/// <summary>
/// Intercepts the request, storing the unfinished signatures.
/// </summary>
/// <param name="message"></param>
public override void InterceptRequest(InterceptorMessage message)
{
try {
Headers headers = new Headers(message);
SequenceHeader sequenceHeader = headers.SequenceHeader;
string messageId = string.Empty;
if (message.IsFault)
{
// ? nothing to do??
}
else if (sequenceHeader == null)
{
// ? nothing to do??
}
else if (sequenceHeader.IsLastMessage)
{
// ? nothing to do??
}
else
{
messageId = headers.MessageId.ToString();
UnfinishedSignatureValidationProof unfinishedSignature = new UnfinishedSignatureValidationProof(headers);
//System.Diagnostics.Debug.WriteLine("\n\n\nAdding unfinished signature - id:" + messageId + ";unfinished signature validation proof: " + unfinishedSignature.SignatureValidationProof + "\n\n\n");
this.unfinishedSignaturesValidationProofStore.Add(messageId, sequenceHeader, unfinishedSignature);
}
}
catch (Exception ex)
{
throw ex;
}
}
private void InterceptedAcknowledgementResponse(InterceptorMessage message, Headers headers)
{
lock (signatureLock)
{
SequenceAcknowledgementHeader sequenceAcknowledgementHeader = headers.SequenceAcknowledgement;
string identityName = message.Properties.Security.ServiceSecurityContext.PrimaryIdentity.Name;
int index = identityName.LastIndexOf(';');
string certificateSubject = identityName.Substring(0, index);
// Try to get the messages that have been acked in the RM session. If none exists return.
List <UnfinishedSignatureValidationProof> ackedMessages = null;
//System.Diagnostics.Debug.WriteLine("InterceptedAcknowledgementResponse sequenceID" + sequenceAcknowledgementHeader.SequenceId);
if (this.unfinishedSignaturesValidationProofStore.TryGetValueFromSequenceAcknowledgementHeader(sequenceAcknowledgementHeader, out ackedMessages))
{
// message
foreach (UnfinishedSignatureValidationProof ackedMessage in ackedMessages)
{
SignatureValidationProof signatureValidationProof = ackedMessage.SignatureValidationProof;
if (!signatureValidationProof.Completed)
{
signatureValidationProof.CompleteValidation(certificateSubject);
}
}
}
}
}
/// <summary>
/// Intercepts the response, finishing the signatures and adds it to the
/// message.
/// </summary>
/// <param name="message"></param>
public override void InterceptResponse(InterceptorMessage message)
{
try
{
//System.Diagnostics.Debug.Write("Intercepting the response - ");
Headers headers = new Headers(message);
SequenceAcknowledgementHeader sequenceAcknowledgement = headers.SequenceAcknowledgement;
if (message.IsFault)
{
}
else if (headers.SequenceHeader == null)
{
}
else if (headers.RelatesTo != null)
{
this.InterceptedMessageResponse(message, headers);
}
if (sequenceAcknowledgement != null)
{
this.InterceptedAcknowledgementResponse(message, headers);
}
}
catch (Exception ex)
{
throw ex;
}
}
private static Dictionary <string, string> GetKeywords(InterceptorMessage interceptorMessage)
{
Dictionary <string, string> keywords = new Dictionary <string, string>();
System.ServiceModel.Channels.Message wcfMessage = interceptorMessage.GetMessage();
keywords.Add("messageaction", wcfMessage.Headers.Action);
return(keywords);
}
public override void InterceptResponse(InterceptorMessage interceptorMessage)
{
try {
Console.WriteLine("{0} : Received: {1} from '{2}'", DateTime.Now, interceptorMessage.GetHeaders().Action, interceptorMessage.GetHeaders().From);
}
catch (Exception e) {
Console.WriteLine("Console.WriteLine Interceptor failed: " + e);
}
}
/// <summary>
/// Constructor that takes the interceptor message as parameter.
