Пример #1
0
 public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
 {
     if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
     {
         SamlAssertion samlAssertion = this.samlClientCredentials.Assertion;
         SecurityToken securityToken = this.samlClientCredentials.ProofToken;
         if (samlAssertion == null || securityToken == null)
         {
             SecurityBindingElement securityBindingElement = null;
             SecurityAlgorithmSuite algoSuite = null;
             if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
             {
                 algoSuite = securityBindingElement.DefaultAlgorithmSuite;
             }
             if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
             {
                 securityToken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
                 samlAssertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, new X509SecurityToken(this.samlClientCredentials.ClientCertificate.Certificate), new X509SecurityToken(this.samlClientCredentials.ServiceCertificate.DefaultCertificate), (BinarySecretSecurityToken)securityToken, algoSuite);
             }
             else
             {
                 securityToken = SamlUtilities.CreateAsymmetricProofToken();
                 samlAssertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, securityToken, algoSuite);
             }
         }
         return(new SamlSecurityTokenProvider(samlAssertion, securityToken));
     }
     return(base.CreateSecurityTokenProvider(tokenRequirement));
 }
        public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityMode mode, TrustVersion version, SecurityKeyType keyType, SecurityAlgorithmSuite algorithmSuite, string tokenType, IEnumerable <ClaimTypeRequirement> claimTypeRequirements, EndpointAddress issuerMetadataAddress)
            : base(mode, version)
        {
            this._claimTypeRequirements = new Collection <ClaimTypeRequirement>();

            if ((SecurityMode.Message != mode) && (SecurityMode.TransportWithMessageCredential != mode))
            {
                throw new InvalidOperationException("ID3226");
            }
            if ((this._keyType == SecurityKeyType.BearerKey) && (version == TrustVersion.WSTrustFeb2005))
            {
                throw new InvalidOperationException("ID3267");
            }

            this._keyType               = keyType;
            this._algorithmSuite        = algorithmSuite;
            this._tokenType             = tokenType;
            this._issuerBinding         = issuerBinding;
            this._issuerAddress         = issuerAddress;
            this._issuerMetadataAddress = issuerMetadataAddress;

            if (claimTypeRequirements != null)
            {
                foreach (ClaimTypeRequirement requirement in claimTypeRequirements)
                {
                    this._claimTypeRequirements.Add(requirement);
                }
            }
        }
Пример #3
0
 public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityKeyType keyType,
                                  SecurityAlgorithmSuite algorithmSuite, string tokenType,
                                  IEnumerable <ClaimTypeRequirement> claimTypeRequirements)
     : this(issuerBinding, issuerAddress, SecurityMode.Message, TrustVersion.WSTrust13, keyType, algorithmSuite,
            tokenType, claimTypeRequirements, null)
 {
 }
Пример #4
0
        internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
            : base(elementToBeCloned)
        {
            if (elementToBeCloned == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned));
            }

            _defaultAlgorithmSuite                    = elementToBeCloned._defaultAlgorithmSuite;
            IncludeTimestamp                          = elementToBeCloned.IncludeTimestamp;
            _keyEntropyMode                           = elementToBeCloned._keyEntropyMode;
            _messageSecurityVersion                   = elementToBeCloned._messageSecurityVersion;
            _securityHeaderLayout                     = elementToBeCloned._securityHeaderLayout;
            EndpointSupportingTokenParameters         = (SupportingTokenParameters)elementToBeCloned.EndpointSupportingTokenParameters.Clone();
            OptionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone();
            _operationSupportingTokenParameters       = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys)
            {
                _operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._operationSupportingTokenParameters[key].Clone();
            }
            _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys)
            {
                _optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone();
            }
            LocalServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.LocalServiceSettings.Clone();
            // this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement;
            MaxReceivedMessageSize           = elementToBeCloned.MaxReceivedMessageSize;
            ReaderQuotas                     = elementToBeCloned.ReaderQuotas;
            DoNotEmitTrust                   = elementToBeCloned.DoNotEmitTrust;
            AllowInsecureTransport           = elementToBeCloned.AllowInsecureTransport;
            EnableUnsecuredResponse          = elementToBeCloned.EnableUnsecuredResponse;
            SupportsExtendedProtectionPolicy = elementToBeCloned.SupportsExtendedProtectionPolicy;
            ProtectTokens                    = elementToBeCloned.ProtectTokens;
        }
        internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
            : base(elementToBeCloned)
        {
            if (elementToBeCloned == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(elementToBeCloned));
            }

