public UserNameCertificateBinding() { //add security // var securityElement = // SecurityBindingElement.CreateUserNameForCertificateBindingElement(); var securityElement = new SymmetricSecurityBindingElement(); var x509TokenParameters = new X509SecurityTokenParameters(); // how to find certificate // this will be used by securitymanager to find the certificate when create x509security tokens //x509TokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; //The token is never included in messages but is referenced. The token must be known to the recipient out of band x509TokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; securityElement.ProtectionTokenParameters = x509TokenParameters; securityElement.EndpointSupportingTokenParameters. SignedEncrypted.Add(new UserNameSecurityTokenParameters()); securityElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; securityElement.RequireSignatureConfirmation = true; Elements.Add(securityElement); // Message Encoding var textEncoding = new GZipMessageEncodingBindingElement(); textEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10; Elements.Add(textEncoding); // Transport Elements.Add(new HttpTransportBindingElement()); }
public static Binding ChangeMessageSecurityOptions(this Binding binding) { var customBinding = new CustomBinding(binding); var minutes15 = TimeSpan.FromMinutes(15); customBinding.ReceiveTimeout = minutes15; customBinding.SendTimeout = minutes15; var tokenParameters = new X509SecurityTokenParameters { X509ReferenceStyle = X509KeyIdentifierClauseType.Any, RequireDerivedKeys = false, InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient }; var securityBindingElement = customBinding.Elements.Find<AsymmetricSecurityBindingElement>(); securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; securityBindingElement.InitiatorTokenParameters = tokenParameters; securityBindingElement.LocalClientSettings.DetectReplays = false; securityBindingElement.IncludeTimestamp = false; securityBindingElement.LocalClientSettings.TimestampValidityDuration = new TimeSpan(12, 0, 0); return customBinding; }
public static void Main () { AsymmetricSecurityBindingElement sbe = new AsymmetricSecurityBindingElement (); //sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; //sbe.RequireSignatureConfirmation = true; //sbe.LocalServiceSettings.DetectReplays = false; //sbe.IncludeTimestamp = false; sbe.RecipientTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); sbe.InitiatorTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); X509SecurityTokenParameters p = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; //sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); UserNameSecurityTokenParameters up = new UserNameSecurityTokenParameters (); sbe.EndpointSupportingTokenParameters.Signed.Add (up); sbe.SetKeyDerivation (false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost (typeof (Foo)); HttpTransportBindingElement hbe = new HttpTransportBindingElement (); CustomBinding binding = new CustomBinding (sbe, hbe); binding.ReceiveTimeout = TimeSpan.FromSeconds (5); host.AddServiceEndpoint ("IFoo", binding, new Uri ("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; cred.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; cred.UserNameAuthentication.CustomUserNamePasswordValidator = UserNamePasswordValidator.None; host.Description.Behaviors.Add (cred); host.Description.Behaviors.Find<ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; foreach (ServiceEndpoint se in host.Description.Endpoints) se.Behaviors.Add (new StdErrInspectionBehavior ()); ServiceMetadataBehavior smb = new ServiceMetadataBehavior (); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl"); host.Description.Behaviors.Add (smb); host.Open (); Console.WriteLine ("Hit [CR] key to close ..."); Console.ReadLine (); host.Close (); }
public static Binding CreateCreditCardBinding() { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); // the message security binding element will be configured to require a credit card // token that is encrypted with the service's certificate SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement(); messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters()); X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters(); x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never; messageSecurity.ProtectionTokenParameters = x509ProtectionParameters; return new CustomBinding(messageSecurity, httpTransport); }
private static System.ServiceModel.Channels.Binding CreateBinding() { TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); var httpTransport = new HttpTransportBindingElement(); var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport); return customBinding; }
