/**
* The execution of this behavior comes rather late.
* Anyone that inspects the service description in the meantime,
* such as for metadata generation, won't see the protection level that we want to use.
*
* One way of doing it is at when create HostFactory
*
* ServiceEndpoint endpoint = host.Description.Endpoints.Find(typeof(IService));
* OperationDescription operation = endpoint.Contract.Operations.Find("Action");
* MessageDescription message = operation.Messages.Find("http://tempuri.org/IService/ActionResponse");
* MessageHeaderDescription header = message.Headers[new XmlQualifiedName("aheader", "http://tempuri.org/")];
* header.ProtectionLevel = ProtectionLevel.Sign;
*
* **/
public void AddBindingParameters(ContractDescription contractDescription, ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
{
ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
XmlQualifiedName qName = new XmlQualifiedName(header, ns);
MessagePartSpecification part = new MessagePartSpecification(qName);
requirements.OutgoingSignatureParts.AddParts(part, action);
}
public void Union(MessagePartSpecification specification)
{
if (this.isReadOnly)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ObjectIsReadOnly")));
}
if (specification == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("specification");
}
this.isBodyIncluded |= specification.IsBodyIncluded;
List <XmlQualifiedName> headerTypes = specification.headerTypes;
if ((headerTypes != null) && (headerTypes.Count > 0))
{
if (this.headerTypes == null)
{
this.headerTypes = new List <XmlQualifiedName>(headerTypes.Count);
}
for (int i = 0; i < headerTypes.Count; i++)
{
XmlQualifiedName item = headerTypes[i];
this.headerTypes.Add(item);
}
}
}
private static void AddFaultProtectionRequirements(FaultDescriptionCollection faults, ChannelProtectionRequirements requirements, ProtectionLevel defaultProtectionLevel, bool addToIncoming)
{
if (faults == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("faults"));
}
if (requirements == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("requirements"));
}
foreach (FaultDescription description in faults)
{
MessagePartSpecification parts = new MessagePartSpecification();
MessagePartSpecification specification2 = new MessagePartSpecification();
ProtectionLevel level = description.HasProtectionLevel ? description.ProtectionLevel : defaultProtectionLevel;
if (level != ProtectionLevel.None)
{
parts.IsBodyIncluded = true;
if (level == ProtectionLevel.EncryptAndSign)
{
specification2.IsBodyIncluded = true;
}
}
if (addToIncoming)
{
requirements.IncomingSignatureParts.AddParts(parts, description.Action);
requirements.IncomingEncryptionParts.AddParts(specification2, description.Action);
}
else
{
requirements.OutgoingSignatureParts.AddParts(parts, description.Action);
requirements.OutgoingEncryptionParts.AddParts(specification2, description.Action);
}
}
}
public void Union(MessagePartSpecification specification)
{
if (IsReadOnly)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.ObjectIsReadOnly));
}
if (specification == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(specification));
}
_isBodyIncluded |= specification.IsBodyIncluded;
List <XmlQualifiedName> headerTypes = specification._headerTypes;
if (headerTypes != null && headerTypes.Count > 0)
{
if (_headerTypes == null)
{
_headerTypes = new List <XmlQualifiedName>(headerTypes.Count);
}
for (int i = 0; i < headerTypes.Count; i++)
{
XmlQualifiedName qname = headerTypes[i];
_headerTypes.Add(qname);
}
}
}
protected override void StartPrimarySignatureCore(SecurityToken token, SecurityKeyIdentifier keyIdentifier, MessagePartSpecification signatureParts, bool generateTargettableSignature)
{
string str3;
XmlDictionaryString str4;
SecurityAlgorithmSuite algorithmSuite = base.AlgorithmSuite;
string defaultCanonicalizationAlgorithm = algorithmSuite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString defaultCanonicalizationAlgorithmDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString;
if (defaultCanonicalizationAlgorithm != "http://www.w3.org/2001/10/xml-exc-c14n#")
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnsupportedCanonicalizationAlgorithm", new object[] { algorithmSuite.DefaultCanonicalizationAlgorithm })));
}
algorithmSuite.GetSignatureAlgorithmAndKey(token, out str3, out this.signatureKey, out str4);
string defaultDigestAlgorithm = algorithmSuite.DefaultDigestAlgorithm;
