); ServiceMetadataBehavior smb = new ServiceMetadataBehavior (); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl"); host.Description.Behaviors.Add (smb); host.Open (); Console.WriteLine ("Hit [CR] key to close ..."); Console.ReadLine (); host.Close (); }
public AsymetricSecurityBE() { MessageSecurityVersion securityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; SecurityBindingElement securityBE = SecurityBindingElement.CreateMutualCertificateBindingElement(securityVersion, true); securityBE.IncludeTimestamp = true; securityBE.SetKeyDerivation(false); securityBE.SecurityHeaderLayout = SecurityHeaderLayout.Lax; securityBE.EnableUnsecuredResponse = true; m_asymSecBE = securityBE as AsymmetricSecurityBindingElement; }
public static void Main() { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; //sbe.RequireSignatureConfirmation = true; //sbe.LocalServiceSettings.DetectReplays = false; //sbe.IncludeTimestamp = false; sbe.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); sbe.SetKeyDerivation(false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost(typeof(Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement(); CustomBinding binding = new CustomBinding(sbe, hbe); binding.ReceiveTimeout = TimeSpan.FromSeconds(5); host.AddServiceEndpoint("IFoo", binding, new Uri("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials(); cred.ServiceCertificate.Certificate = new X509Certificate2("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add(cred); host.Description.Behaviors.Find <ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; foreach (ServiceEndpoint se in host.Description.Endpoints) { se.Behaviors.Add(new StdErrInspectionBehavior()); } ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl"); host.Description.Behaviors.Add(smb); host.Open(); Console.WriteLine("Hit [CR] key to close ..."); Console.ReadLine(); host.Close(); }
protected override SecurityBindingElement CreateMessageSecurity() { if (this.Security.Mode == WSFederationHttpSecurityMode.None) { throw new InvalidOperationException("Only message and security is supported"); } if (this.Security.Message.IssuedKeyType != SecurityKeyType.AsymmetricKey) { throw new InvalidOperationException("Only Asymmectric Keys are supported"); } if (this.Security.Message.NegotiateServiceCredential) { throw new InvalidOperationException("Negocatiation of service credentials not supported"); } if (this.Security.Message.EstablishSecurityContext) { throw new InvalidOperationException("Secure conversation not supported"); } SecurityBindingElement security; if (this.Security.Mode == WSFederationHttpSecurityMode.Message) { SymmetricSecurityBindingElement baseSecurity = (SymmetricSecurityBindingElement)base.CreateMessageSecurity(); AsymmetricSecurityBindingElement asecurity = new AsymmetricSecurityBindingElement(); asecurity.InitiatorTokenParameters = baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]; X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; asecurity.RecipientTokenParameters = serverToken; security = asecurity; } else { TransportSecurityBindingElement baseSecurity = (TransportSecurityBindingElement)base.CreateMessageSecurity(); TransportSecurityBindingElement tsecurity = new TransportSecurityBindingElement(); tsecurity.EndpointSupportingTokenParameters.Endorsing.Add(baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]); security = tsecurity; } security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return(security); }
public IEnumerator <SecurityTokenParameters> GetEnumerator() { foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.Endorsing) { if (stp != null) { yield return(stp); } } foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing) { if (stp != null) { yield return(stp); } } foreach (SupportingTokenParameters str in this.sbe.OperationSupportingTokenParameters.Values) { if (str != null) { foreach (SecurityTokenParameters stp in str.Endorsing) { if (stp != null) { yield return(stp); } } foreach (SecurityTokenParameters stp in str.SignedEndorsing) { if (stp != null) { yield return(stp); } } } } if (this.sbe is SymmetricSecurityBindingElement) { SymmetricSecurityBindingElement ssbe = (SymmetricSecurityBindingElement)sbe; if (ssbe.ProtectionTokenParameters != null) { yield return(ssbe.ProtectionTokenParameters); } } else if (this.sbe is AsymmetricSecurityBindingElement) { AsymmetricSecurityBindingElement asbe = (AsymmetricSecurityBindingElement)sbe; if (asbe.RecipientTokenParameters != null) { yield return(asbe.RecipientTokenParameters); } } }
