internal static bool IsMutualCertificateBinding(System.ServiceModel.Channels.SecurityBindingElement sbe, bool p)
{
Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement);
object[] objArray = new object[] { sbe, p };
return((bool)InvokeHelper.InvokeStaticMethod(type, "IsMutualCertificateBinding", objArray));
}
internal static bool IsSslNegotiationBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p, bool p_3)
{
Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement);
object[] objArray = new object[] { bootstrapSecurity, p, p_3 };
return((bool)InvokeHelper.InvokeStaticMethod(type, "IsSslNegotiationBinding", objArray));
}
internal static bool AreBindingsMatching(System.ServiceModel.Channels.SecurityBindingElement securityBindingElement, System.ServiceModel.Channels.SecurityBindingElement sbe)
{
Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement);
object[] objArray = new object[] { securityBindingElement, sbe };
return((bool)InvokeHelper.InvokeStaticMethod(type, "AreBindingsMatching", objArray));
}
internal static bool IsUserNameForSslBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p)
{
Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement);
object[] objArray = new object[] { bootstrapSecurity, p };
return((bool)InvokeHelper.InvokeStaticMethod(type, "IsUserNameForSslBinding", objArray));
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory");
}
this.actAsInitiator = factory.actAsInitiator;
this.addTimestamp = factory.addTimestamp;
this.detectReplays = factory.detectReplays;
this.incomingAlgorithmSuite = factory.incomingAlgorithmSuite;
this.maxCachedNonces = factory.maxCachedNonces;
this.maxClockSkew = factory.maxClockSkew;
this.outgoingAlgorithmSuite = factory.outgoingAlgorithmSuite;
this.replayWindow = factory.replayWindow;
this.channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory.channelSupportingTokenAuthenticatorSpecification));
this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory.scopedSupportingTokenAuthenticatorSpecification);
this.standardsManager = factory.standardsManager;
this.timestampValidityDuration = factory.timestampValidityDuration;
this.auditLogLocation = factory.auditLogLocation;
this.suppressAuditFailure = factory.suppressAuditFailure;
this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel;
this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel;
if (factory.securityBindingElement != null)
{
this.securityBindingElement = (System.ServiceModel.Channels.SecurityBindingElement)factory.securityBindingElement.Clone();
}
this.securityTokenManager = factory.securityTokenManager;
this.privacyNoticeUri = factory.privacyNoticeUri;
this.privacyNoticeVersion = factory.privacyNoticeVersion;
this.endpointFilterTable = factory.endpointFilterTable;
this.extendedProtectionPolicy = factory.extendedProtectionPolicy;
}
internal static bool IsCertificateOverTransportBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity)
{
Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement);
object[] objArray = new object[] { bootstrapSecurity };
return((bool)InvokeHelper.InvokeStaticMethod(type, "IsCertificateOverTransportBinding", objArray));
}
internal static bool IsSecureConversationBinding(System.ServiceModel.Channels.SecurityBindingElement sbe, bool requireCancellation, out System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity)
{
object[] objArray = new object[] { sbe, requireCancellation, null };
bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Channels.SecurityBindingElement), "IsSecureConversationBinding", objArray);
bootstrapSecurity = objArray[2] as System.ServiceModel.Channels.SecurityBindingElement;
return(flag);
}
internal static bool IsIssuedTokenForSslBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p, out System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters infocardParameters)
{
object[] objArray = new object[] { bootstrapSecurity, p, null };
bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Channels.SecurityBindingElement), "IsIssuedTokenForSslBinding", objArray);
infocardParameters = objArray[2] as System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters;
return(flag);
}
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned)
: base(elementToBeCloned)
{
if (elementToBeCloned == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned");
}
_includeTimestamp = elementToBeCloned._includeTimestamp;
_messageSecurityVersion = elementToBeCloned._messageSecurityVersion;
_securityHeaderLayout = elementToBeCloned._securityHeaderLayout;
_endpointSupportingTokenParameters = elementToBeCloned._endpointSupportingTokenParameters.Clone();
_localClientSettings = elementToBeCloned._localClientSettings.Clone();
_maxReceivedMessageSize = elementToBeCloned._maxReceivedMessageSize;
_readerQuotas = elementToBeCloned._readerQuotas;
}
void IPolicyImportExtension.ImportPolicy(MetadataImporter importer, PolicyConversionContext policyContext)
{
if (importer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("importer");
}
if (policyContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
}
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
{
if ((importer.State != null) && (!importer.State.ContainsKey(MaxPolicyRedirectionsKey)))
{
importer.State.Add(MaxPolicyRedirectionsKey, this.MaxPolicyRedirections);
}
SecurityBindingElement sbe = null;
bool success = this.TryImportSymmetricSecurityBindingElement(importer, policyContext, out sbe);
if (!success)
{
success = this.TryImportAsymmetricSecurityBindingElement(importer, policyContext, out sbe);
}
if (!success)
{
success = this.TryImportTransportSecurityBindingElement(importer, policyContext, out sbe, false);
}
else
{
// We already have found and imported the message security binding element above. Hence this could be the dual mode security.
