message level encryption changes for NVP and soap client

ashchand · ashchand · commit b70c0766e5dc · 2016-11-09T21:19:20.000+05:30
diff --git a/CyberSource/Client/BaseClient.cs b/CyberSource/Client/BaseClient.cs
@@ -4,6 +4,7 @@
 using System.ServiceModel;
 using System.Xml.Serialization;
 using System.ServiceModel.Channels;
+using System.ServiceModel.Security.Tokens;
 
 namespace CyberSource.Clients
 {
@@ -40,6 +41,9 @@ public abstract class BaseClient
         private const string PROXY_PASSWORD = "proxyPassword";
         private const string BASIC_AUTH = "Basic";
 
+        public const string CYBERSOURCE_PUBLIC_KEY = "CyberSource_SJC_US";
+        public const string X509_CLAIMTYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname";
+
 		static BaseClient()
 		{
 			SetupProxy();
@@ -211,6 +215,12 @@ int boolVal
                 = AppSettings.GetIntSetting(
                     merchantID, Configuration.CONNECTION_LIMIT);
 
+            // Encryption enable flag
+            boolVal
+               = AppSettings.GetBoolSetting(
+                   merchantID, Configuration.USE_SIGNED_AND_ENCRYPTED);
+            if (boolVal != -1) config.UseSignedAndEncrypted = (boolVal == 1);
+
             return (config);
         }
 
@@ -303,7 +313,7 @@ protected static void SetConnectionLimit(Configuration config)
         /// Returns a custom wcf binding that will create a SOAP request 
         /// compatible with the Simple Order API Service
         /// </summary>
-        protected static CustomBinding getWCFCustomBinding()
+        protected static CustomBinding getWCFCustomBinding(Configuration config)
         {
             //Setup custom binding with HTTPS + Body Signing 
             CustomBinding currentBinding = new CustomBinding();
@@ -315,6 +325,15 @@ protected static CustomBinding getWCFCustomBinding()
             asec.EnableUnsecuredResponse = true;
             asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
 
+            if (config.UseSignedAndEncrypted)
+            {
+                asec.LocalClientSettings.IdentityVerifier = new CustomeIdentityVerifier();
+                asec.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Once };
+                asec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
+                asec.EndpointSupportingTokenParameters.SignedEncrypted.Add(new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters());
+                asec.SetKeyDerivation(false);
+            }
+
             //Use custom encoder to strip unsigned timestamp in response
             CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();
 
diff --git a/CyberSource/Client/Configuration.cs b/CyberSource/Client/Configuration.cs
@@ -27,6 +27,7 @@ public class Configuration
         internal const string CONNECTION_LIMIT = "connectionLimit";
         internal const string SEND_TO_AKAMAI = "sendToAkamai";
         internal const string EFFECTIVE_SERVER_URL = "effectiveServerURL";
+        internal const string USE_SIGNED_AND_ENCRYPTED = "useSignAndEncrypted";
 
         /// <summary>
         /// Default log file name.
@@ -68,6 +69,7 @@ public class Configuration
         private bool demo = false;
         private bool sendToAkamai = true;
         private int connectionLimit = -1;
+        private bool useSignedAndEncrypted = false;
 
         private bool isSendToProductionSet = false;
 
@@ -406,5 +408,11 @@ private void CheckMerchantID()
                     "CONFIGURATION OR CODE BUG:  merchantID is missing!");
             }
         }
+
+        public bool UseSignedAndEncrypted
+        {
+            get { return useSignedAndEncrypted; }
+            set { useSignedAndEncrypted = value; }
+        }
     }
 }
diff --git a/CyberSource/Client/CyberSourceClients.csproj b/CyberSource/Client/CyberSourceClients.csproj
@@ -97,6 +97,7 @@
   <ItemGroup>
     <Reference Include="System" />
     <Reference Include="System.Configuration" />
+    <Reference Include="System.IdentityModel" />
     <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Security" />
     <Reference Include="System.ServiceModel" />
@@ -106,6 +107,7 @@
     <Compile Include="AppSettings.cs" />
     <Compile Include="BaseClient.cs" />
     <Compile Include="Configuration.cs" />
+    <Compile Include="CustomeIdentityVerifier.cs" />
     <Compile Include="CustomTextMessageEncoder.cs" />
     <Compile Include="CustomTextMessageEncoderFactory.cs" />
     <Compile Include="CustomTextMessageEncodingBindingElement.cs" />
diff --git a/CyberSource/Client/NVPClient.cs b/CyberSource/Client/NVPClient.cs
@@ -61,18 +61,18 @@ public static Hashtable RunTransaction(
                 SetConnectionLimit(config);
 
                 //Setup custom binding with HTTPS + Body Signing 
-                CustomBinding currentBinding = getWCFCustomBinding();
+                CustomBinding currentBinding = getWCFCustomBinding(config);
 
                 //Setup endpoint Address with dns identity
                 AddressHeaderCollection headers = new AddressHeaderCollection();
                 EndpointAddress endpointAddress = new EndpointAddress(new Uri(config.EffectiveServerURL), EndpointIdentity.CreateDnsIdentity(config.EffectivePassword), headers);
 
                 //Get instance of service
                 using (proc = new NVPTransactionProcessorClient(currentBinding, endpointAddress))
-                {
-
-                    //Set protection level to sign only
-                    proc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
+                {
+
+                    //Set protection level to sign
+                        proc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
 