public static SecurityToken getToken(sts.Token token) { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; //messageSecurity.EnableUnsecuredResponse = true; messageSecurity.IncludeTimestamp = false; messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15; messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.Lax; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; messageSecurity.LocalClientSettings.DetectReplays = false; messageSecurity.LocalServiceSettings.DetectReplays = false; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var binding = new CustomBinding(messageSecurity, textmessageEncoding, new StrippingChannelBindingElement(), new HttpTransportBindingElement()); WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri("http://login.staging.rapidsoft.ru:80/auth/sts"), EndpointIdentity.CreateDnsIdentity("test"))); trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test"); trustChannelFactory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.None; trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13; WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel(); RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue); rst.OnBehalfOf = new Microsoft.IdentityModel.Tokens.SecurityTokenElement(token, new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection()); rst.KeyType = WSTrust13Constants.KeyTypes.Asymmetric; RequestSecurityTokenResponse rstr = null; SecurityToken SecurityToken = channel.Issue(rst, out rstr); return(SecurityToken); }
/// <summary> /// Creates the custom binding. /// </summary> /// <param name="isCertificate">If set to true certificate security will be used.</param> /// <returns></returns> /// <remarks></remarks> public static Binding CreateCustomBinding(bool isCertificate, bool isHttps) { BindingElement securityBinding = null; BindingElement transport = null; if (isHttps) { HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement(); transport = httpsTransport; } else { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); transport = httpTransport; } TextMessageEncodingBindingElement messageEncoding = new TextMessageEncodingBindingElement(); if (!isCertificate) { TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); messageSecurity.IncludeTimestamp = false; securityBinding = messageSecurity; messageSecurity.AllowInsecureTransport = !isHttps; } else { AsymmetricSecurityBindingElement messageSecurity = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement ( MessageSecurityVersion .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 ); messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; messageSecurity.AllowInsecureTransport = !isHttps; securityBinding = messageSecurity; messageEncoding.MessageVersion = MessageVersion.Soap11; } CustomBinding result = new CustomBinding(securityBinding, messageEncoding, transport); return(result); }
/// <summary> /// Returns a custom wcf binding that will create a SOAP request /// compatible with the Simple Order API Service /// </summary> protected static CustomBinding getWCFCustomBinding(Configuration config) { //Setup custom binding with HTTPS + Body Signing CustomBinding currentBinding = new CustomBinding(); //Sign the body AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); asec.SetKeyDerivation(false); asec.IncludeTimestamp = false; asec.EnableUnsecuredResponse = true; asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax; if (config.UseSignedAndEncrypted) { asec.LocalClientSettings.IdentityVerifier = new CustomeIdentityVerifier(); asec.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Once }; asec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt; asec.EndpointSupportingTokenParameters.SignedEncrypted.Add(new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters()); asec.SetKeyDerivation(false); } //Use custom encoder to strip unsigned timestamp in response CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement(); //Setup https transport HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement(); httpsTransport.RequireClientCertificate = true; httpsTransport.AuthenticationScheme = AuthenticationSchemes.Anonymous; httpsTransport.MaxReceivedMessageSize = 2147483647; httpsTransport.UseDefaultWebProxy = false; //Setup Proxy if needed if (mProxy != null) { WebRequest.DefaultWebProxy = mProxy; httpsTransport.UseDefaultWebProxy = true; } //Bind in order (Security layer, message layer, transport layer) currentBinding.Elements.Add(asec); currentBinding.Elements.Add(textBindingElement); currentBinding.Elements.Add(httpsTransport); return(currentBinding); }
public static NCIServiceWCFClient CreateNCIServiceClient(Uri uri) { UCCProxyFactory.ClientCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/isbank_test_private.pfx"); UCCProxyFactory.ServiceCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/ucc_test_public.cer"); UCCProxyFactory.ClientCertificatePassword = "******"; System.Net.ServicePointManager.Expect100Continue = false; if (string.IsNullOrEmpty(ClientCertificatePath) || string.IsNullOrEmpty(ServiceCertificatePath)) { throw new InvalidOperationException("You should specify certificates path first"); } if (string.IsNullOrEmpty(ClientCertificatePassword)) { throw new InvalidOperationException("You should specify ClientCertificatePassword"); } clientCertificate = new X509Certificate2(ClientCertificatePath, ClientCertificatePassword); serviceCertificate = new