            _defaultAlgorithmSuite                    = elementToBeCloned._defaultAlgorithmSuite;
            IncludeTimestamp                          = elementToBeCloned.IncludeTimestamp;
            _keyEntropyMode                           = elementToBeCloned._keyEntropyMode;
            _messageSecurityVersion                   = elementToBeCloned._messageSecurityVersion;
            _securityHeaderLayout                     = elementToBeCloned._securityHeaderLayout;
            EndpointSupportingTokenParameters         = elementToBeCloned.EndpointSupportingTokenParameters.Clone();
            OptionalEndpointSupportingTokenParameters = elementToBeCloned.OptionalEndpointSupportingTokenParameters.Clone();
            _operationSupportingTokenParameters       = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned._operationSupportingTokenParameters.Keys)
            {
                _operationSupportingTokenParameters[key] = elementToBeCloned._operationSupportingTokenParameters[key].Clone();
            }

            _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned._optionalOperationSupportingTokenParameters.Keys)
            {
                _optionalOperationSupportingTokenParameters[key] = elementToBeCloned._optionalOperationSupportingTokenParameters[key].Clone();
            }

            LocalClientSettings     = elementToBeCloned.LocalClientSettings.Clone();
            MaxReceivedMessageSize  = elementToBeCloned.MaxReceivedMessageSize;
            ReaderQuotas            = elementToBeCloned.ReaderQuotas;
            EnableUnsecuredResponse = elementToBeCloned.EnableUnsecuredResponse;
        }
Пример #6
0
        EncryptedData Encrypt(XmlElement target, SymmetricAlgorithm actualKey, string ekeyId, ReferenceList refList, SecurityKeyIdentifierClause encClause, EncryptedXml exml, XmlDocument doc, string elementType)
        {
            SecurityAlgorithmSuite  suite      = security.Element.DefaultAlgorithmSuite;
            SecurityTokenSerializer serializer = security.TokenSerializer;

            byte []       encrypted = exml.EncryptData(target, actualKey, false);
            EncryptedData edata     = new EncryptedData();

            edata.Id               = GenerateId(doc);
            edata.Type             = elementType;
            edata.EncryptionMethod = new EncryptionMethod(suite.DefaultEncryptionAlgorithm);
            // FIXME: here wsse:DigestMethod should be embedded
            // inside EncryptionMethod. Since it is not possible
            // with S.S.C.Xml.EncryptionMethod, we will have to
            // build our own XML encryption classes.

            edata.CipherData.CipherValue = encrypted;

            DataReference dr = new DataReference();

            dr.Uri = "#" + edata.Id;
            refList.Add(dr);

            if (ShouldOutputEncryptedKey && !CounterParameters.RequireDerivedKeys)
            {
                edata.KeyInfo = null;
            }
            else
            {
                edata.KeyInfo = new KeyInfo();
                edata.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(encClause, serializer, doc));
            }

            return(edata);
        }
Пример #7
0
        internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
            : base(elementToBeCloned)
        {
            if (elementToBeCloned == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
            }

