Exemplo n.º 1
0
        public static ClaimsIdentity CreateIdentityFromToken(this string token, X509Certificate2 certificate = null)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            var tokenHandler = new JwtSecurityTokenHandler();

            if (certificate != null)
            {
                var x509SecurityToken    = new X509SecurityToken(certificate);
                var validationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
                {
                    ValidAudience      = Audience,
                    IssuerSigningToken = x509SecurityToken,
                    ValidIssuer        = Issuer,
                };

                System.IdentityModel.Tokens.SecurityToken validatedToken;
                var claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
                return(claimsPrincipal.Identity as ClaimsIdentity);
            }
            var jwtToken = (JwtSecurityToken)tokenHandler.ReadToken(token);

            return(new ClaimsIdentity(jwtToken.Claims, Issuer, JwtRegisteredClaimNames.UniqueName, CustomClaimTypes.Task));
        }
Exemplo n.º 2
0
        public ReadyStatus Ready()
        {
            // Dump HTTP reqquest
            System.Web.HttpContext cntx = this.Context;
            cntx.Request.SaveAs(Server.MapPath("httpdump.txt"), true);

            // Verifies that a SOAP request was received.
            SoapContext requestContext = HttpSoapContext.RequestContext;

            if (requestContext == null)
            {
                throw new
                      ApplicationException("Either a non-SOAP request was " +
                                           "received or the WSE is not properly installed for " +
                                           "the Web application hosting the XML Web service.");
            }
            X509SecurityToken theToken = GetFirstX509Token(requestContext.Security);

            ReadyStatus r = new ReadyStatus();

            r.Status      = ReadyCode.Ready;
            r.Description = DescribeReadyCode(r.Status);

            return(r);
        }
Exemplo n.º 3
0
        // Requires Nuget-package System.IdentityModel.Tokens.Jwt
        private TokenValidationParameters CreateTokenValidationParameters()
        {
            //Can be retrieved dynamically x5c from /core/.well-known/jwks
            // Depending on performance, we may want to put the x5c value in config versus making a call to get it
            // every single time a wcf service call is made.
            HttpClient _client = new HttpClient();
            // Get Json Web Key from Identity Server
            string _jwks = _client.GetStringAsync(string.Format("{0}/core/.well-known/jwks", _identityServerUrl)).Result;

            // Parse as Json Object so it can be read
            JObject _jObject = JObject.Parse(_jwks);

            // The return value is a keys array with one element
            var _x5cArray = _jObject["keys"][0]["x5c"];

            // For some reason, the xc5 is stored as an array so the first element must be used to get the xc5 value
            // from the certificate
            string _x5c = (string)_x5cArray[0];

            var rawData           = Encoding.UTF8.GetBytes(_x5c);
            var x509Certificate2  = new X509Certificate2(rawData);
            var x509SecurityToken = new X509SecurityToken(x509Certificate2);

            var parameters = new TokenValidationParameters
            {
                ValidAudience      = string.Format("{0}/resources", _identityServerUrl),
                ValidIssuer        = _identityServerUrl,
                IssuerSigningToken = x509SecurityToken
            };

            return(parameters);
        }
        /// <summary>
        /// Gets the name of the issuer.
        /// </summary>
        /// <param name="securityToken">The security token.</param>
        /// <returns></returns>
        public override string GetIssuerName(SecurityToken securityToken)
        {
            if (securityToken == null)
            {
                Tracing.Error("SimpleIssuerNameRegistry: securityToken is null");
                throw new ArgumentNullException("securityToken");
            }

            X509SecurityToken token = securityToken as X509SecurityToken;

            if (token != null)
            {
                Tracing.Information("SimpleIssuerNameRegistry: X509 SubjectName: " + token.Certificate.SubjectName.Name);
                Tracing.Information("SimpleIssuerNameRegistry: X509 Thumbprint : " + token.Certificate.Thumbprint);
                return(token.Certificate.Thumbprint);
            }

            RsaSecurityToken token2 = securityToken as RsaSecurityToken;

            if (token2 == null)
            {
                throw new SecurityTokenException(securityToken.GetType().FullName);
            }

            Tracing.Information("SimpleIssuerNameRegistry: RSA Key: " + token2.Rsa.ToXmlString(false));
            return(token2.Rsa.ToXmlString(false));
        }
Exemplo n.º 5
0
        private void CallWebService(int a, int b, string url)
        {
            // Instantiate an instance of the web service proxy
            AddNumbers  serviceProxy   = new AddNumbers();
            SoapContext requestContext = serviceProxy.RequestSoapContext;

            // Get the Asymmetric key
            X509SecurityToken token = GetEncryptionToken();

            if (token == null)
            {
                throw new ApplicationException("No security token provided.");
            }