X509Certificate2(ServiceCertificatePath); endpointIdentity = new X509CertificateEndpointIdentity(serviceCertificate, new X509Certificate2Collection(clientCertificate)); EndpointAddress ea = new EndpointAddress(uri, endpointIdentity); CustomBinding cb = new CustomBinding(); cb.CloseTimeout = new TimeSpan(50000000); TextMessageEncodingBindingElement messageBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8); HttpTransportBindingElement nciTransport = new HttpTransportBindingElement(); nciTransport.MaxReceivedMessageSize = 5000000; //115000000; messageBindingElement.ReaderQuotas.MaxStringContentLength = 1200000; //11200000; AsymmetricSecurityBindingElement abe = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);; abe.AllowSerializedSigningTokenOnReply = true; abe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt; abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15; abe.SetKeyDerivation(false); cb.Elements.Add(abe); cb.Elements.Add(messageBindingElement); cb.Elements.Add(nciTransport); NCIServiceWCFClient nciClient = new NCIServiceWCFClient(cb, ea); nciClient.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate; nciClient.ClientCredentials.ClientCertificate.Certificate = clientCertificate; nciClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; return(nciClient); }
public static AsymmetricSecurityBindingElement CreateWusSecurityBindingElement() { //Create binding element for security AsymmetricSecurityBindingElement secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10); //Explicitly accept secured answers from endpoint secBE.AllowSerializedSigningTokenOnReply = true; secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15; secBE.EnableUnsecuredResponse = true; secBE.IncludeTimestamp = true; secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; return(secBE); }
static void Main(string[] args) { //<snippet5> EndpointAddress serviceEndpoint = new EndpointAddress(new Uri("http://localhost:6060/service")); CustomBinding binding = new CustomBinding(); AsymmetricSecurityBindingElement securityBE = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement( MessageSecurityVersion. WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); // Add a custom IdentityVerifier because the service uses two certificates // (one for signing and one for encryption) and an endpoint identity that // contains a single identity claim. securityBE.LocalClientSettings.IdentityVerifier = new MyIdentityVerifier(); binding.Elements.Add(securityBE); CompositeDuplexBindingElement compositeDuplex = new CompositeDuplexBindingElement(); compositeDuplex.ClientBaseAddress = new Uri("http://localhost:6061/client"); binding.Elements.Add(compositeDuplex); binding.Elements.Add(new OneWayBindingElement()); binding.Elements.Add(new HttpTransportBindingElement()); using (ChannelFactory <IMyServiceChannel> factory = new ChannelFactory <IMyServiceChannel>(binding, serviceEndpoint)) { MyClientCredentials credentials = new MyClientCredentials(); SetupCertificates(credentials); factory.Endpoint.Behaviors.Remove(typeof(ClientCredentials)); factory.Endpoint.Behaviors.Add(credentials); IMyServiceChannel channel = factory.CreateChannel(); Console.WriteLine(channel.Hello("world")); channel.Close(); } //</snippet5> }
private static System.ServiceModel.Channels.Binding CreateBinding() { TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); var httpTransport = new HttpTransportBindingElement(); var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport); return customBinding; }
CreateBindingElements() { var list = new List <BindingElement> (); switch (Security.Mode) { #if !NET_2_1 case BasicHttpSecurityMode.Message: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); } goto case BasicHttpSecurityMode.TransportWithMessageCredential; case BasicHttpSecurityMode.TransportWithMessageCredential: SecurityBindingElement sec; if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { // FIXME: pass proper security token parameters. sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); } else { sec = new AsymmetricSecurityBindingElement(); } list.Add(sec); break; #endif } #if NET_2_1 if (EnableHttpCookieContainer) { list.Add(new HttpCookieContainerBindingElement()); } #endif list.Add(BuildMessageEncodingBindingElement()); list.Add(GetTransport()); return(new BindingElementCollection(list.ToArray())); }