XmlDictionaryString defaultDigestAlgorithmDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, defaultCanonicalizationAlgorithm, defaultCanonicalizationAlgorithmDictionaryString, defaultDigestAlgorithm, defaultDigestAlgorithmDictionaryString, str3, str4);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, base.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = base.GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(defaultDigestAlgorithm);
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = this.AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString canonicalizationAlgorithmDictionaryString = suite.DefaultCanonicalizationAlgorithmDictionaryString;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.GetString(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out this.signatureKey, out signatureAlgorithmDictionaryString);
string digestAlgorithm = suite.DefaultDigestAlgorithm;
XmlDictionaryString digestAlgorithmDictionaryString = suite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, canonicalizationAlgorithm, canonicalizationAlgorithmDictionaryString, digestAlgorithm, digestAlgorithmDictionaryString, signatureAlgorithm, signatureAlgorithmDictionaryString);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, this.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(digestAlgorithm);
}
public bool TryGetParts(string action, bool excludeChannelScope, out MessagePartSpecification parts)
{
if (action == null)
{
action = MessageHeaders.WildcardAction;
}
parts = null;
if (this.isReadOnly)
{
if (this.readOnlyNormalizedActionParts.ContainsKey(action))
{
if (excludeChannelScope)
{
parts = this.actionParts[action];
}
else
{
parts = this.readOnlyNormalizedActionParts[action];
}
}
}
else if (this.actionParts.ContainsKey(action))
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(this.actionParts[action]);
if (!excludeChannelScope)
{
p.Union(this.channelParts);
}
parts = p;
}
return(parts != null);
}
public void AddParts(MessagePartSpecification parts,
string action)
{
if (parts == null)
{
throw new ArgumentNullException("parts");
}
if (action == null)
{
throw new ArgumentNullException("action");
}
if (IsReadOnly)
{
throw new InvalidOperationException("This ScopedMessagePartSpecification is read-only.");
}
MessagePartSpecification existing;
if (table.TryGetValue(action, out existing))
{
existing.Union(parts);
}
else
{
table.Add(action, parts);
}
}
static MessagePartSpecification ExtractMessageParts(string action,
ScopedMessagePartSpecification scopedParts, bool isForSignature)
{
MessagePartSpecification parts = null;
if (scopedParts.TryGetParts(action, out parts))
{
return(parts);
}
else if (scopedParts.TryGetParts(MessageHeaders.WildcardAction, out parts))
{
return(parts);
}
// send back a fault indication that the action is unknown
SecurityVersion wss = MessageSecurityVersion.Default.SecurityVersion;
FaultCode subCode = new FaultCode(wss.InvalidSecurityFaultCode.Value, wss.HeaderNamespace.Value);
FaultCode senderCode = FaultCode.CreateSenderFaultCode(subCode);
FaultReason reason = new FaultReason(SR.GetString(SR.InvalidOrUnrecognizedAction, action), System.Globalization.CultureInfo.CurrentCulture);
MessageFault fault = MessageFault.CreateFault(senderCode, reason);
if (isForSignature)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoSignaturePartsSpecified, action), null, fault));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoEncryptionPartsSpecified, action), null, fault));
}
}
void VerifySoapAttributeMatchForHeader(MessageHeaderInfo info, MessagePartSpecification signatureParts, XmlDictionaryReader reader)
{
if (!signatureParts.IsHeaderIncluded(info.Name, info.Namespace))
{
return;
}
EnvelopeVersion currentVersion = this.Version.Envelope;
EnvelopeVersion otherVersion = currentVersion == EnvelopeVersion.Soap11 ? EnvelopeVersion.Soap12 : EnvelopeVersion.Soap11;
bool presentInCurrentVersion;
bool presentInOtherVersion;
presentInCurrentVersion = null != reader.GetAttribute(XD.MessageDictionary.MustUnderstand, currentVersion.DictionaryNamespace);
presentInOtherVersion = null != reader.GetAttribute(XD.MessageDictionary.MustUnderstand, otherVersion.DictionaryNamespace);
if (presentInOtherVersion && !presentInCurrentVersion)
{
throw TraceUtility.ThrowHelperError(
new MessageSecurityException(SR.GetString(
SR.InvalidAttributeInSignedHeader, info.Name, info.Namespace,
XD.MessageDictionary.MustUnderstand, otherVersion.DictionaryNamespace,
XD.MessageDictionary.MustUnderstand, currentVersion.DictionaryNamespace)), this.SecurityVerifiedMessage);
}
presentInCurrentVersion = null != reader.GetAttribute(currentVersion.DictionaryActor, currentVersion.DictionaryNamespace);
