/// <summary>
/// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
/// </summary>
/// <returns>The newly created security settings object.</returns>
public RelyingPartySecuritySettings CreateSecuritySettings()
{
Contract.Ensures(Contract.Result <RelyingPartySecuritySettings>() != null);
RelyingPartySecuritySettings settings = new RelyingPartySecuritySettings();
settings.RequireSsl = this.RequireSsl;
settings.RequireDirectedIdentity = this.RequireDirectedIdentity;
settings.RequireAssociation = this.RequireAssociation;
settings.MinimumRequiredOpenIdVersion = this.MinimumRequiredOpenIdVersion;
settings.MinimumHashBitLength = this.MinimumHashBitLength;
settings.MaximumHashBitLength = this.MaximumHashBitLength;
settings.PrivateSecretMaximumAge = DotNetOpenAuthSection.Messaging.PrivateSecretMaximumAge;
settings.RejectUnsolicitedAssertions = this.RejectUnsolicitedAssertions;
settings.RejectDelegatingIdentifiers = this.RejectDelegatingIdentifiers;
settings.IgnoreUnsignedExtensions = this.IgnoreUnsignedExtensions;
settings.AllowDualPurposeIdentifiers = this.AllowDualPurposeIdentifiers;
settings.AllowApproximateIdentifierDiscovery = this.AllowApproximateIdentifierDiscovery;
settings.ProtectDownlevelReplayAttacks = this.ProtectDownlevelReplayAttacks;
settings.RejectAssertionsFromUntrustedProviders = this.TrustedProviders.RejectAssertionsFromUntrustedProviders;
foreach (TrustedProviderEndpointConfigurationElement opEndpoint in this.TrustedProviders)
{
settings.TrustedProviderEndpoints.Add(opEndpoint.ProviderEndpoint);
}
return(settings);
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
{
Contract.Requires <ArgumentNullException>(nonceStore != null);
Contract.Requires <ArgumentNullException>(securitySettings != null);
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="ExtensionsBindingElement"/> class.
/// </summary>
/// <param name="extensionFactory">The extension factory.</param>
/// <param name="securitySettings">The security settings.</param>
internal ExtensionsBindingElement(IOpenIdExtensionFactory extensionFactory, SecuritySettings securitySettings)
{
Contract.Requires <ArgumentNullException>(extensionFactory != null);
Contract.Requires <ArgumentNullException>(securitySettings != null);
this.ExtensionFactory = extensionFactory;
this.relyingPartySecuritySettings = securitySettings as RelyingPartySecuritySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="ExtensionsBindingElementRelyingParty"/> class.
/// </summary>
/// <param name="extensionFactory">The extension factory.</param>
/// <param name="securitySettings">The security settings.</param>
internal ExtensionsBindingElementRelyingParty(IOpenIdExtensionFactory extensionFactory, RelyingPartySecuritySettings securitySettings)
: base(extensionFactory, securitySettings, !securitySettings.IgnoreUnsignedExtensions)
{
Requires.NotNull(extensionFactory, "extensionFactory");
Requires.NotNull(securitySettings, "securitySettings");
this.relyingPartySecuritySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
{
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(securitySettings, "securitySettings");
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="ExtensionsBindingElement"/> class.
/// </summary>
/// <param name="extensionFactory">The extension factory.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal ExtensionsBindingElement(IOpenIdExtensionFactory extensionFactory, RelyingPartySecuritySettings securitySettings)
{
ErrorUtilities.VerifyArgumentNotNull(extensionFactory, "extensionFactory");
ErrorUtilities.VerifyArgumentNotNull(securitySettings, "securitySettings");
this.ExtensionFactory = extensionFactory;
this.rpSecuritySettings = securitySettings;
}
public RelyingPartySecuritySettings CreateSecuritySettings()
{
RelyingPartySecuritySettings settings = new RelyingPartySecuritySettings();
settings.RequireSsl = RequireSsl;
settings.MinimumRequiredOpenIdVersion = MinimumRequiredOpenIdVersion;
settings.MinimumHashBitLength = MinimumHashBitLength;
settings.MaximumHashBitLength = MaximumHashBitLength;
return(settings);
}
/// <summary>
/// Applies a well known set of security requirements.
/// </summary>
/// <param name="securitySettings">The security settings to enhance with the requirements of this profile.</param>
/// <remarks>
/// Care should be taken to never decrease security when applying a profile.
/// Profiles should only enhance security requirements to avoid being
/// incompatible with each other.
