public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1") { SamlAssertion samlAssertion = this.samlClientCredentials.Assertion; SecurityToken securityToken = this.samlClientCredentials.ProofToken; if (samlAssertion == null || securityToken == null) { SecurityBindingElement securityBindingElement = null; SecurityAlgorithmSuite algoSuite = null; if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement)) { algoSuite = securityBindingElement.DefaultAlgorithmSuite; } if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey) { securityToken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize); samlAssertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, new X509SecurityToken(this.samlClientCredentials.ClientCertificate.Certificate), new X509SecurityToken(this.samlClientCredentials.ServiceCertificate.DefaultCertificate), (BinarySecretSecurityToken)securityToken, algoSuite); } else { securityToken = SamlUtilities.CreateAsymmetricProofToken(); samlAssertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, securityToken, algoSuite); } } return(new SamlSecurityTokenProvider(samlAssertion, securityToken)); } return(base.CreateSecurityTokenProvider(tokenRequirement)); }
public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityMode mode, TrustVersion version, SecurityKeyType keyType, SecurityAlgorithmSuite algorithmSuite, string tokenType, IEnumerable <ClaimTypeRequirement> claimTypeRequirements, EndpointAddress issuerMetadataAddress) : base(mode, version) { this._claimTypeRequirements = new Collection <ClaimTypeRequirement>(); if ((SecurityMode.Message != mode) && (SecurityMode.TransportWithMessageCredential != mode)) { throw new InvalidOperationException("ID3226"); } if ((this._keyType == SecurityKeyType.BearerKey) && (version == TrustVersion.WSTrustFeb2005)) { throw new InvalidOperationException("ID3267"); } this._keyType = keyType; this._algorithmSuite = algorithmSuite; this._tokenType = tokenType; this._issuerBinding = issuerBinding; this._issuerAddress = issuerAddress; this._issuerMetadataAddress = issuerMetadataAddress; if (claimTypeRequirements != null) { foreach (ClaimTypeRequirement requirement in claimTypeRequirements) { this._claimTypeRequirements.Add(requirement); } } }
public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityKeyType keyType, SecurityAlgorithmSuite algorithmSuite, string tokenType, IEnumerable <ClaimTypeRequirement> claimTypeRequirements) : this(issuerBinding, issuerAddress, SecurityMode.Message, TrustVersion.WSTrust13, keyType, algorithmSuite, tokenType, claimTypeRequirements, null) { }
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned) : base(elementToBeCloned) { if (elementToBeCloned == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned)); } _defaultAlgorithmSuite = elementToBeCloned._defaultAlgorithmSuite; IncludeTimestamp = elementToBeCloned.IncludeTimestamp; _keyEntropyMode = elementToBeCloned._keyEntropyMode; _messageSecurityVersion = elementToBeCloned._messageSecurityVersion; _securityHeaderLayout = elementToBeCloned._securityHeaderLayout; EndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.EndpointSupportingTokenParameters.Clone(); OptionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone(); _operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys) { _operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._operationSupportingTokenParameters[key].Clone(); } _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys) { _optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone(); } LocalServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.LocalServiceSettings.Clone(); // this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement; MaxReceivedMessageSize = elementToBeCloned.MaxReceivedMessageSize; ReaderQuotas = elementToBeCloned.ReaderQuotas; DoNotEmitTrust = elementToBeCloned.DoNotEmitTrust; AllowInsecureTransport = elementToBeCloned.AllowInsecureTransport; EnableUnsecuredResponse = elementToBeCloned.EnableUnsecuredResponse; SupportsExtendedProtectionPolicy = elementToBeCloned.SupportsExtendedProtectionPolicy; ProtectTokens = elementToBeCloned.ProtectTokens; }