            // Add an EncryptedData element to the security collection
            // to encrypt the request.
            requestContext.Security.Elements.Add(new EncryptedData(token));
            if (url != null)
            {
                serviceProxy.Url = url;
            }

            // Call the service
            Console.WriteLine("Calling {0}", serviceProxy.Url);
            int sum = serviceProxy.AddInt(a, b);

            // Success!
            string message = string.Format("{0} + {1} = {2}", a, b, sum);

            Console.WriteLine("Web Service returned: {0}", message);
        }
 public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
     : base(parentAssertion.ServiceActor, true)
 {
     userToken      = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
     signatureToken = GetSecurityToken();
     sig            = new MessageSignature(signatureToken);
 }
Exemplo n.º 7
0
        public string DescribeReadyCode(ReadyCode code)
        {
            // Dump HTTP reqquest
            System.Web.HttpContext cntx = this.Context;
            cntx.Request.SaveAs(Server.MapPath("httpdump.txt"), true);

            // Verifies that a SOAP request was received.
            SoapContext requestContext = HttpSoapContext.RequestContext;

            if (requestContext == null)
            {
                throw new
                      ApplicationException("Either a non-SOAP request was " +
                                           "received or the WSE is not properly installed for " +
                                           "the Web application hosting the XML Web service.");
            }
            X509SecurityToken theToken = GetFirstX509Token(requestContext.Security);

            switch (code)
            {
            case ReadyCode.Ready:
                return("Systemet er klar til at modtage indberetningsklienten.");

            case ReadyCode.Error_CertificateExpired:
                return("Certifikatet er udløbet.");

            default:
            case ReadyCode.Error_Unknown:
                return("Ukendt fejl.");
            }
        }
Exemplo n.º 8
0
        private static X509SecurityToken RetrieveTokenFromStore(X509CertificateStore store, string keyIdentifier)
        {
            if (store == null)
            {
                throw new ArgumentNullException("store");
            }

            X509SecurityToken token = null;

            try
            {
                if (store.OpenRead())
                {
                    // Place the key ID of the certificate in a byte array
                    // This KeyID represents the Wse2Quickstart certificate included with the WSE 2.0 Quickstarts
                    // ClientBase64KeyId is defined in the ClientBase.AppBase class
                    X509CertificateCollection certs = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(keyIdentifier));

                    if (certs.Count > 0)
                    {
                        // Get the first certificate in the collection
                        token = new X509SecurityToken(((X509Certificate)certs[0]));
                    }
                }
            }
            finally
            {
                if (store != null)
                {
                    store.Close();
                }
            }

            return(token);
        }
Exemplo n.º 9
0
 private bool TryResolveTokenFromIntrinsicKeyClause(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
 {
     token = null;
     if (keyIdentifierClause is RsaKeyIdentifierClause)
     {
         token = new RsaSecurityToken(((RsaKeyIdentifierClause)keyIdentifierClause).Rsa);
         return(true);
     }
     if (keyIdentifierClause is X509RawDataKeyIdentifierClause)
     {
         token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()), false);
         return(true);
     }
     if (keyIdentifierClause is EncryptedKeyIdentifierClause)
     {
         SecurityToken token2;
         EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
         SecurityKeyIdentifier        encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier;
         if (base.TryResolveToken(encryptingKeyIdentifier, out token2))
         {
             token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, token2);
             return(true);
         }
     }
     return(false);
 }
 // callback from schannel
 private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain,
                                        SslPolicyErrors sslPolicyErrors)
 {
     if (_parent.RequireClientCertificate)
     {
         if (certificate == null)
         {
             Contract.Assert(certificate != null, "certificate MUST NOT be null");
             return(false);
         }
         // Note: add ref to handle since the caller will reset the cert after the callback return.
         X509Certificate2 certificate2 = new X509Certificate2(certificate.Handle);
         _clientCertificate = certificate2;
         try
         {
             SecurityToken token = new X509SecurityToken(certificate2, false);
             ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = _parent.ClientCertificateAuthenticator.ValidateToken(token);
             _clientSecurity = new SecurityMessageProperty();
             _clientSecurity.TransportToken         = new SecurityTokenSpecification(token, authorizationPolicies);
             _clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies);
         }
         catch (SecurityTokenException)
         {
             return(false);
         }
     }
     return(true);
 }
Exemplo n.º 11
0
        private static SigningCredentials SetSigningCredentials <T>(T contract) where T : SamlTokenContract
        {
            SigningCredentials signingCredentials;

