/// <summary>
/// Builds the custom WCF binding used for Simple Order API requests: WS-Security 1.0
/// body signing (signing plus encryption when <c>config.UseSignedAndEncrypted</c> is set)
/// on top of a mutually authenticated HTTPS transport.
/// </summary>
/// <param name="config">Client configuration; only <c>UseSignedAndEncrypted</c> is read here.</param>
/// <returns>A <see cref="CustomBinding"/> whose elements are ordered security, encoder, transport.</returns>
protected static CustomBinding getWCFCustomBinding(Configuration config)
{
    // Mutual-certificate duplex element: the request body is signed with the client
    // certificate using the WS-Security 1.0 / BSP 1.0 profile the service expects.
    var security = (AsymmetricSecurityBindingElement)SecurityBindingElement
        .CreateMutualCertificateDuplexBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

    // SetKeyDerivation only flips RequireDerivedKeys on token parameters that are already
    // attached, so it is called here (after the factory assigned them) and again below once
    // the recipient / supporting parameters have been replaced.
    security.SetKeyDerivation(false);

    // NOTE(review): without a wsu:Timestamp there is no freshness window, so neither WCF
    // replay detection nor the service can reject a stale request; anyone who obtains a
    // request (logs, an intermediary inside the TLS boundary) can replay it for as long as
    // the client certificate is valid. Kept because the service returns an unsigned
    // timestamp (see the encoder below) -- confirm the service actually refuses a request
    // that carries one before leaving this off.
    security.IncludeTimestamp = false;
    // NOTE(review): responses without any WS-Security header are accepted, so response
    // authenticity rests on TLS alone rather than on a service signature.
    security.EnableUnsecuredResponse = true;
    // Lax layout: the service may order the security-header children freely.
    security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

    if (config.UseSignedAndEncrypted)
    {
        // NOTE(review): a custom identity verifier replaces WCF's check that the signing
        // certificate matches the endpoint identity; verify that CustomeIdentityVerifier
        // pins the expected service certificate instead of accepting any.
        security.LocalClientSettings.IdentityVerifier = new CustomeIdentityVerifier();
        security.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.Once,
        };
        // Sign, then encrypt the signed body; with this order the signature element itself
        // stays in clear (SignBeforeEncryptAndEncryptSignature would hide it).
        security.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
        security.EndpointSupportingTokenParameters.SignedEncrypted.Add(
            new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters());
        // Re-run now that new recipient / supporting parameters exist (see note above).
        security.SetKeyDerivation(false);
    }

    // Project encoder that strips the unsigned timestamp the service puts in its responses.
    var encoder = new CustomTextMessageBindingElement();

    // Mutual TLS: the client certificate is presented at the transport layer and no
    // HTTP-level authentication scheme is used.
    var transport = new HttpsTransportBindingElement
    {
        RequireClientCertificate = true,
        AuthenticationScheme = AuthenticationSchemes.Anonymous,
        // NOTE(review): int.MaxValue effectively removes the inbound size limit, so a
        // misbehaving or spoofed service can make the client buffer arbitrarily large
        // responses; size this to the largest response actually expected.
        MaxReceivedMessageSize = 2147483647,
        UseDefaultWebProxy = false,
    };

    if (mProxy != null)
    {
        // NOTE(review): this rewrites the process-wide default proxy, which affects every
        // other WebRequest in the AppDomain, not just this binding.
        WebRequest.DefaultWebProxy = mProxy;
        transport.UseDefaultWebProxy = true;
    }

    // Channel stack order: security, then message encoding, then transport.
    var binding = new CustomBinding();
    binding.Elements.Add(security);
    binding.Elements.Add(encoder);
    binding.Elements.Add(transport);
    return binding;
}
/// <summary>
/// Builds the asymmetric (mutual X.509) message-security element: the client token is
/// both the initiator token and a signed supporting token, the server token is referenced
/// externally and never serialized.
/// </summary>
/// <returns>The configured <see cref="AsymmetricSecurityBindingElement"/>.</returns>
private SecurityBindingElement CreateSecurity()
{
    // Client certificate: always sent to the service, referenced from inside the message.
    var initiator = new X509SecurityTokenParameters
    {
        X509ReferenceStyle = X509KeyIdentifierClauseType.Any,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
        RequireDerivedKeys = false,
        ReferenceStyle = SecurityTokenReferenceStyle.Internal,
    };

    // Service certificate: never serialized into the message, referenced externally.
    var recipient = new X509SecurityTokenParameters
    {
        X509ReferenceStyle = X509KeyIdentifierClauseType.Any,
        InclusionMode = SecurityTokenInclusionMode.Never,
        RequireDerivedKeys = false,
        ReferenceStyle = SecurityTokenReferenceStyle.External,
    };

    var element = new AsymmetricSecurityBindingElement
    {
        InitiatorTokenParameters = initiator,
        RecipientTokenParameters = recipient,
        // NOTE(review): responses carrying no security header are accepted, so response
        // authenticity is not guaranteed by this element alone.
        EnableUnsecuredResponse = true,
        IncludeTimestamp = true,
        SecurityHeaderLayout = SecurityHeaderLayout.Lax,
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256,
        MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
    };