/// </remarks>
void IRelyingPartyBehavior.ApplySecuritySettings(RelyingPartySecuritySettings securitySettings)
{
if (securitySettings.MaximumHashBitLength < 256)
{
securitySettings.MaximumHashBitLength = 256;
}
securitySettings.RequireSsl = !DisableSslRequirement;
securitySettings.RequireDirectedIdentity = true;
securitySettings.RequireAssociation = true;
securitySettings.RejectDelegatingIdentifiers = true;
securitySettings.IgnoreUnsignedExtensions = true;
securitySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
}
public void AssociateRequestDeterminedBySecuritySettings()
{
Protocol protocol = Protocol.V20;
SecuritySettings securitySettings = new RelyingPartySecuritySettings();
securitySettings.MinimumHashBitLength = 160;
securitySettings.MaximumHashBitLength = 160;
ProviderEndpointDescription provider = new ProviderEndpointDescription(OPUri, protocol.Version);
Assert.AreEqual(AssociateRequestRelyingParty.Create(securitySettings, provider).AssociationType, protocol.Args.SignatureAlgorithm.HMAC_SHA1);
securitySettings.MinimumHashBitLength = 384;
securitySettings.MaximumHashBitLength = 384;
Assert.AreEqual(AssociateRequestRelyingParty.Create(securitySettings, provider).AssociationType, protocol.Args.SignatureAlgorithm.HMAC_SHA384);
}
/// <summary>
/// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
/// </summary>
/// <returns>The newly created security settings object.</returns>
public RelyingPartySecuritySettings CreateSecuritySettings()
{
Contract.Ensures(Contract.Result <RelyingPartySecuritySettings>() != null);
RelyingPartySecuritySettings settings = new RelyingPartySecuritySettings();
settings.RequireSsl = this.RequireSsl;
settings.RequireDirectedIdentity = this.RequireDirectedIdentity;
settings.RequireAssociation = this.RequireAssociation;
settings.MinimumRequiredOpenIdVersion = this.MinimumRequiredOpenIdVersion;
settings.MinimumHashBitLength = this.MinimumHashBitLength;
settings.MaximumHashBitLength = this.MaximumHashBitLength;
settings.PrivateSecretMaximumAge = this.PrivateSecretMaximumAge;
settings.RejectUnsolicitedAssertions = this.RejectUnsolicitedAssertions;
settings.RejectDelegatingIdentifiers = this.RejectDelegatingIdentifiers;
settings.IgnoreUnsignedExtensions = this.IgnoreUnsignedExtensions;
settings.AllowDualPurposeIdentifiers = this.AllowDualPurposeIdentifiers;
return(settings);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="associationStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings, nonVerifying))
{
Contract.Requires <ArgumentNullException>(messageTypeProvider != null);
Contract.Requires <ArgumentNullException>(securitySettings != null);
Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="associationStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(associationStore, nonceStore, new OpenIdMessageFactory(), securitySettings, false)
{
Contract.Requires <ArgumentNullException>(securitySettings != null);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying))
{
Requires.NotNull(messageTypeProvider, "messageTypeProvider");
Requires.NotNull(securitySettings, "securitySettings");
Requires.True(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Initializes a new instance of the <see cref="RelyingPartySecurityOptions"/> class.
/// </summary>
/// <param name="securitySettings">The security settings.</param>
internal RelyingPartySecurityOptions(RelyingPartySecuritySettings securitySettings)
{
this.securitySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="associationStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
private OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings) :
this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings))
{
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="associationStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(associationStore, nonceStore, new OpenIdMessageFactory(), securitySettings)
{
}
/// <summary>
/// Applies a well known set of security requirements to a default set of security settings.
/// </summary>
/// <param name="securitySettings">The security settings to enhance with the requirements of this profile.</param>
/// <remarks>
/// Care should be taken to never decrease security when applying a profile.
/// Profiles should only enhance security requirements to avoid being
/// incompatible with each other.
/// </remarks>
void IRelyingPartyBehavior.ApplySecuritySettings(RelyingPartySecuritySettings securitySettings)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
/// </summary>
/// <param name="secretStore">The secret store from which to retrieve the secret used for signing.</param>
/// <param name="securitySettings">The security settings.</param>
internal ReturnToSignatureBindingElement(IAssociationStore <Uri> secretStore, RelyingPartySecuritySettings securitySettings)
{
Contract.Requires <ArgumentNullException>(secretStore != null);
this.secretManager = new PrivateSecretManager(securitySettings, secretStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply.</param>
internal OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
: this(cryptoKeyStore, nonceStore, new OpenIdRelyingPartyMessageFactory(), securitySettings, false)
{
Requires.NotNull(securitySettings, "securitySettings");
}
public override void SetUp()
{
base.SetUp();
this.settings = new RelyingPartySecuritySettings();
}
/// <summary>
/// Initializes the binding elements.
/// </summary>
/// <param name="cryptoKeyStore">The crypto key store.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply. Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or ProviderSecuritySettings.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying)
{
Requires.NotNull(securitySettings, "securitySettings");
SigningBindingElement signingElement;
signingElement = nonVerifying ? null : new RelyingPartySigningBindingElement(new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore ?? new MemoryCryptoKeyStore()));
var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
List <IChannelBindingElement> elements = new List <IChannelBindingElement>(8);
elements.Add(new ExtensionsBindingElementRelyingParty(extensionFactory, securitySettings));
elements.Add(new RelyingPartySecurityOptions(securitySettings));
elements.Add(new BackwardCompatibilityBindingElement());
ReturnToNonceBindingElement requestNonceElement = null;
if (cryptoKeyStore != null)
{
if (nonceStore != null)
{
// There is no point in having a ReturnToNonceBindingElement without
// a ReturnToSignatureBindingElement because the nonce could be
// artificially changed without it.
requestNonceElement = new ReturnToNonceBindingElement(nonceStore, securitySettings);
elements.Add(requestNonceElement);
}
// It is important that the return_to signing element comes last
// so that the nonce is included in the signature.
elements.Add(new ReturnToSignatureBindingElement(cryptoKeyStore));
}
ErrorUtilities.VerifyOperation(!securitySettings.RejectUnsolicitedAssertions || requestNonceElement != null, OpenIdStrings.UnsolicitedAssertionRejectionRequiresNonceStore);
if (nonVerifying)
{
elements.Add(new SkipSecurityBindingElement());
}
else
{
if (nonceStore != null)
{
elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
}
elements.Add(new StandardExpirationBindingElement());
elements.Add(signingElement);
}
return(elements.ToArray());
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
/// </summary>
/// <param name="secretStore">The secret store from which to retrieve the secret used for signing.</param>
/// <param name="securitySettings">The security settings.</param>
internal ReturnToSignatureBindingElement(IAssociationStore <Uri> secretStore, RelyingPartySecuritySettings securitySettings)
{
ErrorUtilities.VerifyArgumentNotNull(secretStore, "secretStore");
this.secretManager = new PrivateSecretManager(securitySettings, secretStore);
}