            if (contract.UseRsa)
            {
                var rsa = contract.SigningCertificate.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null)
                {
                    throw new InvalidOperationException(
                              "Signing certificate must include private key for RSA signature.");
                }
                var rsaKey    = new RsaSecurityKey(rsa);
                var rsaClause = new RsaKeyIdentifierClause(rsa);
                var ski       = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
                signingCredentials = new SigningCredentials(rsaKey,
                                                            contract.AlgorithmSuite.DefaultAsymmetricSignatureAlgorithm,
                                                            contract.AlgorithmSuite.DefaultDigestAlgorithm, ski);
            }
            else
            {
                var clause =
                    new X509SecurityToken(contract.SigningCertificate)
                    .CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>();
                var ski = new SecurityKeyIdentifier(clause);
                signingCredentials = new X509SigningCredentials(contract.SigningCertificate, ski,
                                                                contract.AlgorithmSuite.DefaultAsymmetricSignatureAlgorithm,
                                                                contract.AlgorithmSuite.DefaultDigestAlgorithm);
            }
            return(signingCredentials);
        }
        void Context_PostAuthenticateRequest(object sender, EventArgs e)
        {
            var context = ((HttpApplication)sender).Context;

            // no need to call transformation if session already exists
            if (FederatedAuthentication.SessionAuthenticationModule != null &&
                FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(context.Request.Cookies))
            {
                return;
            }

            var transformer = FederatedAuthentication.ServiceConfiguration.ClaimsAuthenticationManager;

            if (transformer != null)
            {
                var principal = context.User as ClaimsPrincipal;

                if (context.Request.ClientCertificate.IsPresent && context.Request.ClientCertificate.IsValid)
                {
                    var cert   = new X509Certificate2(context.Request.ClientCertificate.Certificate);
                    var token  = new X509SecurityToken(cert);
                    var certId = new HttpsSecurityTokenHandler().ValidateToken(token).First();

                    principal.Identities.Add(certId);
                }

                var transformedPrincipal = transformer.Authenticate(context.Request.RawUrl, principal);

                context.User            = transformedPrincipal;
                Thread.CurrentPrincipal = transformedPrincipal;
            }
        }
Exemplo n.º 13
0
        private static bool Matches(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey key, CertMatcher certMatcher, out SecurityToken token)
        {
            token = null;
            if (certMatcher != null)
            {
                X509SecurityKey x509Key = key as X509SecurityKey;
                if (x509Key != null)
                {
                    if (certMatcher(x509Key.Certificate))
                    {
                        token = new X509SecurityToken(x509Key.Certificate);
                        return(true);
                    }
                }
                else
                {
                    X509AsymmetricSecurityKey x509AsymmKey = key as X509AsymmetricSecurityKey;
                    if (x509AsymmKey != null)
                    {
                        X509Certificate2 cert = _certFieldInfo.GetValue(x509AsymmKey) as X509Certificate2;
                        if (cert != null && certMatcher(cert))
                        {
                            token = new X509SecurityToken(cert);
                            return(true);
                        }
                    }
                }
            }

            return(false);
        }
        private Saml2Assertion CreateSamlAssertionWithSymmetricKey(BinarySecretSecurityToken proofToken)
        {
            X509SecurityToken           x509SecurityToken           = new X509SecurityToken(base.ClientCredentials.ClientCertificate.Certificate);
            X509SecurityToken           x509SecurityToken2          = new X509SecurityToken(base.ClientCredentials.ServiceCertificate.DefaultCertificate);
            SecurityKey                 signatureKey                = x509SecurityToken.SecurityKeys[0];
            SecurityKeyIdentifierClause securityKeyIdentifierClause = x509SecurityToken.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
            SecurityKeyIdentifier       signatureKeyIdentifier      = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
            {
                securityKeyIdentifierClause
            });
            SecurityKey securityKey = x509SecurityToken2.SecurityKeys[0];
            SecurityKeyIdentifierClause securityKeyIdentifierClause2 = x509SecurityToken2.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
            SecurityKeyIdentifier       encryptingKeyIdentifier      = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
            {
                securityKeyIdentifierClause2
            });

            byte[] keyBytes     = proofToken.GetKeyBytes();
            byte[] encryptedKey = securityKey.EncryptKey(base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, keyBytes);
            SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
            {
                new EncryptedKeyIdentifierClause(encryptedKey, base.SecurityAlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptingKeyIdentifier)
            });

            return(this.CreateSamlAssertion(signatureKey, signatureKeyIdentifier, proofKeyIdentifier));
        }
 public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
     : base(parentAssertion.ServiceActor, true)
 {
     userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
     signatureToken = GetSecurityToken();
     sig = new MessageSignature(signatureToken);
 }
Exemplo n.º 16
0
        SspiNegotiationTokenProviderState CreateTlsSspiState(X509SecurityToken token)
        {
            X509Certificate2 clientCertificate;