            this.defaultAlgorithmSuite                     = elementToBeCloned.defaultAlgorithmSuite;
            this.includeTimestamp                          = elementToBeCloned.includeTimestamp;
            this.keyEntropyMode                            = elementToBeCloned.keyEntropyMode;
            this.messageSecurityVersion                    = elementToBeCloned.messageSecurityVersion;
            this.securityHeaderLayout                      = elementToBeCloned.securityHeaderLayout;
            this.endpointSupportingTokenParameters         = (SupportingTokenParameters)elementToBeCloned.endpointSupportingTokenParameters.Clone();
            this.optionalEndpointSupportingTokenParameters = (SupportingTokenParameters)elementToBeCloned.optionalEndpointSupportingTokenParameters.Clone();
            this.operationSupportingTokenParameters        = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned.operationSupportingTokenParameters.Keys)
            {
                this.operationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.operationSupportingTokenParameters[key].Clone();
            }
            this.optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
            foreach (string key in elementToBeCloned.optionalOperationSupportingTokenParameters.Keys)
            {
                this.optionalOperationSupportingTokenParameters[key] = (SupportingTokenParameters)elementToBeCloned.optionalOperationSupportingTokenParameters[key].Clone();
            }
            this.localServiceSettings = (LocalServiceSecuritySettings)elementToBeCloned.localServiceSettings.Clone();
            // this.internalDuplexBindingElement = elementToBeCloned.internalDuplexBindingElement;
            this.maxReceivedMessageSize           = elementToBeCloned.maxReceivedMessageSize;
            this.readerQuotas                     = elementToBeCloned.readerQuotas;
            this.doNotEmitTrust                   = elementToBeCloned.doNotEmitTrust;
            this.allowInsecureTransport           = elementToBeCloned.allowInsecureTransport;
            this.enableUnsecuredResponse          = elementToBeCloned.enableUnsecuredResponse;
            this.supportsExtendedProtectionPolicy = elementToBeCloned.supportsExtendedProtectionPolicy;
            this.protectTokens                    = elementToBeCloned.protectTokens;
        }
Пример #8
0
        internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
        {
            this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
            this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));

            if (this._keyType == SecurityKeyType.BearerKey)
            {
                // As the client does not have a proof token in the Bearer case
                // we don't have any specific algorithms to request for.
                return;
            }

            string signWithAlgorithm = (this._keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;

            this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signWithAlgorithm));
            string encryptWithAlgorithm;

            if (issuedKeyType == SecurityKeyType.SymmetricKey)
            {
                encryptWithAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
            }
            else
            {
                encryptWithAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
            }
            this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptWithAlgorithm));

            if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005)
            {
                this._additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
            }

            return;
        }
        private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
        {
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
            string signatureAlgorithm  = null;
            string encryptionAlgorithm = null;

            switch (keyType)
            {
            case SecurityKeyType.SymmetricKey:
                signatureAlgorithm  = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
                encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
                break;

            case SecurityKeyType.AsymmetricKey:
                signatureAlgorithm  = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
                encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
                break;

            case SecurityKeyType.BearerKey:
                return;

            default:
                throw new ArgumentOutOfRangeException("keyType");
            }

            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
            issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));

            if (trustVersion != TrustVersion.WSTrustFeb2005)
            {
                issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
            }
        }
Пример #10
0
 internal MessageSecurityOverTcp()
 {
     alg_suite = SecurityAlgorithmSuite.Default;
     // This default value is *silly* but anyways
     // such code that does not change this ClientCredentialType
     // won't work on Mono.
     client_credential_type = MessageCredentialType.Windows;
 }
    public static void Property_SecurityAlgorithmSuite_TripleDes(string propertyName, string expectedValue)
    {
        // Use reflection to get the default value of the properties provided in the inline data.
        // Verify the default values are the same as on the full framework.
        SecurityAlgorithmSuite suite = SecurityAlgorithmSuite.TripleDes;
        PropertyInfo           info  = suite.GetType().GetProperty(propertyName);

        Assert.Equal(info.GetValue(suite).ToString(), expectedValue);
    }
Пример #12
0
 internal MessageSecurityOverHttp()
 {
     alg_suite = SecurityAlgorithmSuite.Default;
     // This default value is *silly* but anyways such
     // it is silly to expect that such code that does not
     // change ClientCredentialType works on Mono.
     client_credential_type       = MessageCredentialType.Windows;
     negotiate_service_credential = true;
 }
Пример #13
0
 public FederatedMessageSecurityOverHttp()
 {
     _negotiateServiceCredential = DefaultNegotiateServiceCredential;
     _algorithmSuite             = SecurityAlgorithmSuite.Default;
     _issuedKeyType            = DefaultIssuedKeyType;
     _claimTypeRequirements    = new Collection <ClaimTypeRequirement>();
     _tokenRequestParameters   = new Collection <XmlElement>();
     _establishSecurityContext = DefaultEstablishSecurityContext;
 }
        public MessageSecurityOverTcp()
        {
#if !MOBILE && !XAMMAC_4_5
            alg_suite = SecurityAlgorithmSuite.Default;
#endif
            // This default value is *silly* but anyways
            // such code that does not change this ClientCredentialType
            // won't work on Mono.
            client_credential_type = MessageCredentialType.Windows;
        }
        private static SecurityAlgorithmSuite GetSecurityAlgorithmSuite(SecurityTokenRequirement tokenRequirement)
        {
            SecurityAlgorithmSuite result = null;
            SecurityBindingElement securityBindingElement;