static void Run() { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement(); //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; //sbe.RequireSignatureConfirmation = true; //sbe.LocalClientSettings.DetectReplays = false; //sbe.IncludeTimestamp = false; X509SecurityTokenParameters p = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); UserNameSecurityTokenParameters up = new UserNameSecurityTokenParameters(); sbe.EndpointSupportingTokenParameters.Signed.Add(up); sbe.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); sbe.SetKeyDerivation(false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; HttpTransportBindingElement hbe = new HttpTransportBindingElement(); CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe); X509Certificate2 cert = new X509Certificate2("test.pfx", "mono"); X509Certificate2 cert2 = new X509Certificate2("test2.pfx", "mono"); FooProxy proxy = new FooProxy(binding, new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert))); //proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; proxy.ClientCredentials.UserName.UserName = "******"; proxy.ClientCredentials.ClientCertificate.Certificate = cert2; proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior()); proxy.Open(); Console.WriteLine(proxy.Echo("TEST FOR ECHO")); }
SecurityBindingElement CreateSecurityBindingElement() { SecurityBindingElement element; switch (Security.Mode) { case BasicHttpSecurityMode.Message: #if NET_2_1 || XAMMAC_4_5 throw new NotImplementedException(); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); } element = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); break; #endif case BasicHttpSecurityMode.TransportWithMessageCredential: #if NET_2_1 || XAMMAC_4_5 throw new NotImplementedException(); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { element = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); } else { element = new AsymmetricSecurityBindingElement(); } break; #endif default: return(null); } #if !NET_2_1 && !XAMMAC_4_5 element.SetKeyDerivation(false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; #endif return(element); }
private CustomBinding CreatePullBinding() { CustomBinding pullBinding = new CustomBinding(); pullBinding.Name = "ePUAPBinding"; SecurityBindingElement sBElement = SecurityBindingElement.CreateMutualCertificateBindingElement( MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10); AsymmetricSecurityBindingElement bindingAsymetryczny = (AsymmetricSecurityBindingElement)sBElement; bindingAsymetryczny.SetKeyDerivation(true); bindingAsymetryczny.EnableUnsecuredResponse = false; bindingAsymetryczny.AllowInsecureTransport = false; bindingAsymetryczny.AllowSerializedSigningTokenOnReply = true; bindingAsymetryczny.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic192Rsa15; bindingAsymetryczny.IncludeTimestamp = true; bindingAsymetryczny.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; pullBinding.Elements.Clear(); pullBinding.Elements.Add(bindingAsymetryczny); pullBinding.Elements.Add(new TextMessageEncodingBindingElement() { MessageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11, AddressingVersion.None), WriteEncoding = new UTF8Encoding() }); HttpsTransportBindingElement httpsbinding = new HttpsTransportBindingElement(); pullBinding.Elements.Add(httpsbinding); return(pullBinding); }
/// <summary> /// Returns a custom wcf binding that will create a SOAP request /// compatible with the Simple Order API Service /// </summary> protected static CustomBinding getWCFCustomBinding() { //Setup custom binding with HTTPS + Body Signing CustomBinding currentBinding = new CustomBinding(); //Sign the body AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); asec.SetKeyDerivation(false); asec.IncludeTimestamp = false; asec.EnableUnsecuredResponse = true; asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //Use custom encoder to strip unsigned timestamp in response CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement(); //Setup https transport HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement(); httpsTransport.RequireClientCertificate = true; httpsTransport.AuthenticationScheme = AuthenticationSchemes.Anonymous; httpsTransport.MaxReceivedMessageSize = 2147483647; httpsTransport.UseDefaultWebProxy = false; //Setup Proxy if needed if (mProxy != null) { WebRequest.DefaultWebProxy = mProxy; httpsTransport.UseDefaultWebProxy = true; } //Bind in order (Security layer, message layer, transport layer) currentBinding.Elements.Add(asec); currentBinding.Elements.Add(textBindingElement); currentBinding.Elements.Add(httpsTransport); return(currentBinding); }
private static System.ServiceModel.Channels.Binding CreateBinding() { TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); var httpTransport = new HttpTransportBindingElement(); var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport); return(customBinding); }
/// <summary> /// /// </summary> /// <param name="transport"></param> /// <returns></returns> private static System.ServiceModel.Channels.Binding CreateBinding(TransportBindingElement transport) { TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.LocalClientSettings.IdentityVerifier = new DisabledDnsIdentityCheck(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); messageSecurity.ProtectTokens = true; initiator.UseStrTransform = true; initiator.KeyType = SecurityKeyType.AsymmetricKey; initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, transport); return customBinding; }