    // The same parameter instance is registered a second time as a signed supporting
    // token. The original author notes this is only to make the asymmetric binding work:
    // it yields a second (signed) binary token plus signature, and a later step outside
    // this method is said to strip the unsigned duplicate -- verify that step exists,
    // otherwise two client tokens go on the wire.
    element.EndpointSupportingTokenParameters.Signed.Add(initiator);

    // Called last so it sees every attached token parameter.
    element.SetKeyDerivation(false);
    return element;
}
//<snippet1>
/// <summary>
/// Creates a client binding with mutual-certificate message security (WS-Security 1.0 /
/// BSP 1.0), issuer/serial key references for both certificates, over plain HTTP.
/// </summary>
/// <returns>A <see cref="CustomBinding"/> of the security element and an HTTP transport.</returns>
public Binding CreateClientBinding()
{
    var security = (AsymmetricSecurityBindingElement)SecurityBindingElement
        .CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

    // The factory has already attached initiator/recipient parameters, so this takes effect.
    security.SetKeyDerivation(false);

    // Reference both certificates by issuer name + serial number (BSP-friendly).
    var initiator = security.InitiatorTokenParameters as X509SecurityTokenParameters;
    if (initiator != null)
    {
        initiator.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
    }
    var recipient = security.RecipientTokenParameters as X509SecurityTokenParameters;
    if (recipient != null)
    {
        recipient.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
    }

    // NOTE(review): plain HTTP -- only what the message-security element signs/encrypts is
    // protected; anything outside it is visible and modifiable on the wire.
    return new CustomBinding(security, new HttpTransportBindingElement());
}
/// <summary>
/// Test core: configures an asymmetric element whose initiator token (UserName) carries
/// no key, then drives a call through it so that WCF validates the parameters.
/// </summary>
/// <param name="deriveKeys">Value passed to <c>SetKeyDerivation</c>.</param>
/// <param name="order">Message protection order to apply.</param>
public void ClientInitiatorHasNoKeysCore(bool deriveKeys, MessageProtectionOrder order)
{
    // A UserName initiator has no cryptographic key to sign or encrypt with, which is the
    // misconfiguration this test exercises.
    var security = new AsymmetricSecurityBindingElement
    {
        InitiatorTokenParameters = new UserNameSecurityTokenParameters(),
        RecipientTokenParameters = new X509SecurityTokenParameters(),
    };
    security.SetKeyDerivation(deriveKeys);
    security.MessageProtectionOrder = order;

    // Author's observation: .NET does not report the bad parameters until the message is
    // actually serialized, so the handler writes it to a null sink before throwing.
    var transport = new HandlerTransportBindingElement((Message input) =>
    {
        input.WriteMessage(XmlWriter.Create(TextWriter.Null));
        throw new Exception();
    });

    var binding = new CustomBinding(security, transport);
    var address = new EndpointAddress(new Uri("stream:dummy"), new X509CertificateEndpointIdentity(cert2));
    var proxy = new CalcProxy(binding, address);
    proxy.ClientCredentials.UserName.UserName = "******";

    // Open() does not validate the parameter combination; the first call does.
    proxy.Open();
    proxy.Sum(1, 2);
}
/// <summary>
/// Builds the binding element stack for the OIO IDWS SOAP 1.1 profile: an asymmetric
/// security element (SAML 2.0 issued token from the client, X.509 from the service),
/// SOAP 1.2 / WS-Addressing 1.0 text encoding, and HTTP or HTTPS transport.
/// </summary>
/// <returns>Elements in channel-stack order: security, encoding, transport.</returns>
public override BindingElementCollection CreateBindingElements()
{
    // NOTE(review): with _useHttps false everything outside the message-level protection
    // (addressing, HTTP headers) travels in clear and is modifiable on the wire.
    HttpTransportBindingElement transport;
    if (_useHttps)
    {
        transport = new HttpsTransportBindingElement();
    }
    else
    {
        transport = new HttpTransportBindingElement();
    }
    if (_maxReceivedMessageSize.HasValue)
    {
        transport.MaxReceivedMessageSize = _maxReceivedMessageSize.Value;
    }

    // [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Addressing 1.0.
    var encoding = new TextMessageEncodingBindingElement
    {
        MessageVersion = MessageVersion.Soap12WSAddressing10,
    };

    // AlwaysToInitiator is required by the profile: the service certificate is embedded
    // in the response.
    var serviceToken = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.Any,
        SecurityTokenInclusionMode.AlwaysToInitiator);

    // The client authenticates with a SAML 2.0 assertion issued by the STS.
    var clientToken = new CustomizedIssuedSecurityTokenParameters(
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
    {
        UseStrTransform = true,
    };