            if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
            {
                result = securityBindingElement.DefaultAlgorithmSuite;
            }
            return(result);
        }
        /// <summary>
        /// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
        /// </summary>
        /// <param name="tokenRequirement">A SecurityTokenRequirement  </param>
        /// <returns>The appropriate SecurityTokenProvider</returns>
        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
        {
            // If token requirement matches SAML token return the custom SAML token provider
            if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
                tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
            {
                // Retrieve the SAML assertion and proof token from the client credentials
                SamlAssertion assertion  = this.samlClientCredentials.Assertion;
                SecurityToken prooftoken = this.samlClientCredentials.ProofToken;

                // If either the assertion of proof token is null...
                if (assertion == null || prooftoken == null)
                {
                    // ...get the SecurityBindingElement and then the specified algorithm suite
                    SecurityBindingElement sbe = null;
                    SecurityAlgorithmSuite sas = null;

                    if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
                    {
                        sas = sbe.DefaultAlgorithmSuite;
                    }

                    // If the token requirement is for a SymmetricKey based token..
                    if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
                    {
                        // Create a symmetric proof token
                        prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
                        // and a corresponding assertion based on the claims specified in the client credentials
                        assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
                                                                                   new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
                                                                                   new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
                                                                                   (BinarySecretSecurityToken)prooftoken,
                                                                                   sas);
                    }
                    // otherwise...
                    else
                    {
                        // Create an asymmetric proof token
                        prooftoken = SamlUtilities.CreateAsymmetricProofToken();
                        // and a corresponding assertion based on the claims specified in the client credentials
                        assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
                    }
                }

                // Create a SamlSecurityTokenProvider based on the assertion and proof token
                return(new SamlSecurityTokenProvider(assertion, prooftoken));
            }
            // otherwise use base implementation
            else
            {
                return(base.CreateSecurityTokenProvider(tokenRequirement));
            }
        }
 internal void InitializeFrom(MessageSecurityOverMsmq security)
 {
     if (security == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("security");
     }
     SetPropertyValueIfNotDefaultValue(ConfigurationStrings.ClientCredentialType, security.ClientCredentialType);
     if (security.WasAlgorithmSuiteSet)
     {
         this.AlgorithmSuite = security.AlgorithmSuite;
     }
 }
        void InitializeProviderCommunicationObject(ProviderCommunicationObject p, SecurityTokenRequirement r)
        {
            p.TargetAddress = r.GetProperty <EndpointAddress> (ReqType.TargetAddressProperty);

            // FIXME: use it somewhere, probably to build
            // IssuerBinding. However, there is also IssuerBinding
            // property. SecureConversationSecurityBindingElement
            // as well.
            SecurityBindingElement sbe =
                r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);

            // I doubt the binding is acquired this way ...
            Binding binding;

            if (!r.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding))
            {
                binding = new CustomBinding(
                    new TextMessageEncodingBindingElement(),
                    new HttpTransportBindingElement());
            }
            p.IssuerBinding = binding;

            // not sure if it is used only for this purpose though ...
            BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);

            foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll <IEndpointBehavior> ())
            {
                p.IssuerChannelBehaviors.Add(b);
            }

            SecurityTokenVersion ver =
                r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);

            p.SecurityTokenSerializer =
                CreateSecurityTokenSerializer(ver);

            // seems like they are optional here ... (but possibly
            // used later)
            EndpointAddress address;

            if (!r.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address))
            {
                address = p.TargetAddress;
            }
            p.IssuerAddress = address;