// Now let us see if there is HttpsTransportBinding assertion also below it .This is to avoid the
// warning messages while importing wsdl representing the message security over Https transport security scenario. See Bug:136416.
SecurityBindingElement tbe = null;
this.TryImportTransportSecurityBindingElement(importer, policyContext, out tbe, true);
}
}
}
// this method reverses CreateMutualCertificateBindingElement() logic
internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe)
{
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (!(sbe is TransportSecurityBindingElement))
{
return(false);
}
SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters;
if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0)
{
return(false);
}
throw ExceptionHelper.PlatformNotSupported("SecurityBindingElement.IsCertificateOverTransportBinding is not supported.");
}
void IPolicyImportExtension.ImportPolicy(MetadataImporter importer, PolicyConversionContext policyContext)
{
WSSecurityPolicy policy;
if (importer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("importer");
}
if (policyContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
}
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out policy))
{
if ((importer.State != null) && !importer.State.ContainsKey("MaxPolicyRedirections"))
{
importer.State.Add("MaxPolicyRedirections", this.MaxPolicyRedirections);
}
SecurityBindingElement sbe = null;
bool flag = this.TryImportSymmetricSecurityBindingElement(importer, policyContext, out sbe);
if (!flag)
{
flag = this.TryImportTransportSecurityBindingElement(importer, policyContext, out sbe);
}
if (!flag)
{
this.TryImportAsymmetricSecurityBindingElement(importer, policyContext, out sbe);
}
if (sbe != null)
{
SecurityElement element2 = new SecurityElement();
element2.InitializeFrom(sbe, false);
if (element2.HasImportFailed)
{
importer.Errors.Add(new MetadataConversionError(System.ServiceModel.SR.GetString("SecurityBindingElementCannotBeExpressedInConfig"), true));
}
}
}
}
internal SecurityBindingElement(SecurityBindingElement other)
{
alg_suite = other.alg_suite;
include_timestamp = other.include_timestamp;
key_entropy_mode = other.key_entropy_mode;
security_header_layout = other.security_header_layout;
msg_security_version = other.msg_security_version;
endpoint = other.endpoint.Clone();
opt_endpoint = other.opt_endpoint.Clone();
operation = new Dictionary <string, SupportingTokenParameters> ();
foreach (KeyValuePair <string, SupportingTokenParameters> p in other.operation)
{
operation.Add(p.Key, p.Value.Clone());
}
opt_operation = new Dictionary <string, SupportingTokenParameters> ();
foreach (KeyValuePair <string, SupportingTokenParameters> p in other.opt_operation)
{
opt_operation.Add(p.Key, p.Value.Clone());
}
client_settings = other.client_settings.Clone();
service_settings = other.service_settings.Clone();
}
/*
* /// <summary>Sets a value that indicates whether derived keys are required.</summary>
* /// <param name="requireDerivedKeys">true to indicate that derived keys are required; otherwise, false.</param>
* public override void SetKeyDerivation(bool requireDerivedKeys)
* {
* base.SetKeyDerivation(requireDerivedKeys);
* if (this.protectionTokenParameters == null)
* return;
* this.protectionTokenParameters.RequireDerivedKeys = requireDerivedKeys;
* }
*
* internal override bool IsSetKeyDerivation(bool requireDerivedKeys)
* {
* return base.IsSetKeyDerivation(requireDerivedKeys) && (this.protectionTokenParameters == null || this.protectionTokenParameters.RequireDerivedKeys == requireDerivedKeys);
* }*/
// Nothing to override
internal override SecurityProtocolFactory CreateSecurityProtocolFactory <TChannel>(BindingContext context, SecurityCredentialsManager credentialsManager, bool isForService, BindingContext issuerBindingContext)
{
if (context == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("context");
}
if (credentialsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("credentialsManager");
}