    // Constructor order is (recipient, initiator).
    var security = new AsymmetricSecurityBindingElement(serviceToken, clientToken)
    {
        // Required by the profile so the client accepts an embedded service certificate
        // instead of a reference. The client still has to configure the expected service
        // certificate explicitly; the original author had not found a way to trust the
        // embedded one via CA + CN alone. NOTE(review): keep it that way -- accepting an
        // embedded certificate on CN/CA alone would let any certificate from that CA
        // impersonate the service.
        AllowSerializedSigningTokenOnReply = true,
    };

    // Both parties hold certificates and the profile does not use derived keys.
    security.SetKeyDerivation(false);

    // The tokens themselves (the encrypted assertion from the STS) are covered by the signature.
    security.ProtectTokens = true;

    // EnableUnsecuredResponse is deliberately left at its default. Setting it true would
    // let SOAP faults travel unencrypted (the profile is silent on fault encryption, and
    // an unprepared client cannot process an encrypted fault) but it would also make
    // ordinary responses acceptable unsigned -- not what we want.
    //security.EnableUnsecuredResponse = true;

    return new BindingElementCollection { security, encoding, transport };
}
/// <summary>
/// Hosts <c>Foo</c> on http://localhost:8080 behind asymmetric (mutual X.509) message
/// security, publishes WSDL, and blocks until Enter is pressed. Loopback test harness.
/// </summary>
public static void Main()
{
    // Thumbprint references for both parties: the service certificate is never sent (the
    // client must already hold it), the client certificate is always sent.
    var security = new AsymmetricSecurityBindingElement
    {
        RecipientTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never),
        InitiatorTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient),
    };
    // Experiments the original author left disabled: Lax header layout, WSS 1.1 version,
    // RequireSignatureConfirmation, DetectReplays = false, IncludeTimestamp = false.

    // Built for an endorsing-token experiment that is disabled; never attached.
    var endorsingCandidate = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient)
    {
        RequireDerivedKeys = false,
    };
    //security.EndpointSupportingTokenParameters.Endorsing.Add(endorsingCandidate);

    // Token parameters are attached above, so this takes effect.
    security.SetKeyDerivation(false);
    security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    var host = new ServiceHost(typeof(Foo));
    var binding = new CustomBinding(security, new HttpTransportBindingElement())
    {
        ReceiveTimeout = TimeSpan.FromSeconds(5),
    };
    host.AddServiceEndpoint("IFoo", binding, new Uri("http://localhost:8080"));

    // NOTE(review): test credentials only. The PFX password is in source, and
    // CertificateValidationMode.None accepts *any* client certificate -- including a
    // self-signed one minted by an attacker -- so message-level client authentication is
    // effectively off. Do not copy this block into a non-loopback host.
    var credentials = new ServiceCredentials();
    credentials.ServiceCertificate.Certificate = new X509Certificate2("test.pfx", "mono");
    credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    host.Description.Behaviors.Add(credentials);

    // NOTE(review): exception details in faults expose stack traces to callers; debug only.
    host.Description.Behaviors.Find<ServiceDebugBehavior>().IncludeExceptionDetailInFaults = true;

    foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
    {
        endpoint.Behaviors.Add(new StdErrInspectionBehavior());
    }

    // WSDL over plain HTTP GET.
    host.Description.Behaviors.Add(new ServiceMetadataBehavior
    {
        HttpGetEnabled = true,
        HttpGetUrl = new Uri("http://localhost:8080/wsdl"),
    });

    host.Open();
    Console.WriteLine("Hit [CR] key to close ...");
    Console.ReadLine();
    host.Close();
}
/// <summary>
/// Hosts <c>Foo</c> on http://localhost:8080 behind asymmetric (mutual X.509) message
/// security plus a signed UserName supporting token, publishes WSDL, and blocks until
/// Enter is pressed. Loopback test harness.
/// </summary>
public static void Main ()
{
    var security = new AsymmetricSecurityBindingElement ();
    // Experiments the original author left disabled: Lax header layout, WSS 1.1 version,
    // RequireSignatureConfirmation, DetectReplays = false, IncludeTimestamp = false.

    // Service certificate is referenced by thumbprint and never serialized; the client
    // certificate is referenced by thumbprint and always sent.
    security.RecipientTokenParameters = new X509SecurityTokenParameters (
        X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
    security.InitiatorTokenParameters = new X509SecurityTokenParameters (
        X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);

    // Built for an endorsing-token experiment that is disabled; never attached.
    var endorsingCandidate = new X509SecurityTokenParameters (
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
    endorsingCandidate.RequireDerivedKeys = false;
    //security.EndpointSupportingTokenParameters.Endorsing.Add (endorsingCandidate);

    // UserName token carried as a signed supporting token.
    security.EndpointSupportingTokenParameters.Signed.Add (new UserNameSecurityTokenParameters ());

    // Token parameters are attached above, so this takes effect.
    security.SetKeyDerivation (false);
    security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    var host = new ServiceHost (typeof (Foo));
    var binding = new CustomBinding (security, new HttpTransportBindingElement ());
    binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
    host.AddServiceEndpoint ("IFoo", binding, new Uri ("http://localhost:8080"));

