private SecurityBindingElement CreateSecurity()
{
AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();
clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
clientToken.RequireDerivedKeys = false;
clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External;
security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work
security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
//Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked.
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return(security);
}
public void CreateAnonymousForCertificateBindingElement()
{
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
SecurityAssert.AssertSymmetricSecurityBindingElement(
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
true, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
0, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
// test ProtectionTokenParameters
X509SecurityTokenParameters tp =
be.ProtectionTokenParameters
as X509SecurityTokenParameters;
Assert.IsNotNull(tp, "#2-1");
SecurityAssert.AssertSecurityTokenParameters(
SecurityTokenInclusionMode.Never,
SecurityTokenReferenceStyle.Internal,
true, tp, "Protection");
Assert.AreEqual(X509KeyIdentifierClauseType.Thumbprint, tp.X509ReferenceStyle, "#2-2");
}
static void Run()
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
sbe.RequireSignatureConfirmation = true;
//sbe.IncludeTimestamp = false;
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
sbe.EndpointSupportingTokenParameters.Endorsing.Add(p);
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
//sbe.SetKeyDerivation (false);
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(new XBE(), sbe, hbe);
X509Certificate2 cert = new X509Certificate2("test.pfx", "mono");
X509Certificate2 cert2 = cert; //new X509Certificate2 ("test2.cer");
FooProxy proxy = new FooProxy(binding,
new EndpointAddress(new Uri("http://localhost:8080"), new X509CertificateEndpointIdentity(cert2)));
//proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
proxy.ClientCredentials.ClientCertificate.Certificate = cert;
proxy.Endpoint.Behaviors.Add(new StdErrInspectionBehavior());
proxy.Open();
Console.WriteLine(proxy.Echo("TEST FOR ECHO"));
}
//<snippet1>
public static Binding CreateMultiFactorAuthenticationBinding()
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
// The message security binding element will be configured to require 2 tokens:
// 1) A user name/password encrypted with the service token.
// 2) A client certificate used to sign the message.
// Instantiate a binding element that will require the user name/password token
// in the message (encrypted with the server certificate).
SymmetricSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
// Create supporting token parameters for the client X.509 certificate.
X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
// Specify that the supporting token is passed in the message send by the client to the service.
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
// Turn off derived keys.
clientX509SupportingTokenParameters.RequireDerivedKeys = false;
// Augment the binding element to require the client's X.509 certificate as an
// endorsing token in the message.
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);
// Create a CustomBinding based on the constructed security binding element.
return(new CustomBinding(messageSecurity, httpTransport));
}
// this method reverses CreateMutualCertificateBindingElement() logic
internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe)
{
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (!(sbe is TransportSecurityBindingElement))
{
return(false);
}
SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters;
if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0)
{
return(false);
}
X509SecurityTokenParameters x509Parameters = parameters.Endorsing[0] as X509SecurityTokenParameters;
if (x509Parameters == null)
{
return(false);
}
if (x509Parameters.InclusionMode != SecurityTokenInclusionMode.AlwaysToRecipient)
{
return(false);
}
return(x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Any || x509Parameters.X509ReferenceStyle == X509KeyIdentifierClauseType.Thumbprint);
}
public void MessageSecurityUserName()
{
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Message.NegotiateServiceCredential = false;
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.UserName;
SymmetricSecurityBindingElement sbe =
binding.CreateBindingElements().Find <SymmetricSecurityBindingElement> ();
Assert.IsNotNull(sbe, "#1");
Assert.AreEqual(false, sbe.RequireSignatureConfirmation, "#1-2");
X509SecurityTokenParameters sp =
sbe.ProtectionTokenParameters
as X509SecurityTokenParameters;
Assert.IsNotNull(sp, "#2");
Assert.AreEqual(SecurityTokenReferenceStyle.Internal,
sp.ReferenceStyle, "#3");
Assert.AreEqual(SecurityTokenInclusionMode.Never,
sp.InclusionMode, "#4");
UserNameSecurityTokenParameters up =
sbe.EndpointSupportingTokenParameters.SignedEncrypted [0]
as UserNameSecurityTokenParameters;
Assert.AreEqual(SecurityTokenReferenceStyle.Internal,
up.ReferenceStyle, "#5");
Assert.AreEqual(SecurityTokenInclusionMode.AlwaysToRecipient,
up.InclusionMode, "#6");
}
// If any changes are made to this method, please make sure that they are
// reflected in the corresponding IsCertificateOverTransportBinding() method.
