Exemplo n.º 1
0
        public void SecureConvProviderGetToken()
        {
            InitiatorServiceModelSecurityTokenRequirement r =
                CreateRequirement();

            // it still requires SecurityAlgorithmSuite on GetToken().
            r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default;
            // the actual security binding element requires
            // ProtectionTokenParameters.
            r.SecureConversationSecurityBindingElement =
                SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
            // the above requires service certificate
            BindingContext    ctx  = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);
            ClientCredentials cred = new ClientCredentials();

            cred.ServiceCertificate.DefaultCertificate = cert;
            ctx.BindingParameters.Add(cred);

            // without it, identity check fails on IssuerAddress
            // (TargetAddress is used when IssuerAddress is not set)
            r.TargetAddress = new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert));

            SecurityTokenProvider p =
                def_c.CreateSecurityTokenProvider(r);

            Assert.IsNotNull(p, "#1");
            // non-standard provider, it looks similar to IssuedSecurityTokenProvider.
            ((ICommunicationObject)p).Open();
            p.GetToken(TimeSpan.FromSeconds(5));
        }
Exemplo n.º 2
0
        public void CreateAnonymousForCertificateBindingElement()
        {
            SymmetricSecurityBindingElement be =
                SecurityBindingElement.CreateAnonymousForCertificateBindingElement();

            SecurityAssert.AssertSymmetricSecurityBindingElement(
                SecurityAlgorithmSuite.Default,
                true,                 // IncludeTimestamp
                SecurityKeyEntropyMode.CombinedEntropy,
                MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
                MessageSecurityVersion.Default,
                true,                 // RequireSignatureConfirmation
                SecurityHeaderLayout.Strict,
                // EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
                0, 0, 0, 0,
                // ProtectionTokenParameters
                true, SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true,
                // LocalClientSettings
                true, 60, true,

                be, "");

            // test ProtectionTokenParameters
            X509SecurityTokenParameters tp =
                be.ProtectionTokenParameters
                as X509SecurityTokenParameters;

            Assert.IsNotNull(tp, "#2-1");
            SecurityAssert.AssertSecurityTokenParameters(
                SecurityTokenInclusionMode.Never,
                SecurityTokenReferenceStyle.Internal,
                true, tp, "Protection");
            Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, tp.X509ReferenceStyle, "#2-2");
        }
Exemplo n.º 3
0
        public static Binding CreateCustomBinding()
        {
            // <Snippet8>
            // <Snippet3>
            SymmetricSecurityBindingElement b =
                SecurityBindingElement.
                CreateAnonymousForCertificateBindingElement();
            // </Snippet3>

            // <Snippet4>
            BindingElementCollection outputBindings =
                new BindingElementCollection();

            // </Snippet4>

            // <Snippet5>
            b.DefaultAlgorithmSuite  = SecurityAlgorithmSuite.Basic128;
            b.MessageProtectionOrder =
                MessageProtectionOrder.SignBeforeEncrypt;
            b.ProtectionTokenParameters =
                new KerberosSecurityTokenParameters();
            // </Snippet5>
            // </Snippet8>

            // <Snippet6>
            outputBindings.Add(b);
            outputBindings.Add(new TextMessageEncodingBindingElement());
            outputBindings.Add(new HttpTransportBindingElement());
            // </Snippet6>

            // <Snippet7>
            return(new CustomBinding(outputBindings));
            // </Snippet7>
        }
Exemplo n.º 4
0
        // <Snippet2>
        // These public methods create custom bindings based on the built-in
        // authentication modes that use the static methods of
        // the System.ServiceModel.Channels.SecurityBindingElement class.
        public static Binding CreateAnonymousForCertificateBinding()
        {
            BindingElementCollection bec = new BindingElementCollection();

            bec.Add(SecurityBindingElement.
                    CreateAnonymousForCertificateBindingElement());
            bec.Add(new TextMessageEncodingBindingElement());
            bec.Add(new HttpTransportBindingElement());
            return(new CustomBinding(bec));
        }
Exemplo n.º 5
0
        internal SecurityBindingElement CreateSecurityBindingElement()
        {
            SymmetricSecurityBindingElement result;
            bool isKerberosSelected = false;