    // NOTE(review): test credentials only. The PFX password is in source;
    // CertificateValidationMode.None accepts *any* client certificate; and
    // UserNamePasswordValidator.None accepts any username/password, so the signed
    // UserName token authenticates nobody. Do not copy this block into a non-loopback host.
    var credentials = new ServiceCredentials ();
    credentials.ServiceCertificate.Certificate = new X509Certificate2 ("test.pfx", "mono");
    credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
    credentials.UserNameAuthentication.CustomUserNamePasswordValidator = UserNamePasswordValidator.None;
    host.Description.Behaviors.Add (credentials);

    // NOTE(review): exception details in faults expose stack traces to callers; debug only.
    host.Description.Behaviors.Find<ServiceDebugBehavior> ().IncludeExceptionDetailInFaults = true;

    foreach (ServiceEndpoint endpoint in host.Description.Endpoints) {
        endpoint.Behaviors.Add (new StdErrInspectionBehavior ());
    }

    // WSDL over plain HTTP GET.
    var metadata = new ServiceMetadataBehavior ();
    metadata.HttpGetEnabled = true;
    metadata.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
    host.Description.Behaviors.Add (metadata);

    host.Open ();
    Console.WriteLine ("Hit [CR] key to close ...");
    Console.ReadLine ();
    host.Close ();
}
/// <summary>
/// Creates an <c>NCIServiceWCFClient</c> for <paramref name="uri"/> with mutual X.509
/// message security (sign-before-encrypt, Basic128Rsa15, WS-Security 1.0) over plain HTTP,
/// loading the client PFX and service public certificate from App_Data.
/// </summary>
/// <param name="uri">Service endpoint address.</param>
/// <returns>A client with client and service certificates attached to its credentials.</returns>
/// <exception cref="InvalidOperationException">
/// Certificate paths or password are empty (see the note on reachability below).
/// </exception>
public static NCIServiceWCFClient CreateNCIServiceClient(Uri uri)
{
    // NOTE(review): test certificate paths and the PFX password are hard-coded into a
    // static factory and re-assigned on every call. Besides embedding a credential in
    // source, this makes the guard clauses below mostly dead: the password guard can never
    // fire, and the path guards only if MapPath yields nothing (e.g. outside an ASP.NET host).
    UCCProxyFactory.ClientCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/isbank_test_private.pfx");
    UCCProxyFactory.ServiceCertificatePath = HostingEnvironment.MapPath(@"~/App_Data/ucc_test_public.cer");
    UCCProxyFactory.ClientCertificatePassword = "******";

    // Process-wide: affects every HTTP request in the AppDomain, not only this client.
    System.Net.ServicePointManager.Expect100Continue = false;

    if (string.IsNullOrEmpty(ClientCertificatePath) || string.IsNullOrEmpty(ServiceCertificatePath))
    {
        throw new InvalidOperationException("You should specify certificates path first");
    }
    if (string.IsNullOrEmpty(ClientCertificatePassword))
    {
        throw new InvalidOperationException("You should specify ClientCertificatePassword");
    }

    clientCertificate = new X509Certificate2(ClientCertificatePath, ClientCertificatePassword);
    serviceCertificate = new X509Certificate2(ServiceCertificatePath);
    // The endpoint identity carries the service certificate; the client certificate is
    // passed as the supporting collection, as in the original.
    endpointIdentity = new X509CertificateEndpointIdentity(serviceCertificate, new X509Certificate2Collection(clientCertificate));
    var address = new EndpointAddress(uri, endpointIdentity);

    var encoder = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
    encoder.ReaderQuotas.MaxStringContentLength = 1200000;

    // NOTE(review): plain HTTP -- confidentiality and integrity come only from the
    // message-level security below; anything outside the protected body is exposed.
    var transport = new HttpTransportBindingElement
    {
        MaxReceivedMessageSize = 5000000,
    };

    var security = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
        MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    security.AllowSerializedSigningTokenOnReply = true;
    security.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
    // NOTE(review): the *Rsa15 suites wrap the symmetric key with RSA PKCS#1 v1.5, the
    // padding targeted by Bleichenbacher-style padding-oracle attacks when the receiver
    // leaks decryption failures. Basic128 (RSA-OAEP) is preferable if the service accepts
    // it -- confirm with the service owner before changing.
    security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
    // The factory already attached the token parameters, so this takes effect.
    security.SetKeyDerivation(false);