public static void Main () { Console.WriteLine ("WARNING!! This test is not configured enought to work fine on .NET either."); SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement (); sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; sbe.RequireSignatureConfirmation = true; //sbe.IncludeTimestamp = false; sbe.ProtectionTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); X509SecurityTokenParameters p = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient); p.RequireDerivedKeys = false; sbe.EndpointSupportingTokenParameters.Endorsing.Add (p); //sbe.SetKeyDerivation (false); //sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; ServiceHost host = new ServiceHost (typeof (Foo)); var mbe = new BinaryMessageEncodingBindingElement (); var tbe = new TcpTransportBindingElement (); CustomBinding binding = new CustomBinding (sbe, mbe, tbe); binding.ReceiveTimeout = TimeSpan.FromSeconds (5); host.AddServiceEndpoint ("IFoo", binding, new Uri ("http://localhost:8080")); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("test.pfx", "mono"); cred.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; host.Description.Behaviors.Add (cred); host.Description.Behaviors.Find<ServiceDebugBehavior> () .IncludeExceptionDetailInFaults = true; ServiceMetadataBehavior smb = new ServiceMetadataBehavior (); smb.HttpGetEnabled = true; smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl"); host.Description.Behaviors.Add (smb); host.Open (); Console.WriteLine ("Hit [CR] key to close ..."); Console.ReadLine (); host.Close (); }
public static Binding GetIssuedTokenBindingSSL() { var textmessageEncoding = new TextMessageEncodingBindingElement(); textmessageEncoding.WriteEncoding = Encoding.UTF8; textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10; var messageSecurity = new AsymmetricSecurityBindingElement(); messageSecurity.AllowSerializedSigningTokenOnReply = true; messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator); messageSecurity.RecipientTokenParameters = x509SecurityParamter; messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false; var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient); initiator.RequireDerivedKeys = false; messageSecurity.InitiatorTokenParameters = initiator; messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; return new CustomBinding( messageSecurity, textmessageEncoding, new HttpsTransportBindingElement()); }
public static Binding CreateMultiFactorAuthenticationBinding() { HttpTransportBindingElement httpTransport = new HttpTransportBindingElement(); // the message security binding element will be configured to require 2 tokens: // 1) A username-password encrypted with the service token // 2) A client certificate used to sign the message // Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert) SymmetricSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); // Create supporting token parameters for the client X509 certificate. X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters(); // Specify that the supporting token is passed in message send by the client to the service clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; // Turn off derived keys clientX509SupportingTokenParameters.RequireDerivedKeys = false; // Augment the binding element to require the client's X509 certificate as an endorsing token in the message messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters); // Create a CustomBinding based on the constructed security binding element. return new CustomBinding(messageSecurity, httpTransport); }
private SecurityBindingElement CreateSecurity() { AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement(); X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters(); clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; clientToken.RequireDerivedKeys = false; clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal; security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token. X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters(); serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any; serverToken.InclusionMode = SecurityTokenInclusionMode.Never; serverToken.RequireDerivedKeys = false; serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External; security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token. //Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked. security.EnableUnsecuredResponse = true; security.IncludeTimestamp = true; security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; security.SetKeyDerivation(false); return security; }
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding... SecurityBindingElement CreateMessageSecurity () { if (Security.Mode == SecurityMode.Transport || Security.Mode == SecurityMode.None) return null; // FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value. SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement (); element.MessageSecurityVersion = MessageSecurityVersion.Default; element.SetKeyDerivation (false); switch (Security.Message.ClientCredentialType) { case MessageCredentialType.Certificate: element.EndpointSupportingTokenParameters.Endorsing.Add ( new X509SecurityTokenParameters ()); goto default; case MessageCredentialType.IssuedToken: IssuedSecurityTokenParameters istp = new IssuedSecurityTokenParameters (); // FIXME: issuer binding must be secure. istp.IssuerBinding = new CustomBinding ( new TextMessageEncodingBindingElement (), GetTransport ()); element.EndpointSupportingTokenParameters.Endorsing.Add (istp); goto default; case MessageCredentialType.UserName: element.EndpointSupportingTokenParameters.SignedEncrypted.Add ( new UserNameSecurityTokenParameters ()); goto default; case MessageCredentialType.Windows: element.ProtectionTokenParameters = new KerberosSecurityTokenParameters (); break; default: // including .None X509SecurityTokenParameters p = new X509SecurityTokenParameters (); p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; element.ProtectionTokenParameters = p; break; } // SecureConversation enabled ChannelProtectionRequirements reqs = new ChannelProtectionRequirements (); // FIXME: fill the reqs return SecurityBindingElement.CreateSecureConversationBindingElement ( // FIXME: requireCancellation element, true, reqs); }