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned) : base(elementToBeCloned) { if (elementToBeCloned == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned)); } _defaultAlgorithmSuite = elementToBeCloned._defaultAlgorithmSuite; IncludeTimestamp = elementToBeCloned.IncludeTimestamp; _keyEntropyMode = elementToBeCloned._keyEntropyMode; _messageSecurityVersion = elementToBeCloned._messageSecurityVersion; _securityHeaderLayout = elementToBeCloned._securityHeaderLayout; EndpointSupportingTokenParameters = elementToBeCloned.EndpointSupportingTokenParameters.Clone(); OptionalEndpointSupportingTokenParameters = elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone(); _operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys) { _operationSupportingTokenParameters[key] = elementToBeCloned._operationSupportingTokenParameters[key].Clone(); } _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys) { _optionalOperationSupportingTokenParameters[key] = elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone(); } LocalClientSettings = elementToBeCloned.LocalClientSettings.Clone(); MaxReceivedMessageSize = elementToBeCloned.MaxReceivedMessageSize; ReaderQuotas = elementToBeCloned.ReaderQuotas; EnableUnsecuredResponse = elementToBeCloned.EnableUnsecuredResponse; }
EncryptedData Encrypt(XmlElement target, SymmetricAlgorithm actualKey, string ekeyId, ReferenceList refList, SecurityKeyIdentifierClause encClause, EncryptedXml exml, XmlDocument doc, string elementType) { SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; SecurityTokenSerializer serializer = security.TokenSerializer; byte [] encrypted = exml.EncryptData(target, actualKey, false); EncryptedData edata = new EncryptedData(); edata.Id = GenerateId(doc); edata.Type = elementType; edata.EncryptionMethod = new EncryptionMethod(suite.DefaultEncryptionAlgorithm); // FIXME: here wsse:DigestMethod should be embedded // inside EncryptionMethod. Since it is not possible // with S.S.C.Xml.EncryptionMethod, we will have to // build our own XML encryption classes. edata.CipherData.CipherValue = encrypted; DataReference dr = new DataReference(); dr.Uri = "#" + edata.Id; refList.Add(dr); if (ShouldOutputEncryptedKey && !CounterParameters.RequireDerivedKeys) { edata.KeyInfo = null; } else { edata.KeyInfo = new KeyInfo(); edata.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(encClause, serializer, doc)); } return(edata); }
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned) : base(elementToBeCloned) { if (elementToBeCloned == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned"); } this.defaultAlgorithmSuite = elementToBeCloned.defaultAlgorithmSuite; this.includeTimestamp = elementToBeCloned.includeTimestamp; this.keyEntropyMode = elementToBeCloned.keyEntropyMode; this.messageSecurityVersion = elementToBeCloned.messageSecurityVersion; this.securityHeaderLayout = elementToBeCloned.securityHeaderLayout; this.endpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.endpointSupportingTokenParameters.Clone(); this.optionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.optionalEndpointSupportingTokenParameters.Clone(); this.operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned.operationSupportingTokenParameters.Keys) { this.operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.operationSupportingTokenParameters[key].Clone(); } this.optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); foreach (string key in elementToBeCloned.optionalOperationSupportingTokenParameters.Keys) { this.optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.optionalOperationSupportingTokenParameters[key].Clone(); } this.localServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.localServiceSettings.Clone(); // this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement; this.maxReceivedMessageSize = elementToBeCloned.maxReceivedMessageSize; this.readerQuotas = elementToBeCloned.readerQuotas; this.doNotEmitTrust = elementToBeCloned.doNotEmitTrust; this.allowInsecureTransport = elementToBeCloned.allowInsecureTransport; this.enableUnsecuredResponse = elementToBeCloned.enableUnsecuredResponse; this.supportsExtendedProtectionPolicy = elementToBeCloned.supportsExtendedProtectionPolicy; this.protectTokens = elementToBeCloned.protectTokens; }
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType) { this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm)); this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm)); if (this._keyType == SecurityKeyType.BearerKey) { // As the client does not have a proof token in the Bearer case // we don't have any specific algorithms to request for. return; } string signWithAlgorithm = (this._keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm; this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signWithAlgorithm)); string encryptWithAlgorithm; if (issuedKeyType == SecurityKeyType.SymmetricKey) { encryptWithAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm; } else { encryptWithAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm; } this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptWithAlgorithm)); if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005) { this._additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)); } return; }