    // 50,000,000 ticks in the original == 5 s.
    var binding = new CustomBinding
    {
        CloseTimeout = TimeSpan.FromSeconds(5),
    };
    binding.Elements.Add(security);
    binding.Elements.Add(encoder);
    binding.Elements.Add(transport);

    var client = new NCIServiceWCFClient(binding, address);
    client.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
    client.ClientCredentials.ClientCertificate.Certificate = clientCertificate;
    // NOTE(review): chain and revocation validation of the service certificate is off.
    // Since the exact certificate is supplied as DefaultCertificate and in the endpoint
    // identity this presumably behaves like pinning rather than "trust anything", but
    // expiry and revocation of the pinned certificate go unchecked -- confirm intended.
    client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    return client;
}
/// <summary>
/// Client side of the Foo test: mutual X.509 message security plus a signed UserName
/// supporting token, over plain HTTP to localhost:8080, echoing one string. Test harness.
/// </summary>
static void Run()
{
    var security = new AsymmetricSecurityBindingElement();
    // Experiments the original author left disabled: Lax header layout, WSS 1.1 version,
    // RequireSignatureConfirmation, DetectReplays = false, IncludeTimestamp = false.

    // Built for an endorsing-token experiment that is disabled; never attached.
    var endorsingCandidate = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient)
    {
        RequireDerivedKeys = false,
    };
    //security.EndpointSupportingTokenParameters.Endorsing.Add(endorsingCandidate);

    // UserName token as a signed supporting token (only a user name is set below, no password).
    security.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

    // Service certificate referenced by thumbprint and never sent; client certificate
    // referenced by thumbprint and always sent.
    security.RecipientTokenParameters = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
    security.InitiatorTokenParameters = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);

    // Token parameters are attached above, so this takes effect.
    security.SetKeyDerivation(false);
    security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    // XBE is a project binding element placed above the security layer.
    var binding = new CustomBinding(new XBE(), security, new HttpTransportBindingElement());

    // NOTE(review): test PFX files with the password in source; test harness only.
    var serviceCert = new X509Certificate2("test.pfx", "mono");
    var clientCert = new X509Certificate2("test2.pfx", "mono");

    var proxy = new FooProxy(
        binding,
        new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(serviceCert)));
    // Service certificate validation is left at WCF's default (the None override stays disabled).
    //proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    proxy.ClientCredentials.UserName.UserName = "******";
    proxy.ClientCredentials.ClientCertificate.Certificate = clientCert;
    proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());

    proxy.Open();
    Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
}
/// <summary>
/// Builds the "ePUAPBinding": mutual-certificate message security (WS-Security 1.0 /
/// WS-Trust 1.3 / BSP 1.0, derived keys on, Basic192Rsa15, sign-before-encrypt) with
/// SOAP 1.1 text encoding over HTTPS.
/// </summary>
/// <returns>The configured <see cref="CustomBinding"/>.</returns>
private CustomBinding CreatePullBinding()
{
    var security = (AsymmetricSecurityBindingElement)SecurityBindingElement
        .CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

    // Unlike most asymmetric setups in this corpus, derived keys are switched ON here;
    // the factory has already attached the token parameters so the call takes effect.
    security.SetKeyDerivation(true);

    // Responses must carry a security header, and the element refuses to run without a
    // secure transport -- both are the safe settings.
    security.EnableUnsecuredResponse = false;
    security.AllowInsecureTransport = false;
    security.AllowSerializedSigningTokenOnReply = true;
    // NOTE(review): Basic192Rsa15 wraps the symmetric key with RSA PKCS#1 v1.5, the padding
    // behind Bleichenbacher-style oracle attacks; the non-Rsa15 suite (RSA-OAEP) is
    // preferable if ePUAP accepts it -- confirm before changing.
    security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic192Rsa15;
    // Timestamp gives replay detection a freshness window.
    security.IncludeTimestamp = true;
    security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    // SOAP 1.1 without WS-Addressing; new UTF8Encoding() emits no BOM (Encoding.UTF8 would).
    var encoder = new TextMessageEncodingBindingElement
    {
        MessageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11, AddressingVersion.None),
        WriteEncoding = new UTF8Encoding(),
    };

    // Stack order: security, encoding, HTTPS transport.
    var binding = new CustomBinding(security, encoder, new HttpsTransportBindingElement())
    {
        Name = "ePUAPBinding",
    };
    return binding;
}
/// <summary>
/// Builds the custom WCF binding used for Simple Order API requests: WS-Security 1.0
/// body signing with the client certificate on top of a mutually authenticated HTTPS
/// transport.
/// </summary>
/// <returns>A <see cref="CustomBinding"/> whose elements are ordered security, encoder, transport.</returns>
protected static CustomBinding getWCFCustomBinding()
{
    // Mutual-certificate duplex element using the WS-Security 1.0 / BSP 1.0 profile the
    // service expects; the factory attaches the initiator/recipient token parameters.
    var security = (AsymmetricSecurityBindingElement)SecurityBindingElement
        .CreateMutualCertificateDuplexBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    // Takes effect because the token parameters are already attached.
    security.SetKeyDerivation(false);