public WSSecurityBinding(bool sslLocation, X509Certificate2 serviceCertificate) { this.sslLocation = sslLocation; // Get CN from service certificate, used to set Dns Identity Claim string cn = null; foreach (string issuerPart in serviceCertificate.Issuer.Split(',')) { string[] parts = issuerPart.Split('='); if (parts[0].ToUpperInvariant().EndsWith("CN")) { cn = parts[1]; } } TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement(); encoding.MessageVersion = MessageVersion.Soap11; AsymmetricSecurityBindingElement securityBinding = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(); securityBinding.LocalClientSettings.IdentityVerifier = new DnsIdentityVerifier(new DnsEndpointIdentity(cn)); securityBinding.AllowSerializedSigningTokenOnReply = true; securityBinding.SecurityHeaderLayout = SecurityHeaderLayout.Lax; this.bindingElements = new BindingElementCollection(); this.bindingElements.Add(securityBinding); this.bindingElements.Add(encoding); if (this.sslLocation) { this.bindingElements.Add(new HttpsTransportBindingElement()); } else { this.bindingElements.Add(new HttpTransportBindingElement()); } }
public static Binding GetIssuedTokenBindingSSL() { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; return new CustomBinding( messageSecurity, textmessageEncoding, new HttpsTransportBindingElement()); }
public void RejectInclusionModeNever () { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement (); sbe.InitiatorTokenParameters = sbe.RecipientTokenParameters = new X509SecurityTokenParameters ( X509KeyIdentifierClauseType.Thumbprint, // this leads to the failure. SecurityTokenInclusionMode.Never); ServiceHost host = new ServiceHost (typeof (Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement (); CustomBinding binding = new CustomBinding (sbe, hbe); host.AddServiceEndpoint (typeof (IFoo), binding, new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ())); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add (cred); try { host.Open (); } finally { if (host.State == CommunicationState.Opened) host.Close (); } }
public void ClientInitiatorHasNoKeysCore (bool deriveKeys, MessageProtectionOrder order) { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement (); sbe.InitiatorTokenParameters = new UserNameSecurityTokenParameters (); sbe.RecipientTokenParameters = new X509SecurityTokenParameters (); sbe.SetKeyDerivation (deriveKeys); sbe.MessageProtectionOrder = order; TransportBindingElement tbe = new HandlerTransportBindingElement (delegate (Message input) { // funky, but .NET does not raise an error // until it writes the message to somewhere. // That is, it won't raise an error if this // HandlerTransportBindingElement does not // write the input message to somewhere. // It is an obvious bug. input.WriteMessage (XmlWriter.Create (TextWriter.Null)); throw new Exception (); }); CustomBinding binding = new CustomBinding (sbe, tbe); EndpointAddress address = new EndpointAddress ( new Uri ("stream:dummy"), new X509CertificateEndpointIdentity (cert2)); CalcProxy proxy = new CalcProxy (binding, address); proxy.ClientCredentials.UserName.UserName = "******"; proxy.Open (); // Until here the wrong parameters are not checked. proxy.Sum (1, 2); }
public void VerifyX509MessageSecurityAtService () { AsymmetricSecurityBindingElement clisbe = new AsymmetricSecurityBindingElement (); clisbe.InitiatorTokenParameters = new X509SecurityTokenParameters (); clisbe.RecipientTokenParameters = new X509SecurityTokenParameters (); AsymmetricSecurityBindingElement svcsbe = new AsymmetricSecurityBindingElement (); svcsbe.InitiatorTokenParameters = new X509SecurityTokenParameters (); svcsbe.RecipientTokenParameters = new X509SecurityTokenParameters (); CustomBinding b_req = new CustomBinding (clisbe, new HttpTransportBindingElement ()); b_req.ReceiveTimeout = b_req.SendTimeout = TimeSpan.FromSeconds (10); CustomBinding b_res = new CustomBinding (svcsbe, new HttpTransportBindingElement ()); b_res.ReceiveTimeout = b_res.SendTimeout = TimeSpan.FromSeconds (10); EndpointAddress remaddr = new EndpointAddress ( new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()), new X509CertificateEndpointIdentity (cert2)); CalcProxy proxy = null; ServiceHost host = new ServiceHost (typeof (CalcService)); host.AddServiceEndpoint (typeof (ICalc), b_res, "http://localhost:" + NetworkHelpers.FindFreePort ()); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = cert; host.Description.Behaviors.Add (cred); try { host.Open (); proxy = new CalcProxy (b_req, remaddr); proxy.ClientCredentials.ClientCertificate.Certificate = cert; // FIXME: on WinFX, when this Begin method // is invoked before the listener setup, it // somehow works, while ours doesn't. //IAsyncResult result = proxy.BeginSum (1, 2, null, null); //Assert.AreEqual (3, proxy.EndSum (result)); Assert.AreEqual (3, proxy.Sum (1, 2)); } finally { if (host.State == CommunicationState.Opened) host.Close (); } }