            if (token == null)
            {
                clientCertificate = null;
            }
            else
            {
                clientCertificate = token.Certificate;
            }
            TlsSspiNegotiation tlsNegotiation = null;

            if (LocalAppContextSwitches.DisableUsingServicePointManagerSecurityProtocols)
            {
                tlsNegotiation = new TlsSspiNegotiation(String.Empty, SchProtocols.Ssl3Client | SchProtocols.TlsClient, clientCertificate);
            }
            else
            {
                var protocol = (SchProtocols)System.Net.ServicePointManager.SecurityProtocol & SchProtocols.ClientMask;
                tlsNegotiation = new TlsSspiNegotiation(String.Empty, protocol, clientCertificate);
            }
            return(new SspiNegotiationTokenProviderState(tlsNegotiation));
        }
Exemplo n.º 17
0
            static void GetTokensCallback(IAsyncResult result)
            {
                if (result.CompletedSynchronously)
                {
                    return;
                }
                CreateSspiStateAsyncResult typedResult = (CreateSspiStateAsyncResult)result.AsyncState;

                try
                {
                    SecurityToken     token       = typedResult.tlsTokenProvider.ClientTokenProvider.EndGetToken(result);
                    X509SecurityToken clientToken = TlsnegoTokenProvider.ValidateToken(token);
                    typedResult.sspiState = typedResult.tlsTokenProvider.CreateTlsSspiState(clientToken);
                    typedResult.Complete(false);
                }
                catch (Exception e)
                {
                    if (Fx.IsFatal(e))
                    {
                        throw;
                    }

                    typedResult.Complete(false, e);
                }
            }
Exemplo n.º 18
0
        protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
        {
            TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;

            if (tlsNegotiation.IsValidContext == false)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
            }
            X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate;

            if (serverCert == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided)));
            }
            ReadOnlyCollection <IAuthorizationPolicy> authzPolicies;

            if (this.ServerTokenAuthenticator != null)
            {
                X509SecurityToken certToken = new X509SecurityToken(serverCert, false);
                authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken);
            }
            else
            {
                authzPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
            }
            return(authzPolicies);
        }
 // callback from schannel
 bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain,
                                SslPolicyErrors sslPolicyErrors)
 {
     if (parent.RequireClientCertificate)
     {
         if (certificate == null)
         {
             return(false);
         }
         // Note: add ref to handle since the caller will reset the cert after the callback return.
         X509Certificate2 certificate2 = new X509Certificate2(certificate);
         clientCertificate = certificate2;
         try
         {
             SecurityToken token = new X509SecurityToken(certificate2, false);
             ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = parent.ClientCertificateAuthenticator.ValidateToken(token);
             clientSecurity = new SecurityMessageProperty();
             clientSecurity.TransportToken         = new SecurityTokenSpecification(token, authorizationPolicies);
             clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies);
         }
         catch (SecurityTokenException e)
         {
             DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
             return(false);
         }
     }
     return(true);
 }
Exemplo n.º 20
0
        public WsTrustClientMessageInspector(ClientCredentials clientCredentials)

        {
            // Reusing the WCF tokens as there is a built-in serializer for those.

            if (clientCredentials.ClientCertificate.Certificate != null)

            {
                string tokenId = CreateElementId(SECURITY_TOKEN_ID_PREFIX);



                _certificateToken = new X509SecurityToken(

                    clientCredentials.ClientCertificate.Certificate,

                    tokenId);
            }



            if (clientCredentials.UserName.UserName != null)

            {
                string tokenId = CreateElementId(SECURITY_TOKEN_ID_PREFIX);

                _userNameToken = new UserNameSecurityToken(

                    clientCredentials.UserName.UserName,

                    clientCredentials.UserName.Password,

                    tokenId);
            }
        }
 public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
     : base(parentAssertion.ServiceActor, true)
 {
     X509Certificate2 solutionCertificate = parentAssertion.SolutionCertificate;
     solutionCertificateToken = new X509SecurityToken(solutionCertificate);
     sig = new MessageSignature(solutionCertificateToken);
 }
Exemplo n.º 22
0
        private XmlElement GetKeyIdentifierClause(X509SecurityToken certToken)

        {
            using (XmlDocumentWriterHelper documentWriterHelper = new XmlDocumentWriterHelper())

            {
                // The key is located in the same XML document, so referencing that

                // with a local key identifier.

                var keyIdentifierClause =

                    certToken.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();

                Debug.Assert(keyIdentifierClause != null);



                _tokenSerializer.WriteKeyIdentifierClause(

                    documentWriterHelper.CreateDocumentWriter(), keyIdentifierClause);