if (this.ProtectionTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new InvalidOperationException(SR.GetString("SymmetricSecurityBindingElementNeedsProtectionTokenParameters", new object[1] {
(object)this.ToString()
})));
}
#if FEATURE_CORECLR
throw new NotImplementedException("SymmetricSecurityProtocolFactory not supported in .NET Core");
#else
SymmetricSecurityProtocolFactory securityProtocolFactory = new SymmetricSecurityProtocolFactory();
if (isForService)
{
this.ApplyAuditBehaviorSettings(context, (SecurityProtocolFactory)securityProtocolFactory);
}
securityProtocolFactory.SecurityTokenParameters = this.ProtectionTokenParameters.Clone();
SecurityBindingElement.SetIssuerBindingContextIfRequired(securityProtocolFactory.SecurityTokenParameters, issuerBindingContext);
securityProtocolFactory.ApplyConfidentiality = true;
securityProtocolFactory.RequireConfidentiality = true;
securityProtocolFactory.ApplyIntegrity = true;
securityProtocolFactory.RequireIntegrity = true;
securityProtocolFactory.IdentityVerifier = this.LocalClientSettings.IdentityVerifier;
securityProtocolFactory.DoRequestSignatureConfirmation = this.RequireSignatureConfirmation;
securityProtocolFactory.MessageProtectionOrder = this.MessageProtectionOrder;
securityProtocolFactory.ProtectionRequirements.Add(SecurityBindingElement.ComputeProtectionRequirements((SecurityBindingElement)this, context.BindingParameters, context.Binding.Elements, isForService));
this.ConfigureProtocolFactory((SecurityProtocolFactory)securityProtocolFactory, credentialsManager, isForService, issuerBindingContext, (Binding)context.Binding);
return((SecurityProtocolFactory)securityProtocolFactory);
#endif
}
private static bool HasSupportingTokens(SecurityBindingElement binding)
{
if (binding.EndpointSupportingTokenParameters.Endorsing.Count > 0 ||
binding.EndpointSupportingTokenParameters.SignedEndorsing.Count > 0 ||
binding.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0 ||
binding.EndpointSupportingTokenParameters.Signed.Count > 0)
{
return(true);
}
foreach (SupportingTokenParameters r in binding.OperationSupportingTokenParameters.Values)
{
if (r.Endorsing.Count > 0 ||
r.SignedEndorsing.Count > 0 ||
r.SignedEncrypted.Count > 0 ||
r.Signed.Count > 0)
{
return(true);
}
}
return(false);
}
internal SecurityBindingElement(SecurityBindingElement other)
{
security_header_layout = other.security_header_layout;
msg_security_version = other.msg_security_version;
endpoint = other.endpoint.Clone();
#if !MOBILE && !XAMMAC_4_5
alg_suite = other.alg_suite;
key_entropy_mode = other.key_entropy_mode;
opt_endpoint = other.opt_endpoint.Clone();
operation = new Dictionary <string, SupportingTokenParameters> ();
foreach (KeyValuePair <string, SupportingTokenParameters> p in other.operation)
{
operation.Add(p.Key, p.Value.Clone());
}
opt_operation = new Dictionary <string, SupportingTokenParameters> ();
foreach (KeyValuePair <string, SupportingTokenParameters> p in other.opt_operation)
{
opt_operation.Add(p.Key, p.Value.Clone());
}
service_settings = other.service_settings.Clone();
#endif
IncludeTimestamp = other.IncludeTimestamp;
LocalClientSettings = other.LocalClientSettings.Clone();
}
void IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
{
if (exporter == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("exporter");
}
if (policyContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
}
if (policyContext.BindingElements.Find <ITransportTokenAssertionProvider>() == null)
{
if (!this.AllowInsecureTransport)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ExportOfBindingWithTransportSecurityBindingElementAndNoTransportSecurityNotSupported)));
}
// In AllowInsecureTransport mode there is no assertion provider to export the endpoint supporting tokens. Hence we explicitly call into ExportPolicyForTransportTokenAssertionProviders.
SecurityBindingElement.ExportPolicyForTransportTokenAssertionProviders(exporter, policyContext);
}
// the ITransportTokenAssertionProvider will perform the acutal export steps.