private SecurityBindingElement CreateSecurityBindingElement() { CustomTextTraceSource ts = new CustomTextTraceSource("Common.WspCustomSecuredBinding.CreateSecurityBindingElement", "MyTraceSource", System.Diagnostics.SourceLevels.Information); AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = true; // SAML assertion as a signed-encrypted supporting token IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); // Compliance with WSS SAML Token Profile 1.1 // Target .Net 3.5. Does not work with .Net 4 issuedTokenParameters.UseStrTransform = _enableStrTransform; ts.TraceInformation("issuedTokenParameters.UseStrTransform = " + issuedTokenParameters.UseStrTransform.ToString()); // Using bearer key type which means no proof key issuedTokenParameters.KeyType = SecurityKeyType.BearerKey; issuedTokenParameters.KeySize = 0; issuedTokenParameters.RequireDerivedKeys = false; issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; // These claims are not really needed here. We are doing out of band requests! // Claims //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId")); // GFIPM S2S 6.4 User Authorization - Encrypted GFIPM User Assertion //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters); // For debug secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToInitiator); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator; //recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; secBindingElement.RecipientTokenParameters = recipientTokenParameters; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; //Set the Custom IdentityVerifier secBindingElement.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier(); ////////////////////////////////////////////////////////// return secBindingElement; }
public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters) { XmlElement result = CreateWsspAssertion(X509TokenName); SetIncludeTokenValue(result, parameters.InclusionMode); result.AppendChild( CreateWspPolicyWrapper( exporter, CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle), CreateWsspAssertion(WssX509V3Token10Name) )); return result; }
public void SetKeyDerivation () { AsymmetricSecurityBindingElement be; X509SecurityTokenParameters p, p2; be = new AsymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); be.InitiatorTokenParameters = p; be.RecipientTokenParameters = p2; be.SetKeyDerivation (false); Assert.AreEqual (false, p.RequireDerivedKeys, "#1"); Assert.AreEqual (false, p2.RequireDerivedKeys, "#2"); be = new AsymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); be.SetKeyDerivation (false); // set in prior - makes no sense be.InitiatorTokenParameters = p; be.RecipientTokenParameters = p2; Assert.AreEqual (true, p.RequireDerivedKeys, "#3"); Assert.AreEqual (true, p2.RequireDerivedKeys, "#4"); }
private SecurityBindingElement CreateSecurityBindingElement() { SymmetricSecurityBindingElement secBindingElement = new SymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Strict; // TEST //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); //secBindingElement.RequireSignatureConfirmation = true; //secBindingElement.AllowInsecureTransport = true; ////////////////////////////////////////////////////////// SecurityBindingElement ssbe = (SecurityBindingElement)secBindingElement; // Set the Custom IdentityVerifier //ssbe.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier(); ////////////////////////////////////////////////////////// X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); protectTokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; //X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, // SecurityTokenInclusionMode.Never); protectTokenParameters.RequireDerivedKeys = false; //protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; //protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; secBindingElement.ProtectionTokenParameters = protectTokenParameters; UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters(); userNameToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken); //secBindingElement.EndpointSupportingTokenParameters.Signed.Add(userNameToken); //secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; return secBindingElement; }
protected X509SecurityTokenParameters (X509SecurityTokenParameters source) : base (source) { reference_style = source.reference_style; }
void SetKeyDerivationIncorrect (SecurityBindingElement be, string label) { X509SecurityTokenParameters p, p2; p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); // setting in prior - makes no sense be.SetKeyDerivation (false); be.EndpointSupportingTokenParameters.Endorsing.Add (p); be.EndpointSupportingTokenParameters.Endorsing.Add (p2); Assert.AreEqual (true, p.RequireDerivedKeys, label + "#5"); Assert.AreEqual (true, p2.RequireDerivedKeys, label + "#6"); }
protected X509SecurityTokenParameters(X509SecurityTokenParameters source) : base(source) { reference_style = source.reference_style; }