public static TransportSecurityBindingElement CreateCertificateOverTransportBindingElement(MessageSecurityVersion version)
{
if (version == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(version));
}
X509KeyIdentifierClauseType x509ReferenceType;
if (version.SecurityVersion == SecurityVersion.WSSecurity10)
{
x509ReferenceType = X509KeyIdentifierClauseType.Any;
}
else
{
x509ReferenceType = X509KeyIdentifierClauseType.Thumbprint;
}
TransportSecurityBindingElement result = new TransportSecurityBindingElement();
X509SecurityTokenParameters x509Parameters = new X509SecurityTokenParameters(
x509ReferenceType,
SecurityTokenInclusionMode.AlwaysToRecipient,
false);
result.EndpointSupportingTokenParameters.Endorsing.Add(
x509Parameters
);
result.IncludeTimestamp = true;
// result.LocalClientSettings.DetectReplays = false;
result.LocalServiceSettings.DetectReplays = false;
result.MessageSecurityVersion = version;
return(result);
}
public SafeOnlineBinding()
{
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
encoding.MessageVersion = MessageVersion.Soap11;
TransportSecurityBindingElement securityBinding = new TransportSecurityBindingElement();
securityBinding.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
securityBinding.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default;
securityBinding.SetKeyDerivation(false);
X509SecurityTokenParameters certToken = new X509SecurityTokenParameters();
certToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
certToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
certToken.RequireDerivedKeys = false;
certToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
securityBinding.EndpointSupportingTokenParameters.SignedEndorsing.Add(certToken);
securityBinding.LocalClientSettings.DetectReplays = false;
this.bindingElements = new BindingElementCollection();
this.bindingElements.Add(securityBinding);
this.bindingElements.Add(encoding);
this.bindingElements.Add(httpsTransport);
}
private bool DoesSecurityBindingElementContainClauseTypeofIssuerSerial(SecurityBindingElement sbe)
{
if (sbe == null)
{
return(false);
}
if (sbe is SymmetricSecurityBindingElement)
{
X509SecurityTokenParameters protectionTokenParameters = ((SymmetricSecurityBindingElement)sbe).ProtectionTokenParameters as X509SecurityTokenParameters;
if ((protectionTokenParameters != null) && (protectionTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial))
{
return(true);
}
}
else if (sbe is AsymmetricSecurityBindingElement)
{
X509SecurityTokenParameters initiatorTokenParameters = ((AsymmetricSecurityBindingElement)sbe).InitiatorTokenParameters as X509SecurityTokenParameters;
if ((initiatorTokenParameters != null) && (initiatorTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial))
{
return(true);
}
X509SecurityTokenParameters recipientTokenParameters = ((AsymmetricSecurityBindingElement)sbe).RecipientTokenParameters as X509SecurityTokenParameters;
if ((recipientTokenParameters != null) && (recipientTokenParameters.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial))
{
return(true);
}
}
return(this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.Endorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.Signed) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.SignedEncrypted) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.EndpointSupportingTokenParameters.SignedEndorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.Endorsing) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.Signed) || (this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.SignedEncrypted) || this.DoesX509TokenParametersContainClauseTypeofIssuerSerial(sbe.OptionalEndpointSupportingTokenParameters.SignedEndorsing))))))));
}
private static SecurityBindingElement CreateSecurityBindingElement()
{
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Sha256;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
messageSecurity.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0);
messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);
messageSecurity.LocalServiceSettings.MaxClockSkew = new TimeSpan(0, 0, 1, 0);
messageSecurity.LocalClientSettings.TimestampValidityDuration = new TimeSpan(0, 0, 10, 0);
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient)
{
RequireDerivedKeys = false
};
messageSecurity.InitiatorTokenParameters = initiator;
return(messageSecurity);
}
//<snippet1>
public Binding CreateClientBinding()
{
AsymmetricSecurityBindingElement abe =
(AsymmetricSecurityBindingElement)SecurityBindingElement.
CreateMutualCertificateBindingElement(
MessageSecurityVersion.