            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;

            case MessageCredentialType.UserName:
                result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;

            case MessageCredentialType.Certificate:
                result = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
                break;

            case MessageCredentialType.Windows:
                result             = SecurityBindingElement.CreateKerberosBindingElement();
                isKerberosSelected = true;
                break;

            case MessageCredentialType.IssuedToken:
                result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;

            default:
                Fx.Assert("unknown ClientCredentialType");
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }

            result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;

            // set the algorithm suite and issued token params if required
            if (wasAlgorithmSuiteSet || !isKerberosSelected)
            {
                result.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (isKerberosSelected)
            {
                result.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }

            result.IncludeTimestamp = false;
            result.LocalServiceSettings.DetectReplays = false;
            result.LocalClientSettings.DetectReplays  = false;

            return(result);
        }
Exemplo n.º 6
0
        internal SecurityBindingElement CreateSecurityBindingElement()
        {
            SymmetricSecurityBindingElement element;
            bool flag = false;

            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                element = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;

            case MessageCredentialType.Windows:
                element = SecurityBindingElement.CreateKerberosBindingElement();
                flag    = true;
                break;

            case MessageCredentialType.UserName:
                element = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;

            case MessageCredentialType.Certificate:
                element = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
                break;

            case MessageCredentialType.IssuedToken:
                element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;

            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            if (this.wasAlgorithmSuiteSet || !flag)
            {
                element.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (flag)
            {
                element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }
            element.IncludeTimestamp = false;
            element.LocalServiceSettings.DetectReplays = false;
            element.LocalClientSettings.DetectReplays  = false;
            return(element);
        }
Exemplo n.º 7
0
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
        {
            if (isReliableSession && !this.IsSecureConversationEnabled())
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
            }

            SecurityBindingElement result;
            SecurityBindingElement oneShotSecurity;

            bool isKerberosSelected = false;
            bool emitBspAttributes  = true;

            if (isSecureTransportMode)
            {
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));

                case MessageCredentialType.UserName:
                    oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    break;

                case MessageCredentialType.Certificate:
                    oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                    break;

                case MessageCredentialType.Windows:
                    oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                    break;

                case MessageCredentialType.IssuedToken:
                    oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
                    break;

                default:
                    Fx.Assert("unknown ClientCredentialType");
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                if (this.IsSecureConversationEnabled())
                {
                    result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
                }
                else
                {
                    result = oneShotSecurity;
                }
            }
            else
            {
                if (negotiateServiceCredential)
                {
                    switch (this.clientCredentialType)
                    {
                    case MessageCredentialType.None:
                        oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                        break;

                    case MessageCredentialType.UserName:
                        oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                        break;

                    case MessageCredentialType.Certificate:
                        oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                        break;

                    case MessageCredentialType.Windows:
                        oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                        break;

                    case MessageCredentialType.IssuedToken:
                        oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite), true);
                        break;

                    default:
                        Fx.Assert("unknown ClientCredentialType");
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                    }
                }
                else
                {
                    switch (this.clientCredentialType)
                    {
                    case MessageCredentialType.None:
                        oneShotSecurity = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                        break;

                    case MessageCredentialType.UserName:
                        oneShotSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                        break;

                    case MessageCredentialType.Certificate:
                        oneShotSecurity = SecurityBindingElement.CreateMutualCertificateBindingElement();
                        break;

                    case MessageCredentialType.Windows:
                        oneShotSecurity    = SecurityBindingElement.CreateKerberosBindingElement();
                        isKerberosSelected = true;
                        break;

                    case MessageCredentialType.IssuedToken:
                        oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
                        break;

                    default:
                        Fx.Assert("unknown ClientCredentialType");
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                    }
                }
                if (this.IsSecureConversationEnabled())
                {
                    result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
                }
                else
                {
                    result = oneShotSecurity;
                }
            }

            // set the algorithm suite and issued token params if required
            if (wasAlgorithmSuiteSet || (!isKerberosSelected))
            {
                result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (isKerberosSelected)
            {
                result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }

            result.IncludeTimestamp = true;
            oneShotSecurity.MessageSecurityVersion = version;
            result.MessageSecurityVersion          = version;
            if (!isReliableSession)
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = false;
                result.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            else
            {
                result.LocalServiceSettings.ReconnectTransportOnFailure = true;
                result.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }

            if (this.IsSecureConversationEnabled())
            {
                // issue the transition SCT for a short duration only
                oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
            }

            return(result);
        }
Exemplo n.º 8
0
        internal SecurityBindingElement CreateSecurityBindingElement()
        {
            SymmetricSecurityBindingElement wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;