private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters) { issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm)); issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm)); string signatureAlgorithm = null; string encryptionAlgorithm = null; switch (keyType) { case SecurityKeyType.SymmetricKey: signatureAlgorithm = algorithmSuite.DefaultSymmetricSignatureAlgorithm; encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm; break; case SecurityKeyType.AsymmetricKey: signatureAlgorithm = algorithmSuite.DefaultAsymmetricSignatureAlgorithm; encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm; break; case SecurityKeyType.BearerKey: return; default: throw new ArgumentOutOfRangeException("keyType"); } issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm)); issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm)); if (trustVersion != TrustVersion.WSTrustFeb2005) { issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)); } }
internal MessageSecurityOverTcp() { alg_suite = SecurityAlgorithmSuite.Default; // This default value is *silly* but anyways // such code that does not change this ClientCredentialType // won't work on Mono. client_credential_type = MessageCredentialType.Windows; }
public static void Property_SecurityAlgorithmSuite_TripleDes(string propertyName, string expectedValue) { // Use reflection to get the default value of the properties provided in the inline data. // Verify the default values are the same as on the full framework. SecurityAlgorithmSuite suite = SecurityAlgorithmSuite.TripleDes; PropertyInfo info = suite.GetType().GetProperty(propertyName); Assert.Equal(info.GetValue(suite).ToString(), expectedValue); }
internal MessageSecurityOverHttp() { alg_suite = SecurityAlgorithmSuite.Default; // This default value is *silly* but anyways such // it is silly to expect that such code that does not // change ClientCredentialType works on Mono. client_credential_type = MessageCredentialType.Windows; negotiate_service_credential = true; }
public FederatedMessageSecurityOverHttp() { _negotiateServiceCredential = DefaultNegotiateServiceCredential; _algorithmSuite = SecurityAlgorithmSuite.Default; _issuedKeyType = DefaultIssuedKeyType; _claimTypeRequirements = new Collection <ClaimTypeRequirement>(); _tokenRequestParameters = new Collection <XmlElement>(); _establishSecurityContext = DefaultEstablishSecurityContext; }
public MessageSecurityOverTcp() { #if !MOBILE && !XAMMAC_4_5 alg_suite = SecurityAlgorithmSuite.Default; #endif // This default value is *silly* but anyways // such code that does not change this ClientCredentialType // won't work on Mono. client_credential_type = MessageCredentialType.Windows; }
private static SecurityAlgorithmSuite GetSecurityAlgorithmSuite(SecurityTokenRequirement tokenRequirement) { SecurityAlgorithmSuite result = null; SecurityBindingElement securityBindingElement; if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement)) { result = securityBindingElement.DefaultAlgorithmSuite; } return(result); }
/// <summary> /// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement /// </summary> /// <param name="tokenRequirement">A SecurityTokenRequirement </param> /// <returns>The appropriate SecurityTokenProvider</returns> public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { // If token requirement matches SAML token return the custom SAML token provider if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1") { // Retrieve the SAML assertion and proof token from the client credentials SamlAssertion assertion = this.samlClientCredentials.Assertion; SecurityToken prooftoken = this.samlClientCredentials.ProofToken; // If either the assertion of proof token is null... if (assertion == null || prooftoken == null) { // ...get the SecurityBindingElement and then the specified algorithm suite SecurityBindingElement sbe = null; SecurityAlgorithmSuite sas = null; if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe)) { sas = sbe.DefaultAlgorithmSuite; } // If the token requirement is for a SymmetricKey based token.. if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey) { // Create a