public void SetKeyDerivation () { AsymmetricSecurityBindingElement be; X509SecurityTokenParameters p, p2; be = new AsymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); be.InitiatorTokenParameters = p; be.RecipientTokenParameters = p2; be.SetKeyDerivation (false); Assert.AreEqual (false, p.RequireDerivedKeys, "#1"); Assert.AreEqual (false, p2.RequireDerivedKeys, "#2"); be = new AsymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); be.SetKeyDerivation (false); // set in prior - makes no sense be.InitiatorTokenParameters = p; be.RecipientTokenParameters = p2; Assert.AreEqual (true, p.RequireDerivedKeys, "#3"); Assert.AreEqual (true, p2.RequireDerivedKeys, "#4"); }
public AsymmetricSecurityCapabilities ( AsymmetricSecurityBindingElement element) { this.element = element; }
public void ServiceRecipientHasNoKeys () { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement (); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters (); sbe.RecipientTokenParameters = new UserNameSecurityTokenParameters (); //sbe.SetKeyDerivation (false); //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; CustomBinding binding = new CustomBinding (sbe, new HttpTransportBindingElement ()); IChannelListener<IReplyChannel> l = binding.BuildChannelListener<IReplyChannel> (new Uri ("http://localhost:" + NetworkHelpers.FindFreePort ()), new BindingParameterCollection ()); try { l.Open (); } finally { if (l.State == CommunicationState.Opened) l.Close (); } }
private SecurityBindingElement CreateSecurity() { AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement(); X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters(); clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; clientToken.RequireDerivedKeys = false; clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal; security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token. X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External; security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token. //Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked. security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return security; }
SecurityBindingElement CreateSecurityBindingElement () { SecurityBindingElement element; switch (Security.Mode) { #if !NET_2_1 case BasicHttpSecurityMode.Message: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); element = SecurityBindingElement.CreateMutualCertificateBindingElement ( MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); break; case BasicHttpSecurityMode.TransportWithMessageCredential: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) // FIXME: pass proper security token parameters. element = SecurityBindingElement.CreateCertificateOverTransportBindingElement (); else element = new AsymmetricSecurityBindingElement (); break; #endif default: return null; } #if !NET_2_1 element.SetKeyDerivation (false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; #endif return element; }
public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding) { XmlElement element; Collection<Collection<XmlElement>> collection; bool flag = false; if (this.TryImportWsspAssertion(assertions, "RecipientToken", out element) && this.TryGetNestedPolicyAlternatives(importer, element, out collection)) { foreach (Collection<XmlElement> collection2 in collection) { SecurityTokenParameters parameters; bool flag2; if (this.TryImportTokenAssertion(importer, policyContext, collection2, out parameters, out flag2) && (collection2.Count == 0)) { flag = true; binding.RecipientTokenParameters = parameters; return flag; } } } return flag; }
public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion) { Collection<Collection<XmlElement>> collection; binding = null; if (this.TryImportWsspAssertion(assertions, "AsymmetricBinding", out assertion) && this.TryGetNestedPolicyAlternatives(importer, assertion, out collection)) { foreach (Collection<XmlElement> collection2 in collection) { MessageProtectionOrder order; binding = new AsymmetricSecurityBindingElement(); if (((this.TryImportWsspInitiatorTokenAssertion(importer, policyContext, collection2, binding) && this.TryImportWsspRecipientTokenAssertion(importer, policyContext, collection2, binding)) && (this.TryImportWsspAlgorithmSuiteAssertion(importer, collection2, binding) && this.TryImportWsspLayoutAssertion(importer, collection2, binding))) && ((this.TryImportWsspIncludeTimestampAssertion(collection2, binding) && this.TryImportMessageProtectionOrderAssertions(collection2, out order)) && (this.TryImportWsspAssertion(collection2, "OnlySignEntireHeadersAndBody", true) && (collection2.Count == 0)))) { binding.MessageProtectionOrder = order; break; } binding = null; } } return (binding != null); }
public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding) { bool result = false; XmlElement assertion; Collection<Collection<XmlElement>> alternatives; if (TryImportWsspAssertion(assertions, RecipientTokenName, out assertion) && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { SecurityTokenParameters tokenParameters; bool isOptional; if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional) && alternative.Count == 0) { result = true; binding.RecipientTokenParameters = tokenParameters; break; } } } return result; }
