Пример #1
0
        /// <summary>
        /// Initializes the binding elements.
        /// </summary>
        /// <param name="cryptoKeyStore">The crypto key store.</param>
        /// <param name="nonceStore">The nonce store to use.</param>
        /// <param name="securitySettings">The security settings to apply.  Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or ProviderSecuritySettings.</param>
        /// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
        /// <returns>
        /// An array of binding elements which may be used to construct the channel.
        /// </returns>
        private static IChannelBindingElement[] InitializeBindingElements(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying)
        {
            Requires.NotNull(securitySettings, "securitySettings");

            SigningBindingElement signingElement;

            signingElement = nonVerifying ? null : new RelyingPartySigningBindingElement(new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore ?? new MemoryCryptoKeyStore()));

            var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

            List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);

            elements.Add(new ExtensionsBindingElementRelyingParty(extensionFactory, securitySettings));
            elements.Add(new RelyingPartySecurityOptions(securitySettings));
            elements.Add(new BackwardCompatibilityBindingElement());
            ReturnToNonceBindingElement requestNonceElement = null;

            if (cryptoKeyStore != null)
            {
                if (nonceStore != null)
                {
                    // There is no point in having a ReturnToNonceBindingElement without
                    // a ReturnToSignatureBindingElement because the nonce could be
                    // artificially changed without it.
                    requestNonceElement = new ReturnToNonceBindingElement(nonceStore, securitySettings);
                    elements.Add(requestNonceElement);
                }

                // It is important that the return_to signing element comes last
                // so that the nonce is included in the signature.
                elements.Add(new ReturnToSignatureBindingElement(cryptoKeyStore));
            }

            ErrorUtilities.VerifyOperation(!securitySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);

            if (nonVerifying)
            {
                elements.Add(new SkipSecurityBindingElement());
            }
            else
            {
                if (nonceStore != null)
                {
                    elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
                }

                elements.Add(new StandardExpirationBindingElement());
                elements.Add(signingElement);
            }

            return(elements.ToArray());
        }
Пример #2
0
        /// <summary>
        /// Initializes the binding elements.
        /// </summary>
        /// <param name="cryptoKeyStore">The OpenID Provider's crypto key store.</param>
        /// <param name="nonceStore">The nonce store to use.</param>
        /// <param name="securitySettings">The security settings to apply.  Must be an instance of either RelyingPartySecuritySettings or ProviderSecuritySettings.</param>
        /// <returns>
        /// An array of binding elements which may be used to construct the channel.
        /// </returns>
        private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings)
        {
            Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
            Requires.NotNull(securitySettings, "securitySettings");
            Requires.NotNull(nonceStore, "nonceStore");

            SigningBindingElement signingElement;

            signingElement = new ProviderSigningBindingElement(cryptoKeyStore, securitySettings);

            var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

            List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);

            elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings, true));
            elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
            elements.Add(new StandardExpirationBindingElement());
            elements.Add(signingElement);

            return(elements.ToArray());
        }
Пример #3
0
        private static IChannelBindingElement[] InitializeBindingElements <T>(IAssociationStore <T> associationStore, INonceStore nonceStore, SecuritySettings securitySettings, bool nonVerifying)
        {
            Contract.Requires <ArgumentNullException>(securitySettings != null);
            Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);

            var rpSecuritySettings = securitySettings as RelyingPartySecuritySettings;
            var opSecuritySettings = securitySettings as ProviderSecuritySettings;

            ErrorUtilities.VerifyInternal(rpSecuritySettings != null || opSecuritySettings != null, "Expected an RP or OP security settings instance.");
            ErrorUtilities.VerifyInternal(!nonVerifying || rpSecuritySettings != null, "Non-verifying channels can only be constructed for relying parties.");
            bool isRelyingPartyRole = rpSecuritySettings != null;

            var rpAssociationStore = associationStore as IAssociationStore <Uri>;
            var opAssociationStore = associationStore as IAssociationStore <AssociationRelyingPartyType>;

            ErrorUtilities.VerifyInternal(isRelyingPartyRole || opAssociationStore != null, "Providers MUST have an association store.");

            SigningBindingElement signingElement;

            if (isRelyingPartyRole)
            {
                signingElement = nonVerifying ? null : new SigningBindingElement(rpAssociationStore);
            }
            else
            {
                signingElement = new SigningBindingElement(opAssociationStore, opSecuritySettings);
            }

            var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();

            List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);

            elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));
            if (isRelyingPartyRole)
            {
                elements.Add(new RelyingPartySecurityOptions(rpSecuritySettings));
                elements.Add(new BackwardCompatibilityBindingElement());
                ReturnToNonceBindingElement requestNonceElement = null;

                if (associationStore != null)
                {
                    if (nonceStore != null)
                    {
                        // There is no point in having a ReturnToNonceBindingElement without
                        // a ReturnToSignatureBindingElement because the nonce could be
                        // artificially changed without it.
                        requestNonceElement = new ReturnToNonceBindingElement(nonceStore, rpSecuritySettings);
                        elements.Add(requestNonceElement);
                    }

                    // It is important that the return_to signing element comes last
                    // so that the nonce is included in the signature.
                    elements.Add(new ReturnToSignatureBindingElement(rpAssociationStore, rpSecuritySettings));
                }

                ErrorUtilities.VerifyOperation(!rpSecuritySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
            }
            else
            {
                // Providers must always have a nonce store.
                ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
            }

            if (nonVerifying)
            {
                elements.Add(new SkipSecurityBindingElement());
            }
            else
            {
                if (nonceStore != null)
                {
                    elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
                }

                elements.Add(new StandardExpirationBindingElement());
                elements.Add(signingElement);
            }

            return(elements.ToArray());
        }