symmetric proof token prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize); // and a corresponding assertion based on the claims specified in the client credentials assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate), new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate), (BinarySecretSecurityToken)prooftoken, sas); } // otherwise... else { // Create an asymmetric proof token prooftoken = SamlUtilities.CreateAsymmetricProofToken(); // and a corresponding assertion based on the claims specified in the client credentials assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas); } } // Create a SamlSecurityTokenProvider based on the assertion and proof token return(new SamlSecurityTokenProvider(assertion, prooftoken)); } // otherwise use base implementation else { return(base.CreateSecurityTokenProvider(tokenRequirement)); } }
internal void InitializeFrom(MessageSecurityOverMsmq security) { if (security == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("security"); } SetPropertyValueIfNotDefaultValue(ConfigurationStrings.ClientCredentialType, security.ClientCredentialType); if (security.WasAlgorithmSuiteSet) { this.AlgorithmSuite = security.AlgorithmSuite; } }
void InitializeProviderCommunicationObject(ProviderCommunicationObject p, SecurityTokenRequirement r) { p.TargetAddress = r.GetProperty <EndpointAddress> (ReqType.TargetAddressProperty); // FIXME: use it somewhere, probably to build // IssuerBinding. However, there is also IssuerBinding // property. SecureConversationSecurityBindingElement // as well. SecurityBindingElement sbe = r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty); // I doubt the binding is acquired this way ... Binding binding; if (!r.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding)) { binding = new CustomBinding( new TextMessageEncodingBindingElement(), new HttpTransportBindingElement()); } p.IssuerBinding = binding; // not sure if it is used only for this purpose though ... BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty); foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll <IEndpointBehavior> ()) { p.IssuerChannelBehaviors.Add(b); } SecurityTokenVersion ver = r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty); p.SecurityTokenSerializer = CreateSecurityTokenSerializer(ver); // seems like they are optional here ... (but possibly // used later) EndpointAddress address; if (!r.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address)) { address = p.TargetAddress; } p.IssuerAddress = address; // It is somehow not checked as mandatory ... SecurityAlgorithmSuite suite = null; r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite); p.SecurityAlgorithmSuite = suite; }
public static void AssertSymmetricSecurityBindingElement( SecurityAlgorithmSuite algorithm, bool includeTimestamp, SecurityKeyEntropyMode keyEntropyMode, MessageProtectionOrder messageProtectionOrder, MessageSecurityVersion messageSecurityVersion, bool requireSignatureConfirmation, SecurityHeaderLayout securityHeaderLayout, // EndpointSupportingTokenParameters int endorsing, int signed, int signedEncrypted, int signedEndorsing, // ProtectionTokenParameters bool hasProtectionTokenParameters, SecurityTokenInclusionMode protectionTokenInclusionMode, SecurityTokenReferenceStyle protectionTokenReferenceStyle, bool protectionTokenRequireDerivedKeys, // LocalClientSettings bool cacheCookies, int renewalThresholdPercentage, bool detectReplays, SymmetricSecurityBindingElement be, string label) { AssertSecurityBindingElement( algorithm, includeTimestamp, keyEntropyMode, messageSecurityVersion, securityHeaderLayout, // EndpointSupportingTokenParameters endorsing, signed, signedEncrypted, signedEndorsing, // LocalClientSettings cacheCookies, renewalThresholdPercentage, detectReplays, be, label); Assert.AreEqual(messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder"); Assert.AreEqual(requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation"); if (!hasProtectionTokenParameters) { Assert.IsNull(be.ProtectionTokenParameters, label + ".ProtectionTokenParameters (null)"); } else { AssertSecurityTokenParameters( protectionTokenInclusionMode, protectionTokenReferenceStyle, protectionTokenRequireDerivedKeys, be.ProtectionTokenParameters, label + ".ProtectionTokenParameters"); } }
void CreateReference(Signature sig, XmlDocument doc, string id) { SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; if (id == String.Empty) { id = GenerateId(doc); } Reference r = new Reference("#" + id); r.AddTransform(CreateTransform(suite.DefaultCanonicalizationAlgorithm)); r.DigestMethod = suite.DefaultDigestAlgorithm; sig.SignedInfo.AddReference(r); }