presentInOtherVersion = null != reader.GetAttribute(otherVersion.DictionaryActor, otherVersion.DictionaryNamespace);
if (presentInOtherVersion && !presentInCurrentVersion)
{
throw TraceUtility.ThrowHelperError(
new MessageSecurityException(SR.GetString(
SR.InvalidAttributeInSignedHeader, info.Name, info.Namespace,
otherVersion.DictionaryActor, otherVersion.DictionaryNamespace,
currentVersion.DictionaryActor, currentVersion.DictionaryNamespace)), this.SecurityVerifiedMessage);
}
}
private void AddParts(ref MessagePartSpecification parts1, MessagePartSpecification parts2)
{
if (parts1 == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts1"));
}
if (parts2 == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts2"));
}
if (!parts2.IsEmpty())
{
if (parts1.IsReadOnly)
{
MessagePartSpecification specification = new MessagePartSpecification();
specification.Union(parts1);
specification.Union(parts2);
parts1 = specification;
}
else
{
parts1.Union(parts2);
}
}
}
public void AddParts (MessagePartSpecification parts)
{
if (parts == null)
throw new ArgumentNullException ("parts");
if (IsReadOnly)
throw new InvalidOperationException ("This ScopedMessagePartSpecification is read-only.");
ChannelParts.Union (parts);
}
public void UnionReadOnlyPart ()
{
MessagePartSpecification s =
new MessagePartSpecification ();
s.MakeReadOnly ();
Assert.AreEqual (true, s.IsReadOnly, "#1");
s.Union (new MessagePartSpecification ());
}
internal void AddParts(MessagePartSpecification parts, XmlDictionaryString action)
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("action"));
}
this.AddParts(parts, action.Value);
}
public bool TryGetParts(string action, out MessagePartSpecification parts)
{
Contract.Ensures(Contract.Result <bool>() == (Contract.ValueAtReturn(out parts) != null));
parts = default(MessagePartSpecification);
return(default(bool));
}
internal void AddParts(MessagePartSpecification parts, XmlDictionaryString action)
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("action"));
}
AddParts(parts, action.Value);
}
public bool TryGetParts(string action, out MessagePartSpecification parts)
{
Contract.Ensures(Contract.Result<bool>() == (Contract.ValueAtReturn(out parts) != null));
parts = default(MessagePartSpecification);
return default(bool);
}
public ScopedMessagePartSpecification (
ScopedMessagePartSpecification other)
{
XmlQualifiedName [] array = new XmlQualifiedName [other.parts.HeaderTypes.Count];
other.parts.HeaderTypes.CopyTo (array, 0);
parts = new MessagePartSpecification (
other.parts.IsBodyIncluded, array);
table = new Dictionary<string,MessagePartSpecification> (other.table);
}
public ScopedMessagePartSpecification(
ScopedMessagePartSpecification other)
{
XmlQualifiedName [] array = new XmlQualifiedName [other.parts.HeaderTypes.Count];
other.parts.HeaderTypes.CopyTo(array, 0);
parts = new MessagePartSpecification(
other.parts.IsBodyIncluded, array);
table = new Dictionary <string, MessagePartSpecification> (other.table);
}
public void AddParts(MessagePartSpecification parts)
{
if (parts == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts"));
ThrowIfReadOnly();
_channelParts.Union(parts);
}
public void AddParts(MessagePartSpecification parts)
{
if (parts == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts"));
}
this.ThrowIfReadOnly();
this.channelParts.Union(parts);
}
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens)
{
ISignatureValueSecurityElement signedXml;
if (this.signedXml == null)
{
return(null);
}
SecurityTimestamp timestamp = base.Timestamp;
if (timestamp != null)
{
if (timestamp.Id == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TimestampToSignHasNoId")));
}
HashStream stream = this.TakeHashStream();
base.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(stream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer());
this.signedInfo.AddReference(timestamp.Id, stream.FlushHashAndGetValue());
}
if ((base.ShouldSignToHeader && (this.signatureKey is AsymmetricSecurityKey)) && (base.Version.Addressing != AddressingVersion.None))
{
if (this.toHeaderHash == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TransportSecurityRequireToHeader")));
}
this.signedInfo.AddReference(this.toHeaderId, this.toHeaderHash);
}
this.AddSignatureReference(signatureConfirmations);
if (base.RequireMessageProtection)
{
this.AddSignatureReference(signedEndorsingTokens);
this.AddSignatureReference(signedTokens);
this.AddSignatureReference(basicTokens);
}
