public void SignaturesMatchKnownGood() {
			Protocol protocol = Protocol.V20;
			var settings = new ProviderSecuritySettings();
			var store = new AssociationMemoryStore<AssociationRelyingPartyType>();
			byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
			Association association = HmacShaAssociation.Create("mock", associationSecret, TimeSpan.FromDays(1));
			store.StoreAssociation(AssociationRelyingPartyType.Smart, association);
			SigningBindingElement signer = new SigningBindingElement(store, settings);
			signer.Channel = new TestChannel(this.MessageDescriptions);

			IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
			ITamperResistantOpenIdMessage signedMessage = message;
			message.ProviderEndpoint = new Uri("http://provider");
			signedMessage.UtcCreationDate = DateTime.Parse("1/1/2009");
			signedMessage.AssociationHandle = association.Handle;
			Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
			Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
		}
		public void SignaturesMatchKnownGood() {
			Protocol protocol = Protocol.V20;
			var settings = new ProviderSecuritySettings();
			var cryptoStore = new MemoryCryptoKeyStore();
			byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
			string handle = "mock";
			cryptoStore.StoreKey(ProviderAssociationKeyStorage.SharedAssociationBucket, handle, new CryptoKey(associationSecret, DateTime.UtcNow.AddDays(1)));

			var store = new ProviderAssociationKeyStorage(cryptoStore);
			SigningBindingElement signer = new SigningBindingElement(store, settings);
			signer.Channel = new TestChannel(this.MessageDescriptions);

			IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
			ITamperResistantOpenIdMessage signedMessage = message;
			message.ProviderEndpoint = new Uri("http://provider");
			signedMessage.UtcCreationDate = DateTime.Parse("1/1/2009");
			signedMessage.AssociationHandle = handle;
			Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
			Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
		}
		public void SignedResponsesIncludeExtraDataInSignature() {
			Protocol protocol = Protocol.Default;
			SigningBindingElement sbe = new SigningBindingElement(new AssociationMemoryStore<AssociationRelyingPartyType>(), new ProviderSecuritySettings());
			sbe.Channel = new TestChannel(this.MessageDescriptions);
			IndirectSignedResponse response = new IndirectSignedResponse(protocol.Version, RPUri);
			response.ReturnTo = RPUri;
			response.ProviderEndpoint = OPUri;

			response.ExtraData["someunsigned"] = "value";
			response.ExtraData["openid.somesigned"] = "value";

			Assert.IsNotNull(sbe.ProcessOutgoingMessage(response));
			ITamperResistantOpenIdMessage signedResponse = (ITamperResistantOpenIdMessage)response;

			// Make sure that the extra parameters are signed.
			// Since the signing algorithm only allows for signing parameters that start with
			// 'openid.', other parameters should not be signed.
			Assert.IsNotNull(signedResponse.SignedParameterOrder);
			string[] signedParameters = signedResponse.SignedParameterOrder.Split(',');
			Assert.IsTrue(signedParameters.Contains("somesigned"));
			Assert.IsFalse(signedParameters.Contains("someunsigned"));
		}
Exemplo n.º 4
0
        private static IChannelBindingElement[] InitializeBindingElements <T>(IAssociationStore <T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings, bool nonVerifying)
        {
            Contract.Requires <ArgumentNullException>(securitySettings != null);
            Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);

            var rpSecuritySettings = securitySettings as RelyingPartySecuritySettings;
            var opSecuritySettings = securitySettings as ProviderSecuritySettings;

            ErrorUtilities.VerifyInternal(rpSecuritySettings != null || opSecuritySettings != null, "Expected an RP or OP security settings instance.");
            ErrorUtilities.VerifyInternal(!nonVerifying || rpSecuritySettings != null, "Non-verifying channels can only be constructed for relying parties.");
            bool isRelyingPartyRole = rpSecuritySettings != null;

            var rpAssociationStore = associationStore as IAssociationStore <Uri>;
            var opAssociationStore = associationStore as IAssociationStore <AssociationRelyingPartyType>;

            ErrorUtilities.VerifyInternal(isRelyingPartyRole || opAssociationStore != null, "Providers MUST have an association store.");

            SigningBindingElement signingElement;

            if (isRelyingPartyRole)
            {
                signingElement = nonVerifying ? null : new SigningBindingElement(rpAssociationStore);
            }
            else
            {
                signingElement = new SigningBindingElement(opAssociationStore, opSecuritySettings);
            }

            var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

            List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);

            elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));
            if (isRelyingPartyRole)
            {
                elements.Add(new RelyingPartySecurityOptions(rpSecuritySettings));
                elements.Add(new BackwardCompatibilityBindingElement());
                ReturnToNonceBindingElement requestNonceElement = null;

                if (associationStore != null)
                {
                    if (nonceStore != null)
                    {
                        // There is no point in having a ReturnToNonceBindingElement without
                        // a ReturnToSignatureBindingElement because the nonce could be
                        // artificially changed without it.
                        requestNonceElement = new ReturnToNonceBindingElement(nonceStore, rpSecuritySettings);
                        elements.Add(requestNonceElement);
                    }

