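/// <summary>
/// Known-answer test: signing a fixed message with a fixed HMAC-SHA association
/// secret must yield exactly the base64 signature pinned below. Any change to the
/// set of signed parameters, their order or their encoding will (correctly) fail here.
/// </summary>
public void SignaturesMatchKnownGood() {
    Protocol protocol = Protocol.V20;
    var settings = new ProviderSecuritySettings();
    var store = new AssociationMemoryStore<AssociationRelyingPartyType>();

    // Fixed 256-bit association secret. Test-only material, not a real key.
    byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
    Association association = HmacShaAssociation.Create("mock", associationSecret, TimeSpan.FromDays(1));
    store.StoreAssociation(AssociationRelyingPartyType.Smart, association);

    SigningBindingElement signer = new SigningBindingElement(store, settings);
    signer.Channel = new TestChannel(this.MessageDescriptions);

    IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
    ITamperResistantOpenIdMessage signedMessage = message;
    message.ProviderEndpoint = new Uri("http://provider");

    // Build the timestamp directly instead of DateTime.Parse("1/1/2009"): Parse honours
    // the current thread culture (date-part order, separators and even the calendar),
    // so the signed value -- and therefore the expected signature -- would differ on
    // some machines. Kind stays Unspecified, exactly as Parse produced it, so the value
    // handed to the signer is unchanged.
    signedMessage.UtcCreationDate = new DateTime(2009, 1, 1);
    signedMessage.AssociationHandle = association.Handle;

    Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
    Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
}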
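/// <summary>
/// Known-answer test for the crypto-key-store backed signer: a fixed message signed
/// with a fixed association secret must yield exactly the base64 signature pinned
/// below. Any change to the signed-parameter set, order or encoding will fail here.
/// </summary>
public void SignaturesMatchKnownGood() {
    Protocol protocol = Protocol.V20;
    var settings = new ProviderSecuritySettings();
    var cryptoStore = new MemoryCryptoKeyStore();

    // Fixed 256-bit association secret. Test-only material, not a real key.
    byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
    string handle = "mock";
    // Expiry a day out so the key is valid for the whole test run.
    cryptoStore.StoreKey(ProviderAssociationKeyStorage.SharedAssociationBucket, handle, new CryptoKey(associationSecret, DateTime.UtcNow.AddDays(1)));
    var store = new ProviderAssociationKeyStorage(cryptoStore);

    SigningBindingElement signer = new SigningBindingElement(store, settings);
    signer.Channel = new TestChannel(this.MessageDescriptions);

    IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
    ITamperResistantOpenIdMessage signedMessage = message;
    message.ProviderEndpoint = new Uri("http://provider");

    // Build the timestamp directly instead of DateTime.Parse("1/1/2009"): Parse honours
    // the current thread culture (date-part order, separators and even the calendar),
    // so the signed value -- and therefore the expected signature -- would differ on
    // some machines. Kind stays Unspecified, exactly as Parse produced it, so the value
    // handed to the signer is unchanged.
    signedMessage.UtcCreationDate = new DateTime(2009, 1, 1);
    signedMessage.AssociationHandle = handle;

    Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
    Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
}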
/// <summary>
/// Verifies that extra data on a signed response is covered by the signature only when
/// it carries the "openid." prefix; any other extra parameter travels unsigned.
/// </summary>
public void SignedResponsesIncludeExtraDataInSignature() {
    var protocol = Protocol.Default;
    var sbe = new SigningBindingElement(new AssociationMemoryStore<AssociationRelyingPartyType>(), new ProviderSecuritySettings());
    sbe.Channel = new TestChannel(this.MessageDescriptions);

    var response = new IndirectSignedResponse(protocol.Version, RPUri) {
        ReturnTo = RPUri,
        ProviderEndpoint = OPUri,
    };
    response.ExtraData["someunsigned"] = "value";
    response.ExtraData["openid.somesigned"] = "value";

    Assert.IsNotNull(sbe.ProcessOutgoingMessage(response));

    var signedResponse = (ITamperResistantOpenIdMessage)response;
    Assert.IsNotNull(signedResponse.SignedParameterOrder);

    // The signed list names parameters without their "openid." prefix, and only
    // parameters that had that prefix are eligible to appear in it.
    var signedNames = signedResponse.SignedParameterOrder.Split(',');
    Assert.IsTrue(Array.IndexOf(signedNames, "somesigned") >= 0);
    Assert.IsFalse(Array.IndexOf(signedNames, "someunsigned") >= 0);
}
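/// <summary>
/// Builds the ordered set of binding elements for an OpenID channel acting in either
/// the relying party or the provider role.
/// </summary>
/// <typeparam name="T">The distinguishing factor used by the association store.</typeparam>
/// <param name="associationStore">
/// The association store. A relying party may pass null, in which case the return_to
/// nonce and return_to signature elements are omitted; when supplied it must be keyed by
/// Uri. A provider must supply a store keyed by AssociationRelyingPartyType.
/// </param>
/// <param name="nonceStore">The nonce store. Required for providers; optional for relying parties.</param>
/// <param name="securitySettings">Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or <see cref="ProviderSecuritySettings"/>.</param>
/// <param name="nonVerifying">
/// Relying party only. When true, the replay-protection, expiration and signing elements
/// are replaced by a <see cref="SkipSecurityBindingElement"/>.
/// </param>
/// <returns>An array of binding elements which may be used to construct the channel.</returns>
private static IChannelBindingElement[] InitializeBindingElements<T>(IAssociationStore<T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings, bool nonVerifying) {
    Contract.Requires<ArgumentNullException>(securitySettings != null);
    Contract.Requires<ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);

    var rpSecuritySettings = securitySettings as RelyingPartySecuritySettings;
    var opSecuritySettings = securitySettings as ProviderSecuritySettings;
    ErrorUtilities.VerifyInternal(rpSecuritySettings != null || opSecuritySettings != null, "Expected an RP or OP security settings instance.");
    ErrorUtilities.VerifyInternal(!nonVerifying || rpSecuritySettings != null, "Non-verifying channels can only be constructed for relying parties.");
    bool isRelyingPartyRole = rpSecuritySettings != null;

    // The store is keyed by Uri for relying parties and by AssociationRelyingPartyType
    // for providers; a store of the wrong key type becomes null in these 'as' casts.
    var rpAssociationStore = associationStore as IAssociationStore<Uri>;
    var opAssociationStore = associationStore as IAssociationStore<AssociationRelyingPartyType>;
    ErrorUtilities.VerifyInternal(isRelyingPartyRole || opAssociationStore != null, "Providers MUST have an association store.");
    // Mirror the provider check on the RP side: a non-null store of the wrong key type
    // would otherwise hand a null store to the signing and return_to elements below.
    ErrorUtilities.VerifyInternal(!isRelyingPartyRole || associationStore == null || rpAssociationStore != null, "Relying parties that supply an association store MUST use an IAssociationStore<Uri>.");

    SigningBindingElement signingElement;
    if (isRelyingPartyRole) {
        // A non-verifying RP channel never checks signatures, so it gets no signer.
        signingElement = nonVerifying ? null : new SigningBindingElement(rpAssociationStore);
    } else {
        signingElement = new SigningBindingElement(opAssociationStore, opSecuritySettings);
    }

    var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
    List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8);
    elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));

    if (isRelyingPartyRole) {
        elements.Add(new RelyingPartySecurityOptions(rpSecuritySettings));
        elements.Add(new BackwardCompatibilityBindingElement());
        ReturnToNonceBindingElement requestNonceElement = null;
        if (associationStore != null) {
            if (nonceStore != null) {
                // There is no point in having a ReturnToNonceBindingElement without
                // a ReturnToSignatureBindingElement because the nonce could be
                // artificially changed without it.
                requestNonceElement = new ReturnToNonceBindingElement(nonceStore, rpSecuritySettings);
                elements.Add(requestNonceElement);
            }

            // It is important that the return_to signing element comes last
            // so that the nonce is included in the signature.
            elements.Add(new ReturnToSignatureBindingElement(rpAssociationStore, rpSecuritySettings));
        }

        // Rejecting unsolicited assertions depends on the return_to nonce, so it
        // cannot be honoured without a nonce store (and an association store).
        ErrorUtilities.VerifyOperation(!rpSecuritySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
    } else {
        // Providers must always have a nonce store.
        ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
    }

    if (nonVerifying) {
        // NOTE(review): none of the replay-protection, expiration or message-signing
        // elements are added on this path, so such a channel must never be used to
        // accept assertions from an untrusted party -- confirm at the call sites.
        elements.Add(new SkipSecurityBindingElement());
    } else {
        if (nonceStore != null) {
            elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
        }

        elements.Add(new StandardExpirationBindingElement());
        elements.Add(signingElement);
    }

    return elements.ToArray();
}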
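/// <summary>
/// Builds the ordered set of binding elements for an OpenID channel acting in either
/// the relying party or the provider role.
/// </summary>
/// <typeparam name="T">The distinguishing factor used by the association store.</typeparam>
/// <param name="associationStore">
/// The association store. A relying party may pass null, in which case the return_to
/// nonce and return_to signature elements are omitted; when supplied it must be keyed by
/// Uri. A provider must supply a store keyed by AssociationRelyingPartyType.
/// </param>
/// <param name="nonceStore">The nonce store. Required for providers; optional for relying parties.</param>
/// <param name="securitySettings">The security settings to apply. Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or <see cref="ProviderSecuritySettings"/>.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements<T>(IAssociationStore<T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings) {
    ErrorUtilities.VerifyArgumentNotNull(securitySettings, "securitySettings");

    var rpSecuritySettings = securitySettings as RelyingPartySecuritySettings;
    var opSecuritySettings = securitySettings as ProviderSecuritySettings;
    ErrorUtilities.VerifyInternal(rpSecuritySettings != null || opSecuritySettings != null, "Expected an RP or OP security settings instance.");
    bool isRelyingPartyRole = rpSecuritySettings != null;

    // The store is keyed by Uri for relying parties and by AssociationRelyingPartyType
    // for providers; a store of the wrong key type becomes null in these 'as' casts.
    var rpAssociationStore = associationStore as IAssociationStore<Uri>;
    var opAssociationStore = associationStore as IAssociationStore<AssociationRelyingPartyType>;
    ErrorUtilities.VerifyInternal(isRelyingPartyRole || opAssociationStore != null, "Providers MUST have an association store.");
    // Mirror the provider check on the RP side: a non-null store of the wrong key type
    // would otherwise hand a null store to the signing and return_to elements below.
    ErrorUtilities.VerifyInternal(!isRelyingPartyRole || associationStore == null || rpAssociationStore != null, "Relying parties that supply an association store MUST use an IAssociationStore<Uri>.");

    SigningBindingElement signingElement;
    if (isRelyingPartyRole) {
        signingElement = new SigningBindingElement(rpAssociationStore);
    } else {
        signingElement = new SigningBindingElement(opAssociationStore, opSecuritySettings);
    }

    List<IChannelBindingElement> elements = new List<IChannelBindingElement>(7);
    if (isRelyingPartyRole) {
        elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), rpSecuritySettings));
        elements.Add(new BackwardCompatibilityBindingElement());
        if (associationStore != null) {
            if (nonceStore != null) {
                // There is no point in having a ReturnToNonceBindingElement without
                // a ReturnToSignatureBindingElement because the nonce could be
                // artificially changed without it.
                elements.Add(new ReturnToNonceBindingElement(nonceStore));
            }

            // It is important that the return_to signing element comes last
            // so that the nonce is included in the signature.
            elements.Add(new ReturnToSignatureBindingElement(rpAssociationStore, rpSecuritySettings));
        }
    } else {
        elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), opSecuritySettings));

        // Providers must always have a nonce store.
        ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
    }

    // Replay protection is only available when a nonce store was supplied; expiration
    // and signing are always applied.
    if (nonceStore != null) {
        elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
    }

    elements.Add(new StandardExpirationBindingElement());
    elements.Add(signingElement);

    return elements.ToArray();
}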
/// <summary>
/// Builds the binding elements for an OpenID Provider channel: extension handling,
/// replay protection, expiration and, last, message signing.
/// </summary>
/// <param name="cryptoKeyStore">The OpenID Provider's association (crypto key) store. Required.</param>
/// <param name="nonceStore">The nonce store backing replay protection. Required.</param>
/// <param name="securitySettings">The Provider's security settings. Required.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
    Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
    Contract.Requires<ArgumentNullException>(securitySettings != null);
    Contract.Requires<ArgumentNullException>(nonceStore != null);

    var signingElement = new SigningBindingElement(cryptoKeyStore, securitySettings);
    var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

    // Element order is preserved from construction; the signer is the final element.
    return new IChannelBindingElement[] {
        new ExtensionsBindingElement(extensionFactory, securitySettings),
        new StandardReplayProtectionBindingElement(nonceStore, true),
        new StandardExpirationBindingElement(),
        signingElement,
    };
}