if (this.signedInfo.ReferenceCount == 0)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoPartsOfMessageMatchedPartsToSign")), base.Message);
}
try
{
this.signedXml.ComputeSignature(this.signatureKey);
signedXml = this.signedXml;
}
finally
{
this.hashStream = null;
this.signedInfo = null;
this.signedXml = null;
this.signatureKey = null;
this.effectiveSignatureParts = null;
}
return(signedXml);
}
public void DefaultValues ()
{
MessagePartSpecification s =
new MessagePartSpecification ();
Assert.IsFalse (s.IsBodyIncluded, "#1");
Assert.AreEqual (0, s.HeaderTypes.Count, "#2");
s = new MessagePartSpecification (new XmlQualifiedName [] {new XmlQualifiedName ("foo", "urn:foo")});
Assert.IsFalse (s.IsBodyIncluded, "#3");
Assert.AreEqual (1, s.HeaderTypes.Count, "#4");
}
public void AddParts(MessagePartSpecification parts)
{
if (parts == null)
{
throw new ArgumentNullException("parts");
}
if (IsReadOnly)
{
throw new InvalidOperationException("This ScopedMessagePartSpecification is read-only.");
}
ChannelParts.Union(parts);
}
public void AddParts(MessagePartSpecification parts, string action)
{
if (action == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("action"));
if (parts == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts"));
ThrowIfReadOnly();
if (!_actionParts.ContainsKey(action))
_actionParts[action] = new MessagePartSpecification();
_actionParts[action].Union(parts);
}
internal IChannelListener <TChannel> BuildNegotiationChannelListener <TChannel>(BindingContext context)
where TChannel : class, IChannel
{
SecurityCredentialsManager securityCredentials = this.IssuerBindingContext.BindingParameters.Find <SecurityCredentialsManager>();
if (securityCredentials == null)
{
securityCredentials = ServiceCredentials.CreateDefaultCredentials();
}
this.bootstrapSecurityBindingElement.ReaderQuotas = context.GetInnerProperty <XmlDictionaryReaderQuotas>();
if (this.bootstrapSecurityBindingElement.ReaderQuotas == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EncodingBindingElementDoesNotHandleReaderQuotas)));
}
TransportBindingElement transportBindingElement = context.RemainingBindingElements.Find <TransportBindingElement>();
if (transportBindingElement != null)
{
this.bootstrapSecurityBindingElement.MaxReceivedMessageSize = transportBindingElement.MaxReceivedMessageSize;
}
SecurityProtocolFactory securityProtocolFactory = this.bootstrapSecurityBindingElement.CreateSecurityProtocolFactory <TChannel>(this.IssuerBindingContext.Clone(), securityCredentials, true, this.IssuerBindingContext.Clone());
MessageSecurityProtocolFactory soapBindingFactory = securityProtocolFactory as MessageSecurityProtocolFactory;
if (soapBindingFactory != null)
{
soapBindingFactory.ApplyConfidentiality = soapBindingFactory.ApplyIntegrity
= soapBindingFactory.RequireConfidentiality = soapBindingFactory.RequireIntegrity = true;
MessagePartSpecification bodyPart = new MessagePartSpecification(true);
soapBindingFactory.ProtectionRequirements.OutgoingSignatureParts.AddParts(bodyPart, RequestSecurityTokenResponseAction);
soapBindingFactory.ProtectionRequirements.OutgoingEncryptionParts.AddParts(bodyPart, RequestSecurityTokenResponseAction);
soapBindingFactory.ProtectionRequirements.IncomingSignatureParts.AddParts(bodyPart, RequestSecurityTokenAction);
soapBindingFactory.ProtectionRequirements.IncomingEncryptionParts.AddParts(bodyPart, RequestSecurityTokenAction);
}
SecurityChannelListener <TChannel> securityChannelListener =
new SecurityChannelListener <TChannel>(this.bootstrapSecurityBindingElement, context);
securityChannelListener.SecurityProtocolFactory = securityProtocolFactory;
// do not send back unsecured faults over composite duplex
securityChannelListener.SendUnsecuredFaults = !SecurityUtils.IsCompositeDuplexBinding(context);
ChannelBuilder channelBuilder = new ChannelBuilder(context, true);
securityChannelListener.InitializeListener(channelBuilder);
this.shouldMatchRstWithEndpointFilter = SecurityUtils.ShouldMatchRstWithEndpointFilter(this.bootstrapSecurityBindingElement);
return(securityChannelListener);
}
private static void AddHeaderProtectionRequirements(MessageHeaderDescription header, MessagePartSpecification signedParts,
MessagePartSpecification encryptedParts, ProtectionLevel defaultProtectionLevel)
{
ProtectionLevel p = header.HasProtectionLevel ? header.ProtectionLevel : defaultProtectionLevel;
if (p != ProtectionLevel.None)
{
XmlQualifiedName headerName = new XmlQualifiedName(header.Name, header.Namespace);
signedParts.HeaderTypes.Add(headerName);