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
abe.SetKeyDerivation(false);
X509SecurityTokenParameters istp =
abe.InitiatorTokenParameters as X509SecurityTokenParameters;
if (istp != null)
{
istp.X509ReferenceStyle =
X509KeyIdentifierClauseType.IssuerSerial;
}
X509SecurityTokenParameters rstp =
abe.RecipientTokenParameters as X509SecurityTokenParameters;
if (rstp != null)
{
rstp.X509ReferenceStyle =
X509KeyIdentifierClauseType.IssuerSerial;
}
HttpTransportBindingElement transport =
new HttpTransportBindingElement();
return(new CustomBinding(abe, transport));
}
public static Binding GetIssuedTokenBindingSSL()
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
return(new CustomBinding(
messageSecurity,
textmessageEncoding,
new HttpsTransportBindingElement()));
}
public override BindingElementCollection CreateBindingElements()
{
var transport =
_useHttps
? new HttpsTransportBindingElement()
: new HttpTransportBindingElement();
if (_maxReceivedMessageSize.HasValue)
{
transport.MaxReceivedMessageSize =
_maxReceivedMessageSize.Value;
}
var encoding = new TextMessageEncodingBindingElement();
// [OIO IDWS SOAP 1.1] requires SOAP 1.2 and WS-Adressing 1.0
encoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
// AlwaysToInitiator is required by the [OIO IDWS SOAP 1.1] profile. This specifies that the server certificate must be embedded in the response.
var recipientTokenParameters = new X509SecurityTokenParameters(
X509KeyIdentifierClauseType.Any,
SecurityTokenInclusionMode.AlwaysToInitiator);
var initiatorTokenParameters =
new CustomizedIssuedSecurityTokenParameters(
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
);
initiatorTokenParameters.UseStrTransform = true;
var asymmetric = new AsymmetricSecurityBindingElement(recipientTokenParameters, initiatorTokenParameters);
// Must be true in order for client to accept embedded server certificates instead of references. This is required by the [OIO IDWS SOAP 1.1] profile.
// However, the client must still specify the server certificate explicitly.
// Have not figured out how the client can use the embedded server certificate and make trust to it through a CA certificate and a CN (Common Name). This way the client should not need the server certificate.
asymmetric.AllowSerializedSigningTokenOnReply = true;
// No need for derived keys when both parties has a certificate. Also OIO-IDWS-SOAP does not make use of derived keys.
asymmetric.SetKeyDerivation(false);
// Include token (encrypted assertion from NemLog-in STS) in signature
asymmetric.ProtectTokens = true;
// Specifies that WCF can send and receive unsecured responses to secured requests.
// Concrete this means that SOAP faults are send unencrypted. [OIO IDWS SOAP 1.1] does not specify whether or not SOAP faults can be encrypted but it looks like they should not be encrypted.
// If encrypted the client is not able to process the encrypted SOAP fault if client is not setup correctly.
// setting EnableUnsecuredResponse to true makes normal responses unsigned and processed by the client without error. This is not what we want :)
//asymmetric.EnableUnsecuredResponse = true;
var elements = new BindingElementCollection();
elements.Add(asymmetric);
elements.Add(encoding);
elements.Add(transport);
return(elements);
}
public static void Main()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement();
//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
//sbe.RequireSignatureConfirmation = true;
//sbe.LocalServiceSettings.DetectReplays = false;
//sbe.IncludeTimestamp = false;
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
sbe.SetKeyDerivation(false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost(typeof(Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
host.AddServiceEndpoint("IFoo",
binding, new Uri("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add(cred);
host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
{
se.Behaviors.Add(new StdErrInspectionBehavior());
}
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
host.Description.Behaviors.Add(smb);
host.Open();
Console.WriteLine("Hit [CR] key to close ...");
Console.ReadLine();
host.Close();
}
private bool DoesX509TokenParametersContainClauseTypeofIssuerSerial(Collection <SecurityTokenParameters> tokenParameters)
{
foreach (SecurityTokenParameters parameters in tokenParameters)
{
X509SecurityTokenParameters parameters2 = parameters as X509SecurityTokenParameters;
if ((parameters2 != null) && (parameters2.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial))
{
return(true);
}
}
return(false);
}
protected override SecurityBindingElement CreateMessageSecurity()
{
if (this.Security.Mode == WSFederationHttpSecurityMode.None)
{
throw new InvalidOperationException("Only message and security is supported");
}
if (this.Security.Message.IssuedKeyType != SecurityKeyType.AsymmetricKey)
{
throw new InvalidOperationException("Only Asymmectric Keys are supported");
}
if (this.Security.Message.NegotiateServiceCredential)
{
throw new InvalidOperationException("Negocatiation of service credentials not supported");
}
if (this.Security.Message.EstablishSecurityContext)
{
throw new InvalidOperationException("Secure conversation not supported");
}
SecurityBindingElement security;
if (this.Security.Mode == WSFederationHttpSecurityMode.Message)
{
SymmetricSecurityBindingElement baseSecurity = (SymmetricSecurityBindingElement)base.CreateMessageSecurity();
AsymmetricSecurityBindingElement asecurity = new AsymmetricSecurityBindingElement();
asecurity.InitiatorTokenParameters = baseSecurity.EndpointSupportingTokenParameters.Endorsing[0];