            // It is somehow not checked as mandatory ...
            SecurityAlgorithmSuite suite = null;

            r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
            p.SecurityAlgorithmSuite = suite;
        }
Пример #19
0
        public static void AssertSymmetricSecurityBindingElement(
            SecurityAlgorithmSuite algorithm,
            bool includeTimestamp,
            SecurityKeyEntropyMode keyEntropyMode,
            MessageProtectionOrder messageProtectionOrder,
            MessageSecurityVersion messageSecurityVersion,
            bool requireSignatureConfirmation,
            SecurityHeaderLayout securityHeaderLayout,
            // EndpointSupportingTokenParameters
            int endorsing, int signed, int signedEncrypted, int signedEndorsing,
            // ProtectionTokenParameters
            bool hasProtectionTokenParameters,
            SecurityTokenInclusionMode protectionTokenInclusionMode,
            SecurityTokenReferenceStyle protectionTokenReferenceStyle,
            bool protectionTokenRequireDerivedKeys,
            // LocalClientSettings
            bool cacheCookies,
            int renewalThresholdPercentage,
            bool detectReplays,
            SymmetricSecurityBindingElement be, string label)
        {
            AssertSecurityBindingElement(
                algorithm,
                includeTimestamp,
                keyEntropyMode,
                messageSecurityVersion,
                securityHeaderLayout,
                // EndpointSupportingTokenParameters
                endorsing, signed, signedEncrypted, signedEndorsing,
                // LocalClientSettings
                cacheCookies,
                renewalThresholdPercentage,
                detectReplays,
                be, label);

            Assert.AreEqual(messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder");
            Assert.AreEqual(requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation");

            if (!hasProtectionTokenParameters)
            {
                Assert.IsNull(be.ProtectionTokenParameters, label + ".ProtectionTokenParameters (null)");
            }
            else
            {
                AssertSecurityTokenParameters(
                    protectionTokenInclusionMode,
                    protectionTokenReferenceStyle,
                    protectionTokenRequireDerivedKeys,
                    be.ProtectionTokenParameters, label + ".ProtectionTokenParameters");
            }
        }
Пример #20
0
        void CreateReference(Signature sig, XmlDocument doc, string id)
        {
            SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;

            if (id == String.Empty)
            {
                id = GenerateId(doc);
            }
            Reference r = new Reference("#" + id);

            r.AddTransform(CreateTransform(suite.DefaultCanonicalizationAlgorithm));
            r.DigestMethod = suite.DefaultDigestAlgorithm;
            sig.SignedInfo.AddReference(r);
        }
 internal SecurityBindingElement()
     : base()
 {
     _messageSecurityVersion                     = MessageSecurityVersion.Default;
     _keyEntropyMode                             = AcceleratedTokenProvider.defaultKeyEntropyMode;
     IncludeTimestamp                            = defaultIncludeTimestamp;
     _defaultAlgorithmSuite                      = defaultDefaultAlgorithmSuite;
     LocalClientSettings                         = new LocalClientSecuritySettings();
     EndpointSupportingTokenParameters           = new SupportingTokenParameters();
     OptionalEndpointSupportingTokenParameters   = new SupportingTokenParameters();
     _operationSupportingTokenParameters         = new Dictionary <string, SupportingTokenParameters>();
     _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
     _securityHeaderLayout                       = SecurityProtocolFactory.defaultSecurityHeaderLayout;
 }
        internal SecurityBindingElement CreateMessageSecurity(bool isSecureTransportMode)
        {
            SecurityBindingElement algorithmSuite;

            if (!isSecureTransportMode)
            {
                if (this.clientCredentialType != BasicHttpMessageCredentialType.Certificate)
                {
                    throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.BasicHttpMessageSecurityRequiresCertificate, new object[0])));
                }
                algorithmSuite = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);
            }
            else
            {
                MessageSecurityVersion wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
                switch (this.clientCredentialType)
                {
                case BasicHttpMessageCredentialType.UserName:
                {
                    algorithmSuite = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                    algorithmSuite.MessageSecurityVersion = wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
                    algorithmSuite.DefaultAlgorithmSuite  = this.AlgorithmSuite;
                    algorithmSuite.SecurityHeaderLayout   = SecurityHeaderLayout.Lax;
                    algorithmSuite.SetKeyDerivation(false);
                    InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
                    return(algorithmSuite);
                }