    // NOTE(review): without a wsu:Timestamp there is no freshness window, so neither WCF
    // replay detection nor the service can reject a stale request; a captured request can
    // be replayed for as long as the client certificate is valid. Kept because the service
    // returns an unsigned timestamp (see the encoder below) -- confirm the service actually
    // refuses a request that carries one before leaving this off.
    security.IncludeTimestamp = false;
    // NOTE(review): responses without any WS-Security header are accepted, so response
    // authenticity rests on TLS alone rather than on a service signature.
    security.EnableUnsecuredResponse = true;
    security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

    // Project encoder that strips the unsigned timestamp the service puts in its responses.
    var encoder = new CustomTextMessageBindingElement();

    // Mutual TLS at the transport layer; no HTTP-level authentication scheme.
    var transport = new HttpsTransportBindingElement();
    transport.RequireClientCertificate = true;
    transport.AuthenticationScheme = AuthenticationSchemes.Anonymous;
    // NOTE(review): int.MaxValue effectively removes the inbound size limit; a misbehaving
    // or spoofed service can make the client buffer arbitrarily large responses.
    transport.MaxReceivedMessageSize = 2147483647;
    transport.UseDefaultWebProxy = false;

    if (mProxy != null)
    {
        // NOTE(review): rewrites the process-wide default proxy, affecting every other
        // WebRequest in the AppDomain, not just this binding.
        WebRequest.DefaultWebProxy = mProxy;
        transport.UseDefaultWebProxy = true;
    }

    // Channel stack order: security, then message encoding, then transport.
    return new CustomBinding(security, encoder, transport);
}
/// <summary>
/// Pins down the ordering contract of <c>SetKeyDerivation</c>: it only rewrites
/// <c>RequireDerivedKeys</c> on token parameters that are attached at the time of the
/// call. Parameters attached afterwards keep their default (true), which silently
/// re-enables derived keys -- a common interop pitfall.
/// </summary>
public void SetKeyDerivation()
{
    // Parameters attached first, then SetKeyDerivation(false): both are updated.
    var initiator = new X509SecurityTokenParameters();
    var recipient = new X509SecurityTokenParameters();
    var element = new AsymmetricSecurityBindingElement
    {
        InitiatorTokenParameters = initiator,
        RecipientTokenParameters = recipient,
    };
    element.SetKeyDerivation(false);
    Assert.IsFalse(initiator.RequireDerivedKeys, "#1");
    Assert.IsFalse(recipient.RequireDerivedKeys, "#2");

    // SetKeyDerivation(false) first, parameters attached afterwards: nothing is updated.
    initiator = new X509SecurityTokenParameters();
    recipient = new X509SecurityTokenParameters();
    element = new AsymmetricSecurityBindingElement();
    element.SetKeyDerivation(false);
    element.InitiatorTokenParameters = initiator;
    element.RecipientTokenParameters = recipient;
    Assert.IsTrue(initiator.RequireDerivedKeys, "#3");
    Assert.IsTrue(recipient.RequireDerivedKeys, "#4");
}
/// <summary>
/// WS-Security 1.0 variant: mutual X.509 message security with issuer/serial references,
/// Basic256, sign-before-encrypt, timestamp on, no derived keys.
/// </summary>
/// <returns>The configured <see cref="AsymmetricSecurityBindingElement"/>.</returns>
private SecurityBindingElement CreateWSS10SecurityBindingElement()
{
    var element = new AsymmetricSecurityBindingElement
    {
        SecurityHeaderLayout = SecurityHeaderLayout.Lax,
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256,
        MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
        IncludeTimestamp = true,
        AllowSerializedSigningTokenOnReply = true,
        RequireSignatureConfirmation = false,
    };

    // No token parameters are attached yet, so this call has nothing to act on; the
    // explicit RequireDerivedKeys = false on each parameter below is what takes effect.
    element.SetKeyDerivation(false);

    // Client certificate: issuer/serial reference, always sent to the service.
    element.InitiatorTokenParameters = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
    };

    // Service certificate: issuer/serial reference, never serialized.
    element.RecipientTokenParameters = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.Never,
    };

    // Supporting (issued / endorsing) tokens and the WSS 1.1 version were tried and left
    // disabled in the original.
    element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
    return element;
}
/// <summary>
/// WS-Security 1.1 variant: mutual X.509 message security (SubjectKeyIdentifier
/// references) carrying a SAML 2.0 bearer assertion as a signed supporting token.
/// </summary>
/// <returns>The configured <see cref="AsymmetricSecurityBindingElement"/>.</returns>
private SecurityBindingElement CreateWSS11SecurityBindingElement()
{
    var element = new AsymmetricSecurityBindingElement
    {
        SecurityHeaderLayout = SecurityHeaderLayout.Lax,
        // Basic256Rsa15 was tried and left disabled in the original.
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256,
        MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
        IncludeTimestamp = true,
        AllowSerializedSigningTokenOnReply = true,
        // NOTE(review): signature confirmation is available with WSS 1.1 but is off here,
        // so a response is not cryptographically tied back to the request signature.
        RequireSignatureConfirmation = false,
    };

    // No token parameters are attached yet, so this has nothing to act on; each token
    // below sets RequireDerivedKeys = false explicitly instead.
    element.SetKeyDerivation(false);