/// </summary>
/// <param name="message"></param>
public Headers(InterceptorMessage message)
{
MessageHeaders headers = message.GetHeaders();
_messageId = headers.MessageId;
_relatesTo = headers.RelatesTo;
_isCreateSequence = headers.Action.Contains("CreateSequence");
_isCreateSequenceResponse = headers.Action.Contains("CreateSequenceResponse");
SetHeaders(headers);
}
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
// Get the message, uncopied
Message msg = interceptorMessage.GetMessage();
// Extract headers and switch sender for receiver
_senderPartyIdentifier = ExtractHeaderValue(msg, _receiverPartyIdentifierHeaderName.Name, _receiverPartyIdentifierHeaderName.Namespace, DefaultReceiverPartyIdentifier);
_senderPartyIdentifierType = ExtractHeaderValue(msg, _receiverPartyIdentifierTypeHeaderName.Name, _receiverPartyIdentifierTypeHeaderName.Namespace, "other");
_receiverPartyIdentifier = ExtractHeaderValue(msg, _senderPartyIdentifierHeaderName.Name, _senderPartyIdentifierHeaderName.Namespace, DefaultSenderPartyIdentifier);
_receiverPartyIdentifierType = ExtractHeaderValue(msg, _senderPartyIdentifierTypeHeaderName.Name, _senderPartyIdentifierTypeHeaderName.Namespace, "other");
}
/// <summary>
/// Incepts the request and punes the input.
/// </summary>
/// <param name="message"></param>
public override void InterceptRequest(InterceptorMessage message)
{
try {
XmlDocument body = message.GetBody();
CompiledXslt styleSheet = LoadStyleSheet(body);
XmlDocument transformedBody = _xsltUtility.TransformXml(body, styleSheet);
message.SetBody(transformedBody);
if (_configuration.PropagateOriginalMessage)
{
OriginalBody orgBody = new OriginalBody(body);
message.AddProperty(ServerXsltTransformationBindingExtensionElement.ORIGINALBODYPROPERTYNAME, orgBody);
}
} catch (Exception ex) {
throw new XsltTransformFailedException(ex);
}
}
/// <summary>
/// Overrides the abstract method and implements the basic intercept on a
/// request.
/// </summary>
/// <param name="interceptorMessage"></param>
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
try {
X509Certificate2 certificate = interceptorMessage.Certificate;
XmlDocument xmlDocument = interceptorMessage.GetBody();
DocumentTypeConfigSearcher searcher = new DocumentTypeConfigSearcher();
DocumentTypeConfig documentType = searcher.FindUniqueDocumentType(xmlDocument);
bool authorised = _authoriser.Authorise(certificate, xmlDocument, documentType);
if (!authorised)
{
throw new NotAuthorisedException(certificate, xmlDocument, documentType);
}
} catch (NotAuthorisedException) {
throw;
} catch (Exception ex) {
throw new AuthorisationProcessFailedException(ex);
}
}
private void InterceptedMessageResponse(InterceptorMessage message, Headers headers)
{
lock (signatureLock)
{
SequenceHeader sequenceHeader = headers.SequenceHeader;
string relatesTo = headers.RelatesTo.ToString();
// Try to get the unfinished signature validation proof. If none exists return.
UnfinishedSignatureValidationProof unfinishedSignatureValidationProof = null;
if (this.unfinishedSignaturesValidationProofStore.TryGetValueFromMessageId(relatesTo, out unfinishedSignatureValidationProof))
{
// validation proof retrived
//System.Diagnostics.Debug.WriteLine("InterceptedMessageResponse relatesTo " + relatesTo);
SignatureValidationProof signatureValidationProof = unfinishedSignatureValidationProof.SignatureValidationProof;
string signatureValidationProofKey = ClientSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey;
message.AddProperty(signatureValidationProofKey, signatureValidationProof);
}
}
}
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
// Get the message, uncopied
Message msg = interceptorMessage.GetMessage();
// If a property is set use that to find the header values
if (msg.Properties.ContainsKey(PartyIdentifierHeaderSettings.MessagePropertyKey))
{
PartyIdentifierHeaderSettings settings = (PartyIdentifierHeaderSettings)msg.Properties[PartyIdentifierHeaderSettings.MessagePropertyKey];
if (!string.IsNullOrEmpty(settings.SenderPartyHeaderValue))
{
_senderPartyIdentifier = settings.SenderPartyHeaderValue;
}
if (!string.IsNullOrEmpty(settings.ReceiverPartyHeaderValue))
{
_receiverPartyIdentifier = settings.ReceiverPartyHeaderValue;
}
_senderPartyIdentifierType = settings.SenderPartyKeyType;
_receiverPartyIdentifierType = settings.ReceiverPartyKeyType;