            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
            {
                wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;
            }

            case MessageCredentialType.Windows:
            {
                Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unsupported ClientCredentialType");
                throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }

            case MessageCredentialType.UserName:
            {
                wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;
            }

            case MessageCredentialType.Certificate:
            {
                wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
                break;
            }

            case MessageCredentialType.IssuedToken:
            {
                object[] objArray = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite };
                wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray));
                break;
            }

            default:
            {
                Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unsupported ClientCredentialType");
                throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            }
            wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            if (this.wasAlgorithmSuiteSet)
            {
                wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.IncludeTimestamp = false;
            wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.DetectReplays = false;
            wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.DetectReplays  = false;
            return(wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
        }
Exemplo n.º 9
0
        // <snippet2>
        public override BindingElementCollection CreateBindingElements()
        {
            //SecurityBindingElement sbe = bec.Find<SecurityBindingElement>();
            BindingElementCollection bec = new BindingElementCollection();
            // By default http transport is used
            SecurityBindingElement securityBinding;
            BindingElement         transport;

            switch (assertion)
            {
            case WseSecurityAssertion.UsernameOverTransport:
                transport       = new HttpsTransportBindingElement();
                securityBinding = (TransportSecurityBindingElement)SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                if (establishSecurityContext == true)
                {
                    throw new InvalidOperationException("Secure Conversation is not supported for this Security Assertion Type");
                }
                if (requireSignatureConfirmation == true)
                {
                    throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
                }
                break;

            case WseSecurityAssertion.MutualCertificate10:
                transport       = new HttpTransportBindingElement();
                securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
                if (requireSignatureConfirmation == true)
                {
                    throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
                }
                ((AsymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
                break;

            case WseSecurityAssertion.UsernameForCertificate:
                transport       = new HttpTransportBindingElement();
                securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                // We want signatureconfirmation on the bootstrap process
                // either for the application messages or for the RST/RSTR
                ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
                ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder       = messageProtectionOrder;
                break;

            case WseSecurityAssertion.AnonymousForCertificate:
                transport       = new HttpTransportBindingElement();
                securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
                ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder       = messageProtectionOrder;
                break;

            case WseSecurityAssertion.MutualCertificate11:
                transport       = new HttpTransportBindingElement();
                securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
                ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
                ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder       = messageProtectionOrder;
                break;

            case WseSecurityAssertion.Kerberos:
                transport       = new HttpTransportBindingElement();
                securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateKerberosBindingElement();
                ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
                ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder       = messageProtectionOrder;
                break;

            default:
                throw new NotSupportedException("This supplied Wse security assertion is not supported");
            }
            //Set defaults for the security binding
            securityBinding.IncludeTimestamp = true;

            // Derived Keys
            // set the preference for derived keys before creating SecureConversationBindingElement
            securityBinding.SetKeyDerivation(requireDerivedKeys);

            //Secure Conversation
            if (establishSecurityContext == true)
            {
                SymmetricSecurityBindingElement secureconversation =
                    (SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
                        securityBinding, false);
                // This is the default
                //secureconversation.DefaultProtectionLevel = ProtectionLevel.EncryptAndSign;

                //Set defaults for the secure conversation binding
                secureconversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
                // We do not want signature confirmation on the application level messages
                // when secure conversation is enabled.
                secureconversation.RequireSignatureConfirmation = false;
                secureconversation.MessageProtectionOrder       = messageProtectionOrder;
                secureconversation.SetKeyDerivation(requireDerivedKeys);
                securityBinding = secureconversation;
            }

            // Add the security binding to the binding collection
            bec.Add(securityBinding);

            // Add the message encoder.
            TextMessageEncodingBindingElement textelement = new TextMessageEncodingBindingElement();

            textelement.MessageVersion = MessageVersion.Soap11WSAddressingAugust2004;
            //These are the defaults required for WSE
            //textelement.MessageVersion = MessageVersion.Soap11Addressing1;
            //textelement.WriteEncoding = System.Text.Encoding.UTF8;
            bec.Add(textelement);

            // Add the transport
            bec.Add(transport);