                case BasicHttpMessageCredentialType.Certificate:
                {
                    algorithmSuite = SecurityBindingElement.CreateCertificateOverTransportBindingElement(wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
                    algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite;
                    algorithmSuite.SecurityHeaderLayout  = SecurityHeaderLayout.Lax;
                    algorithmSuite.SetKeyDerivation(false);
                    InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
                    return(algorithmSuite);
                }
                }
                Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("Unsupported basic http message credential type");
                throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
            algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite;
            algorithmSuite.SecurityHeaderLayout  = SecurityHeaderLayout.Lax;
            algorithmSuite.SetKeyDerivation(false);
            InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true);
            return(algorithmSuite);
        }
Пример #23
0
 internal SecurityBindingElement()
     : base()
 {
     _messageSecurityVersion                     = MessageSecurityVersion.Default;
     _keyEntropyMode                             = SecurityKeyEntropyMode.CombinedEntropy; // AcceleratedTokenProvider.defaultKeyEntropyMode;
     IncludeTimestamp                            = DefaultIncludeTimestamp;
     _defaultAlgorithmSuite                      = s_defaultDefaultAlgorithmSuite;
     LocalServiceSettings                        = new LocalServiceSecuritySettings();
     EndpointSupportingTokenParameters           = new SupportingTokenParameters();
     OptionalEndpointSupportingTokenParameters   = new SupportingTokenParameters();
     _operationSupportingTokenParameters         = new Dictionary <string, SupportingTokenParameters>();
     _optionalOperationSupportingTokenParameters = new Dictionary <string, SupportingTokenParameters>();
     _securityHeaderLayout                       = SecurityHeaderLayout.Strict; // SecurityProtocolFactory.defaultSecurityHeaderLayout;
     AllowInsecureTransport                      = DefaultAllowInsecureTransport;
     EnableUnsecuredResponse                     = DefaultEnableUnsecuredResponse;
     ProtectTokens = DefaultProtectTokens;
 }
Пример #24
0
        private SecurityAlgorithmSuite Parse(string value, SecurityAlgorithmSuite def)
        {
            if (value == null)
            {
                return(def);
            }

            switch (value.ToLowerInvariant())
            {
            case "basic128":                return(SecurityAlgorithmSuite.Basic128);

            case "basic128rsa15":           return(SecurityAlgorithmSuite.Basic128Rsa15);

            case "basic128sha256":          return(SecurityAlgorithmSuite.Basic128Sha256);

            case "basic128sha256Rsa15":     return(SecurityAlgorithmSuite.Basic128Sha256Rsa15);

            case "basic192":                return(SecurityAlgorithmSuite.Basic192);

            case "basic192rsa15":           return(SecurityAlgorithmSuite.Basic192Rsa15);

            case "basic192sha256":          return(SecurityAlgorithmSuite.Basic192Sha256);

            case "basic192sha256rsa15":     return(SecurityAlgorithmSuite.Basic192Sha256Rsa15);

            case "basic256":                return(SecurityAlgorithmSuite.Basic256);

            case "basic256rsa15":           return(SecurityAlgorithmSuite.Basic256Rsa15);

            case "basic256sha256":          return(SecurityAlgorithmSuite.Basic256Sha256);

            case "basic256sha256rsa15":     return(SecurityAlgorithmSuite.Basic256Sha256Rsa15);

            case "default":                 return(SecurityAlgorithmSuite.Default);

            case "tripledes":               return(SecurityAlgorithmSuite.TripleDes);

            case "tripledesrsa15":          return(SecurityAlgorithmSuite.TripleDesRsa15);

            case "tripledessha256":         return(SecurityAlgorithmSuite.TripleDesSha256);

            case "tripledessha256rsa15":    return(SecurityAlgorithmSuite.TripleDesSha256Rsa15);