public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion) { binding = null; Collection<Collection<XmlElement>> alternatives; if (TryImportWsspAssertion(assertions, AsymmetricBindingName, out assertion) && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { MessageProtectionOrder order; bool protectTokens; binding = new AsymmetricSecurityBindingElement(); if (TryImportWsspInitiatorTokenAssertion(importer, policyContext, alternative, binding) && TryImportWsspRecipientTokenAssertion(importer, policyContext, alternative, binding) && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding) && TryImportWsspLayoutAssertion(importer, alternative, binding) && TryImportWsspIncludeTimestampAssertion(alternative, binding) && TryImportMessageProtectionOrderAssertions(alternative, out order) && TryImportWsspProtectTokensAssertion(alternative, out protectTokens) && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true) && alternative.Count == 0) { binding.MessageProtectionOrder = order; binding.ProtectTokens = protectTokens; break; } else { binding = null; } } } return binding != null; }
private SecurityBindingElement CreateWSS11SecurityBindingElement() { AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; // TEST //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = false; //WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding"); //CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport"); // TEMPORARILY DISABLED // .Net 3.5 //string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc"; // .Net 4.0 string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc"; //IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", // new EndpointAddress(adsAddress), stsBinding); IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); issuedTokenParameters.UseStrTransform = false; issuedTokenParameters.KeyType = SecurityKeyType.BearerKey; //issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey; //issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey; // 256? //issuedTokenParameters.KeySize = 256; issuedTokenParameters.KeySize = 0; // .Net 3.5 //string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex"; // .Net 4.0 //string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex"; //issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress); issuedTokenParameters.RequireDerivedKeys = false; issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; // Claims //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId")); // THis is a test //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters); // This is the right one secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters); // need to put this in configuration //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any; X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier; //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial; //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.Never); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; secBindingElement.RecipientTokenParameters = recipientTokenParameters; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; return secBindingElement; }
private SecurityBindingElement CreateWSS10SecurityBindingElement() { AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = false; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; secBindingElement.RecipientTokenParameters = recipientTokenParameters; //secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters); //secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; return secBindingElement; }
public static void AssertAsymmetricSecurityBindingElement ( SecurityAlgorithmSuite algorithm, bool includeTimestamp, SecurityKeyEntropyMode keyEntropyMode, MessageProtectionOrder messageProtectionOrder, MessageSecurityVersion messageSecurityVersion, bool requireSignatureConfirmation, SecurityHeaderLayout securityHeaderLayout, // EndpointSupportingTokenParameters int endorsing, int signed, int signedEncrypted, int signedEndorsing, // InitiatorTokenParameters bool hasInitiatorTokenParameters, SecurityTokenInclusionMode initiatorTokenInclusionMode, SecurityTokenReferenceStyle initiatorTokenReferenceStyle, bool initiatorTokenRequireDerivedKeys, // RecipientTokenParameters bool hasRecipientTokenParameters, SecurityTokenInclusionMode recipientTokenInclusionMode, SecurityTokenReferenceStyle recipientTokenReferenceStyle, bool recipientTokenRequireDerivedKeys, // LocalClientSettings bool cacheCookies, int renewalThresholdPercentage, bool detectReplays, AsymmetricSecurityBindingElement be, string label) { AssertSecurityBindingElement ( algorithm, includeTimestamp, keyEntropyMode, messageSecurityVersion, securityHeaderLayout, // EndpointSupportingTokenParameters endorsing, signed, signedEncrypted, signedEndorsing, // LocalClientSettings cacheCookies, renewalThresholdPercentage, detectReplays, be, label); Assert.AreEqual (messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder"); Assert.AreEqual (requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation"); if (!hasInitiatorTokenParameters) Assert.IsNull (be.InitiatorTokenParameters, label + ".InitiatorTokenParameters (null)"); else AssertSecurityTokenParameters ( initiatorTokenInclusionMode, initiatorTokenReferenceStyle, initiatorTokenRequireDerivedKeys, be.InitiatorTokenParameters, label + ".InitiatorTokenParameters"); if (!hasRecipientTokenParameters) Assert.IsNull (be.RecipientTokenParameters, label + ".RecipientTokenParameters (null)"); else AssertSecurityTokenParameters ( recipientTokenInclusionMode, recipientTokenReferenceStyle, recipientTokenRequireDerivedKeys, be.RecipientTokenParameters, label + ".RecipientTokenParameters"); }
public virtual XmlElement CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding) { if (binding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); } XmlElement result = CreateWsspAssertion(AsymmetricBindingName); result.AppendChild( CreateWspPolicyWrapper( exporter, CreateWsspInitiatorTokenAssertion(exporter, binding.InitiatorTokenParameters), CreateWsspRecipientTokenAssertion(exporter, binding.RecipientTokenParameters), CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite), CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout), CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp), CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder), CreateWsspEncryptSignatureAssertion(policyContext, binding), CreateWsspProtectTokensAssertion(binding), CreateWsspAssertion(OnlySignEntireHeadersAndBodyName) )); return result; }
CreateBindingElements () { var list = new List<BindingElement> (); switch (Security.Mode) { #if !NET_2_1 case BasicHttpSecurityMode.Message: if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) throw new InvalidOperationException ("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); goto case BasicHttpSecurityMode.TransportWithMessageCredential; case BasicHttpSecurityMode.TransportWithMessageCredential: SecurityBindingElement sec; if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) // FIXME: pass proper security token parameters. sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement (); else sec = new AsymmetricSecurityBindingElement (); list.Add (sec); break; #endif } #if NET_2_1 if (EnableHttpCookieContainer) list.Add (new HttpCookieContainerBindingElement ()); #endif list.Add (BuildMessageEncodingBindingElement ()); list.Add (GetTransport ()); return new BindingElementCollection (list.ToArray ()); }
SecurityBindingElement CreateSecurityBindingElement () { SecurityBindingElement element; switch (Security.Mode) { case BasicHttpsSecurityMode.TransportWithMessageCredential: #if NET_2_1 throw new NotImplementedException (); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) // FIXME: pass proper security token parameters. element = SecurityBindingElement.CreateCertificateOverTransportBindingElement (); else element = new AsymmetricSecurityBindingElement (); break; #endif default: return null; } #if !NET_2_1 element.SetKeyDerivation (false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; #endif return element; }
private SecurityBindingElement CreateSecurityBindingElement() { CustomTextTraceSource ts = new CustomTextTraceSource("Common.WspCustomSecuredBinding.CreateSecurityBindingElement", "MyTraceSource", System.Diagnostics.SourceLevels.Information); AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = true; // SAML assertion as a signed-encrypted supporting token IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); // Compliance with WSS SAML Token Profile 1.1 // Target .Net 3.5. Does not work with .Net 4 issuedTokenParameters.UseStrTransform = _enableStrTransform; ts.TraceInformation("issuedTokenParameters.UseStrTransform = " + issuedTokenParameters.UseStrTransform.ToString()); // Using bearer key type which means no proof key issuedTokenParameters.KeyType = SecurityKeyType.BearerKey; issuedTokenParameters.KeySize = 0; issuedTokenParameters.RequireDerivedKeys = false; issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; // These claims are not really needed here. We are doing out of band requests! // Claims //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId")); // GFIPM S2S 6.4 User Authorization - Encrypted GFIPM User Assertion //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters); // For debug secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToInitiator); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator; //recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; secBindingElement.RecipientTokenParameters = recipientTokenParameters; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; //Set the Custom IdentityVerifier secBindingElement.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier(); ////////////////////////////////////////////////////////// return secBindingElement; }