internal SecurityBindingElement() : base() { _messageSecurityVersion = MessageSecurityVersion.Default; _keyEntropyMode = AcceleratedTokenProvider.defaultKeyEntropyMode; IncludeTimestamp = defaultIncludeTimestamp; _defaultAlgorithmSuite = defaultDefaultAlgorithmSuite; LocalClientSettings = new LocalClientSecuritySettings(); EndpointSupportingTokenParameters = new SupportingTokenParameters(); OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters(); _operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); _securityHeaderLayout = SecurityProtocolFactory.defaultSecurityHeaderLayout; }
internal SecurityBindingElement CreateMessageSecurity(bool isSecureTransportMode) { SecurityBindingElement algorithmSuite; if (!isSecureTransportMode) { if (this.clientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.BasicHttpMessageSecurityRequiresCertificate, new object[0]))); } algorithmSuite = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true); } else { MessageSecurityVersion wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; switch (this.clientCredentialType) { case BasicHttpMessageCredentialType.UserName: { algorithmSuite = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); algorithmSuite.MessageSecurityVersion = wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); } case BasicHttpMessageCredentialType.Certificate: { algorithmSuite = SecurityBindingElement.CreateCertificateOverTransportBindingElement(wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); } } Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("Unsupported basic http message credential type"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); }
internal SecurityBindingElement() : base() { _messageSecurityVersion = MessageSecurityVersion.Default; _keyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; // AcceleratedTokenProvider.defaultKeyEntropyMode; IncludeTimestamp = DefaultIncludeTimestamp; _defaultAlgorithmSuite = s_defaultDefaultAlgorithmSuite; LocalServiceSettings = new LocalServiceSecuritySettings(); EndpointSupportingTokenParameters = new SupportingTokenParameters(); OptionalEndpointSupportingTokenParameters = new SupportingTokenParameters(); _operationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>(); _securityHeaderLayout = SecurityHeaderLayout.Strict; // SecurityProtocolFactory.defaultSecurityHeaderLayout; AllowInsecureTransport = DefaultAllowInsecureTransport; EnableUnsecuredResponse = DefaultEnableUnsecuredResponse; ProtectTokens = DefaultProtectTokens; }
private SecurityAlgorithmSuite Parse(string value, SecurityAlgorithmSuite def) { if (value == null) { return(def); } switch (value.ToLowerInvariant()) { case "basic128": return(SecurityAlgorithmSuite.Basic128); case "basic128rsa15": return(SecurityAlgorithmSuite.Basic128Rsa15); case "basic128sha256": return(SecurityAlgorithmSuite.Basic128Sha256); case "basic128sha256Rsa15": return(SecurityAlgorithmSuite.Basic128Sha256Rsa15); case "basic192": return(SecurityAlgorithmSuite.Basic192); case "basic192rsa15": return(SecurityAlgorithmSuite.Basic192Rsa15); case "basic192sha256": return(SecurityAlgorithmSuite.Basic192Sha256); case "basic192sha256rsa15": return(SecurityAlgorithmSuite.Basic192Sha256Rsa15); case "basic256": return(SecurityAlgorithmSuite.Basic256); case "basic256rsa15": return(SecurityAlgorithmSuite.Basic256Rsa15); case "basic256sha256": return(SecurityAlgorithmSuite.Basic256Sha256); case "basic256sha256rsa15": return(SecurityAlgorithmSuite.Basic256Sha256Rsa15); case "default": return(SecurityAlgorithmSuite.Default); case "tripledes": return(SecurityAlgorithmSuite.TripleDes); case "tripledesrsa15": return(SecurityAlgorithmSuite.TripleDesRsa15); case "tripledessha256": return(SecurityAlgorithmSuite.TripleDesSha256); case "tripledessha256rsa15": return(SecurityAlgorithmSuite.TripleDesSha256Rsa15); default: throw new ArgumentException(string.Format("Unknown WCF [AlgorithmSuite]: {0}", value)); } }