            // return the binding elements
            return(bec);
        }
Exemplo n.º 10
0
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
        {
            SecurityBindingElement element;
            SecurityBindingElement element2;

            if (isReliableSession && !this.IsSecureConversationEnabled())
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
            }
            bool flag = false;
            bool emitBspRequiredAttributes = true;

            if (!isSecureTransportMode)
            {
                if (this.negotiateServiceCredential)
                {
                    switch (this.clientCredentialType)
                    {
                    case MessageCredentialType.None:
                        element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                        goto Label_01DA;

                    case MessageCredentialType.Windows:
                        element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                        goto Label_01DA;

                    case MessageCredentialType.UserName:
                        element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                        goto Label_01DA;

                    case MessageCredentialType.Certificate:
                        element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                        goto Label_01DA;

                    case MessageCredentialType.IssuedToken:
                        element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite), true);
                        goto Label_01DA;
                    }
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                    element2 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                    goto Label_01DA;

                case MessageCredentialType.Windows:
                    element2 = SecurityBindingElement.CreateKerberosBindingElement();
                    flag     = true;
                    goto Label_01DA;

                case MessageCredentialType.UserName:
                    element2 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                    goto Label_01DA;

                case MessageCredentialType.Certificate:
                    element2 = SecurityBindingElement.CreateMutualCertificateBindingElement();
                    goto Label_01DA;

                case MessageCredentialType.IssuedToken:
                    element2 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
                    goto Label_01DA;
                }
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            switch (this.clientCredentialType)
            {
            case MessageCredentialType.None:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));

            case MessageCredentialType.Windows:
                element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                break;

            case MessageCredentialType.UserName:
                element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                break;

            case MessageCredentialType.Certificate:
                element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                break;

            case MessageCredentialType.IssuedToken:
                element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
                break;

            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            if (this.IsSecureConversationEnabled())
            {
                element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
            }
            else
            {
                element = element2;
            }
            goto Label_01EE;
Label_01DA:
            if (this.IsSecureConversationEnabled())
            {
                element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
            }
            else
            {
                element = element2;
            }
Label_01EE:
            if (this.wasAlgorithmSuiteSet || !flag)
            {
                element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
            }
            else if (flag)
            {
                element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
            }
            element.IncludeTimestamp        = true;
            element2.MessageSecurityVersion = version;
            element.MessageSecurityVersion  = version;
            if (!isReliableSession)
            {
                element.LocalServiceSettings.ReconnectTransportOnFailure = false;
                element.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            else
            {
                element.LocalServiceSettings.ReconnectTransportOnFailure = true;
                element.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }
            if (this.IsSecureConversationEnabled())
            {
                element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
            }
            return(element);
        }
Exemplo n.º 11
0
        protected internal virtual BindingElement CreateBindingElement(bool createTemplateOnly)
        {
            SecurityBindingElement result;

            switch (this.AuthenticationMode)
            {
            case AuthenticationMode.AnonymousForCertificate:
                result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                break;

            case AuthenticationMode.AnonymousForSslNegotiated:
                result = SecurityBindingElement.CreateSslNegotiationBindingElement(false, this.RequireSecurityContextCancellation);
                break;

            case AuthenticationMode.CertificateOverTransport:
                result = SecurityBindingElement.CreateCertificateOverTransportBindingElement(this.MessageSecurityVersion);
                break;

            case AuthenticationMode.IssuedToken:
                result = SecurityBindingElement.CreateIssuedTokenBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
                break;

            case AuthenticationMode.IssuedTokenForCertificate:
                result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
                break;

            case AuthenticationMode.IssuedTokenForSslNegotiated:
                result = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType), this.RequireSecurityContextCancellation);
                break;

            case AuthenticationMode.IssuedTokenOverTransport:
                result = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType));
                break;

            case AuthenticationMode.Kerberos:
                result = SecurityBindingElement.CreateKerberosBindingElement();
                break;

            case AuthenticationMode.KerberosOverTransport:
                result = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
                break;

            case AuthenticationMode.MutualCertificateDuplex:
                result = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(this.MessageSecurityVersion);
                break;

            case AuthenticationMode.MutualCertificate:
                result = SecurityBindingElement.CreateMutualCertificateBindingElement(this.MessageSecurityVersion);
                break;

            case AuthenticationMode.MutualSslNegotiated:
                result = SecurityBindingElement.CreateSslNegotiationBindingElement(true, this.RequireSecurityContextCancellation);
                break;

            case AuthenticationMode.SspiNegotiated:
                result = SecurityBindingElement.CreateSspiNegotiationBindingElement(this.RequireSecurityContextCancellation);
                break;

            case AuthenticationMode.UserNameForCertificate:
                result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                break;

            case AuthenticationMode.UserNameForSslNegotiated:
                result = SecurityBindingElement.CreateUserNameForSslBindingElement(this.RequireSecurityContextCancellation);
                break;

            case AuthenticationMode.UserNameOverTransport:
                result = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                break;

            case AuthenticationMode.SspiNegotiatedOverTransport:
                result = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(this.RequireSecurityContextCancellation);
                break;