if (p == ProtectionLevel.EncryptAndSign)
{
encryptedParts.HeaderTypes.Add(headerName);
}
}
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.Format(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
SecurityKey signatureKey;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString);
AsymmetricAlgorithm asymmetricAlgorithm = null;
GetSigningAlgorithm(signatureKey, signatureAlgorithm, out _signingKey, out asymmetricAlgorithm);
_signedXml = new SignedXml();
_signedXml.SignedInfo.CanonicalizationMethod = canonicalizationAlgorithm;
_signedXml.SignedInfo.SignatureMethod = signatureAlgorithm;
_signedXml.SigningKey = asymmetricAlgorithm;
if (keyIdentifier != null)
{
var stream = new MemoryStream();
using (var xmlWriter = XmlDictionaryWriter.CreateTextWriter(stream, Encoding.UTF8, false))
{
StandardsManager.SecurityTokenSerializer.WriteKeyIdentifier(xmlWriter, keyIdentifier);
}
stream.Position = 0;
XmlDocument doc = new XmlDocument();
doc.Load(stream);
var keyInfo = new KeyInfo();
keyInfo.LoadXml(doc.DocumentElement);
_signedXml.KeyInfo = keyInfo;
}
if (generateTargettableSignature)
{
_signedXml.Signature.Id = GenerateId();
}
_effectiveSignatureParts = signatureParts;
}
public void MakeReadOnly()
{
if (!this.isReadOnly)
{
this.readOnlyNormalizedActionParts = new Dictionary <string, MessagePartSpecification>();
foreach (string action in this.actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(this.actionParts[action]);
p.Union(this.channelParts);
p.MakeReadOnly();
this.readOnlyNormalizedActionParts[action] = p;
}
this.isReadOnly = true;
}
}
public void MakeReadOnly()
{
if (!IsReadOnly)
{
_readOnlyNormalizedActionParts = new Dictionary <string, MessagePartSpecification>();
foreach (string action in _actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(_actionParts[action]);
p.Union(ChannelParts);
p.MakeReadOnly();
_readOnlyNormalizedActionParts[action] = p;
}
IsReadOnly = true;
}
}
public void AddParts (MessagePartSpecification parts,
string action)
{
if (parts == null)
throw new ArgumentNullException ("parts");
if (action == null)
throw new ArgumentNullException ("action");
if (IsReadOnly)
throw new InvalidOperationException ("This ScopedMessagePartSpecification is read-only.");
MessagePartSpecification existing;
if (table.TryGetValue (action, out existing))
existing.Union (parts);
else
table.Add (action, parts);
}
public void AddParts(MessagePartSpecification parts, string action)
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("action"));
}
if (parts == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts"));
}
this.ThrowIfReadOnly();
if (!this.actionParts.ContainsKey(action))
{
this.actionParts[action] = new MessagePartSpecification();
}
this.actionParts[action].Union(parts);
}
public ScopedMessagePartSpecification(ScopedMessagePartSpecification other) : this()
{
if (other == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("other"));
}
this.channelParts.Union(other.channelParts);
if (other.actionParts != null)
{
foreach (string str in other.actionParts.Keys)
{
MessagePartSpecification specification = new MessagePartSpecification();
specification.Union(other.actionParts[str]);
this.actionParts[str] = specification;
}
}
}
public ScopedMessagePartSpecification(ScopedMessagePartSpecification other)
: this()
{
if (other == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("other"));
_channelParts.Union(other._channelParts);
if (other._actionParts != null)
{
foreach (string action in other._actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(other._actionParts[action]);
_actionParts[action] = p;
}
}
}
public ScopedMessagePartSpecification(ScopedMessagePartSpecification other) : this()
{
if (other == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("other"));
}
this.channelParts.Union(other.channelParts);
if (other.actionParts != null)
{
foreach (string str in other.actionParts.Keys)
{
MessagePartSpecification specification = new MessagePartSpecification();
specification.Union(other.actionParts[str]);
this.actionParts[str] = specification;
}
}
}
public void Union ()
{
XmlQualifiedName q1, q2, q3;
q1 = new XmlQualifiedName ("foo");
q2 = new XmlQualifiedName ("bar");
q3 = new XmlQualifiedName ("baz");
MessagePartSpecification p1 =
new MessagePartSpecification (false, new XmlQualifiedName [] {q1, q2});
MessagePartSpecification p2 =
new MessagePartSpecification (true, new XmlQualifiedName [] {q3, q2});
p1.Union (p2);
Assert.IsTrue (p1.IsBodyIncluded, "#1");
// Sigh. It does not exclude duplicates.