}
// Add the headers
msg.Headers.Add(MessageHeader.CreateHeader(
_senderPartyIdentifierHeaderName.Name,
_senderPartyIdentifierHeaderName.Namespace,
_senderPartyIdentifier));
msg.Headers.Add(MessageHeader.CreateHeader(
_senderPartyIdentifierTypeHeaderName.Name,
_senderPartyIdentifierTypeHeaderName.Namespace,
_senderPartyIdentifierType));
msg.Headers.Add(MessageHeader.CreateHeader(
_receiverPartyIdentifierHeaderName.Name,
_receiverPartyIdentifierHeaderName.Namespace,
_receiverPartyIdentifier));
msg.Headers.Add(MessageHeader.CreateHeader(
_receiverPartyIdentifierTypeHeaderName.Name,
_receiverPartyIdentifierTypeHeaderName.Namespace,
_receiverPartyIdentifierType));
}
/// <summary>
/// Gets request
/// </summary>
/// <param name="message">message</param>
public override void InterceptRequest(InterceptorMessage message)
{
string document = message.GetBodyAsString();
this.schemaValidator.Validate(document);
}
/// <summary>
/// Certificate validator
/// </summary>
/// <param name="interceptorMessage">InterceptorMessage to validate</param>
public void Validate(InterceptorMessage interceptorMessage)
{
this.logger.Trace("Certificate validation.");
// Get the certificate from the message
X509Certificate2 certificate = null;
try
{
certificate = interceptorMessage.Certificate;
if (certificate == null)
{
throw new FailedToGetCertificateSubjectException(interceptorMessage);
}
//Check if the certificate is valid (Activated, and not expired, and from trusted root)
this.validator.Validate(certificate);
this.logger.Debug(string.Format("Certificate '{0}' has parsed the trusted validate.", certificate.SubjectName.Name));
}
catch (CertificateExpiredException ex)
{
if (certificate != null)
{
this.logger.Warn(string.Format("Certificate '{0}' is expired.", certificate.SubjectName.Name));
}
else
{
this.logger.Warn("Unknown certificate is expired.");
}
throw new InterceptorChannelWrapperException(OiosiFaultCode.Sender, OiosiInnerFaultCode.SignatureNotValidFault, ex);
}
catch (CertificateNotActiveException ex)
{
if (certificate != null)
{
this.logger.Warn(string.Format("Certificate '{0}' is not activated.", certificate.SubjectName.Name));
}
else
{
this.logger.Warn("Unknown certificate is not activated.");
}
throw new InterceptorChannelWrapperException(OiosiFaultCode.Sender, OiosiInnerFaultCode.SignatureNotValidFault, ex);
}
catch (CertificateRootNotTrustedException ex)
{
if (certificate != null)
{
this.logger.Warn(string.Format("The root certificate for certificate '{0}' is not trusted.", certificate.SubjectName.Name));
}
else
{
this.logger.Warn("The root certificate for a unknown certificate is not trusted.");
}
throw new InterceptorChannelWrapperException(OiosiFaultCode.Sender, OiosiInnerFaultCode.SignatureNotValidFault, ex);
}
catch (FailedToGetCertificateSubjectException)
{
if (certificate != null)
{
this.logger.Warn(string.Format("Subject for certificate '{0}' was not found.", certificate.SubjectName.Name));
}
else
{
this.logger.Warn("Subject for unknown certificate was not found.");
}
throw;
}
catch (Exception ex)
{
if (certificate != null)
{
this.logger.Warn(string.Format("The certificate '{0}' was rejected.", certificate.SubjectName.Name));
}
else
{
this.logger.Warn("Unknown certificate was rejected.");
}
this.logger.Debug("Security validate the foces certificate", ex);
throw new InterceptorChannelWrapperException(OiosiFaultCode.Receiver, OiosiInnerFaultCode.InternalSystemFailureFault, "The client certificate is invalid.");
}
this.logger.Trace("Security validate the foces certificate - Finish.");
}
/// <summary> /// Validating interceptors must implement this interface. interceptorMessage is the /// wrapped intercepted message from the response. Not in use in the asynchronous profile /// </summary> /// <param name="interceptorMessage">Wrapped intercepted message</param> public abstract void InterceptResponse(InterceptorMessage interceptorMessage);
/// <summary> /// Validating interceptors must implement this interface. interceptorMessage is the /// wrapped intercepted message from the request. /// </summary> /// <param name="interceptorMessage">Wrapped intercepted message</param> public abstract void InterceptRequest(InterceptorMessage interceptorMessage);
/// <summary>
/// Response schema validation is not a part of the first release.