            default:                        throw new ArgumentException(string.Format("Unknown WCF [AlgorithmSuite]: {0}", value));
            }
        }
Пример #25
0
 static void AssertSecurityAlgorithmSuite(
     string defaultAsymmetricKeyWrapAlgorithm,
     string defaultAsymmetricSignatureAlgorithm,
     string defaultCanonicalizationAlgorithm,
     string defaultDigestAlgorithm,
     string defaultEncryptionAlgorithm,
     int defaultEncryptionKeyDerivationLength,
     int defaultSignatureKeyDerivationLength,
     int defaultSymmetricKeyLength,
     string defaultSymmetricKeyWrapAlgorithm,
     string defaultSymmetricSignatureAlgorithm,
     SecurityAlgorithmSuite target,
     string label)
 {
     Assert.AreEqual(defaultAsymmetricKeyWrapAlgorithm,
                     target.DefaultAsymmetricKeyWrapAlgorithm,
                     label + ".DefaultAsymmetricKeyWrapAlgorithm");
     Assert.AreEqual(defaultAsymmetricSignatureAlgorithm,
                     target.DefaultAsymmetricSignatureAlgorithm,
                     label + ".DefaultAsymmetricSignatureAlgorithm");
     Assert.AreEqual(defaultCanonicalizationAlgorithm,
                     target.DefaultCanonicalizationAlgorithm,
                     label + ".DefaultCanonicalizationAlgorithm");
     Assert.AreEqual(defaultDigestAlgorithm,
                     target.DefaultDigestAlgorithm,
                     label + ".DefaultDigestAlgorithm");
     Assert.AreEqual(defaultEncryptionAlgorithm,
                     target.DefaultEncryptionAlgorithm,
                     label + ".DefaultEncryptionAlgorithm");
     Assert.AreEqual(defaultEncryptionKeyDerivationLength,
                     target.DefaultEncryptionKeyDerivationLength,
                     label + ".DefaultEncryptionKeyDerivationLength");
     Assert.AreEqual(defaultSignatureKeyDerivationLength,
                     target.DefaultSignatureKeyDerivationLength,
                     label + ".DefaultSignatureKeyDerivationLength");
     Assert.AreEqual(defaultSymmetricKeyLength,
                     target.DefaultSymmetricKeyLength,
                     label + ".DefaultSymmetricKeyLength");
     Assert.AreEqual(defaultSymmetricKeyWrapAlgorithm,
                     target.DefaultSymmetricKeyWrapAlgorithm,
                     label + ".DefaultSymmetricKeyWrapAlgorithm");
     Assert.AreEqual(defaultSymmetricSignatureAlgorithm,
                     target.DefaultSymmetricSignatureAlgorithm,
                     label + ".DefaultSymmetricSignatureAlgorithm");
 }
Пример #26
0
        public void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
        {
            this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
            this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
            if (this.keyType == SecurityKeyType.BearerKey)
            {
                return;
            }
            string signatureAlgorithm = this.keyType == SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;

            this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm));
            string encryptionAlgorithm = issuedKeyType != SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm : algorithmSuite.DefaultEncryptionAlgorithm;

            this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptionAlgorithm));
            if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
            {
                return;
            }
            this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
        }
Пример #27
0
        public static void Snippet5()
        {
            // <Snippet5>
            BasicHttpBinding binding = new BasicHttpBinding("myBinding");

            binding.Name = "binding1";
            binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
            binding.Security.Mode          = BasicHttpSecurityMode.Message;

            // <Snippet6>
            BasicHttpSecurity        security    = binding.Security;
            BasicHttpMessageSecurity msgSecurity = security.Message;
            // </Snippet6>

            // <Snippet7>
            SecurityAlgorithmSuite         sas      = msgSecurity.AlgorithmSuite;
            BasicHttpMessageCredentialType credType = msgSecurity.ClientCredentialType;

            // </Snippet7>

            Console.WriteLine("The algorithm suite used is {0}", sas.ToString());
            Console.WriteLine("The client credential type used is {0}", credType.ToString());
            // </Snippet5>
        }
Пример #28
0
        void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode)
        {
            foreach (SecurityTokenParameters p in plist)
            {
                SecurityTokenResolver      r;
                SecurityTokenAuthenticator a =
                    security.CreateTokenAuthenticator(p, out r);
                SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens);
                if (spec == null)
                {
                    if (optional)
                    {
                        continue;
                    }
                    else
                    {
                        throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode));
                    }
                }
                else
                {
                    // For endorsing tokens, verify corresponding signatures.
                    switch (attachMode)
                    {
                    case SecurityTokenAttachmentMode.Endorsing:
                    case SecurityTokenAttachmentMode.SignedEndorsing:
                        WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken);
                        if (esxml == null)
                        {
                            throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode));
                        }