                XmlDocument xmlDocument = documentWriterHelper.ReadDocument();



                return(xmlDocument.DocumentElement);
            }
        }
 private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
 {
     if (this.parent.RequireClientCertificate)
     {
         if (certificate == null)
         {
             if (DiagnosticUtility.ShouldTraceError)
             {
                 TraceUtility.TraceEvent(TraceEventType.Error, 0x4002d, System.ServiceModel.SR.GetString("TraceCodeSslClientCertMissing"), this);
             }
             return(false);
         }
         X509Certificate2 certificate2 = new X509Certificate2(certificate);
         this.clientCertificate = certificate2;
         try
         {
             SecurityToken token = new X509SecurityToken(certificate2, false);
             ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.parent.ClientCertificateAuthenticator.ValidateToken(token);
             this.clientSecurity = new SecurityMessageProperty();
             this.clientSecurity.TransportToken         = new SecurityTokenSpecification(token, tokenPolicies);
             this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
         }
         catch (SecurityTokenException exception)
         {
             if (DiagnosticUtility.ShouldTraceInformation)
             {
                 DiagnosticUtility.ExceptionUtility.TraceHandledException(exception, TraceEventType.Information);
             }
             return(false);
         }
     }
     return(true);
 }
Exemplo n.º 24
0
        private void InitializeServiceProxy()
        {
            // Create NodalService proxy reference
            _ercotClient = new NodalService();

            // Load cert and sign SOAP message
            // clientCert = new X509Certificate2(@"C:\Projects\ErcotAPITestWS\ErcotAPITest\Cert\API_103_CERT.pfx", "a1e5i9");
            _clientCert      = new X509Certificate2(CLIENT_CERT_PATH, CLIENT_CERT_PASSWORD);
            _ercotMisApiCert = new X509Certificate2(@"C:\Projects\ErcotAPITestWS\ErcotAPITest\Cert\misapi.cer");

            _ercotClient.ClientCertificates.Add(_clientCert);
            _ercotClient.ClientCertificates.Add(_ercotMisApiCert);

            _context = _ercotClient.RequestSoapContext;
            _token   = new X509SecurityToken(_clientCert);
            _token2  = new X509SecurityToken(_ercotMisApiCert);
            //These are obsolete but necessary since they use old technology
            _context.Security.Tokens.Add(_token);
            _context.Security.Tokens.Add(_token2);
            _context.Security.Elements.Add(new MessageSignature(_token));


            //Set TLS1.2 protocol
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

            // Handle service reply with a callback method
            _ercotClient.MarketInfoCompleted += this.ErcotClient_MarketInfoCompleted;
        }
Exemplo n.º 25
0
        private void CallWebService(int a, int b, string url)
        {
            // Instantiate an instance of the web service proxy
            AddNumbers  serviceProxy   = new AddNumbers();
            SoapContext requestContext = serviceProxy.RequestSoapContext;

            // Get our security token
            X509SecurityToken token = GetSecurityToken();

            if (token == null)
            {
                throw new ApplicationException("No key provided for signature.");
            }

            // Add the signature element to a security section on the request
            // to sign the request
            requestContext.Security.Tokens.Add(token);
            requestContext.Security.Elements.Add(new MessageSignature(token));

            //requestContext.Timestamp.Ttl = 6000000;
            // Call the service
            if (url != null)
            {
                serviceProxy.Url = url;
            }
            Console.WriteLine("Calling {0}", serviceProxy.Url);
            int sum = serviceProxy.AddInt(a, b);

            // Success!
            string message = string.Format("{0} + {1} = {2}", a, b, sum);

            Console.WriteLine("Web Service returned: {0}", message);
        }
Exemplo n.º 26
0
        private X509SecurityToken getToken(string which)
        {
            X509SecurityToken    token = null;
            X509CertificateStore store = null;

            string serverKeyIdentifier = "bBwPfItvKp3b6TNDq+14qs58VJQ=";             //"po3h4Y4J8ITs/pW3acuRjpT8V1o=";
            string clientKeyIdentifier = "gBfo0147lM6cKnTbbMSuMVvmFY4=";             //"Gu4aD7+bYTVtmSveoPIWTRtzD3M=";