public void Validate(ServiceEndpoint endpoint) { StreamWriter file = new StreamWriter("c:\\temp\\WeatherStationService.SymmetricPolicyExtensionsBehavior - Validate.txt", true); file.WriteLine("_________________________________________"); file.WriteLine("DateTime: " + DateTime.Now.ToString()); if (endpoint != null) { file.WriteLine("EndPoint: " + endpoint.Name); if (endpoint.Behaviors != null) { foreach (IEndpointBehavior epb in endpoint.Behaviors) { file.WriteLine("EndPoint Behavior: " + epb.ToString()); } } } file.Close(); //ClientCredentials cc = new ClientCredentials(); //ClientRuntime cr = new ClientRuntime(); //cc.ApplyClientBehavior(endpoint, cr); //CustomBinding binding = new CustomBinding("CustomSecureBinding_BackendService"); CustomBinding binding = new CustomBinding(); SymmetricSecurityBindingElement secBindingElement = new SymmetricSecurityBindingElement(); //WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding"); CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport"); IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", new EndpointAddress("https://ha50idp:8543/ADS-STS/Issue.svc"), stsBinding); issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey; // 256? issuedTokenParameters.KeySize = 128; issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress("https://ha50idp:8543/ADS-STS/Issue.svc/mex"); issuedTokenParameters.RequireDerivedKeys = false; issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; // X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); protectTokenParameters.RequireDerivedKeys = false; protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; //protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; secBindingElement.ProtectionTokenParameters = protectTokenParameters; secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; //secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters); secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; binding.Elements.Add(secBindingElement); binding.Elements.Add(new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8)); //HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement(); HttpTransportBindingElement httpsBinding = new HttpTransportBindingElement(); binding.Elements.Add(httpsBinding); endpoint.Binding = binding; }
protected override SecurityBindingElement CreateMessageSecurity () { if (Security.Mode == SecurityMode.Transport || Security.Mode == SecurityMode.None) return null; SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement (); element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; element.RequireSignatureConfirmation = true; switch (Security.Message.ClientCredentialType) { case MessageCredentialType.Certificate: X509SecurityTokenParameters p = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint); p.RequireDerivedKeys = false; element.EndpointSupportingTokenParameters.Endorsing.Add (p); goto default; case MessageCredentialType.IssuedToken: IssuedSecurityTokenParameters istp = new IssuedSecurityTokenParameters (); // FIXME: issuer binding must be secure. istp.IssuerBinding = new CustomBinding ( new TextMessageEncodingBindingElement (), GetTransport ()); element.EndpointSupportingTokenParameters.Endorsing.Add (istp); goto default; case MessageCredentialType.UserName: element.EndpointSupportingTokenParameters.SignedEncrypted.Add ( new UserNameSecurityTokenParameters ()); element.RequireSignatureConfirmation = false; goto default; case MessageCredentialType.Windows: if (Security.Message.NegotiateServiceCredential) { // No SSPI on Linux though... element.ProtectionTokenParameters = // FIXME: fill proper parameters new SspiSecurityTokenParameters (); } else { // and no Kerberos ... element.ProtectionTokenParameters = new KerberosSecurityTokenParameters (); } break; default: // including .None if (Security.Message.NegotiateServiceCredential) { element.ProtectionTokenParameters = // FIXME: fill proper parameters new SslSecurityTokenParameters (false, true); } else { element.ProtectionTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never); element.ProtectionTokenParameters.RequireDerivedKeys = true; } break; } if (!Security.Message.EstablishSecurityContext) return element; // SecureConversation enabled ChannelProtectionRequirements reqs = new ChannelProtectionRequirements (); // FIXME: fill the reqs return SecurityBindingElement.CreateSecureConversationBindingElement ( // FIXME: requireCancellation element, true, reqs); }
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) { Contract.Requires(other != null); }
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) { Contract.Requires(other != null); }
public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) { SecurityTokenInclusionMode mode; parameters = null; if (this.IsWsspAssertion(assertion, "X509Token") && this.TryGetIncludeTokenValue(assertion, out mode)) { Collection<Collection<XmlElement>> collection; if (this.TryGetNestedPolicyAlternatives(importer, assertion, out collection)) { foreach (Collection<XmlElement> collection2 in collection) { X509SecurityTokenParameters parameters2 = new X509SecurityTokenParameters(); parameters = parameters2; if ((this.TryImportWsspRequireDerivedKeysAssertion(collection2, parameters2) && this.TryImportX509ReferenceStyleAssertion(collection2, parameters2)) && (this.TryImportWsspAssertion(collection2, "WssX509V3Token10", true) && (collection2.Count == 0))) { parameters.InclusionMode = mode; break; } parameters = null; } } else { parameters = new X509SecurityTokenParameters(); parameters.RequireDerivedKeys = false; parameters.InclusionMode = mode; } } return (parameters != null); }
void SetKeyDerivationCorrect (SecurityBindingElement be, string label) { X509SecurityTokenParameters p, p2; p = new X509SecurityTokenParameters (); p2 = new X509SecurityTokenParameters (); Assert.AreEqual (true, p.RequireDerivedKeys, label + "#1"); Assert.AreEqual (true, p2.RequireDerivedKeys, label + "#2"); be.EndpointSupportingTokenParameters.Endorsing.Add (p); be.EndpointSupportingTokenParameters.Endorsing.Add (p2); be.SetKeyDerivation (false); Assert.AreEqual (false, p.RequireDerivedKeys, label + "#3"); Assert.AreEqual (false, p2.RequireDerivedKeys, label + "#4"); }