                        bool confirmed;
                        SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
                        foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo)
                        {
                            SecurityKey          signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause);
                            SymmetricSecurityKey symkey  = signKey as SymmetricSecurityKey;
                            if (symkey != null)
                            {
                                confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
                            }
                            else
                            {
                                AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false);
                                confirmed = esxml.CheckSignature(alg);
                            }
                            if (!confirmed)
                            {
                                throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode));
                            }
                            break;
                        }

                        sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue));
                        break;
                    }
                }

                sec_prop.IncomingSupportingTokens.Add(spec);
            }
        }
Пример #29
0
        internal static bool TryCreate <TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity)
            where TSecurity : MessageSecurityOverHttp
        {
            Fx.Assert(null != sbe, string.Empty);

            messageSecurity = null;

            // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings

            if (!sbe.IncludeTimestamp)
            {
                return(false);
            }

            // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()

            if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
            {
                return(false);
            }

            bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
            MessageCredentialType  clientCredentialType;
            SecurityAlgorithmSuite algorithmSuite = SecurityAlgorithmSuite.Default;
            bool isSecureConversation;

            SecurityBindingElement bootstrapSecurity;

            if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity))
            {
                isSecureConversation = false;

                bootstrapSecurity = sbe;
            }
            else
            {
                isSecureConversation = true;
            }

            if (!isSecureConversation && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp)))
            {
                return(false);
            }

            if (!isSecureConversation && isReliableSession)
            {
                return(false);
            }

            if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
            {
                return(false);
            }

            IssuedSecurityTokenParameters infocardParameters;

            if (isSecureTransportMode)
            {
                if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
                {
                    clientCredentialType = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
                {
                    clientCredentialType = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    clientCredentialType = MessageCredentialType.IssuedToken;
                }
                else
                {
                    // the standard binding does not support None client credential type in mixed mode
                    return(false);
                }
            }
            else
            {
                if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.None;
                }
                else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
                {
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    negotiateServiceCredential = true;
                    clientCredentialType       = MessageCredentialType.IssuedToken;
                }
                else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.UserName;
                }
                else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.Certificate;
                }
                else if (SecurityBindingElement.IsKerberosBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.Windows;
                }
                else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out infocardParameters))
                {
                    if (!IssuedSecurityTokenParameters.IsInfoCardParameters(
                            infocardParameters,
                            new SecurityStandardsManager(
                                sbe.MessageSecurityVersion,
                                new WSSecurityTokenSerializer(
                                    sbe.MessageSecurityVersion.SecurityVersion,
                                    sbe.MessageSecurityVersion.TrustVersion,
                                    sbe.MessageSecurityVersion.SecureConversationVersion,
                                    true,
                                    null, null, null))))
                    {
                        return(false);
                    }
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.IssuedToken;
                }
                else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrapSecurity))
                {
                    negotiateServiceCredential = false;
                    clientCredentialType       = MessageCredentialType.None;
                }
                else
                {
                    return(false);
                }
            }

            // Do not check any Local* settings

            // Do not check DefaultAlgorithmSuite: is it often changed after the Security element is created, it will verified by SecuritySectionBase.AreBindingsMatching().

            if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity)))
            {
                messageSecurity = (TSecurity)(object)new NonDualMessageSecurityOverHttp();
                ((NonDualMessageSecurityOverHttp)(object)messageSecurity).EstablishSecurityContext = isSecureConversation;
            }
            else
            {
                messageSecurity = (TSecurity)(object)new MessageSecurityOverHttp();
            }

            messageSecurity.ClientCredentialType       = clientCredentialType;
            messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
            messageSecurity.AlgorithmSuite             = sbe.DefaultAlgorithmSuite;
            return(true);
        }
Пример #30
0
 public MessageSecurityOverHttp()
 {
     clientCredentialType       = DefaultClientCredentialType;
     negotiateServiceCredential = DefaultNegotiateServiceCredential;
     algorithmSuite             = SecurityAlgorithmSuite.Default;
 }