}
internal override SecurityProtocolFactory CreateSecurityProtocolFactory <TChannel>(BindingContext context, SecurityCredentialsManager credentialsManager, bool isForService, BindingContext issuerBindingContext)
{
if (context == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("context");
}
if (credentialsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("credentialsManager");
}
if (this.ProtectionTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SymmetricSecurityBindingElementNeedsProtectionTokenParameters, this.ToString())));
}
SymmetricSecurityProtocolFactory protocolFactory = new SymmetricSecurityProtocolFactory();
if (isForService)
{
base.ApplyAuditBehaviorSettings(context, protocolFactory);
}
protocolFactory.SecurityTokenParameters = (SecurityTokenParameters)this.ProtectionTokenParameters.Clone();
SetIssuerBindingContextIfRequired(protocolFactory.SecurityTokenParameters, issuerBindingContext);
protocolFactory.ApplyConfidentiality = true;
protocolFactory.RequireConfidentiality = true;
protocolFactory.ApplyIntegrity = true;
protocolFactory.RequireIntegrity = true;
protocolFactory.IdentityVerifier = this.LocalClientSettings.IdentityVerifier;
protocolFactory.DoRequestSignatureConfirmation = this.RequireSignatureConfirmation;
protocolFactory.MessageProtectionOrder = this.MessageProtectionOrder;
protocolFactory.ProtectionRequirements.Add(SecurityBindingElement.ComputeProtectionRequirements(this, context.BindingParameters, context.Binding.Elements, isForService));
base.ConfigureProtocolFactory(protocolFactory, credentialsManager, isForService, issuerBindingContext, context.Binding);
return(protocolFactory);
}
CreateSecureConversationBindingElement(SecurityBindingElement binding)
{
return(CreateSecureConversationBindingElement(binding, false));
}
CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity)
{
return(CreateSecureConversationBindingElement(bootstrapSecurity, false));
}
// isDualSecurityModeOnly is true if the binding has both message security and https security enabled.
private bool TryImportTransportSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe, bool isDualSecurityModeOnly)
{
TransportSecurityBindingElement binding = null;
XmlElement assertion;
sbe = null;
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
{
if (securityPolicy.TryImportWsspTransportBindingAssertion(importer, policyContext.GetBindingAssertions(), out binding, out assertion))
{
this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding);
// If it is not DualSecurityMode then it is Mixed mode. So we need to look for supporting tokens in the binding.
if (!isDualSecurityModeOnly)
{
this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding);
if (importer.State.ContainsKey(InSecureConversationBootstrapBindingImportMode))
{
this.ImportMessageScopeProtectionPolicy(importer, policyContext);
}
if (HasSupportingTokens(binding) || binding.IncludeTimestamp)
{
sbe = binding;
policyContext.BindingElements.Add(binding);
}
}
}
else if (assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
}
return(binding != null);
}
private bool TryImportAsymmetricSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe)
{
AsymmetricSecurityBindingElement binding = null;
XmlElement assertion;
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
{
if (securityPolicy.TryImportWsspAsymmetricBindingAssertion(importer, policyContext, policyContext.GetBindingAssertions(), out binding, out assertion))
{
this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding);
this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding);
this.ImportMessageScopeProtectionPolicy(importer, policyContext);
policyContext.BindingElements.Add(binding);
}
else if (assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
}
sbe = binding;
return(binding != null);
}
private void ImportEndpointScopeMessageBindingAssertions(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
{
XmlElement assertion = null;
this.ImportSupportingTokenAssertions(importer, policyContext, policyContext.GetBindingAssertions(), binding.EndpointSupportingTokenParameters, binding.OptionalEndpointSupportingTokenParameters);
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
{
if (!securityPolicy.TryImportWsspWssAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) &&
assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
if (!securityPolicy.TryImportWsspTrustAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) &&
assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
}
//
// We don't have WSTrust assertion => it is possible we are a BasicHttpBinding
// Set the flag here so that later when we tried to compare binding element with basic http binding
// we can have an exact match.
