author | Andrew Arnott <andrewarnott@gmail.com> | 2008-12-24 21:47:00 -0800 |
---|---|---|
committer | Andrew <andrewarnott@gmail.com> | 2008-12-24 22:04:44 -0800 |
commit | d072a8351b794f6ef4422db665bbe49a7af0121f (patch) | |
tree | 931a8ed69b7190c6ef090fc8189255134b35511e /src/DotNetOpenAuth.Test/OpenId | |
parent | 5608109ed2f7bd824197b557e0adf3bee1395607 (diff) | |
Added new OpenID 1.x compatibility-supporting binding elements.
This adds:
* callback arg support
* signed return_to to verify callback args and URL are untampered with
* Custom nonces to protect RPs against replay attacks when working with 1.0 OPs.
Diffstat (limited to 'src/DotNetOpenAuth.Test/OpenId')
5 files changed, 200 insertions, 195 deletions
diff --git a/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs b/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
index b02cfee..ca1e5f1 100644
--- a/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
@@ -16,9 +16,6 @@ namespace DotNetOpenAuth.Test.OpenId {
 using DotNetOpenAuth.OpenId.Messages;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
- // TODO: make all the tests in this class test every version of the protocol.
- // Currently this fails because we don't have a "token"-like facility of
- // DotNetOpenID yet.
 [TestClass]
 public class AuthenticationTests : OpenIdTestBase {
 [TestInitialize]
@@ -28,7 +25,7 @@ namespace DotNetOpenAuth.Test.OpenId {
 [TestMethod]
 public void SharedAssociationPositive() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.Default, true, true, false);
+ this.ParameterizedPositiveAuthenticationTest(true, true, false);
 }
 /// <summary>
@@ -36,17 +33,17 @@ namespace DotNetOpenAuth.Test.OpenId {
 /// </summary>
 [TestMethod]
 public void SharedAssociationTampered() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.Default, true, true, true);
+ this.ParameterizedPositiveAuthenticationTest(true, true, true);
 }
 [TestMethod]
 public void SharedAssociationNegative() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.V11, true, false, false);
+ this.ParameterizedPositiveAuthenticationTest(true, false, false);
 }
 [TestMethod]
 public void PrivateAssociationPositive() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.Default, false, true, false);
+ this.ParameterizedPositiveAuthenticationTest(false, true, false);
 }
 /// <summary>
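Review bot: With the TODO and the `Protocol` argument removed in these hunks (and in the -54,12 hunk that follows), nothing visible says which protocol version `ParameterizedPositiveAuthenticationTest` exercises; `SharedAssociationNegative` used to ask for `Protocol.V11` explicitly. Because this commit is about OpenID 1.x compatibility (signed return_to, RP-side nonces), the positive, negative and tampered cases should each be seen to run against a 1.x provider as well as 2.0. The helper's body lies outside these hunks, so it may already loop over versions; if it does not, keep a marker such as `// TODO: run each case against every protocol version, including 1.x.` above `[TestClass]` instead of dropping the reminder.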
@@ -54,12 +51,12 @@ namespace DotNetOpenAuth.Test.OpenId {
 /// </summary>
 [TestMethod]
 public void PrivateAssociationTampered() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.Default, false, true, true);
+ this.ParameterizedPositiveAuthenticationTest(false, true, true);
 }
 [TestMethod]
 public void NoAssociationNegative() {
- this.ParameterizedPositiveAuthenticationTest(Protocol.Default, false, false, false);
+ this.ParameterizedPositiveAuthenticationTest(false, false, false);
 }
 private void ParameterizedPositiveAuthenticationTest(bool sharedAssociation, bool positive, bool tamper) {
@@ -132,10 +129,10 @@ namespace DotNetOpenAuth.Test.OpenId {
 coordinator.IncomingMessageFilter = message => {
 var assertion = message as PositiveAssertionResponse;
 if (assertion != null) {
- // Alter the Claimed Identifier between the Provider and the Relying Party.
+ // Alter the Local Identifier between the Provider and the Relying Party.
 // If the signature binding element does its job, this should cause the RP
 // to throw.
- assertion.ClaimedIdentifier = "http://victim";
+ assertion.LocalIdentifier = "http://victim";
 }
 };
 }
diff --git a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/ExtensionsBindingElementTests.cs b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/ExtensionsBindingElementTests.cs
index 6eafb13..c7e445c 100644
--- a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/ExtensionsBindingElementTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/ExtensionsBindingElementTests.cs
@@ -85,6 +85,14 @@ namespace DotNetOpenAuth.Test.OpenId.ChannelElements {
 Assert.AreEqual("extra", ext.Data);
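Review bot: The tamper filter in the -132,10 hunk of AuthenticationTests.cs now rewrites `LocalIdentifier` instead of `ClaimedIdentifier`, so the tampered-assertion tests no longer cover a modified claimed identifier at all. The claimed identifier is the value a relying party ends up treating as the user's identity, and for 1.x responses it presumably depends on the signed return_to from the commit description rather than on the provider's signature, so it deserves its own case rather than being swapped out. Consider keeping both: a second tampered test whose filter sets `assertion.ClaimedIdentifier = "http://victim";` and expects the same rejection. The enclosing helper starts and ends outside the hunk, so the check that the RP actually throws is not visible here.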
}
+ /// <summary>
+ /// Verifies that unsigned extension responses (where any or all fields are unsigned) are ignored.
+ /// </summary>
+ [TestMethod, Ignore]
+ public void UnsignedExtensionsAreIgnored() {
+ Assert.Inconclusive("Not yet implemented.");
+ }
+
private static IEnumerable<string> GetAliases(IDictionary<string, string> extraData) {
Regex regex = new Regex(@"^openid\.ns\.(\w+)");
return from key in extraData.Keys
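Review bot: `UnsignedExtensionsAreIgnored` is a placeholder, and with `[Ignore]` the runner skips it, so the `Assert.Inconclusive` never shows up in results and nothing verifies that extension fields outside the signed set are dropped. Fields that the provider did not sign are not vouched for by it, so this is a security property of the extensions binding element and the gap should stay visible. Either drop `Ignore` so the run reports the test as inconclusive (`[TestMethod]` alone) or add a comment naming the work item that will implement it. `GetAliases`, which follows the new method, continues past the end of the hunk.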
diff --git a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/OpenIdChannelTests.cs b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/OpenIdChannelTests.cs
index f47dfdf..a548969 100644
--- a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/OpenIdChannelTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/OpenIdChannelTests.cs
@@ -1,102 +1,102 @@
-//-----------------------------------------------------------------------
-// <copyright file="OpenIdChannelTests.cs" company="Andrew Arnott">
-// Copyright (c) Andrew Arnott. All rights reserved.
-// </copyright>
-//-----------------------------------------------------------------------
-
-namespace DotNetOpenAuth.Test.OpenId.ChannelElements {
- using System;
- using System.Collections.Generic;
- using System.IO;
- using System.Linq;
- using System.Net;
- using System.Text;
- using DotNetOpenAuth.Messaging;
- using DotNetOpenAuth.Messaging.Bindings;
- using DotNetOpenAuth.Messaging.Reflection;
- using DotNetOpenAuth.OpenId;
- using DotNetOpenAuth.OpenId.ChannelElements;
- using Microsoft.VisualStudio.TestTools.UnitTesting;
-
- [TestClass]
- public class OpenIdChannelTests : TestBase {
- private static readonly TimeSpan maximumMessageAge = TimeSpan.FromHours(3); // good for tests, too long for production
- private OpenIdChannel channel;
- private OpenIdChannel_Accessor accessor;
- private Mocks.TestWebRequestHandler webHandler;
-
- [TestInitialize]
- public void Setup() {
- this.webHandler = new Mocks.TestWebRequestHandler();
- this.channel = new OpenIdChannel(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(maximumMessageAge));
- this.accessor = OpenIdChannel_Accessor.AttachShadow(this.channel);
- this.channel.WebRequestHandler = this.webHandler;
- }
-
- [TestMethod]
- public void Ctor() {
- // Verify that the channel stack includes the expected types.
- // While other binding elements may be substituted for these, we'd then have
- // to test them. Since we're not testing them in the OpenID battery of tests,
- // we make sure they are the standard ones so that we trust they are tested
- // elsewhere by the testing library.
- var replayElement = (StandardReplayProtectionBindingElement)this.channel.BindingElements.SingleOrDefault(el => el is StandardReplayProtectionBindingElement);
- Assert.IsTrue(this.channel.BindingElements.Any(el => el is StandardExpirationBindingElement));
- Assert.IsNotNull(replayElement);
-
- // Verify that empty nonces are allowed, since OpenID 2.0 allows this.
- Assert.IsTrue(replayElement.AllowZeroLengthNonce);
- }
-
- /// <summary>
- /// Verifies that the channel sends direct message requests as HTTP POST requests.
- /// </summary>
- [TestMethod]
- public void DirectRequestsUsePost() {
- IDirectedProtocolMessage requestMessage = new Mocks.TestDirectedMessage(MessageTransport.Direct) {
- Recipient = new Uri("http://host"),
- Name = "Andrew",
- };
- HttpWebRequest httpRequest = this.accessor.CreateHttpRequest(requestMessage);
- Assert.AreEqual("POST", httpRequest.Method);
- StringAssert.Contains(this.webHandler.RequestEntityAsString, "Name=Andrew");
- }
-
- /// <summary>
- /// Verifies that direct response messages are encoded using Key Value Form.
- /// </summary>
- /// <remarks>
- /// The validity of the actual KVF encoding is not checked here. We assume that the KVF encoding
- /// class is verified elsewhere. We're only checking that the KVF class is being used by the
- /// <see cref="OpenIdChannel.SendDirectMessageResponse"/> method.
- /// </remarks>
- [TestMethod]
- public void DirectResponsesSentUsingKeyValueForm() {
- IProtocolMessage message = MessagingTestBase.GetStandardTestMessage(MessagingTestBase.FieldFill.AllRequired);
- MessageDictionary messageFields = new MessageDictionary(message);
- byte[] expectedBytes = KeyValueFormEncoding.GetBytes(messageFields);
- string expectedContentType = OpenIdChannel_Accessor.KeyValueFormContentType;
-
- UserAgentResponse directResponse = this.accessor.SendDirectMessageResponse(message);
- Assert.AreEqual(expectedContentType, directResponse.Headers[HttpResponseHeader.ContentType]);
- byte[] actualBytes = new byte[directResponse.ResponseStream.Length];
- directResponse.ResponseStream.Read(actualBytes, 0, actualBytes.Length);
- Assert.IsTrue(MessagingUtilities.AreEquivalent(expectedBytes, actualBytes));
- }
-
- /// <summary>
- /// Verifies that direct message responses are read in using the Key Value Form decoder.
- /// </summary>
- [TestMethod]
- public void DirectResponsesReceivedAsKeyValueForm() {
- var fields = new Dictionary<string, string> {
- { "var1", "value1" },
- { "var2", "value2" },
- };
- var response = new DirectWebResponse {
- ResponseStream = new MemoryStream(KeyValueFormEncoding.GetBytes(fields)),
- };
- Assert.IsTrue(MessagingUtilities.AreEquivalent(fields, this.accessor.ReadFromResponseInternal(response)));
- }
- }
-}
+//-----------------------------------------------------------------------
+// <copyright file="OpenIdChannelTests.cs" company="Andrew Arnott">
+// Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.Test.OpenId.ChannelElements {
+ using System;
+ using System.Collections.Generic;
+ using System.IO;
+ using System.Linq;
+ using System.Net;
+ using System.Text;
+ using DotNetOpenAuth.Messaging;
+ using DotNetOpenAuth.Messaging.Bindings;
+ using DotNetOpenAuth.Messaging.Reflection;
+ using DotNetOpenAuth.OpenId;
+ using DotNetOpenAuth.OpenId.ChannelElements;
+ using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+ [TestClass]
+ public class OpenIdChannelTests : TestBase {
+ private static readonly TimeSpan maximumMessageAge = TimeSpan.FromHours(3); // good for tests, too long for production
+ private OpenIdChannel channel;
+ private OpenIdChannel_Accessor accessor;
+ private Mocks.TestWebRequestHandler webHandler;
+
+ [TestInitialize]
+ public void Setup() {
+ this.webHandler = new Mocks.TestWebRequestHandler();
+ this.channel = new OpenIdChannel(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(maximumMessageAge), new PrivateSecretMemoryStore());
+ this.accessor = OpenIdChannel_Accessor.AttachShadow(this.channel);
+ this.channel.WebRequestHandler = this.webHandler;
+ }
+
+ [TestMethod]
+ public void Ctor() {
+ // Verify that the channel stack includes the expected types.
+ // While other binding elements may be substituted for these, we'd then have
+ // to test them. Since we're not testing them in the OpenID battery of tests,
+ // we make sure they are the standard ones so that we trust they are tested
+ // elsewhere by the testing library.
+ var replayElement = (StandardReplayProtectionBindingElement)this.channel.BindingElements.SingleOrDefault(el => el is StandardReplayProtectionBindingElement);
+ Assert.IsTrue(this.channel.BindingElements.Any(el => el is StandardExpirationBindingElement));
+ Assert.IsNotNull(replayElement);
+
+ // Verify that empty nonces are allowed, since OpenID 2.0 allows this.
+ Assert.IsTrue(replayElement.AllowZeroLengthNonce);
+ }
+
+ /// <summary>
+ /// Verifies that the channel sends direct message requests as HTTP POST requests.
+ /// </summary>
+ [TestMethod]
+ public void DirectRequestsUsePost() {
+ IDirectedProtocolMessage requestMessage = new Mocks.TestDirectedMessage(MessageTransport.Direct) {
+ Recipient = new Uri("http://host"),
+ Name = "Andrew",
+ };
+ HttpWebRequest httpRequest = this.accessor.CreateHttpRequest(requestMessage);
+ Assert.AreEqual("POST", httpRequest.Method);
+ StringAssert.Contains(this.webHandler.RequestEntityAsString, "Name=Andrew");
+ }
+
+ /// <summary>
+ /// Verifies that direct response messages are encoded using Key Value Form.
+ /// </summary>
+ /// <remarks>
+ /// The validity of the actual KVF encoding is not checked here. We assume that the KVF encoding
+ /// class is verified elsewhere. We're only checking that the KVF class is being used by the
+ /// <see cref="OpenIdChannel.SendDirectMessageResponse"/> method.
+ /// </remarks>
+ [TestMethod]
+ public void DirectResponsesSentUsingKeyValueForm() {
+ IProtocolMessage message = MessagingTestBase.GetStandardTestMessage(MessagingTestBase.FieldFill.AllRequired);
+ MessageDictionary messageFields = new MessageDictionary(message);
+ byte[] expectedBytes = KeyValueFormEncoding.GetBytes(messageFields);
+ string expectedContentType = OpenIdChannel_Accessor.KeyValueFormContentType;
+
+ UserAgentResponse directResponse = this.accessor.SendDirectMessageResponse(message);
+ Assert.AreEqual(expectedContentType, directResponse.Headers[HttpResponseHeader.ContentType]);
+ byte[] actualBytes = new byte[directResponse.ResponseStream.Length];
+ directResponse.ResponseStream.Read(actualBytes, 0, actualBytes.Length);
+ Assert.IsTrue(MessagingUtilities.AreEquivalent(expectedBytes, actualBytes));
+ }
+
+ /// <summary>
+ /// Verifies that direct message responses are read in using the Key Value Form decoder.
+ /// </summary>
+ [TestMethod]
+ public void DirectResponsesReceivedAsKeyValueForm() {
+ var fields = new Dictionary<string, string> {
+ { "var1", "value1" },
+ { "var2", "value2" },
+ };
+ var response = new DirectWebResponse {
+ ResponseStream = new MemoryStream(KeyValueFormEncoding.GetBytes(fields)),
+ };
+ Assert.IsTrue(MessagingUtilities.AreEquivalent(fields, this.accessor.ReadFromResponseInternal(response)));
+ }
+ }
+}
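Review bot: `Ctor` still asserts only the standard replay-protection and expiration elements, while `Setup` now hands the channel a `PrivateSecretMemoryStore`; if that store backs the return_to signing and 1.x nonce elements named in the commit description, a regression that left them out of the channel stack would pass this test. Add one `Assert.IsTrue(this.channel.BindingElements.Any(el => el is ...));` per new element type (their class names are not visible in this diff). Separately, the hunk replaces all 102 lines although the only difference I can see is the `OpenIdChannel` constructor call, which looks like a line-ending change; committing that normalization on its own would keep the real change reviewable.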
diff --git a/src/DotNetOpenAuth.Test/OpenId/OpenIdCoordinator.cs b/src/DotNetOpenAuth.Test/OpenId/OpenIdCoordinator.cs
index 4e74525..3b925a8 100644
--- a/src/DotNetOpenAuth.Test/OpenId/OpenIdCoordinator.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/OpenIdCoordinator.cs
@@ -1,47 +1,47 @@
-//-----------------------------------------------------------------------
-// <copyright file="OpenIdCoordinator.cs" company="Andrew Arnott">
-// Copyright (c) Andrew Arnott. All rights reserved.
-// </copyright>
-//-----------------------------------------------------------------------
-
-namespace DotNetOpenAuth.Test.OpenId {
- using System;
- using DotNetOpenAuth.Messaging.Bindings;
- using DotNetOpenAuth.OpenId;
- using DotNetOpenAuth.OpenId.Provider;
- using DotNetOpenAuth.OpenId.RelyingParty;
- using DotNetOpenAuth.Test.Mocks;
-
- internal class OpenIdCoordinator : CoordinatorBase<OpenIdRelyingParty, OpenIdProvider> {
- internal OpenIdCoordinator(Action<OpenIdRelyingParty> rpAction, Action<OpenIdProvider> opAction)
- : base(rpAction, opAction) {
- }
-
- internal OpenIdProvider Provider { get; set; }
-
- internal OpenIdRelyingParty RelyingParty { get; set; }
-
- internal override void Run() {
- this.EnsurePartiesAreInitialized();
- var rpCoordinatingChannel = new CoordinatingChannel(this.RelyingParty.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
- var opCoordinatingChannel = new CoordinatingChannel(this.Provider.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
- rpCoordinatingChannel.RemoteChannel = opCoordinatingChannel;
- opCoordinatingChannel.RemoteChannel = rpCoordinatingChannel;
-
- this.RelyingParty.Channel = rpCoordinatingChannel;
- this.Provider.Channel = opCoordinatingChannel;
-
- RunCore(this.RelyingParty, this.Provider);
- }
-
- private void EnsurePartiesAreInitialized() {
- if (this.RelyingParty == null) {
- this.RelyingParty = new OpenIdRelyingParty(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(TimeSpan.FromHours(3)));
- }
-
- if (this.Provider == null) {
- this.Provider = new OpenIdProvider(new AssociationMemoryStore<AssociationRelyingPartyType>(), new NonceMemoryStore(TimeSpan.FromHours(3)));
- }
- }
- }
-}
+//-----------------------------------------------------------------------
+// <copyright file="OpenIdCoordinator.cs" company="Andrew Arnott">
+// Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.Test.OpenId {
+ using System;
+ using DotNetOpenAuth.Messaging.Bindings;
+ using DotNetOpenAuth.OpenId;
+ using DotNetOpenAuth.OpenId.Provider;
+ using DotNetOpenAuth.OpenId.RelyingParty;
+ using DotNetOpenAuth.Test.Mocks;
+
+ internal class OpenIdCoordinator : CoordinatorBase<OpenIdRelyingParty, OpenIdProvider> {
+ internal OpenIdCoordinator(Action<OpenIdRelyingParty> rpAction, Action<OpenIdProvider> opAction)
+ : base(rpAction, opAction) {
+ }
+
+ internal OpenIdProvider Provider { get; set; }
+
+ internal OpenIdRelyingParty RelyingParty { get; set; }
+
+ internal override void Run() {
+ this.EnsurePartiesAreInitialized();
+ var rpCoordinatingChannel = new CoordinatingChannel(this.RelyingParty.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
+ var opCoordinatingChannel = new CoordinatingChannel(this.Provider.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
+ rpCoordinatingChannel.RemoteChannel = opCoordinatingChannel;
+ opCoordinatingChannel.RemoteChannel = rpCoordinatingChannel;
+
+ this.RelyingParty.Channel = rpCoordinatingChannel;
+ this.Provider.Channel = opCoordinatingChannel;
+
+ RunCore(this.RelyingParty, this.Provider);
+ }
+
+ private void EnsurePartiesAreInitialized() {
+ if (this.RelyingParty == null) {
+ this.RelyingParty = new OpenIdRelyingParty(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(TimeSpan.FromHours(3)), new PrivateSecretMemoryStore());
+ }
+
+ if (this.Provider == null) {
+ this.Provider = new OpenIdProvider(new AssociationMemoryStore<AssociationRelyingPartyType>(), new NonceMemoryStore(TimeSpan.FromHours(3)));
+ }
+ }
+ }
+}
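Review bot: `EnsurePartiesAreInitialized` repeats `TimeSpan.FromHours(3)` for both nonce stores with no indication that the window is test-only, while OpenIdChannelTests.cs in this same commit labels the identical value "good for tests, too long for production". A shared field such as `private static readonly TimeSpan MaximumMessageAge = TimeSpan.FromHours(3); // test-only; too long for production` would carry that caveat with the value and make it less likely to be copied into real relying-party configuration, where a long nonce lifetime widens the replay window the store has to cover.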
diff --git a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/OpenIdRelyingPartyTests.cs b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/OpenIdRelyingPartyTests.cs
index c68ba0c..d53810a 100644
--- a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/OpenIdRelyingPartyTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/OpenIdRelyingPartyTests.cs
@@ -1,35 +1,35 @@
-//-----------------------------------------------------------------------
-// <copyright file="OpenIdRelyingPartyTests.cs" company="Andrew Arnott">
-// Copyright (c) Andrew Arnott. All rights reserved.
-// </copyright>
-//-----------------------------------------------------------------------
-
-namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
- using System;
- using System.Collections.Generic;
- using System.Linq;
- using System.Text;
- using DotNetOpenAuth.Messaging.Bindings;
- using DotNetOpenAuth.OpenId;
- using DotNetOpenAuth.OpenId.RelyingParty;
- using Microsoft.VisualStudio.TestTools.UnitTesting;
-
- [TestClass]
- public class OpenIdRelyingPartyTests : OpenIdTestBase {
- [TestInitialize]
- public override void SetUp() {
- base.SetUp();
- }
-
- [TestMethod, Ignore] // ignored, pending work to make dumb mode a supported scenario.
- public void CtorNullAssociationStore() {
- new OpenIdRelyingParty(null, null);
- }
-
- [TestMethod, ExpectedException(typeof(ArgumentNullException))]
- public void SecuritySettingsSetNull() {
- var rp = new OpenIdRelyingParty(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(TimeSpan.FromMinutes(5)));
- rp.SecuritySettings = null;
- }
- }
-}
+//-----------------------------------------------------------------------
+// <copyright file="OpenIdRelyingPartyTests.cs" company="Andrew Arnott">
+// Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Text;
+ using DotNetOpenAuth.Messaging.Bindings;
+ using DotNetOpenAuth.OpenId;
+ using DotNetOpenAuth.OpenId.RelyingParty;
+ using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+ [TestClass]
+ public class OpenIdRelyingPartyTests : OpenIdTestBase {
+ [TestInitialize]
+ public override void SetUp() {
+ base.SetUp();
+ }
+
+ [TestMethod, Ignore] // ignored, pending work to make dumb mode a supported scenario.
+ public void CtorNullAssociationStore() {
+ new OpenIdRelyingParty(null, null, null);
+ }
+
+ [TestMethod, ExpectedException(typeof(ArgumentNullException))]
+ public void SecuritySettingsSetNull() {
+ var rp = new OpenIdRelyingParty(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(TimeSpan.FromMinutes(5)), new PrivateSecretMemoryStore());
+ rp.SecuritySettings = null;
+ }
+ }
+}
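Review bot: Nothing here pins what the `OpenIdRelyingParty` constructor does when its new third argument is null: `CtorNullAssociationStore` passes three nulls but is ignored and carries no expectation, and `SecuritySettingsSetNull` always supplies a store. If the secret store is what keys the return_to signature, a null store should either be rejected or clearly switch that protection off, and a test should say which. A `CtorNullSecretStore` test calling `new OpenIdRelyingParty(new AssociationMemoryStore<Uri>(), new NonceMemoryStore(TimeSpan.FromMinutes(5)), null);` with the matching `ExpectedException` or an explicit assertion would cover it; the intended behaviour is not visible in this diff.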