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
asecurity.RecipientTokenParameters = serverToken;
security = asecurity;
}
else
{
TransportSecurityBindingElement baseSecurity = (TransportSecurityBindingElement)base.CreateMessageSecurity();
TransportSecurityBindingElement tsecurity = new TransportSecurityBindingElement();
tsecurity.EndpointSupportingTokenParameters.Endorsing.Add(baseSecurity.EndpointSupportingTokenParameters.Endorsing[0]);
security = tsecurity;
}
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return(security);
}
static X509SecurityTokenParameters CreateProtectionTokenParameters(bool cert)
{
X509SecurityTokenParameters p =
new X509SecurityTokenParameters();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
if (cert)
{
p.InclusionMode = SecurityTokenInclusionMode.Never;
}
return(p);
}
// based on WSHttpBinding.CreateMessageSecurity()
SecurityBindingElement CreateMessageSecurity()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
{
return(null);
}
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation(false);
switch (Security.Message.ClientCredentialType)
{
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add(
new X509SecurityTokenParameters());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding(
new TextMessageEncodingBindingElement(),
GetTransport());
element.EndpointSupportingTokenParameters.Endorsing.Add(istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add(
new UserNameSecurityTokenParameters());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
return(element);
}
public static SecurityToken getToken(sts.Token token)
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
//messageSecurity.EnableUnsecuredResponse = true;
messageSecurity.IncludeTimestamp = false;
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
messageSecurity.LocalClientSettings.DetectReplays = false;
messageSecurity.LocalServiceSettings.DetectReplays = false;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var binding = new CustomBinding(messageSecurity, textmessageEncoding, new StrippingChannelBindingElement(), new HttpTransportBindingElement());
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri("http://login.staging.rapidsoft.ru:80/auth/sts"), EndpointIdentity.CreateDnsIdentity("test")));
trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
trustChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByIssuerName, "test");
trustChannelFactory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.None;
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);
rst.OnBehalfOf = new Microsoft.IdentityModel.Tokens.SecurityTokenElement(token, new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection());
rst.KeyType = WSTrust13Constants.KeyTypes.Asymmetric;
RequestSecurityTokenResponse rstr = null;
SecurityToken SecurityToken = channel.Issue(rst, out rstr);
return(SecurityToken);
}
public static Binding CreateDataAccessBinding()
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CredentialsTokenParameters());
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return(new CustomBinding(messageSecurity, httpTransport));
}
void SetKeyDerivationIncorrect(SecurityBindingElement be, string label)
{
X509SecurityTokenParameters p, p2;
p = new X509SecurityTokenParameters();
p2 = new X509SecurityTokenParameters();
// setting in prior - makes no sense
be.SetKeyDerivation(false);
be.EndpointSupportingTokenParameters.Endorsing.Add(p);
be.EndpointSupportingTokenParameters.Endorsing.Add(p2);
Assert.AreEqual(true, p.RequireDerivedKeys, label + "#5");
Assert.AreEqual(true, p2.RequireDerivedKeys, label + "#6");
}
void SetKeyDerivationCorrect(SecurityBindingElement be, string label)
{
X509SecurityTokenParameters p, p2;
p = new X509SecurityTokenParameters();
p2 = new X509SecurityTokenParameters();
Assert.AreEqual(true, p.RequireDerivedKeys, label + "#1");
Assert.AreEqual(true, p2.RequireDerivedKeys, label + "#2");
be.EndpointSupportingTokenParameters.Endorsing.Add(p);
be.EndpointSupportingTokenParameters.Endorsing.Add(p2);
be.SetKeyDerivation(false);
Assert.AreEqual(false, p.RequireDerivedKeys, label + "#3");
Assert.AreEqual(false, p2.RequireDerivedKeys, label + "#4");
}
CreateMutualCertificateBindingElement(
MessageSecurityVersion version,
bool allowSerializedSigningTokenOnReply)
{
if (version == null)
{
throw new ArgumentNullException("version");
}
if (allowSerializedSigningTokenOnReply)
{
throw new NotSupportedException("allowSerializedSigningTokenOnReply is not supported");
}
if (version.SecurityVersion == SecurityVersion.WSSecurity10)
{
var recipient = new X509SecurityTokenParameters(
X509KeyIdentifierClauseType.Any,
SecurityTokenInclusionMode.Never);
recipient.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(
X509KeyIdentifierClauseType.Any,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
return(new AsymmetricSecurityBindingElement(recipient, initiator)
{
MessageSecurityVersion = version
});
}
else
{
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint);
p.RequireDerivedKeys = false;
var sym = new SymmetricSecurityBindingElement()
{
MessageSecurityVersion = version,
RequireSignatureConfirmation = true
};
X509SecurityTokenParameters p2 = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint);
p2.ReferenceStyle = SecurityTokenReferenceStyle.External;
sym.ProtectionTokenParameters = p2;
sym.EndpointSupportingTokenParameters.Endorsing.Add(p);
return(sym);
}
}
public static Binding CreateCreditCardBinding()
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
// The message security binding element is configured to require a credit card
// token that is encrypted with the service's certificate.
SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return(new CustomBinding(messageSecurity, httpTransport));
}
bool DoesX509TokenParametersContainClauseTypeofIssuerSerial(Collection <SecurityTokenParameters> tokenParameters)
{
foreach (SecurityTokenParameters tokenParameter in tokenParameters)
{
X509SecurityTokenParameters x509TokenParameter = tokenParameter as X509SecurityTokenParameters;
if (x509TokenParameter != null)
{
if (x509TokenParameter.X509ReferenceStyle == X509KeyIdentifierClauseType.IssuerSerial)
{
return(true);
}
}
}
return(false);
}
public static void Main()
{
Console.WriteLine("WARNING!! This test is not configured enought to work fine on .NET either.");
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement();
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
sbe.RequireSignatureConfirmation = true;
//sbe.IncludeTimestamp = false;
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
sbe.EndpointSupportingTokenParameters.Endorsing.Add(p);
//sbe.SetKeyDerivation (false);
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost(typeof(Foo));
var mbe = new BinaryMessageEncodingBindingElement();
var tbe = new TcpTransportBindingElement();
CustomBinding binding = new CustomBinding(sbe, mbe, tbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds(5);
host.AddServiceEndpoint("IFoo",
binding, new Uri("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials();
cred.ServiceCertificate.Certificate =
new X509Certificate2("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add(cred);
host.Description.Behaviors.Find <ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri("http://localhost:8080/wsdl");
host.Description.Behaviors.Add(smb);
host.Open();
Console.WriteLine("Hit [CR] key to close ...");
Console.ReadLine();
host.Close();
}
public Binding CreateHttpsBinding()
{
var httpTransport = new HttpsTransportBindingElement
{
MaxReceivedMessageSize = 10000000
};
var messageSecurity = new SymmetricSecurityBindingElement();
var x509ProtectionParameters = new X509SecurityTokenParameters
{
InclusionMode = SecurityTokenInclusionMode.Never
};
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return(new CustomBinding(messageSecurity, httpTransport));
}
public void SetKeyDerivation()
{
SymmetricSecurityBindingElement be;
X509SecurityTokenParameters p;
be = new SymmetricSecurityBindingElement();
p = new X509SecurityTokenParameters();
be.ProtectionTokenParameters = p;
be.SetKeyDerivation(false);
Assert.AreEqual(false, p.RequireDerivedKeys, "#1");
be = new SymmetricSecurityBindingElement();
p = new X509SecurityTokenParameters();
be.SetKeyDerivation(false); // set in prior - makes no sense
be.ProtectionTokenParameters = p;
Assert.AreEqual(true, p.RequireDerivedKeys, "#2");
}
public Binding CreateBinding()
{
var httpTransport = new HttpTransportBindingElement
{
MaxReceivedMessageSize = 10000000
};
var messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new ConnectTokenParameters());
var x509ProtectionParameters = new X509SecurityTokenParameters
{
InclusionMode = SecurityTokenInclusionMode.Never
};
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return(new CustomBinding(messageSecurity, httpTransport));
}
private static System.ServiceModel.Channels.Binding CreateBinding()
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var httpTransport = new HttpTransportBindingElement();
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);
return(customBinding);
}