static void AssertSecurityAlgorithmSuite( string defaultAsymmetricKeyWrapAlgorithm, string defaultAsymmetricSignatureAlgorithm, string defaultCanonicalizationAlgorithm, string defaultDigestAlgorithm, string defaultEncryptionAlgorithm, int defaultEncryptionKeyDerivationLength, int defaultSignatureKeyDerivationLength, int defaultSymmetricKeyLength, string defaultSymmetricKeyWrapAlgorithm, string defaultSymmetricSignatureAlgorithm, SecurityAlgorithmSuite target, string label) { Assert.AreEqual(defaultAsymmetricKeyWrapAlgorithm, target.DefaultAsymmetricKeyWrapAlgorithm, label + ".DefaultAsymmetricKeyWrapAlgorithm"); Assert.AreEqual(defaultAsymmetricSignatureAlgorithm, target.DefaultAsymmetricSignatureAlgorithm, label + ".DefaultAsymmetricSignatureAlgorithm"); Assert.AreEqual(defaultCanonicalizationAlgorithm, target.DefaultCanonicalizationAlgorithm, label + ".DefaultCanonicalizationAlgorithm"); Assert.AreEqual(defaultDigestAlgorithm, target.DefaultDigestAlgorithm, label + ".DefaultDigestAlgorithm"); Assert.AreEqual(defaultEncryptionAlgorithm, target.DefaultEncryptionAlgorithm, label + ".DefaultEncryptionAlgorithm"); Assert.AreEqual(defaultEncryptionKeyDerivationLength, target.DefaultEncryptionKeyDerivationLength, label + ".DefaultEncryptionKeyDerivationLength"); Assert.AreEqual(defaultSignatureKeyDerivationLength, target.DefaultSignatureKeyDerivationLength, label + ".DefaultSignatureKeyDerivationLength"); Assert.AreEqual(defaultSymmetricKeyLength, target.DefaultSymmetricKeyLength, label + ".DefaultSymmetricKeyLength"); Assert.AreEqual(defaultSymmetricKeyWrapAlgorithm, target.DefaultSymmetricKeyWrapAlgorithm, label + ".DefaultSymmetricKeyWrapAlgorithm"); Assert.AreEqual(defaultSymmetricSignatureAlgorithm, target.DefaultSymmetricSignatureAlgorithm, label + ".DefaultSymmetricSignatureAlgorithm"); }
public void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType) { this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm)); this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm)); if (this.keyType == SecurityKeyType.BearerKey) { return; } string signatureAlgorithm = this.keyType == SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm; this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm)); string encryptionAlgorithm = issuedKeyType != SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm : algorithmSuite.DefaultEncryptionAlgorithm; this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptionAlgorithm)); if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) { return; } this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)); }
public static void Snippet5() { // <Snippet5> BasicHttpBinding binding = new BasicHttpBinding("myBinding"); binding.Name = "binding1"; binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard; binding.Security.Mode = BasicHttpSecurityMode.Message; // <Snippet6> BasicHttpSecurity security = binding.Security; BasicHttpMessageSecurity msgSecurity = security.Message; // </Snippet6> // <Snippet7> SecurityAlgorithmSuite sas = msgSecurity.AlgorithmSuite; BasicHttpMessageCredentialType credType = msgSecurity.ClientCredentialType; // </Snippet7> Console.WriteLine("The algorithm suite used is {0}", sas.ToString()); Console.WriteLine("The client credential type used is {0}", credType.ToString()); // </Snippet5> }
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode) { foreach (SecurityTokenParameters p in plist) { SecurityTokenResolver r; SecurityTokenAuthenticator a = security.CreateTokenAuthenticator(p, out r); SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens); if (spec == null) { if (optional) { continue; } else { throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode)); } } else { // For endorsing tokens, verify corresponding signatures. switch (attachMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken); if (esxml == null) { throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode)); } bool confirmed; SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) { SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false); confirmed = esxml.CheckSignature(alg); } if (!confirmed) { throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode)); } break; } sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue)); break; } } sec_prop.IncomingSupportingTokens.Add(spec); } }
