コード例 #1
ファイル: WSHttpBindingTest.cs プロジェクト: zzwwqqq/mono
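        /// <summary>
        /// Checks the security binding element that <c>WSHttpBinding</c> produces for
        /// message security with a user-name client credential when both
        /// <c>NegotiateServiceCredential</c> and <c>EstablishSecurityContext</c> are off.
        /// </summary>
        /// <remarks>
        /// The assertions pin this shape: a symmetric element without signature
        /// confirmation, an X.509 protection token that is referenced internally and
        /// never included in the message, and one user-name token in the
        /// SignedEncrypted endpoint supporting tokens that is always sent to the recipient.
        /// </remarks>
        public void MessageSecurityUserName()
        {
            WSHttpBinding binding = new WSHttpBinding();

            binding.Security.Message.NegotiateServiceCredential = false;
            binding.Security.Message.EstablishSecurityContext = false;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

            SymmetricSecurityBindingElement sbe =
                binding.CreateBindingElements().Find<SymmetricSecurityBindingElement>();

            Assert.IsNotNull(sbe, "#1");
            Assert.AreEqual(false, sbe.RequireSignatureConfirmation, "#1-2");

            // Protection token: expected to be an X.509 token that is not carried in the message.
            X509SecurityTokenParameters sp =
                sbe.ProtectionTokenParameters as X509SecurityTokenParameters;

            Assert.IsNotNull(sp, "#2");
            Assert.AreEqual(SecurityTokenReferenceStyle.Internal, sp.ReferenceStyle, "#3");
            Assert.AreEqual(SecurityTokenInclusionMode.Never, sp.InclusionMode, "#4");

            // Supporting token: the user-name credential sits in the SignedEncrypted list.
            UserNameSecurityTokenParameters up =
                sbe.EndpointSupportingTokenParameters.SignedEncrypted[0]
                as UserNameSecurityTokenParameters;

            // Without this check a token of another type would surface as a
            // NullReferenceException on the next line instead of a labelled failure.
            Assert.IsNotNull(up, "#4-2");
            Assert.AreEqual(SecurityTokenReferenceStyle.Internal, up.ReferenceStyle, "#5");
            Assert.AreEqual(SecurityTokenInclusionMode.AlwaysToRecipient, up.InclusionMode, "#6");
        }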
コード例 #2
        /// <summary>
        /// Verifies the settings of the element returned by
        /// <c>SecurityBindingElement.CreateUserNameForSslBindingElement()</c> through the
        /// shared <c>SecurityAssert</c> helper.
        /// </summary>
        public void CreateUserNameForSslBindingElement()
        {
            SymmetricSecurityBindingElement element =
                SecurityBindingElement.CreateUserNameForSslBindingElement();

            SecurityAssert.AssertSymmetricSecurityBindingElement(
                SecurityAlgorithmSuite.Default,
                true, // IncludeTimestamp
                SecurityKeyEntropyMode.CombinedEntropy,
                MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
                MessageSecurityVersion.Default,
                false, // RequireSignatureConfirmation
                SecurityHeaderLayout.Strict,
                // EndpointSupportingTokenParameters counts, in the order
                // endorsing, signed, signedEncrypted, signedEndorsing
                0, 0, 1, 0,
                // ProtectionTokenParameters
                true,
                SecurityTokenInclusionMode.AlwaysToRecipient,
                SecurityTokenReferenceStyle.Internal,
                true,
                // LocalClientSettings
                true, 60, true,
                element,
                "");

            // The only SignedEncrypted supporting token is fetched here, but no
            // assertion is made on it yet.
            UserNameSecurityTokenParameters userNameToken =
                element.EndpointSupportingTokenParameters.SignedEncrypted[0]
                as UserNameSecurityTokenParameters;
            // FIXME: test it

            // FIXME: test ProtectionTokenParameters
        }
コード例 #3
ファイル: SecurityBindingElement.cs プロジェクト: yukozh/wcf
        // this method reverses CreateMutualCertificateBindingElement() logic
        internal static bool IsUserNameOverTransportBinding(SecurityBindingElement sbe)
        {
            // Returns true when sbe has the user-name-over-transport shape: a
            // timestamped TransportSecurityBindingElement whose only endpoint
            // supporting token is one SignedEncrypted user-name token.
            // sbe.LocalServiceSettings and sbe.LocalClientSettings are deliberately
            // not part of the comparison.
            // NOTE(review): nothing here looks at the transport element itself, so a
            // true result describes the security element only; confirm where the
            // transport's own protection is checked.
            bool isTimestampedTransportElement =
                sbe.IncludeTimestamp && sbe is TransportSecurityBindingElement;

            if (!isTimestampedTransportElement)
            {
                return false;
            }

            SupportingTokenParameters supportingTokens = sbe.EndpointSupportingTokenParameters;

            // Exactly one supporting token is accepted, and it must be in SignedEncrypted.
            bool hasSingleSignedEncryptedToken =
                supportingTokens.Signed.Count == 0
                && supportingTokens.SignedEncrypted.Count == 1
                && supportingTokens.Endorsing.Count == 0
                && supportingTokens.SignedEndorsing.Count == 0;

            if (!hasSingleSignedEncryptedToken)
            {
                return false;
            }

            // That single token has to be a user-name token.
            return supportingTokens.SignedEncrypted[0] is UserNameSecurityTokenParameters;
        }
コード例 #4
        /// <summary>
        /// Creates a DocuSign SOAP API client for the given account and sets the
        /// account's user name and password as the client's user-name credentials.
        /// </summary>
        /// <param name="accountCredentials">Supplies the service address (<c>ApiUrl</c>) and the
        /// <c>UserName</c> / <c>Password</c> pair that are placed on the client.</param>
        /// <returns>A disposable object you should wrap in using() statement</returns>
        public static DocuSignWeb.APIServiceSoap CreateApiProxy(AccountCredentials accountCredentials)
        {
#if true
            // Active branch: build the client from the "APIServiceSoap" endpoint
            // configuration and point it at the account's API URL.
            // NOTE(review): whether the password is protected on the wire depends on that
            // endpoint configuration and on the scheme of ApiUrl, neither of which is
            // visible here - confirm the binding uses transport or message security.
            DocuSignWeb.APIServiceSoapClient apiService = new DocuSignWeb.APIServiceSoapClient("APIServiceSoap", accountCredentials.ApiUrl);

            apiService.ClientCredentials.UserName.UserName = accountCredentials.UserName;
            apiService.ClientCredentials.UserName.Password = accountCredentials.Password;

            return(apiService);
#else       // this is a security token configuration
            // Compiled out while the directive above reads "#if true".
            // this is required for certain calls like RequestRecipientToken
            // you need to get a certificate from Thawte or VeriSign first and install it
            DocuSignWeb.APIServiceSoapClient apiService = new DocuSignWeb.APIServiceSoapClient("APIServiceSoap1", accountCredentials.ApiUrl);
            // Credentials in this branch come from application settings, not from accountCredentials.
            apiService.ClientCredentials.UserName.UserName = "******" + ConfigurationManager.AppSettings["IntegratorsKey"] + "]" + ConfigurationManager.AppSettings["APIUserEmail"];
            apiService.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["Password"];

            //
            // need to add the supporting token since DocuSign uses dual authentication
            // for critical calls
            // The configured binding is taken apart, a user-name token (always sent to the
            // recipient, no derived keys) is added as a SignedEncrypted endpoint supporting
            // token, and a new CustomBinding is built from the modified elements.
            CustomBinding                   binding         = (CustomBinding)apiService.Endpoint.Binding;
            BindingElementCollection        elements        = binding.CreateBindingElements();
            SecurityBindingElement          security        = elements.Find <SecurityBindingElement>();
            UserNameSecurityTokenParameters tokenParameters = new UserNameSecurityTokenParameters();
            tokenParameters.InclusionMode      = SecurityTokenInclusionMode.AlwaysToRecipient;
            tokenParameters.RequireDerivedKeys = false;
            security.EndpointSupportingTokenParameters.SignedEncrypted.Add(
                tokenParameters);
            apiService.Endpoint.Binding = new CustomBinding(elements.ToArray());;
            return(apiService);
#endif
        }
コード例 #5
ファイル: SecurityBindingElement.cs プロジェクト: mdae/MonoRT
        CreateUserNameForSslBindingElement(bool requireCancellation)
        {
            // Builds a symmetric security element whose protection token comes from
            // CreateProtectionTokenParameters(false) and whose only endpoint supporting
            // token is a SignedEncrypted user-name token.
            // NOTE(review): requireCancellation is not read anywhere in this body.
            SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement();
            element.ProtectionTokenParameters = CreateProtectionTokenParameters(false);

            UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
            element.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);

            return element;
        }
コード例 #6
ファイル: SecurityBindingElement.cs プロジェクト: mdae/MonoRT
        CreateUserNameForCertificateBindingElement()
        {
            // Builds a symmetric security element whose protection token comes from
            // CreateProtectionTokenParameters(true) and whose only endpoint supporting
            // token is a SignedEncrypted user-name token.
            SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement();
            element.ProtectionTokenParameters = CreateProtectionTokenParameters(true);

            UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
            element.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);

            return element;
        }
コード例 #7
        /// <summary>
        /// Builds an issued-token symmetric security element, attaches supporting tokens
        /// at endpoint scope and at operation scope, prints the operation-scope entries
        /// and returns the element.
        /// </summary>
        /// <returns>The configured security binding element.</returns>
        private SecurityBindingElement CreateSecurityBindingElement()
        {
            // The issued token parameters drive the element and are reused below as an
            // operation-scope endorsing token.
            IssuedSecurityTokenParameters issuedToken = new IssuedSecurityTokenParameters();
            SymmetricSecurityBindingElement element =
                SecurityBindingElement.CreateIssuedTokenBindingElement(issuedToken);

            // Endpoint scope: a Kerberos token, always sent to the recipient, endorses
            // every operation of the endpoint.
            KerberosSecurityTokenParameters kerberosToken = new KerberosSecurityTokenParameters
            {
                InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
            };
            element.EndpointSupportingTokenParameters.Endorsing.Add(kerberosToken);

            // User-name token with derived keys switched off.
            UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters
            {
                RequireDerivedKeys = false
            };

            // Operation scope: the issued token endorses, the user-name token is
            // signed and encrypted.
            SupportingTokenParameters operationTokens = new SupportingTokenParameters();
            operationTokens.Endorsing.Add(issuedToken);
            operationTokens.SignedEncrypted.Add(userNameToken);

            // Register the set under the key "1" in the operation-scope dictionary.
            KeyValuePair<string, SupportingTokenParameters> entry =
                new KeyValuePair<string, SupportingTokenParameters>("1", operationTokens);
            element.OperationSupportingTokenParameters.Add(entry);

            // Dump every operation-scope entry, then wait for a key press.
            Console.WriteLine("Reading Kevalue pairs");
            foreach (KeyValuePair<string, SupportingTokenParameters> registered
                     in element.OperationSupportingTokenParameters)
            {
                Console.WriteLine("{0}: {1}", registered.Key, registered.Value);
            }

            Console.ReadLine();

            return element;
        }
コード例 #8
ファイル: samplesvc9.cs プロジェクト: stanasse/olive
    /// <summary>
    /// Hosts the sample <c>Foo</c> service on localhost with message-level security:
    /// an X.509 protection token plus a SignedEncrypted user-name supporting token.
    /// </summary>
    /// <remarks>
    /// Sample-only settings visible in this body: the endpoint and the metadata URL use
    /// plain HTTP on localhost, the PFX password is a literal, and exception details
    /// are returned in faults.
    /// </remarks>
    public static void Main()
    {
        // Message security: the service certificate is referenced by thumbprint and
        // never included in the message.
        SymmetricSecurityBindingElement security = new SymmetricSecurityBindingElement();
        //security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        //security.RequireSignatureConfirmation = true;
        security.ProtectionTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint,
            SecurityTokenInclusionMode.Never);

        // The user-name credential is carried signed and encrypted, without derived keys.
        UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
        userNameToken.RequireDerivedKeys = false;
        security.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);
        //security.EndpointSupportingTokenParameters.Signed.Add (userNameToken);

        ServiceHost host = new ServiceHost(typeof(Foo));

        // Security element stacked on an HTTP transport.
        HttpTransportBindingElement transport = new HttpTransportBindingElement();
        CustomBinding binding = new CustomBinding(security, transport);
        binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
        host.AddServiceEndpoint("IFoo", binding, new Uri("http://localhost:8080"));

        // Service certificate from a local PFX; user names go to a custom validator.
        // NOTE(review): GodUserNamePasswordValidator is defined elsewhere; what it
        // accepts is not visible here.
        ServiceCredentials credentials = new ServiceCredentials();
        credentials.ServiceCertificate.Certificate = new X509Certificate2("test.pfx", "mono");
        credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new GodUserNamePasswordValidator();
        host.Description.Behaviors.Add(credentials);

        // Faults carry exception details back to the caller.
        host.Description.Behaviors.Find<ServiceDebugBehavior>().IncludeExceptionDetailInFaults = true;

        // Every endpoint gets the stderr inspection behavior.
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
        {
            endpoint.Behaviors.Add(new StdErrInspectionBehavior());
        }

        // Metadata is published over HTTP GET.
        ServiceMetadataBehavior metadata = new ServiceMetadataBehavior();
        metadata.HttpGetEnabled = true;
        metadata.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
        host.Description.Behaviors.Add(metadata);

        host.Open();
        Console.WriteLine("Hit [CR] key to close ...");
        Console.ReadLine();
        host.Close();
    }
コード例 #9
ファイル: samplecli8.cs プロジェクト: stanasse/olive
    /// <summary>
    /// Calls the sample echo service through an asymmetric (mutual certificate)
    /// security element that also carries a Signed user-name supporting token.
    /// </summary>
    static void Run()
    {
        AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
        //security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        //security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
        //security.RequireSignatureConfirmation = true;

        //security.LocalClientSettings.DetectReplays = false;
        //security.IncludeTimestamp = false;

        // Built but not attached: the Endorsing.Add call below is commented out.
        X509SecurityTokenParameters endorsingCandidate = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial,
            SecurityTokenInclusionMode.AlwaysToRecipient);
        endorsingCandidate.RequireDerivedKeys = false;
        //security.EndpointSupportingTokenParameters.Endorsing.Add (endorsingCandidate);

        // The user-name token goes into the Signed list here, not SignedEncrypted.
        UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
        security.EndpointSupportingTokenParameters.Signed.Add(userNameToken);

        // Recipient certificate is only referenced; the initiator certificate is sent.
        security.RecipientTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint,
            SecurityTokenInclusionMode.Never);
        security.InitiatorTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint,
            SecurityTokenInclusionMode.AlwaysToRecipient);
        security.SetKeyDerivation(false);
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

        HttpTransportBindingElement transport = new HttpTransportBindingElement();
        CustomBinding binding = new CustomBinding(new XBE(), security, transport);

        // Both certificates come from local PFX files opened with a literal password.
        X509Certificate2 serviceCertificate = new X509Certificate2("test.pfx", "mono");
        X509Certificate2 clientCertificate = new X509Certificate2("test2.pfx", "mono");

        EndpointAddress address = new EndpointAddress(
            new Uri("http://localhost:8080"),
            new X509CertificateEndpointIdentity(serviceCertificate));
        FooProxy proxy = new FooProxy(binding, address);

        //proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        proxy.ClientCredentials.UserName.UserName = "******";
        proxy.ClientCredentials.ClientCertificate.Certificate = clientCertificate;
        proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
        proxy.Open();
        Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
    }
コード例 #10
        /// <summary>
        /// Creates a DocuSign SOAP API client for the demo endpoint and sets the given
        /// account's user id and the supplied password as its user-name credentials.
        /// </summary>
        /// <param name="Identity">Account whose <c>AccountID</c> and <c>UserID</c> are used.</param>
        /// <param name="password">Password placed on the client credentials.</param>
        /// <returns>The configured SOAP client.</returns>
        public static APIServiceSoap CreateApiProxy(Account Identity, string password)
        {
#if true
            // Active branch: collect the account id and the service URL, then build the client.
            AccountCredentials accountCredentials = new AccountCredentials();

            //If there are many accounts then the first one is chosen for sending
            accountCredentials.AccountId = Identity.AccountID;
            // The service address is fixed to the HTTPS demo endpoint.
            accountCredentials.ApiUrl    = "https://demo.docusign.net/api/3.0/api.asmx";
            APIServiceSoapClient apiService = new APIServiceSoapClient("APIServiceSoap", accountCredentials.ApiUrl);
            apiService.ClientCredentials.UserName.UserName = Identity.UserID;
            apiService.ClientCredentials.UserName.Password = password;

            return(apiService);
#else       // this is a security token configuration
            // Compiled out while the directive above reads "#if true".
            // NOTE(review): this branch reads accountCredentials, which is declared only
            // in the active branch, so it would need changes before it could be enabled.
            // this is required for certain calls like RequestRecipientToken
            // you need to get a certificate from Thawte or VeriSign first and install it
            DocuSignWeb.APIServiceSoapClient apiService = new DocuSignWeb.APIServiceSoapClient("APIServiceSoap1", accountCredentials.ApiUrl);
            apiService.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["APIUserName"];
            apiService.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["Password"];

            //
            // need to add the supporting token since DocuSign uses dual authentication
            // for critical calls
            // A user-name token (always sent to the recipient, no derived keys) is added as
            // a SignedEncrypted endpoint supporting token and the binding is rebuilt.
            CustomBinding                   binding         = (CustomBinding)apiService.Endpoint.Binding;
            BindingElementCollection        elements        = binding.CreateBindingElements();
            SecurityBindingElement          security        = elements.Find <SecurityBindingElement>();
            UserNameSecurityTokenParameters tokenParameters = new UserNameSecurityTokenParameters();
            tokenParameters.InclusionMode      = SecurityTokenInclusionMode.AlwaysToRecipient;
            tokenParameters.RequireDerivedKeys = false;
            security.EndpointSupportingTokenParameters.SignedEncrypted.Add(
                tokenParameters);
            apiService.Endpoint.Binding = new CustomBinding(elements.ToArray());;
            return(apiService);
#endif
        }
コード例 #11
ファイル: samplecli9.cs プロジェクト: stanasse/olive
    /// <summary>
    /// Calls the sample echo service through a symmetric security element: X.509
    /// protection token plus a SignedEncrypted user-name supporting token.
    /// </summary>
    static void Run()
    {
        SymmetricSecurityBindingElement security = new SymmetricSecurityBindingElement();

        // User-name credential, signed and encrypted, without derived keys.
        UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
        userNameToken.RequireDerivedKeys = false;
        security.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);

        // The service certificate is referenced by thumbprint and never sent.
        security.ProtectionTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint,
            SecurityTokenInclusionMode.Never);

        HttpTransportBindingElement transport = new HttpTransportBindingElement();
        CustomBinding binding = new CustomBinding(new XBE(), security, transport);

        // Service certificate from a local PFX opened with a literal password; it is
        // used as the expected endpoint identity.
        X509Certificate2 serviceCertificate = new X509Certificate2("test.pfx", "mono");
        EndpointAddress address = new EndpointAddress(
            new Uri("http://localhost:8080"),
            new X509CertificateEndpointIdentity(serviceCertificate));
        FooProxy proxy = new FooProxy(binding, address);

        proxy.ClientCredentials.UserName.UserName = "******";
        proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
        proxy.Open();
        Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
    }
コード例 #12
 // Constructor taking another instance; the base constructor receives `other`
 // (presumably to copy its settings - base class not visible here).
 protected UserNameSecurityTokenParameters(UserNameSecurityTokenParameters other)
     : base(other)
 {
     // Runs after the base constructor, so RequireDerivedKeys ends up false
     // whatever value `other` carried.
     base.RequireDerivedKeys = false;
 }
コード例 #13
        /// <summary>
        /// Checks the <c>ISecurityCapabilities</c> reported for symmetric and asymmetric
        /// security elements built from different token parameter combinations.
        /// </summary>
        /// <remarks>
        /// Every case expects <c>ProtectionLevel.EncryptAndSign</c> twice; only the three
        /// booleans vary. NOTE(review): judging by the per-case comments they presumably
        /// stand for client authentication, client Windows identity and server
        /// authentication, in that order; the helper's signature is not visible here.
        /// </remarks>
        public void GetPropertySecurityCapabilities()
        {
            ISecurityCapabilities capabilities;

            // Token parameter fixtures.
            RsaSecurityTokenParameters rsaToken = new RsaSecurityTokenParameters();
            UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
            X509SecurityTokenParameters x509Token = new X509SecurityTokenParameters();

            // Secure-conversation fixtures, one per bootstrap element shape.
            SecureConversationSecurityTokenParameters emptyBootstrap =
                new SecureConversationSecurityTokenParameters
                {
                    BootstrapSecurityBindingElement = new SymmetricSecurityBindingElement() // empty
                };
            SecureConversationSecurityTokenParameters symmetricX509Bootstrap =
                new SecureConversationSecurityTokenParameters
                {
                    BootstrapSecurityBindingElement = new SymmetricSecurityBindingElement(x509Token)
                };
            SecureConversationSecurityTokenParameters initiatorX509Bootstrap =
                new SecureConversationSecurityTokenParameters
                {
                    BootstrapSecurityBindingElement = new AsymmetricSecurityBindingElement(null, x509Token)
                };
            SecureConversationSecurityTokenParameters recipientX509Bootstrap =
                new SecureConversationSecurityTokenParameters
                {
                    BootstrapSecurityBindingElement = new AsymmetricSecurityBindingElement(x509Token, null)
                };

            // no parameters
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement());
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                false, false, false, capabilities, "#1");

            // x509 parameters for both
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement(x509Token));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, true, true, capabilities, "#2");

            // no initiator parameters
            capabilities = GetSecurityCapabilities(new AsymmetricSecurityBindingElement(x509Token, null));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                false, false, true, capabilities, "#3");

            // no recipient parameters
            capabilities = GetSecurityCapabilities(new AsymmetricSecurityBindingElement(null, x509Token));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, true, false, capabilities, "#4");

            // initiator does not support identity
            capabilities = GetSecurityCapabilities(new AsymmetricSecurityBindingElement(x509Token, rsaToken));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, false, true, capabilities, "#5");

            // recipient does not support server auth
            capabilities = GetSecurityCapabilities(new AsymmetricSecurityBindingElement(userNameToken, x509Token));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, true, false, capabilities, "#6");

            // secureconv with no symm. bootstrap params
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement(emptyBootstrap));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                false, false, false, capabilities, "#7");

            // secureconv with x509 symm. bootstrap params
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement(symmetricX509Bootstrap));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, true, true, capabilities, "#8");

            // secureconv with x509 initiator bootstrap params
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement(initiatorX509Bootstrap));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                true, true, false, capabilities, "#9");

            // secureconv with x509 recipient bootstrap params
            capabilities = GetSecurityCapabilities(new SymmetricSecurityBindingElement(recipientX509Bootstrap));
            AssertSecurityCapabilities(
                ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign,
                false, false, true, capabilities, "#10");

            // FIXME: find out such cases that returns other ProtectionLevel values.
        }
コード例 #14
 // Constructor taking another instance; the base constructor receives `other`
 // (presumably to copy its settings - base class not visible here).
 protected UserNameSecurityTokenParameters(UserNameSecurityTokenParameters other)
     : base(other)
 {
     // Runs after the base constructor, so RequireDerivedKeys ends up false
     // whatever value `other` carried.
     base.RequireDerivedKeys = false;
 }