public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters) { XmlElement tokenAssertion = this.CreateWsspAssertion("X509Token"); this.SetIncludeTokenValue(tokenAssertion, parameters.InclusionMode); tokenAssertion.AppendChild(this.CreateWspPolicyWrapper(exporter, new XmlElement[] { this.CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), this.CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle), this.CreateWsspAssertion("WssX509V3Token10") })); return tokenAssertion; }
public void GetPropertySecurityCapabilities () { ISecurityCapabilities c; RsaSecurityTokenParameters rsa = new RsaSecurityTokenParameters (); UserNameSecurityTokenParameters user = new UserNameSecurityTokenParameters (); X509SecurityTokenParameters x509 = new X509SecurityTokenParameters (); SecureConversationSecurityTokenParameters sc1 = new SecureConversationSecurityTokenParameters (); sc1.BootstrapSecurityBindingElement = new SymmetricSecurityBindingElement (); // empty SecureConversationSecurityTokenParameters sc2 = new SecureConversationSecurityTokenParameters (); sc2.BootstrapSecurityBindingElement = new SymmetricSecurityBindingElement (x509); SecureConversationSecurityTokenParameters sc3 = new SecureConversationSecurityTokenParameters (); sc3.BootstrapSecurityBindingElement = new AsymmetricSecurityBindingElement (null, x509); SecureConversationSecurityTokenParameters sc4 = new SecureConversationSecurityTokenParameters (); sc4.BootstrapSecurityBindingElement = new AsymmetricSecurityBindingElement (x509, null); // no parameters c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement ()); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, false, false, false, c, "#1"); // x509 parameters for both c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement (x509)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, true, true, c, "#2"); // no initiator parameters c = GetSecurityCapabilities ( new AsymmetricSecurityBindingElement (x509, null)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, false, false, true, c, "#3"); // no recipient parameters c = GetSecurityCapabilities ( new AsymmetricSecurityBindingElement (null, x509)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, true, false, c, "#4"); // initiator does not support identity c = GetSecurityCapabilities ( new AsymmetricSecurityBindingElement (x509, rsa)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, false, true, c, "#5"); // recipient does not support server auth c = GetSecurityCapabilities ( new AsymmetricSecurityBindingElement (user, x509)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, true, false, c, "#6"); // secureconv with no symm. bootstrap params c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement (sc1)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, false, false, false, c, "#7"); // secureconv with x509 symm. bootstrap params c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement (sc2)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, true, true, c, "#8"); // secureconv with x509 initiator bootstrap params c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement (sc3)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, true, true, false, c, "#9"); // secureconv with x509 recipient bootstrap params c = GetSecurityCapabilities ( new SymmetricSecurityBindingElement (sc4)); AssertSecurityCapabilities ( ProtectionLevel.EncryptAndSign, ProtectionLevel.EncryptAndSign, false, false, true, c, "#10"); // FIXME: find out such cases that returns other ProtectionLevel values. }
private SecurityBindingElement CreateWSS11SecurityBindingElement() { AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; // TEST //secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = false; //WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding"); //CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport"); // TEMPORARILY DISABLED // .Net 3.5 //string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc"; // .Net 4.0 string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc"; //IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", // new EndpointAddress(adsAddress), stsBinding); IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); issuedTokenParameters.UseStrTransform = false; issuedTokenParameters.KeyType = SecurityKeyType.BearerKey; //issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey; //issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey; // 256? //issuedTokenParameters.KeySize = 256; issuedTokenParameters.KeySize = 0; // .Net 3.5 //string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex"; // .Net 4.0 //string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex"; //issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress); issuedTokenParameters.RequireDerivedKeys = false; issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; //issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; // Claims //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber")); //issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId")); // THis is a test //secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters); // This is the right one secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters); // need to put this in configuration //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any; X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier; //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial; //X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; //initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType, SecurityTokenInclusionMode.Never); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External; secBindingElement.RecipientTokenParameters = recipientTokenParameters; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; return secBindingElement; }