            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("AuthenticationMode", (int)this.AuthenticationMode, typeof(AuthenticationMode)));
            }

            this.ApplyConfiguration(result);

            return(result);
        }
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
        {
            SecurityBindingElement securityBindingElement;
            SecurityBindingElement securityBindingElement1;

            if (isReliableSession && !this.IsSecureConversationEnabled())
            {
                throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.SecureConversationRequiredByReliableSession, new object[0])));
            }
            bool flag  = false;
            bool flag1 = true;

            if (!isSecureTransportMode)
            {
                if (!this.negotiateServiceCredential)
                {
                    switch (this.clientCredentialType)
                    {
                    case MessageCredentialType.None:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                        goto Label0;
                    }

                    case MessageCredentialType.Windows:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateKerberosBindingElement();
                        flag = true;
                        goto Label0;
                    }

                    case MessageCredentialType.UserName:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                        goto Label0;
                    }

                    case MessageCredentialType.Certificate:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateMutualCertificateBindingElement();
                        goto Label0;
                    }

                    case MessageCredentialType.IssuedToken:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.CreateInfoCardParameters(flag1));
                        goto Label0;
                    }
                    }
                    Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
                    throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                else
                {
                    switch (this.clientCredentialType)
                    {
                    case MessageCredentialType.None:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                        goto Label0;
                    }

                    case MessageCredentialType.Windows:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                        goto Label0;
                    }

                    case MessageCredentialType.UserName:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                        goto Label0;
                    }

                    case MessageCredentialType.Certificate:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                        goto Label0;
                    }

                    case MessageCredentialType.IssuedToken:
                    {
                        securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.CreateInfoCardParameters(flag1), true);
                        goto Label0;
                    }
                    }
                    Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
                    throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
Label0:
                securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
            }
            else
            {
                switch (this.clientCredentialType)
                {
                case MessageCredentialType.None:
                {
                    throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0])));
                }

                case MessageCredentialType.Windows:
                {
                    securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                    break;
                }

                case MessageCredentialType.UserName:
                {
                    securityBindingElement1 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    break;
                }

                case MessageCredentialType.Certificate:
                {
                    securityBindingElement1 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                    break;
                }

                case MessageCredentialType.IssuedToken:
                {
                    securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.CreateInfoCardParameters(flag1));
                    break;
                }

                default:
                {
                    Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType");
                    throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                }
                securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true));
            }
            if (this.wasAlgorithmSuiteSet || !flag)
            {
                SecurityAlgorithmSuite algorithmSuite         = this.AlgorithmSuite;
                SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite;
                securityBindingElement1.DefaultAlgorithmSuite = algorithmSuite;
                securityBindingElement.DefaultAlgorithmSuite  = securityAlgorithmSuite;
            }
            else if (flag)
            {
                SecurityAlgorithmSuite basic128 = SecurityAlgorithmSuite.Basic128;
                SecurityAlgorithmSuite securityAlgorithmSuite1 = basic128;
                securityBindingElement1.DefaultAlgorithmSuite = basic128;
                securityBindingElement.DefaultAlgorithmSuite  = securityAlgorithmSuite1;
            }
            securityBindingElement.IncludeTimestamp        = true;
            securityBindingElement1.MessageSecurityVersion = version;
            securityBindingElement.MessageSecurityVersion  = version;
            if (isReliableSession)
            {
                securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = true;
                securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure  = true;
            }
            else
            {
                securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = false;
                securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure  = false;
            }
            if (this.IsSecureConversationEnabled())
            {
                securityBindingElement1.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15);
            }
            return(securityBindingElement);
        }
Exemplo n.º 13
0
        /// <summary>
        /// Creates a custom binding based on an example generated from svcutil.exe
        /// </summary>
        /// <param name="exeConfigPath"></param>
        /// <returns></returns>
        /// <remarks>
        /// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx
        /// </remarks>
        public static List <CustomBinding> GetCustomBindings(string exeConfigPath)
        {
            if (string.IsNullOrWhiteSpace(exeConfigPath))
            {
                return(null);
            }