internal static bool TryCreate <TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity) where TSecurity : MessageSecurityOverHttp { Fx.Assert(null != sbe, string.Empty); messageSecurity = null; // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings if (!sbe.IncludeTimestamp) { return(false); } // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching() if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout) { return(false); } bool negotiateServiceCredential = DefaultNegotiateServiceCredential; MessageCredentialType clientCredentialType; SecurityAlgorithmSuite algorithmSuite = SecurityAlgorithmSuite.Default; bool isSecureConversation; SecurityBindingElement bootstrapSecurity; if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity)) { isSecureConversation = false; bootstrapSecurity = sbe; } else { isSecureConversation = true; } if (!isSecureConversation && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp))) { return(false); } if (!isSecureConversation && isReliableSession) { return(false); } if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement)) { return(false); } IssuedSecurityTokenParameters infocardParameters; if (isSecureTransportMode) { if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity)) { clientCredentialType = MessageCredentialType.UserName; } else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity)) { clientCredentialType = MessageCredentialType.Certificate; } else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true)) { clientCredentialType = MessageCredentialType.Windows; } else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters)) { if (!IssuedSecurityTokenParameters.IsInfoCardParameters( infocardParameters, new SecurityStandardsManager( sbe.MessageSecurityVersion, new WSSecurityTokenSerializer( sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)))) { return(false); } clientCredentialType = MessageCredentialType.IssuedToken; } else { // the standard binding does not support None client credential type in mixed mode return(false); } } else { if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true)) { negotiateServiceCredential = true; clientCredentialType = MessageCredentialType.None; } else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true)) { negotiateServiceCredential = true; clientCredentialType = MessageCredentialType.UserName; } else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true)) { negotiateServiceCredential = true; clientCredentialType = MessageCredentialType.Certificate; } else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true)) { negotiateServiceCredential = true; clientCredentialType = MessageCredentialType.Windows; } else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters)) { if (!IssuedSecurityTokenParameters.IsInfoCardParameters( infocardParameters, new SecurityStandardsManager( sbe.MessageSecurityVersion, new WSSecurityTokenSerializer( sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)))) { return(false); } negotiateServiceCredential = true; clientCredentialType = MessageCredentialType.IssuedToken; } else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrapSecurity)) { negotiateServiceCredential = false; clientCredentialType = MessageCredentialType.UserName; } else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrapSecurity)) { negotiateServiceCredential = false; clientCredentialType = MessageCredentialType.Certificate; } else if (SecurityBindingElement.IsKerberosBinding(bootstrapSecurity)) { negotiateServiceCredential = false; clientCredentialType = MessageCredentialType.Windows; } else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out infocardParameters)) { if (!IssuedSecurityTokenParameters.IsInfoCardParameters( infocardParameters, new SecurityStandardsManager( sbe.MessageSecurityVersion, new WSSecurityTokenSerializer( sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)))) { return(false); } negotiateServiceCredential = false; clientCredentialType = MessageCredentialType.IssuedToken; } else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrapSecurity)) { negotiateServiceCredential = false; clientCredentialType = MessageCredentialType.None; } else { return(false); } } // Do not check any Local* settings // Do not check DefaultAlgorithmSuite: is it often changed after the Security element is created, it will verified by SecuritySectionBase.AreBindingsMatching(). if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity))) { messageSecurity = (TSecurity)(object)new NonDualMessageSecurityOverHttp(); ((NonDualMessageSecurityOverHttp)(object)messageSecurity).EstablishSecurityContext = isSecureConversation; } else { messageSecurity = (TSecurity)(object)new MessageSecurityOverHttp(); } messageSecurity.ClientCredentialType = clientCredentialType; messageSecurity.NegotiateServiceCredential = negotiateServiceCredential; messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite; return(true); }
public MessageSecurityOverHttp() { clientCredentialType = DefaultClientCredentialType; negotiateServiceCredential = DefaultNegotiateServiceCredential; algorithmSuite = SecurityAlgorithmSuite.Default; }