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) : base(other) { this.x509ReferenceStyle = other.x509ReferenceStyle; }
private SecurityBindingElement CreateWSS10SecurityBindingElement() { AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement(); secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax; secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; secBindingElement.IncludeTimestamp = true; secBindingElement.SetKeyDerivation(false); secBindingElement.AllowSerializedSigningTokenOnReply = true; secBindingElement.RequireSignatureConfirmation = false; X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient); initiatorTokenParameters.RequireDerivedKeys = false; initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient; secBindingElement.InitiatorTokenParameters = initiatorTokenParameters; X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never); recipientTokenParameters.RequireDerivedKeys = false; recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; secBindingElement.RecipientTokenParameters = recipientTokenParameters; //secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters); //secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters); //secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12; secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; return secBindingElement; }
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) : base(other) { this.x509ReferenceStyle = other.x509ReferenceStyle; }
// based on WSHttpBinding.CreateMessageSecurity() SecurityBindingElement CreateMessageSecurity () { if (Security.Mode == SecurityMode.Transport || Security.Mode == SecurityMode.None) return null; SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement (); element.MessageSecurityVersion = MessageSecurityVersion.Default; element.SetKeyDerivation (false); switch (Security.Message.ClientCredentialType) { case MessageCredentialType.Certificate: element.EndpointSupportingTokenParameters.Endorsing.Add ( new X509SecurityTokenParameters ()); goto default; case MessageCredentialType.IssuedToken: IssuedSecurityTokenParameters istp = new IssuedSecurityTokenParameters (); // FIXME: issuer binding must be secure. istp.IssuerBinding = new CustomBinding ( new TextMessageEncodingBindingElement (), GetTransport ()); element.EndpointSupportingTokenParameters.Endorsing.Add (istp); goto default; case MessageCredentialType.UserName: element.EndpointSupportingTokenParameters.SignedEncrypted.Add ( new UserNameSecurityTokenParameters ()); goto default; case MessageCredentialType.Windows: element.ProtectionTokenParameters = new KerberosSecurityTokenParameters (); break; default: // including .None X509SecurityTokenParameters p = new X509SecurityTokenParameters (); p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; element.ProtectionTokenParameters = p; break; } return element; }
public virtual bool TryImportX509ReferenceStyleAssertion(ICollection<XmlElement> assertions, X509SecurityTokenParameters parameters) { if (TryImportWsspAssertion(assertions, RequireIssuerSerialReferenceName)) { parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; } else if (TryImportWsspAssertion(assertions, RequireKeyIdentifierReferenceName)) { parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier; } else if (TryImportWsspAssertion(assertions, RequireThumbprintReferenceName)) { parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; } return true; }
public void SetKeyDerivation () { SymmetricSecurityBindingElement be; X509SecurityTokenParameters p; be = new SymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); be.ProtectionTokenParameters = p; be.SetKeyDerivation (false); Assert.AreEqual (false, p.RequireDerivedKeys, "#1"); be = new SymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); be.SetKeyDerivation (false); // set in prior - makes no sense be.ProtectionTokenParameters = p; Assert.AreEqual (true, p.RequireDerivedKeys, "#2"); }
public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) { parameters = null; SecurityTokenInclusionMode inclusionMode; Collection<Collection<XmlElement>> alternatives; if (IsWsspAssertion(assertion, X509TokenName) && TryGetIncludeTokenValue(assertion, out inclusionMode)) { if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { X509SecurityTokenParameters x509 = new X509SecurityTokenParameters(); parameters = x509; if (TryImportWsspRequireDerivedKeysAssertion(alternative, x509) && TryImportX509ReferenceStyleAssertion(alternative, x509) && TryImportWsspAssertion(alternative, WssX509V3Token10Name, true) && alternative.Count == 0) { parameters.InclusionMode = inclusionMode; break; } else { parameters = null; } } } else { parameters = new X509SecurityTokenParameters(); parameters.RequireDerivedKeys = false; parameters.InclusionMode = inclusionMode; } } return parameters != null; }
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) : base(other) { reference_style = other.reference_style; }