//
if (assertion == null)
{
binding.DoNotEmitTrust = true;
}
}
private void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
{
foreach (OperationDescription operation in policyContext.Contract.Operations)
{
string requestAction = null;
foreach (MessageDescription message in operation.Messages)
{
if (message.Direction == MessageDirection.Input)
{
requestAction = message.Action;
break;
}
}
SupportingTokenParameters requirements = new SupportingTokenParameters();
SupportingTokenParameters optionalRequirements = new SupportingTokenParameters();
ICollection <XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation);
this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements);
if (requirements.Endorsing.Count > 0 ||
requirements.Signed.Count > 0 ||
requirements.SignedEncrypted.Count > 0 ||
requirements.SignedEndorsing.Count > 0)
{
if (requestAction != null)
{
binding.OperationSupportingTokenParameters[requestAction] = requirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction));
}
}
if (optionalRequirements.Endorsing.Count > 0 ||
optionalRequirements.Signed.Count > 0 ||
optionalRequirements.SignedEncrypted.Count > 0 ||
optionalRequirements.SignedEndorsing.Count > 0)
{
if (requestAction != null)
{
binding.OptionalOperationSupportingTokenParameters[requestAction] = optionalRequirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction)));
}
}
}
}
void CreateSecurityProtocolFactory()
{
SecurityProtocolFactory incomingProtocolFactory;
SecurityProtocolFactory outgoingProtocolFactory;
ChannelProtectionRequirements protectionRequirements;
lock (ThisLock)
{
if (null != securityProtocolFactory)
{
return;
}
TimeoutHelper timeoutHelper = new TimeoutHelper(ServiceDefaults.SendTimeout);
if (!enableSigning)
{
outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
}
else
{
X509Certificate2 cert = credManager.Certificate;
if (cert != null)
{
SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement();
securityBindingElement.ReaderQuotas = this.readerQuotas;
BindingParameterCollection bpc = new BindingParameterCollection();
if (protection == null)
{
protectionRequirements = new ChannelProtectionRequirements();
}
else
{
protectionRequirements = new ChannelProtectionRequirements(protection);
}
ApplySigningRequirements(protectionRequirements.IncomingSignatureParts);
ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts);
bpc.Add(protectionRequirements);
bpc.Add(this.auditBehavior);
bpc.Add(credManager);
BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc);
outgoingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, false, null);
}
else
{
outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
}
SecurityTokenResolver resolver;
X509SecurityTokenAuthenticator auth = tokenManager.CreateSecurityTokenAuthenticator(PeerSecurityCredentialsManager.PeerClientSecurityTokenManager.CreateRequirement(SecurityTokenTypes.X509Certificate, true), out resolver) as X509SecurityTokenAuthenticator;
if (auth != null)
{
SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement();
securityBindingElement.ReaderQuotas = this.readerQuotas;
BindingParameterCollection bpc = new BindingParameterCollection();
if (protection == null)
{
protectionRequirements = new ChannelProtectionRequirements();
}
else
{
protectionRequirements = new ChannelProtectionRequirements(protection);
}
ApplySigningRequirements(protectionRequirements.IncomingSignatureParts);
ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts);
bpc.Add(protectionRequirements);
bpc.Add(this.auditBehavior);
bpc.Add(credManager);
BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc);
incomingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, true, null);
}
else
{
incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
}
}
DuplexSecurityProtocolFactory tempFactory = new DuplexSecurityProtocolFactory(outgoingProtocolFactory, incomingProtocolFactory);
tempFactory.Open(true, timeoutHelper.RemainingTime());
securityProtocolFactory = tempFactory;
}
}
CreateSecureConversationBindingElement(
SecurityBindingElement binding, bool requireCancellation)
{
return(CreateSecureConversationBindingElement(binding, requireCancellation, null));
}
public static SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity)
{
Contract.Ensures(Contract.Result <System.ServiceModel.Channels.SecurityBindingElement>() != null);
return(default(SecurityBindingElement));
}
public Message SecureMessage()
{
secprop = Message.Properties.Security ?? new SecurityMessageProperty();
SecurityToken encToken =
secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken;
// FIXME: it might be still incorrect.
SecurityToken signToken =
Parameters == CounterParameters ? null :
security.SigningToken;
MessageProtectionOrder protectionOrder =
security.MessageProtectionOrder;
SecurityTokenSerializer serializer =
security.TokenSerializer;
SecurityBindingElement element =
security.Element;
SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite;
// FIXME: remove this hack
if (!ShouldOutputEncryptedKey)
{
encToken = new BinarySecretSecurityToken(secprop.EncryptionKey);
}
string messageId = "uuid-" + Guid.NewGuid();
int identForMessageId = 1;
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
UniqueId relatesTo = RelatesTo;
if (relatesTo != null)
{
msg.Headers.RelatesTo = relatesTo;
}
else // FIXME: probably it is always added when it is stateful ?