            //string serverKeyIdentifier = "po3h4Y4J8ITs/pW3acuRjpT8V1o=";
            //string clientKeyIdentifier = "Gu4aD7+bYTVtmSveoPIWTRtzD3M=";

            store = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
            store.OpenRead();
            X509CertificateCollection coll;

            if (which == "server")
            {
                coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(serverKeyIdentifier));
            }
            else
            {
                coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(clientKeyIdentifier));
            }

            if (coll.Count > 0)
            {
                X509Certificate cert = (X509Certificate)coll[0];
                RSA             rsa  = cert.Key;
                token = new X509SecurityToken(cert);
            }
            return(token);
        }
        // callback from schannel
        private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain,
                                               SslPolicyErrors sslPolicyErrors)
        {
            if (_parent.RequireClientCertificate)
            {
                if (certificate == null)
                {
                    return(false);
                }
                // Note: add ref to handle since the caller will reset the cert after the callback return.
                X509Certificate2 certificate2 = new X509Certificate2(certificate);
                _clientCertificate = certificate2;
                try
                {
                    SecurityToken token = new X509SecurityToken(certificate2, false);
                    ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
                    var validationValueTask = _parent.ClientCertificateAuthenticator.ValidateTokenAsync(token);
                    authorizationPolicies = validationValueTask.IsCompleted
                        ? validationValueTask.Result
                        : validationValueTask.AsTask().GetAwaiter().GetResult();

                    _clientSecurity = new SecurityMessageProperty
                    {
                        TransportToken         = new SecurityTokenSpecification(token, authorizationPolicies),
                        ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies)
                    };
                }
                catch (SecurityTokenException e)
                {
                    DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
                    return(false);
                }
            }
            return(true);
        }
Exemplo n.º 28
0
        // This method determines the security token that contains the key material that
        // the STS should encrypt a session key with in order
        // for the service the issued token is intended for to be able to extract that session key
        private SecurityToken GetEncryptingToken(Gudge.Samples.Security.RSTRSTR.RequestSecurityToken rst)
        {
            // If rst is null, we're toast
            if (rst == null)
            {
                throw new ArgumentNullException("rst");
            }

            // Set encryptingToken to null
            SecurityToken encryptingToken = null;

            // ... Open the LocalMachine store in My for read-only access
            X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);

            store.Open(OpenFlags.ReadOnly);

            // Find the "localhost" cert ...
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (cert.SubjectName.Name == "CN=RPKey")
                {
                    // ... and set encryptingToken to that cert
                    encryptingToken = new X509SecurityToken(cert);
                    break;
                }
            }

            // Don't forget to close the store
            store.Close();

            // return the token
            return(encryptingToken);
        }
Exemplo n.º 29
0
        // This method determines the security token that contains the key material that
        // the STS should sign the issued token with in order
        // for the service the issued token is intended for to trust that token
        private SecurityToken GetSigningToken()
        {
            // Set signingCert to null
            SecurityToken signingToken = null;

            // ... Open the LocalMachine store in My for read-only access
            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

            store.Open(OpenFlags.ReadOnly);

            // Find the "STS" cert ...
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (cert.SubjectName.Name == "CN=IPKey")
                {
                    // ... and set signingCert to that cert
                    signingToken = new X509SecurityToken(cert);
                    break;
                }
            }

            // Don't forget to close the store
            store.Close();

            // return the token
            return(signingToken);
        }
Exemplo n.º 30
0
        public override string GetIssuerName(SecurityToken securityToken)
        {
            if (securityToken == null)
            {
                throw new ArgumentNullException("securityToken");
            }
            X509SecurityToken token = securityToken as X509SecurityToken;

            if (token != null)
            {
                string thumbprint = token.Certificate.Thumbprint;

                if (this._configuredTrustedIssuers.ContainsKey(thumbprint))
                {
                    string str2 = this._configuredTrustedIssuers[thumbprint];
                    str2 = string.IsNullOrEmpty(str2) ? token.Certificate.Subject : str2;
                    return(str2);
                }


                throw new KeyNotFoundException(string.Format("Could not find Thumbprint '{0}' in trusted issuers list : {1}  :: Char Codes {2} vs {3}", thumbprint, string.Join(",", _configuredTrustedIssuers.Keys.ToArray <string>()), SamlHelpers.ToCompositeString(thumbprint), SamlHelpers.ToCompositeString(string.Join(",", _configuredTrustedIssuers.Keys.ToArray <string>()))));
            }

            //Throw our own exception to make it easier to debug
            throw new ArgumentException("Unable to validate token issuer the provided token was not a X509SecurityToken; cant determine the thumbprint to match", "securityToken");
        }
Exemplo n.º 31
0
        protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
        {
            X509SecurityToken x509Token = (X509SecurityToken)token;

            this.validator.Validate(x509Token.Certificate);

            X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle);

            if (!this.mapToWindows)
            {
                return(SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo));
            }

            WindowsClaimSet windowsClaimSet;

            if (token is X509WindowsSecurityToken)
            {
                windowsClaimSet = new WindowsClaimSet(((X509WindowsSecurityToken)token).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle);
            }
            else
            {
                // Ensure NT_AUTH chain policy for certificate account mapping
                X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);