Assert.AreEqual (4, p1.HeaderTypes.Count, "#1-2");
Assert.IsTrue (p1.HeaderTypes.Contains (q1), "#2");
Assert.IsTrue (p1.HeaderTypes.Contains (q2), "#3");
Assert.IsTrue (p1.HeaderTypes.Contains (q3), "#4");
}
protected void EnsureEndpointAddressDoesNotRequireEncryption(EndpointAddress target)
{
if ((this.ApplicationProtectionRequirements != null) && (this.ApplicationProtectionRequirements.OutgoingEncryptionParts != null))
{
MessagePartSpecification channelParts = this.ApplicationProtectionRequirements.OutgoingEncryptionParts.ChannelParts;
if (channelParts != null)
{
for (int i = 0; i < this.targetAddress.Headers.Count; i++)
{
AddressHeader header = target.Headers[i];
if (channelParts.IsHeaderIncluded(header.Name, header.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("SecurityNegotiationCannotProtectConfidentialEndpointHeader", new object[] { target, header.Name, header.Namespace })));
}
}
}
}
}
private void VerifySoapAttributeMatchForHeader(MessageHeaderInfo info, MessagePartSpecification signatureParts, XmlDictionaryReader reader)
{
if (signatureParts.IsHeaderIncluded(info.Name, info.Namespace))
{
EnvelopeVersion envelope = base.Version.Envelope;
EnvelopeVersion version2 = (envelope == EnvelopeVersion.Soap11) ? EnvelopeVersion.Soap12 : EnvelopeVersion.Soap11;
bool flag = null != reader.GetAttribute(System.ServiceModel.XD.MessageDictionary.MustUnderstand, envelope.DictionaryNamespace);
if ((null != reader.GetAttribute(System.ServiceModel.XD.MessageDictionary.MustUnderstand, version2.DictionaryNamespace)) && !flag)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidAttributeInSignedHeader", new object[] { info.Name, info.Namespace, System.ServiceModel.XD.MessageDictionary.MustUnderstand, version2.DictionaryNamespace, System.ServiceModel.XD.MessageDictionary.MustUnderstand, envelope.DictionaryNamespace })), base.SecurityVerifiedMessage);
}
flag = null != reader.GetAttribute(envelope.DictionaryActor, envelope.DictionaryNamespace);
if ((null != reader.GetAttribute(version2.DictionaryActor, version2.DictionaryNamespace)) && !flag)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidAttributeInSignedHeader", new object[] { info.Name, info.Namespace, version2.DictionaryActor, version2.DictionaryNamespace, envelope.DictionaryActor, envelope.DictionaryNamespace })), base.SecurityVerifiedMessage);
}
}
}
public void Union(MessagePartSpecification other)
{
if (other == null)
{
throw new ArgumentNullException("other");
}
if (header_types.IsReadOnly)
{
throw new InvalidOperationException("This MessagePartSpecification is read-only.");
}
body |= other.body;
foreach (XmlQualifiedName q in other.header_types)
{
// Sigh. It could be much better here.
//if (!header_types.Contains (q))
header_types.Add(q);
}
}
private AddressingVersion(string ns, XmlDictionaryString dictionaryNs, string toStringFormat, MessagePartSpecification signedMessageParts, string anonymous, XmlDictionaryString dictionaryAnonymous, string none, string faultAction, string defaultFaultAction)
{
this.ns = ns;
this.dictionaryNs = dictionaryNs;
this.toStringFormat = toStringFormat;
this.signedMessageParts = signedMessageParts;
this.anonymous = anonymous;
this.dictionaryAnonymous = dictionaryAnonymous;
if (anonymous != null)
{
this.anonymousUri = new Uri(anonymous);
}
if (none != null)
{
this.noneUri = new Uri(none);
}
this.faultAction = faultAction;
this.defaultFaultAction = defaultFaultAction;
}
public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
{
var proReq =
bindingParameters.Remove<ChannelProtectionRequirements>();
proReq = new ChannelProtectionRequirements();
MessagePartSpecification unProtectedSpec = new MessagePartSpecification();
MessagePartSpecification protectedSpec = new MessagePartSpecification(true);
// I'm setting same protection level for all the actions.
// You could specify different protection level per action, if required.
// Also note, I haven't implemented any support for custom SOAP headers.
// However that can easily be added using the same mechansim.
switch (level)
{
case ProtectionLevel.None:
proReq.OutgoingSignatureParts.AddParts(unProtectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(unProtectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
break;
case ProtectionLevel.Sign:
proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
break;
case ProtectionLevel.EncryptAndSign:
proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(protectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(protectedSpec, "*");
break;
}
// Add our protection requirement for this endpoint into the binding params.
bindingParameters.Add(proReq);
}
public ScopedMessagePartSpecification(ScopedMessagePartSpecification other)
: this()
{
if (other == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(other)));
}
ChannelParts.Union(other.ChannelParts);
if (other._actionParts != null)
{
foreach (string action in other._actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(other._actionParts[action]);
_actionParts[action] = p;
}
}
}
protected override IChannelFactory <IRequestChannel> GetNegotiationChannelFactory(IChannelFactory <IRequestChannel> transportChannelFactory, ChannelBuilder channelBuilder)
{