{
msg.Headers.MessageId = new UniqueId("urn:" + messageId);
}
// FIXME: get correct ReplyTo value
if (Direction == MessageDirection.Input)
{
msg.Headers.Add(MessageHeader.CreateHeader("ReplyTo", msg.Version.Addressing.Namespace, EndpointAddress10.FromEndpointAddress(new EndpointAddress(Constants.WsaAnonymousUri))));
}
if (MessageTo != null)
{
msg.Headers.Add(MessageHeader.CreateHeader("To", msg.Version.Addressing.Namespace, MessageTo.Uri.AbsoluteUri, true));
}
// wss:Security
WSSecurityMessageHeader header =
new WSSecurityMessageHeader(serializer);
msg.Headers.Add(header);
// 1. [Timestamp]
if (element.IncludeTimestamp)
{
WsuTimestamp timestamp = new WsuTimestamp();
timestamp.Id = messageId + "-" + identForMessageId++;
timestamp.Created = DateTime.Now;
// FIXME: on service side, use element.LocalServiceSettings.TimestampValidityDuration
timestamp.Expires = timestamp.Created.Add(element.LocalClientSettings.TimestampValidityDuration);
header.AddContent(timestamp);
}
XmlNamespaceManager nsmgr = new XmlNamespaceManager(doc.NameTable);
nsmgr.AddNamespace("s", msg.Version.Envelope.Namespace);
nsmgr.AddNamespace("o", Constants.WssNamespace);
nsmgr.AddNamespace("u", Constants.WsuNamespace);
nsmgr.AddNamespace("o11", Constants.Wss11Namespace);
/*WrappedKey*/ SecurityToken primaryToken = null;
DerivedKeySecurityToken dkeyToken = null;
SecurityToken actualToken = null;
SecurityKeyIdentifierClause actualClause = null;
Signature sig = null;
List <DerivedKeySecurityToken> derivedKeys =
new List <DerivedKeySecurityToken> ();
SymmetricAlgorithm masterKey = new RijndaelManaged();
masterKey.KeySize = suite.DefaultSymmetricKeyLength;
masterKey.Mode = CipherMode.CBC;
masterKey.Padding = PaddingMode.ISO10126;
SymmetricAlgorithm actualKey = masterKey;
// 2. [Encryption Token]
// SecurityTokenInclusionMode
// - Initiator or Recipient
// - done or notyet. FIXME: not implemented yet
// It also affects on key reference output
bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken(
Security.RecipientParameters.InclusionMode, false);
bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken(
Security.InitiatorParameters.InclusionMode, false);
SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ?
CounterParameters.CallCreateKeyIdentifierClause(encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null;
MessagePartSpecification sigSpec = SignaturePart;
MessagePartSpecification encSpec = EncryptionPart;
// encryption key (possibly also used for signing)
// FIXME: get correct SymmetricAlgorithm according to the algorithm suite
if (secprop.EncryptionKey != null)
{
actualKey.Key = secprop.EncryptionKey;
}
// FIXME: remove thid hack
if (!ShouldOutputEncryptedKey)
{
primaryToken = RequestContext.RequestMessage.Properties.Security.ProtectionToken.SecurityToken as WrappedKeySecurityToken;
}
else
{
primaryToken =
// FIXME: remove this hack?
encToken is SecurityContextSecurityToken ? encToken :
new WrappedKeySecurityToken(messageId + "-" + identForMessageId++,
actualKey.Key,
// security.DefaultKeyWrapAlgorithm,
Parameters.InternalHasAsymmetricKey ?
suite.DefaultAsymmetricKeyWrapAlgorithm :
suite.DefaultSymmetricKeyWrapAlgorithm,
encToken,
encClause != null ? new SecurityKeyIdentifier(encClause) : null);
}
// If it reuses request's encryption key, do not output.
if (ShouldOutputEncryptedKey)
{
header.AddContent(primaryToken);
}
actualToken = primaryToken;
// FIXME: I doubt it is correct...
WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken;
actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause)
new LocalIdKeyIdentifierClause(actualToken.Id, typeof(WrappedKeySecurityToken)) :
new InternalEncryptedKeyIdentifierClause(SHA1.Create().ComputeHash(requestEncKey.GetWrappedKey()));
// generate derived key if needed
if (CounterParameters.RequireDerivedKeys)
{
RijndaelManaged deriv = new RijndaelManaged();
deriv.KeySize = suite.DefaultEncryptionKeyDerivationLength;
deriv.Mode = CipherMode.CBC;
deriv.Padding = PaddingMode.ISO10126;
deriv.GenerateKey();
dkeyToken = new DerivedKeySecurityToken(
GenerateId(doc),
null, // algorithm
actualClause,
new InMemorySymmetricSecurityKey(actualKey.Key),
null, // name
null, // generation
null, // offset
deriv.Key.Length,
null, // label
deriv.Key);
derivedKeys.Add(dkeyToken);
actualToken = dkeyToken;
actualKey.Key = ((SymmetricSecurityKey)dkeyToken.SecurityKeys [0]).GetSymmetricKey();
actualClause = new LocalIdKeyIdentifierClause(dkeyToken.Id);
header.AddContent(dkeyToken);
}
ReferenceList refList = new ReferenceList();
// When encrypted with DerivedKeyToken, put references
// immediately after the derived token (not inside the
// primary token).