    // Retained from the original but unused: the STS address / binding overloads of the
    // issued-token parameters were commented out, so no issuer is wired in here.
    string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc";

    // NOTE(review): a bearer assertion carries no proof key, so the service only learns
    // that the holder of the client certificate presented it; the assertion's own
    // signature, audience and validity window must be checked by the service. It is added
    // as Signed (not SignedEncrypted), i.e. readable at the message layer.
    var assertion = new IssuedSecurityTokenParameters(
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
    {
        UseStrTransform = false,
        KeyType = SecurityKeyType.BearerKey,
        KeySize = 0,
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
        ReferenceStyle = SecurityTokenReferenceStyle.Internal,
    };
    // Claim-type requirements (SurName, GivenName, EmailAddressText, TelephoneNumber,
    // FederationId) were tried and left disabled in the original.
    element.EndpointSupportingTokenParameters.Signed.Add(assertion);

    // Key identifier style; the original notes this belongs in configuration.
    var keyIdStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;

    // Client certificate: always sent, referenced externally.
    element.InitiatorTokenParameters = new X509SecurityTokenParameters(
        keyIdStyle, SecurityTokenInclusionMode.AlwaysToRecipient)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
        ReferenceStyle = SecurityTokenReferenceStyle.External,
    };

    // Service certificate: never serialized, referenced externally.
    element.RecipientTokenParameters = new X509SecurityTokenParameters(
        keyIdStyle, SecurityTokenInclusionMode.Never)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.Never,
        ReferenceStyle = SecurityTokenReferenceStyle.External,
    };

    element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
    return element;
}
/// <summary>
/// Builds the asymmetric (mutual X.509) message-security element. The client token is
/// used twice -- as the initiator token and as a signed supporting token -- and the
/// server token is referenced externally and never serialized.
/// </summary>
/// <returns>The configured <see cref="AsymmetricSecurityBindingElement"/>.</returns>
private SecurityBindingElement CreateSecurity()
{
    var security = new AsymmetricSecurityBindingElement();

    // Client certificate: always sent to the service, referenced from inside the message.
    var clientCert = new X509SecurityTokenParameters();
    clientCert.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
    clientCert.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    clientCert.RequireDerivedKeys = false;
    clientCert.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    security.InitiatorTokenParameters = clientCert;

    // Service certificate: never serialized into the message, referenced externally.
    var serverCert = new X509SecurityTokenParameters();
    serverCert.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
    serverCert.InclusionMode = SecurityTokenInclusionMode.Never;
    serverCert.RequireDerivedKeys = false;
    serverCert.ReferenceStyle = SecurityTokenReferenceStyle.External;
    security.RecipientTokenParameters = serverCert;

    // Same instance registered again as a signed supporting token. Per the original
    // author this only exists to make the asymmetric binding work: it produces a second
    // (signed) binary token plus signature, and a later step outside this method is said
    // to strip the unsigned duplicate -- verify that step exists, otherwise two client
    // tokens go on the wire.
    security.EndpointSupportingTokenParameters.Signed.Add(clientCert);

    // NOTE(review): responses carrying no security header are accepted, so response
    // authenticity is not guaranteed by this element alone.
    security.EnableUnsecuredResponse = true;
    security.IncludeTimestamp = true;
    security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
    security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
    security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

    // Called last so it sees every attached token parameter.
    security.SetKeyDerivation(false);
    return security;
}
/// <summary>
/// Pins down the ordering contract of <c>SetKeyDerivation</c>: only token parameters
/// attached at call time get their <c>RequireDerivedKeys</c> rewritten; parameters
/// attached later keep the default (true). Interop code that relies on "no derived
/// keys" must therefore call it after attaching parameters.
/// </summary>
public void SetKeyDerivation ()
{
    X509SecurityTokenParameters initiator, recipient;
    AsymmetricSecurityBindingElement element;

    // Attach, then SetKeyDerivation(false): both parameters are updated.
    initiator = new X509SecurityTokenParameters ();
    recipient = new X509SecurityTokenParameters ();
    element = new AsymmetricSecurityBindingElement ();
    element.InitiatorTokenParameters = initiator;
    element.RecipientTokenParameters = recipient;
    element.SetKeyDerivation (false);
    Assert.IsFalse (initiator.RequireDerivedKeys, "#1");
    Assert.IsFalse (recipient.RequireDerivedKeys, "#2");