ISecurityCapabilities securityCapabilities = this.bootstrapSecurityBindingElement.GetProperty <ISecurityCapabilities>(this.IssuerBindingContext);
SecurityCredentialsManager securityCredentials = this.IssuerBindingContext.BindingParameters.Find <SecurityCredentialsManager>();
if (securityCredentials == null)
{
securityCredentials = ClientCredentials.CreateDefaultCredentials();
}
this.bootstrapSecurityBindingElement.ReaderQuotas = this.IssuerBindingContext.GetInnerProperty <XmlDictionaryReaderQuotas>();
if (this.bootstrapSecurityBindingElement.ReaderQuotas == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EncodingBindingElementDoesNotHandleReaderQuotas)));
}
TransportBindingElement transportBindingElement = this.IssuerBindingContext.RemainingBindingElements.Find <TransportBindingElement>();
if (transportBindingElement != null)
{
this.bootstrapSecurityBindingElement.MaxReceivedMessageSize = transportBindingElement.MaxReceivedMessageSize;
}
SecurityProtocolFactory securityProtocolFactory = this.bootstrapSecurityBindingElement.CreateSecurityProtocolFactory <IRequestChannel>(this.IssuerBindingContext.Clone(), securityCredentials, false, this.IssuerBindingContext.Clone());
MessageSecurityProtocolFactory soapBindingFactory = (securityProtocolFactory as MessageSecurityProtocolFactory);
if (soapBindingFactory != null)
{
soapBindingFactory.ApplyConfidentiality = soapBindingFactory.ApplyIntegrity
= soapBindingFactory.RequireConfidentiality = soapBindingFactory.RequireIntegrity = true;
MessagePartSpecification bodyPart = new MessagePartSpecification(true);
soapBindingFactory.ProtectionRequirements.IncomingSignatureParts.AddParts(bodyPart, RequestSecurityTokenAction);
soapBindingFactory.ProtectionRequirements.IncomingEncryptionParts.AddParts(bodyPart, RequestSecurityTokenAction);
soapBindingFactory.ProtectionRequirements.OutgoingSignatureParts.AddParts(bodyPart, RequestSecurityTokenResponseAction);
soapBindingFactory.ProtectionRequirements.OutgoingEncryptionParts.AddParts(bodyPart, RequestSecurityTokenResponseAction);
}
securityProtocolFactory.PrivacyNoticeUri = this.PrivacyNoticeUri;
securityProtocolFactory.PrivacyNoticeVersion = this.PrivacyNoticeVersion;
return(new SecurityChannelFactory <IRequestChannel>(
securityCapabilities, this.IssuerBindingContext, channelBuilder, securityProtocolFactory, transportChannelFactory));
}
internal IChannelListener <TChannel> BuildNegotiationChannelListener <TChannel>(BindingContext context) where TChannel : class, IChannel
{
SecurityCredentialsManager credentialsManager = base.IssuerBindingContext.BindingParameters.Find <SecurityCredentialsManager>();
if (credentialsManager == null)
{
credentialsManager = ServiceCredentials.CreateDefaultCredentials();
}
this.bootstrapSecurityBindingElement.ReaderQuotas = context.GetInnerProperty <XmlDictionaryReaderQuotas>();
if (this.bootstrapSecurityBindingElement.ReaderQuotas == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("EncodingBindingElementDoesNotHandleReaderQuotas")));
}
TransportBindingElement element = context.RemainingBindingElements.Find <TransportBindingElement>();
if (element != null)
{
this.bootstrapSecurityBindingElement.MaxReceivedMessageSize = element.MaxReceivedMessageSize;
}
SecurityProtocolFactory factory = this.bootstrapSecurityBindingElement.CreateSecurityProtocolFactory <TChannel>(base.IssuerBindingContext.Clone(), credentialsManager, true, base.IssuerBindingContext.Clone());
MessageSecurityProtocolFactory factory2 = factory as MessageSecurityProtocolFactory;
if (factory2 != null)
{
factory2.ApplyConfidentiality = factory2.ApplyIntegrity = factory2.RequireConfidentiality = factory2.RequireIntegrity = true;
MessagePartSpecification parts = new MessagePartSpecification(true);
factory2.ProtectionRequirements.OutgoingSignatureParts.AddParts(parts, this.RequestSecurityTokenResponseAction);
factory2.ProtectionRequirements.OutgoingEncryptionParts.AddParts(parts, this.RequestSecurityTokenResponseAction);
factory2.ProtectionRequirements.IncomingSignatureParts.AddParts(parts, this.RequestSecurityTokenAction);
factory2.ProtectionRequirements.IncomingEncryptionParts.AddParts(parts, this.RequestSecurityTokenAction);
}
SecurityChannelListener <TChannel> listener = new SecurityChannelListener <TChannel>(this.bootstrapSecurityBindingElement, context)
{
SecurityProtocolFactory = factory,
SendUnsecuredFaults = !System.ServiceModel.Security.SecurityUtils.IsCompositeDuplexBinding(context)
};
ChannelBuilder channelBuilder = new ChannelBuilder(context, true);
listener.InitializeListener(channelBuilder);
this.shouldMatchRstWithEndpointFilter = System.ServiceModel.Security.SecurityUtils.ShouldMatchRstWithEndpointFilter(this.bootstrapSecurityBindingElement);
return(listener);
}
internal static ChannelProtectionRequirements GetChannelProtectionRequirements(ProtectionLevel protectionLevel)
{
ChannelProtectionRequirements result;
if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
if (encryptAndSignChannelProtectionRequirements == null)
{
MessagePartSpecification header = new MessagePartSpecification();
header.HeaderTypes.Add(new XmlQualifiedName(CallbackContextHeaderName, CallbackContextHeaderNamespace));
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