/// </summary>
/// <param name="message"></param>
/// <returns></returns>
public override void InterceptResponse(InterceptorMessage message)
{
}
/// <summary>
/// Gets request
/// </summary>
/// <param name="message">message</param>
public override void InterceptRequest(InterceptorMessage message)
{
this.certificateValidator.Validate(message);
}
/* /// <summary>
* /// Overrides the method to validate the binding element order.
* /// </summary>
* /// <typeparam name="TChannel"></typeparam>
* /// <param name="context"></param>
* /// <returns></returns>
* public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
* {
* BindingElementCollection bindingElements = context.Binding.Elements;
* this.stackCheck.Check(bindingElements);
* return base.BuildChannelListener<TChannel>(context);
* }*/
/// <summary>
/// Intercept requests and creates the proof of validation interception before
/// attaching it to the message.
/// </summary>
/// <param name="interceptorMessage"></param>
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
this.logger.Trace("Security validate the foces certificate.");
try
{
Headers headers = new Headers(interceptorMessage);
if (interceptorMessage.IsFault)
{
// do nothing
}
else if (headers.IsCreateSequence)
{
// do nothing
}
else if (headers.SequenceHeader == null)
{
// do nothing
}
else if (headers.SequenceHeader.IsLastMessage)
{
// do nothing
}
else
{
// Get the certificate from the message
X509Certificate2 certificate;
try
{
certificate = interceptorMessage.Certificate;
}
catch
{
throw new FailedToGetCertificateSubjectException(interceptorMessage);
}
// now we must revocate check the certificate
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
RevocationResponse response = ocesCertificate.CheckRevocationStatus(revocationLookup);
if (response.Exception != null)
{
string msg;
try
{
msg = response.Exception.Message;
}
catch (Exception ex)
{
this.logger.Debug("Error finding the correct error message.", ex);
msg = "unknown";
}
this.logger.Warn(string.Format("The certificate '{0}' revocation check failed. Reason is: ", ocesCertificate.Certificate.SubjectName.Name, msg));
// some error checking the certificate
// make sure the error is of the correct type, and throw it
// note - if the original exception was not a communikation exception, it is wraped in a communikation exception
if (response.Exception is CertificateRevokedTimeoutException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CertificateRevokedException)
{
throw response.Exception;
}
else if (response.Exception is CertificateRevokedValidationFailedException)
{
throw response.Exception;
}
else if (response.Exception is CheckCertificateOcspUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CheckCertificateRevokedUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
}
else
{
// no exception - all good so far
switch (response.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all good
this.logger.Debug(string.Format("Certificate '{0}' has parsed the revocation validate.", certificate.SubjectName.Name));
SignatureValidationProof signatureValidationProof = new SignatureValidationProof(certificate.Subject);
interceptorMessage.AddProperty(ServerSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey, signatureValidationProof);
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
this.logger.Warn(string.Format("The certificate '{0}' is revoked.", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedException();
//break;
}
default:
{
this.logger.Warn(string.Format("The certificate '{0}' failed in revocation check - reason unknown", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedValidationFailedException("The certificate failed in revocation check - reason unknown.");
//break;
}
}
}
}
}
catch (FailedToGetCertificateSubjectException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CertificateRevokedTimeoutException e)
* {
* // exception is of the correct type - rethrowing it
* throw new CertificateRevokedValidationFailedException(e);
* }*/
catch (CertificateRevokedException)
{
// exception is of the correct type - rethrowing it
throw;
}
catch (CertificateRevokedValidationFailedException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CheckCertificateOcspUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
/* catch (CheckCertificateRevokedUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
catch (Exception ex)
{
this.logger.Debug("Security validate the foces certificate", ex);
throw new CertificateRevokedValidationFailedException(ex);
}
this.logger.Trace("Security validate the foces certificate - Finish.");
}
/// <summary>
/// Constructor that takes the interceptor message that did not contain a certificate
/// subject.
/// </summary>
/// <param name="interceptorMessage"></param>
public FailedToGetCertificateSubjectException(InterceptorMessage interceptorMessage)
: base(OiosiFaultCode.Sender, OiosiInnerFaultCode.SignatureNotValidFault, GetKeywords(interceptorMessage))
{
}