                WindowsIdentity windowsIdentity = null;
                // for Vista, LsaLogon supporting mapping cert to NTToken
                if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber)
                {
                    windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
                }
                else
                {
                    // Downlevel, S4U over PrincipalName SubjectAltNames
                    string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false);
                    if (string.IsNullOrEmpty(name))
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping,
                                                                                                                                    SecurityUtils.GetCertificateId(x509Token.Certificate))));
                    }

                    using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap))
                    {
                        // This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it.
                        windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap);
                    }
                }

                windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
            }
            List <ClaimSet> claimSets = new List <ClaimSet>(2);

            claimSets.Add(windowsClaimSet);
            claimSets.Add(x509ClaimSet);

            List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1);

            policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo));
            return(policies.AsReadOnly());
        }
Exemplo n.º 32
0
    public override string GetIssuerName(SecurityToken securityToken)
    {
        X509SecurityToken x509Token = securityToken as X509SecurityToken;

        if (x509Token != null)
        {
            // The following check is to allow only trusted issuers of the STS token
            if (String.Equals(x509Token.Certificate.SubjectName.Name, "CN=localhost"))
            {
                return(x509Token.Certificate.SubjectName.Name);
            }

            // The following check is to allow only trusted issuers for the client certificate.
            if (HttpContext.Current != null && HttpContext.Current.Request != null && HttpContext.Current.Request.ClientCertificate != null &&
                HttpContext.Current.Request.ClientCertificate.IsPresent && HttpContext.Current.Request.ClientCertificate.IsValid)
            {
                X509Certificate2 clientCertificate = new X509Certificate2(HttpContext.Current.Request.ClientCertificate.Certificate);

                // Get the issuer of the client certificate
                X509Chain chain = new X509Chain();
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.Build(clientCertificate);
                X509ChainElementCollection elements = chain.ChainElements;

                X509Certificate2 issuerCert = null;
                if (elements.Count > 1)
                {
                    issuerCert = elements[1].Certificate;
                }
                else
                {
                    // This is a self-issued certificate.
                    issuerCert = clientCertificate;
                }

                string issuerCertThumbprint = issuerCert.Thumbprint;

                // Reset the state of the certificate and free resources associated with it.
                for (int i = 1; i < elements.Count; ++i)
                {
                    elements[i].Certificate.Reset();
                }

                // The implementation below currently accepts all client certificates and returns the SubjectName as the issuer name. This is intended only for illustration purposes.
                // In production, consider doing additional validation based on the issuer of the client certificate to return an appropriate issuer name.
                // DO NOT use this sample code ‘as is’ in production code.

                // Ensure that the issuer of the client certificate as obtained from the transport, matches the issuer token passed in to this method.
                if (!StringComparer.Ordinal.Equals(issuerCertThumbprint, x509Token.Certificate.Thumbprint))
                {
                    throw new SecurityTokenException("Issuer of the client certificate as obtained from the transport does not match the issuer token passed in to this method.");
                }

                return(x509Token.Certificate.SubjectName.Name);
            }
        }

        throw new SecurityTokenException("Untrusted issuer.");
    }
Exemplo n.º 33
0
        public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
            : base(parentAssertion.ServiceActor, true)
        {
            String username = parentAssertion.username;
            String password = parentAssertion.password;

            userToken = new UsernameToken(username.Trim(), password.Trim(), PasswordOption.SendPlainText);
            signatureToken = GetSecurityToken("CN=TestSSSCert");
            sig = new MessageSignature(signatureToken);
        }
 public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
     : base(parentAssertion.ServiceActor, true)
 {
     if (parentAssertion.BinaryToken == null)
     {
         userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
         signatureToken = GetSecurityToken();
         parentAssertion.SecurityToken = signatureToken;
     }
     else
     {
         issuedToken = new IssuedToken(parentAssertion.BinaryToken);
         signatureToken = parentAssertion.SecurityToken;
         samlAssertionId = parentAssertion.BinaryToken.Attributes.GetNamedItem("ID").Value;
     }
     sig = new MessageSignature(signatureToken);
 }
 public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
     : base(parentAssertion.ServiceActor, true)
 {
     signatureToken = GetSecurityToken();
     sig = new MessageSignature(signatureToken);
 }
        /// <summary>
        /// Returns the X.509 SecurityToken that will be used to encrypt the
        /// messages.
        /// </summary>
        /// <returns>Returns </returns>
        public X509SecurityToken GetEncryptionToken()
        {
            X509SecurityToken token = null;
            //
            // The certificate for the target receiver should have been imported
            // into the "My" certificate store. This store is listed as "Personal"
            // in the Certificate Manager
            //
            X509CertificateStore store = X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
            bool open = store.OpenRead();