                     // set the timeout
                     TimeSpan timeOut = new TimeSpan(0, 0, 0, config.Timeout, 0);
@@ -96,6 +96,21 @@ public static Hashtable RunTransaction(
                             proc.ClientCredentials.ServiceCertificate.DefaultCertificate = cert1;
                             break;
                         }
+                    }
+
+                    if (config.UseSignedAndEncrypted)
+                    {
+                        foreach (X509Certificate2 cert2 in collection)
+                        {
+                            //Console.WriteLine(cert1.Subject);
+                            if (cert2.Subject.Contains(CYBERSOURCE_PUBLIC_KEY))
+                            {
+                                //Set protection level to sign & encrypt only
+                                proc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
+                                proc.ClientCredentials.ServiceCertificate.DefaultCertificate = cert2;
+                                break;
+                            }
+                        }
                     }
 
                     if (logger != null)
diff --git a/CyberSource/Client/SoapClient.cs b/CyberSource/Client/SoapClient.cs
@@ -58,10 +58,10 @@ public static ReplyMessage RunTransaction(
                 DetermineEffectiveMerchantID(ref config, requestMessage);
                 SetVersionInformation(requestMessage);
                 logger = PrepareLog(config);
-                SetConnectionLimit(config);
-
-
-                CustomBinding currentBinding = getWCFCustomBinding();
+                SetConnectionLimit(config);
+
+
+                CustomBinding currentBinding = getWCFCustomBinding(config);
 
 
                 //Setup endpoint Address with dns identity
@@ -71,7 +71,7 @@ public static ReplyMessage RunTransaction(
                 //Get instance of service
                 using( proc = new TransactionProcessorClient(currentBinding, endpointAddress)){
                 
-                    //Set protection level to sign only
+                    //Set protection level to sign & encrypt only
                     proc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
 
                     // set the timeout
@@ -96,6 +96,21 @@ public static ReplyMessage RunTransaction(
                             proc.ClientCredentials.ServiceCertificate.DefaultCertificate = cert1;
                             break;
                         }
+                    }
+
+                    if (config.UseSignedAndEncrypted)
+                    {
+                        foreach (X509Certificate2 cert2 in collection)
+                        {
+                            //Console.WriteLine(cert1.Subject);
+                            if (cert2.Subject.Contains(CYBERSOURCE_PUBLIC_KEY))
+                            {
+                                //Set protection level to sign & encrypt only
+                                proc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
+                                proc.ClientCredentials.ServiceCertificate.DefaultCertificate = cert2;
+                                break;
+                            }
+                        }
                     }
 
                     // send request now
diff --git a/CyberSourceSamples/src/nvp/app.config b/CyberSourceSamples/src/nvp/app.config
@@ -20,6 +20,10 @@
     <add key="cybs.enableLog" value="false"/>
     <add key="cybs.logDirectory" value="Log Directory"/>
 
+	<!-- Below flag control encryption of request body. If set to true then request body
+	will be both signed and encrypted else only signing will be done -->
+	<add key="cybs.useSignAndEncrypted" value="false"/>
+	
     <!-- DO NOT INCLUDE THIS PROPERTY IN YOUR OWN APPLICATIONS! -->
     <add key="cybs.demo" value="true"/>
 
diff --git a/CyberSourceSamples/src/soap/app.config b/CyberSourceSamples/src/soap/app.config
@@ -58,6 +58,10 @@
         <!-- an issue.                                                      -->
 		<add key="cybs.enableLog" value="false"/>
 		<add key="cybs.logDirectory" value="Log directory"/>
+		
+		<!-- Below flag control encryption of request body. If set to true then request body
+			will be both signed and encrypted else only signing will be done -->
+		<add key="cybs.useSignAndEncrypted" value="false"/>
     
         <!-- DO NOT INCLUDE THIS PROPERTY IN YOUR OWN APPLICATIONS! -->
         <add key="cybs.demo" value="true"/>
diff --git a/app.config b/app.config
@@ -10,6 +10,8 @@
     <!-- an issue.                                                      -->
     <add key="cybs.enableLog" value="false"/>
     <add key="cybs.logDirectory" value="your_log_dir(baseDir\simapi-c-n.n.n\logs)"/>
+	
+	<add key="cybs.useSignAndEncrypted" value="false"/>
 
     <!-- Please refer to the Connection Limit section in the README for -->
     <!-- details on this setting and alternate ways to set the          -->

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ public class Configuration`
`27`	`27`	`internal const string CONNECTION_LIMIT = "connectionLimit";`
`28`	`28`	`internal const string SEND_TO_AKAMAI = "sendToAkamai";`
`29`	`29`	`internal const string EFFECTIVE_SERVER_URL = "effectiveServerURL";`
	`30`	`+ internal const string USE_SIGNED_AND_ENCRYPTED = "useSignAndEncrypted";`
`30`	`31`
`31`	`32`	`/// <summary>`
`32`	`33`	`/// Default log file name.`
`@@ -68,6 +69,7 @@ public class Configuration`
`68`	`69`	`private bool demo = false;`
`69`	`70`	`private bool sendToAkamai = true;`
`70`	`71`	`private int connectionLimit = -1;`
	`72`	`+ private bool useSignedAndEncrypted = false;`
`71`	`73`
`72`	`74`	`private bool isSendToProductionSet = false;`
`73`	`75`
`@@ -406,5 +408,11 @@ private void CheckMerchantID()`
`406`	`408`	`"CONFIGURATION OR CODE BUG: merchantID is missing!");`
`407`	`409`	`}`
`408`	`410`	`}`
	`411`	`+`
	`412`	`+ public bool UseSignedAndEncrypted`
	`413`	`+ {`
	`414`	`+ get { return useSignedAndEncrypted; }`
	`415`	`+ set { useSignedAndEncrypted = value; }`
	`416`	`+ }`
`409`	`417`	`}`
`410`	`418`	`}`