                    // It is important that the return_to signing element comes last
                    // so that the nonce is included in the signature.
                    elements.Add(new ReturnToSignatureBindingElement(rpAssociationStore, rpSecuritySettings));
                }

                ErrorUtilities.VerifyOperation(!rpSecuritySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
            }
            else
            {
                // Providers must always have a nonce store.
                ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
            }

            if (nonVerifying)
            {
                elements.Add(new SkipSecurityBindingElement());
            }
            else
            {
                if (nonceStore != null)
                {
                    elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
                }

                elements.Add(new StandardExpirationBindingElement());
                elements.Add(signingElement);
            }

            return(elements.ToArray());
        }
Exemplo n.º 5
0
        /// <summary>
        /// Initializes the binding elements.
        /// </summary>
        /// <typeparam name="T">The distinguishing factor used by the association store.</typeparam>
        /// <param name="associationStore">The association store.</param>
        /// <param name="nonceStore">The nonce store to use.</param>
        /// <param name="securitySettings">The security settings to apply.  Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or <see cref="ProviderSecuritySettings"/>.</param>
        /// <returns>
        /// An array of binding elements which may be used to construct the channel.
        /// </returns>
        private static IChannelBindingElement[] InitializeBindingElements <T>(IAssociationStore <T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings)
        {
            ErrorUtilities.VerifyArgumentNotNull(securitySettings, "securitySettings");

            var rpSecuritySettings = securitySettings as RelyingPartySecuritySettings;
            var opSecuritySettings = securitySettings as ProviderSecuritySettings;

            ErrorUtilities.VerifyInternal(rpSecuritySettings != null || opSecuritySettings != null, "Expected an RP or OP security settings instance.");
            bool isRelyingPartyRole = rpSecuritySettings != null;

            var rpAssociationStore = associationStore as IAssociationStore <Uri>;
            var opAssociationStore = associationStore as IAssociationStore <AssociationRelyingPartyType>;

            ErrorUtilities.VerifyInternal(isRelyingPartyRole || opAssociationStore != null, "Providers MUST have an association store.");

            SigningBindingElement signingElement;

            if (isRelyingPartyRole)
            {
                signingElement = new SigningBindingElement(rpAssociationStore);
            }
            else
            {
                signingElement = new SigningBindingElement(opAssociationStore, opSecuritySettings);
            }

            List <IChannelBindingElement> elements = new List <IChannelBindingElement>(7);

            if (isRelyingPartyRole)
            {
                elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), rpSecuritySettings));
                elements.Add(new BackwardCompatibilityBindingElement());

                if (associationStore != null)
                {
                    if (nonceStore != null)
                    {
                        // There is no point in having a ReturnToNonceBindingElement without
                        // a ReturnToSignatureBindingElement because the nonce could be
                        // artificially changed without it.
                        elements.Add(new ReturnToNonceBindingElement(nonceStore));
                    }

                    // It is important that the return_to signing element comes last
                    // so that the nonce is included in the signature.
                    elements.Add(new ReturnToSignatureBindingElement(rpAssociationStore, rpSecuritySettings));
                }
            }
            else
            {
                elements.Add(new ExtensionsBindingElement(new OpenIdExtensionFactory(), opSecuritySettings));

                // Providers must always have a nonce store.
                ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
            }

            if (nonceStore != null)
            {
                elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
            }

            elements.Add(new StandardExpirationBindingElement());
            elements.Add(signingElement);

            return(elements.ToArray());
        }
Exemplo n.º 6
0
		/// <summary>
		/// Initializes the binding elements.
		/// </summary>
		/// <param name="cryptoKeyStore">The OpenID Provider's crypto key store.</param>
		/// <param name="nonceStore">The nonce store to use.</param>
		/// <param name="securitySettings">The security settings to apply.  Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or <see cref="ProviderSecuritySettings"/>.</param>
		/// <returns>
		/// An array of binding elements which may be used to construct the channel.
		/// </returns>
		private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
			Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
			Contract.Requires<ArgumentNullException>(securitySettings != null);
			Contract.Requires<ArgumentNullException>(nonceStore != null);

			SigningBindingElement signingElement;
			signingElement = new SigningBindingElement(cryptoKeyStore, securitySettings);

			var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

			List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8);
			elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));
			elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
			elements.Add(new StandardExpirationBindingElement());
			elements.Add(signingElement);

			return elements.ToArray();
		}