            try
            {
                //
                // Open a dialog to allow user to select the certificate to use
                //
                StoreDialog dialog = new StoreDialog(store);
                X509Certificate cert = dialog.SelectCertificate(IntPtr.Zero, "Select Certificate", "Choose a Certificate below for encrypting.");
                if (cert == null)
                {
                    throw new ApplicationException("You chose not to select an X509 certificate for encrypting your messages.");
                }
                else if (!cert.SupportsDataEncryption)
                {
                    throw new ApplicationException("The certificate must support key encipherment.");
                }
                else
                {
                    token = new X509SecurityToken(cert);
                }
            }
            finally
            {
                if (store != null) { store.Close(); }
            }

            return token;
        }
Exemplo n.º 37
0
        /// <summary>
        ///  This method is used to extract the security token from certificate 
        /// </summary>
        /// <param name="subjectName">string</param>   
        internal static X509SecurityToken GetSecurityToken(string subjectName)
        {
            X509SecurityToken securityToken = null;
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

            X509Certificate2 certToBeAdded = new X509Certificate2(ValidateTokenSample.Properties.Resources._1234);
            store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadWrite);
            store.Add(certToBeAdded);

            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, false);
                X509Certificate2 cert;
                if (certs.Count == 1)
                {
                    cert = certs[0];
                    securityToken = new X509SecurityToken(cert);
                }
                else
                {
                    securityToken = null;
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
            finally
            {
                if (store != null)
                    store.Close();
            }
            return securityToken;
        }
Exemplo n.º 38
0
        private X509SecurityToken getToken(string which)
        {
            X509SecurityToken token = null;
            X509CertificateStore store = null;

            string serverKeyIdentifier = "bBwPfItvKp3b6TNDq+14qs58VJQ="; //"po3h4Y4J8ITs/pW3acuRjpT8V1o=";
            string clientKeyIdentifier = "gBfo0147lM6cKnTbbMSuMVvmFY4="; //"Gu4aD7+bYTVtmSveoPIWTRtzD3M=";

            //string serverKeyIdentifier = "po3h4Y4J8ITs/pW3acuRjpT8V1o=";
            //string clientKeyIdentifier = "Gu4aD7+bYTVtmSveoPIWTRtzD3M=";

            store = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
            store.OpenRead();
            X509CertificateCollection coll;

            if (which == "server") {
                coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(serverKeyIdentifier));
            } else {
                coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(clientKeyIdentifier));
            }

            if (coll.Count > 0) {
                X509Certificate cert = (X509Certificate) coll[0];
                RSA rsa = cert.Key;
                token = new X509SecurityToken(cert);
            }
            return token;
        }
      private static X509SecurityToken RetrieveTokenFromStore (X509CertificateStore store, string keyIdentifier) 
	{
	  if (store == null)
	    throw new ArgumentNullException ("store");
	  X509SecurityToken token = null;
	  try 
	    {
	      if (store.OpenRead ())
		{
		  // Place the key ID of the certificate in a byte array
		  // This KeyID represents the Wse2Quickstart certificate included with the WSE 2.0 Quickstarts
		  // ClientBase64KeyId is defined in the ClientBase.AppBase class
		  X509CertificateCollection certs =
		      store.FindCertificateByKeyIdentifier (Convert.FromBase64String (keyIdentifier));
		  if (certs.Count > 0)

		    {
		      // Get the first certificate in the collection
		      token = new X509SecurityToken (((X509Certificate) certs[0]));
		    }
		}
	    }
	  finally 
	    {
	      if (store != null)
		store.Close ();
	    }
	  return token;
	}
Exemplo n.º 40
0
      /// <summary>
      /// Gets the security token for signing messages.
      /// </summary>
      /// <returns>Returns </returns>
      public X509SecurityToken GetSecurityToken()
	{
	  X509SecurityToken securityToken;
	  //
	  // open the current user's certificate store
	  //
	  X509CertificateStore store = X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
	  bool open = store.OpenRead();

	  try
	    {
	      //
	      // Open a dialog to allow user to select the certificate to use
	      //
	      StoreDialog dialog = new StoreDialog(store);
	      X509Certificate cert = dialog.SelectCertificate(IntPtr.Zero, "Select Certificate", "Choose a Certificate below for signing.");
	      if (cert == null)
		{
		  throw new ApplicationException("You chose not to select an X509 certificate for signing your messages.");
		}
	      else if (!cert.SupportsDigitalSignature)
		{
		  throw new ApplicationException("The certificate must support digital signatures and have a private key available.");
		}
	      else
		{
		  securityToken = new X509SecurityToken(cert);
		}
	    }
	  finally
	    {
	      if (store != null) { store.Close(); }
	    }
	  return securityToken;
	}