    // SetKeyDerivation(false), then attach: neither parameter is updated.
    initiator = new X509SecurityTokenParameters ();
    recipient = new X509SecurityTokenParameters ();
    element = new AsymmetricSecurityBindingElement ();
    element.SetKeyDerivation (false);
    element.InitiatorTokenParameters = initiator;
    element.RecipientTokenParameters = recipient;
    Assert.IsTrue (initiator.RequireDerivedKeys, "#3");
    Assert.IsTrue (recipient.RequireDerivedKeys, "#4");
}
/// <summary>
/// Test core: configures an asymmetric element whose initiator token (UserName) has no
/// key, then drives one call through it so WCF is forced to validate the parameters.
/// </summary>
/// <param name="deriveKeys">Value passed to <c>SetKeyDerivation</c>.</param>
/// <param name="order">Message protection order to apply.</param>
public void ClientInitiatorHasNoKeysCore (bool deriveKeys, MessageProtectionOrder order)
{
    // A UserName initiator cannot sign or encrypt; that misconfiguration is the subject.
    var element = new AsymmetricSecurityBindingElement ();
    element.InitiatorTokenParameters = new UserNameSecurityTokenParameters ();
    element.RecipientTokenParameters = new X509SecurityTokenParameters ();
    element.SetKeyDerivation (deriveKeys);
    element.MessageProtectionOrder = order;

    // Author's observation: .NET only surfaces the bad parameters once the message is
    // serialized, so the handler writes it to a null sink before throwing.
    var transport = new HandlerTransportBindingElement ((Message input) => {
        input.WriteMessage (XmlWriter.Create (TextWriter.Null));
        throw new Exception ();
    });

    var endpoint = new EndpointAddress (
        new Uri ("stream:dummy"),
        new X509CertificateEndpointIdentity (cert2));
    var proxy = new CalcProxy (new CustomBinding (element, transport), endpoint);
    proxy.ClientCredentials.UserName.UserName = "******";

    // Open() does not validate the parameter combination; the first call does.
    proxy.Open ();
    proxy.Sum (1, 2);
}
/// <summary>
/// Builds the WS-Security 1.1 asymmetric element for the WSP secured binding: mutual
/// X.509 (thumbprint references, Basic256Sha256, sign-before-encrypt, signature
/// confirmation on) carrying a SAML 2.0 bearer assertion as a signed supporting token,
/// with a project-specific identity verifier on the client side.
/// </summary>
/// <returns>The configured <see cref="AsymmetricSecurityBindingElement"/>.</returns>
private SecurityBindingElement CreateSecurityBindingElement()
{
    var trace = new CustomTextTraceSource(
        "Common.WspCustomSecuredBinding.CreateSecurityBindingElement",
        "MyTraceSource",
        System.Diagnostics.SourceLevels.Information);

    var element = new AsymmetricSecurityBindingElement
    {
        SecurityHeaderLayout = SecurityHeaderLayout.Lax,
        // SHA-256 suite (Basic256 was the earlier choice, now disabled).
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256,
        MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
        IncludeTimestamp = true,
        AllowSerializedSigningTokenOnReply = true,
        // Signature confirmation ties the response back to the request signature.
        RequireSignatureConfirmation = true,
    };

    // No token parameters are attached yet, so this has nothing to act on; each token
    // below sets RequireDerivedKeys = false explicitly instead.
    element.SetKeyDerivation(false);

    // SAML 2.0 assertion from the STS. STR-Transform is needed for WSS SAML Token Profile
    // 1.1 compliance; the original targets .NET 3.5 and notes it does not work on .NET 4.
    var assertion = new IssuedSecurityTokenParameters(
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
    assertion.UseStrTransform = _enableStrTransform;
    trace.TraceInformation("issuedTokenParameters.UseStrTransform = " + assertion.UseStrTransform.ToString());

    // Bearer key type: no proof key, so possession of the assertion is not demonstrated
    // cryptographically -- the service must validate the assertion itself.
    assertion.KeyType = SecurityKeyType.BearerKey;
    assertion.KeySize = 0;
    assertion.RequireDerivedKeys = false;
    assertion.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    assertion.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    // Claim-type requirements are not needed for the out-of-band requests made here.

    // NOTE(review): the original cites GFIPM S2S 6.4 (encrypted user assertion) but the
    // active line is the "For debug" variant -- Signed, not SignedEncrypted -- so the user
    // assertion is readable at the message layer. Do not ship this as-is.
    //element.EndpointSupportingTokenParameters.SignedEncrypted.Add(assertion);
    element.EndpointSupportingTokenParameters.Signed.Add(assertion);

    var keyIdStyle = X509KeyIdentifierClauseType.Thumbprint;

    // Client certificate: thumbprint reference, always sent to the service.
    element.InitiatorTokenParameters = new X509SecurityTokenParameters(
        keyIdStyle, SecurityTokenInclusionMode.AlwaysToRecipient)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
    };

    // Service certificate: thumbprint reference, always embedded in the response.
    element.RecipientTokenParameters = new X509SecurityTokenParameters(
        keyIdStyle, SecurityTokenInclusionMode.AlwaysToInitiator)
    {
        RequireDerivedKeys = false,
        InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator,
    };

    element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

    // NOTE(review): a custom identity verifier replaces WCF's check that the signing
    // certificate matches the endpoint identity; confirm CustomIdentityVerifier pins the
    // expected service certificate rather than accepting whatever is embedded in the reply.
    element.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();

    return element;
}