            var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath);
            var configs    = new List <CustomBinding>();

            foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast <CustomBindingElement>())
            {
                var binding = new CustomBinding
                {
                    Name = section.Name,
                };
                var cfgSecurity = section[0] as SecurityElement;

                if (cfgSecurity == null)
                {
                    configs.Add(binding);
                    continue;
                }

                var mode = cfgSecurity.AuthenticationMode;
                var msgSecurityVersion   = cfgSecurity.MessageSecurityVersion;
                var issuedTokenParameter = new IssuedSecurityTokenParameters();
                if (cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters != null)
                {
                    foreach (var arp in cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters.Cast <XmlElementElement>())
                    {
                        issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement);
                    }
                }
                if (cfgSecurity.IssuedTokenParameters.Issuer?.Address != null)
                {
                    var address = cfgSecurity.IssuedTokenParameters.Issuer.Address;
                    var idElem  = cfgSecurity.IssuedTokenParameters.Issuer.Identity;

                    issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(address, idElem);
                }

                if (cfgSecurity.IssuedTokenParameters.Issuer?.Binding != null)
                {
                    issuedTokenParameter.IssuerBinding = GetBindingByName(cfgSecurity.IssuedTokenParameters.Issuer.Binding);
                }

                if (cfgSecurity.IssuedTokenParameters.IssuerMetadata?.Address != null)
                {
                    var address = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Address;
                    var idElem  = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Identity;
                    issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(address, idElem);
                }

                SecurityBindingElement securityElemnt;
                switch (mode)
                {
                case AuthenticationMode.IssuedTokenOverTransport:
                    securityElemnt =
                        SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.AnonymousForCertificate:
                    securityElemnt = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
                    break;

                case AuthenticationMode.AnonymousForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
                    break;

                case AuthenticationMode.CertificateOverTransport:
                    securityElemnt =
                        SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.IssuedToken:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.IssuedTokenForCertificate:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.IssuedTokenForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter);
                    break;

                case AuthenticationMode.Kerberos:
                    securityElemnt = SecurityBindingElement.CreateKerberosBindingElement();
                    break;

                case AuthenticationMode.KerberosOverTransport:
                    securityElemnt = SecurityBindingElement.CreateKerberosOverTransportBindingElement();
                    break;

                case AuthenticationMode.MutualCertificate:
                    securityElemnt = SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.MutualCertificateDuplex:
                    securityElemnt = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion);
                    break;

                case AuthenticationMode.MutualSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false);
                    break;

                case AuthenticationMode.SspiNegotiated:
                    securityElemnt = SecurityBindingElement.CreateSspiNegotiationBindingElement();
                    break;

                case AuthenticationMode.SspiNegotiatedOverTransport:
                    securityElemnt = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement();
                    break;

                case AuthenticationMode.UserNameForCertificate:
                    securityElemnt = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
                    break;

                case AuthenticationMode.UserNameForSslNegotiated:
                    securityElemnt = SecurityBindingElement.CreateUserNameForSslBindingElement();
                    break;

                case AuthenticationMode.UserNameOverTransport:
                    securityElemnt = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    break;

                default:
                    throw new NotImplementedException();
                }

                securityElemnt.AllowInsecureTransport  = cfgSecurity.AllowInsecureTransport;
                securityElemnt.DefaultAlgorithmSuite   = cfgSecurity.DefaultAlgorithmSuite;
                securityElemnt.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse;
                securityElemnt.IncludeTimestamp        = cfgSecurity.IncludeTimestamp;
                securityElemnt.MessageSecurityVersion  = cfgSecurity.MessageSecurityVersion;
                securityElemnt.KeyEntropyMode          = cfgSecurity.KeyEntropyMode;
                securityElemnt.ProtectTokens           = cfgSecurity.ProtectTokens;
                securityElemnt.SecurityHeaderLayout    = cfgSecurity.SecurityHeaderLayout;
                securityElemnt.SetKeyDerivation(cfgSecurity.RequireDerivedKeys);

                binding.Elements.Add(securityElemnt);
                configs.Add(binding);
            }

            return(configs);
        }