// Similarly, when we do not output EncryptedKey,
// output ReferenceList in the same way.
if (CounterParameters.RequireDerivedKeys ||
!ShouldOutputEncryptedKey)
{
header.AddContent(refList);
}
else
{
((WrappedKeySecurityToken)primaryToken).ReferenceList = refList;
}
// [Signature Confirmation]
if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0)
{
foreach (string value in secprop.ConfirmedSignatures)
{
header.AddContent(new Wss11SignatureConfirmation(GenerateId(doc), value));
}
}
SupportingTokenInfoCollection tokenInfos =
Direction == MessageDirection.Input ?
security.CollectSupportingTokens(GetAction()) :
new SupportingTokenInfoCollection(); // empty
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
header.AddContent(tinfo.Token);
}
// populate DOM to sign.
XPathNavigator nav = doc.CreateNavigator();
using (XmlWriter w = nav.AppendChild()) {
msg.WriteMessage(w);
}
XmlElement body = doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement;
string bodyId = null;
XmlElement secElem = null;
Collection <WSSignedXml> endorsedSignatures =
new Collection <WSSignedXml> ();
bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature);
// Below are o:Security contents that are not signed...
if (includeSigToken && signToken != null)
{
header.AddContent(signToken);
}
switch (protectionOrder)
{
case MessageProtectionOrder.EncryptBeforeSign:
// FIXME: implement
throw new NotImplementedException();
case MessageProtectionOrder.SignBeforeEncrypt:
case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature:
// sign
// see clause 8 of WS-SecurityPolicy C.2.2
WSSignedXml sxml = new WSSignedXml(doc);
SecurityTokenReferenceKeyInfo sigKeyInfo;
sig = sxml.Signature;
sig.SignedInfo.CanonicalizationMethod =
suite.DefaultCanonicalizationAlgorithm;
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/u:Timestamp", nsmgr))
{
CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace));
}
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr))
{
CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace));
}
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
if (tinfo.Mode != SecurityTokenAttachmentMode.Endorsing)
{
XmlElement el = sxml.GetIdElement(doc, tinfo.Token.Id);
CreateReference(sig, el, el.GetAttribute("Id", Constants.WsuNamespace));
}
}
XmlNodeList nodes = doc.SelectNodes("/s:Envelope/s:Header/*", nsmgr);
for (int i = 0; i < msg.Headers.Count; i++)
{
MessageHeaderInfo h = msg.Headers [i];
if (h.Name == "Security" && h.Namespace == Constants.WssNamespace)
{
secElem = nodes [i] as XmlElement;
}
else if (sigSpec.HeaderTypes.Count == 0 ||
sigSpec.HeaderTypes.Contains(new XmlQualifiedName(h.Name, h.Namespace)))
{
string id = GenerateId(doc);
h.Id = id;
CreateReference(sig, nodes [i] as XmlElement, id);
}
}
if (sigSpec.IsBodyIncluded)
{
bodyId = GenerateId(doc);
CreateReference(sig, body.ParentNode as XmlElement, bodyId);
}
if (security.DefaultSignatureAlgorithm == SignedXml.XmlDsigHMACSHA1Url)
{
// FIXME: use appropriate hash algorithm
sxml.ComputeSignature(new HMACSHA1(actualKey.Key));
sigKeyInfo = new SecurityTokenReferenceKeyInfo(actualClause, serializer, doc);
}
else
{
SecurityKeyIdentifierClause signClause =
CounterParameters.CallCreateKeyIdentifierClause(signToken, includeSigToken ? CounterParameters.ReferenceStyle : SecurityTokenReferenceStyle.External);
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)signToken.ResolveKeyIdentifierClause(signClause);
sxml.SigningKey = signKey.GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, true);
sxml.ComputeSignature();
sigKeyInfo = new SecurityTokenReferenceKeyInfo(signClause, serializer, doc);
}
sxml.KeyInfo = new KeyInfo();
sxml.KeyInfo.AddClause(sigKeyInfo);
if (!signatureProtection)
{
header.AddContent(sig);
}
// endorse the signature with (signed)endorsing
// supporting tokens.
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
switch (tinfo.Mode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
if (sxml.Signature.Id == null)
{
sig.Id = GenerateId(doc);
secElem.AppendChild(sxml.GetXml());
}
WSSignedXml ssxml = new WSSignedXml(doc);
ssxml.Signature.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm;
CreateReference(ssxml.Signature, doc, sig.Id);
SecurityToken sst = tinfo.Token;
SecurityKey ssk = sst.SecurityKeys [0]; // FIXME: could be different?
SecurityKeyIdentifierClause tclause = new LocalIdKeyIdentifierClause(sst.Id); // FIXME: could be different?
if (ssk is SymmetricSecurityKey)
{
SymmetricSecurityKey signKey = (SymmetricSecurityKey)ssk;
ssxml.ComputeSignature(signKey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
}
else
{
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)ssk;
ssxml.SigningKey = signKey.GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, true);
ssxml.ComputeSignature();
}
ssxml.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(tclause, serializer, doc));
if (!signatureProtection)
{
header.AddContent(ssxml.Signature);
}
endorsedSignatures.Add(ssxml);
break;
}
}
// encrypt
WSEncryptedXml exml = new WSEncryptedXml(doc);
EncryptedData edata = Encrypt(body, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(body, edata, false);
// encrypt signature
if (signatureProtection)
{
XmlElement sigxml = sig.GetXml();
edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent(edata);
foreach (WSSignedXml ssxml in endorsedSignatures)
{
sigxml = ssxml.GetXml();
edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent(edata);
}
if (security.RequireSignatureConfirmation)
{
Collection <Wss11SignatureConfirmation> confs = header.FindAll <Wss11SignatureConfirmation> ();
int count = 0;
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr))
{
edata = Encrypt(elem, actualKey, confs [count].Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(elem, edata, false);
header.Contents.Insert(header.Contents.IndexOf(confs [count]), edata);
header.Contents.Remove(confs [count++]);
}
}
}
// encrypt Encrypted supporting tokens
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
XmlElement el = exml.GetIdElement(doc, tinfo.Token.Id);
tinfo.Encrypted = Encrypt(el, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(el, tinfo.Encrypted, false);
header.Contents.Insert(header.Contents.IndexOf(tinfo.Token), tinfo.Encrypted);
header.Contents.Remove(tinfo.Token);
}
}
break;
}
Message ret = Message.CreateMessage(msg.Version, msg.Headers.Action, new XmlNodeReader(doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement));
ret.Properties.Security = (SecurityMessageProperty)secprop.CreateCopy();
ret.Properties.Security.EncryptionKey = masterKey.Key;
ret.BodyId = bodyId;
// FIXME: can we support TransportToken here?
if (element is AsymmetricSecurityBindingElement)
{
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(encToken, null); // FIXME: second argument
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(signToken, null); // FIXME: second argument
}
else
{
ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification(primaryToken, null);
}
ret.Headers.Clear();
ret.Headers.CopyHeadersFrom(msg);
// Header contents are:
// - Timestamp
// - SignatureConfirmation if required
// - EncryptionToken if included
// - derived key token for EncryptionToken
// - ReferenceList for encrypted items
// - signed supporting tokens
// - signed endorsing supporting tokens
// (i.e. Signed/SignedEncrypted/SignedEndorsing)
// - Signature Token if different from enc token.
// - derived key token for sig token if different
// - Signature for:
// - Timestamp
// - supporting tokens (regardless of
// its inclusion)
// - message parts in SignedParts
// - SignatureToken if TokenProtection
// (regardless of its inclusion)
// - Signatures for the main signature (above),
// for every endorsing token and signed
// endorsing token.
//
//MessageBuffer zzz = ret.CreateBufferedCopy (100000);
//ret = zzz.CreateMessage ();
//Console.WriteLine (zzz.CreateMessage ());
return(ret);
}
static public SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity)
{
return(CreateSecureConversationBindingElement(bootstrapSecurity, SecureConversationSecurityTokenParameters.defaultRequireCancellation, null));
}
static public SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity, bool requireCancellation)
{
return(CreateSecureConversationBindingElement(bootstrapSecurity, requireCancellation, null));
}