requirements.IncomingSignatureParts.AddParts(header);
requirements.IncomingEncryptionParts.AddParts(header);
requirements.OutgoingSignatureParts.AddParts(header);
requirements.OutgoingEncryptionParts.AddParts(header);
requirements.MakeReadOnly();
encryptAndSignChannelProtectionRequirements = requirements;
}
result = encryptAndSignChannelProtectionRequirements;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
if (signChannelProtectionRequirements == null)
{
MessagePartSpecification header = new MessagePartSpecification();
header.HeaderTypes.Add(new XmlQualifiedName(CallbackContextHeaderName, CallbackContextHeaderNamespace));
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
requirements.IncomingSignatureParts.AddParts(header);
requirements.OutgoingSignatureParts.AddParts(header);
requirements.MakeReadOnly();
signChannelProtectionRequirements = requirements;
}
result = signChannelProtectionRequirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("protectionLevel"));
}
return result;
}
// helper methods
protected void EnsureEndpointAddressDoesNotRequireEncryption(EndpointAddress target)
{
if (ApplicationProtectionRequirements == null ||
ApplicationProtectionRequirements.OutgoingEncryptionParts == null)
{
return;
}
MessagePartSpecification channelEncryptionParts = ApplicationProtectionRequirements.OutgoingEncryptionParts.ChannelParts;
if (channelEncryptionParts == null)
{
return;
}
for (int i = 0; i < _targetAddress.Headers.Count; ++i)
{
AddressHeader header = target.Headers[i];
if (channelEncryptionParts.IsHeaderIncluded(header.Name, header.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.SecurityNegotiationCannotProtectConfidentialEndpointHeader, target, header.Name, header.Namespace)));
}
}
}
private static MessagePartSpecification ExtractMessageParts(string action, ScopedMessagePartSpecification scopedParts, bool isForSignature)
{
MessagePartSpecification parts = (MessagePartSpecification)null;
if (scopedParts.TryGetParts(action, out parts) || scopedParts.TryGetParts("*", out parts))
{
return(parts);
}
SecurityVersion securityVersion = MessageSecurityVersion.Default.SecurityVersion;
MessageFault fault = MessageFault.CreateFault(FaultCode.CreateSenderFaultCode(new FaultCode(securityVersion.InvalidSecurityFaultCode.Value, securityVersion.HeaderNamespace.Value)), new FaultReason(SR.GetString("InvalidOrUnrecognizedAction", new object[1] {
(object)action
}), CultureInfo.CurrentCulture));
if (isForSignature)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoSignaturePartsSpecified", new object[1] {
(object)action
}), (Exception)null, fault));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoEncryptionPartsSpecified", new object[1] {
(object)action
}), (Exception)null, fault));
}
internal static ChannelProtectionRequirements GetChannelProtectionRequirements(ProtectionLevel protectionLevel)
{
if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
if (encryptAndSignChannelProtectionRequirements == null)
{
MessagePartSpecification parts = new MessagePartSpecification {
HeaderTypes = { new XmlQualifiedName("CallbackContext", "http://schemas.microsoft.com/ws/2008/02/context") }
};
ChannelProtectionRequirements requirements2 = new ChannelProtectionRequirements();
requirements2.IncomingSignatureParts.AddParts(parts);
requirements2.IncomingEncryptionParts.AddParts(parts);
requirements2.OutgoingSignatureParts.AddParts(parts);
requirements2.OutgoingEncryptionParts.AddParts(parts);
requirements2.MakeReadOnly();
encryptAndSignChannelProtectionRequirements = requirements2;
}
return encryptAndSignChannelProtectionRequirements;
}
if (protectionLevel != ProtectionLevel.Sign)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("protectionLevel"));
}
if (signChannelProtectionRequirements == null)
{
MessagePartSpecification specification2 = new MessagePartSpecification {
HeaderTypes = { new XmlQualifiedName("CallbackContext", "http://schemas.microsoft.com/ws/2008/02/context") }
};
ChannelProtectionRequirements requirements3 = new ChannelProtectionRequirements();
requirements3.IncomingSignatureParts.AddParts(specification2);
requirements3.OutgoingSignatureParts.AddParts(specification2);
requirements3.MakeReadOnly();
signChannelProtectionRequirements = requirements3;
}
return signChannelProtectionRequirements;
}
void ImportProtectionAssertions(ICollection<XmlElement> assertions, out MessagePartSpecification signedParts, out MessagePartSpecification encryptedParts)
{
XmlElement assertion;
signedParts = null;
encryptedParts = null;
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out securityPolicy))
{
if (!securityPolicy.TryImportWsspEncryptedPartsAssertion(assertions, out encryptedParts, out assertion)
&& assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
if (!securityPolicy.TryImportWsspSignedPartsAssertion(assertions, out signedParts, out assertion)
&& assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
}
if (encryptedParts == null)
{
encryptedParts = MessagePartSpecification.NoParts;
}
if (signedParts == null)
{
signedParts = MessagePartSpecification.NoParts;
}
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = this.AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString canonicalizationAlgorithmDictionaryString = suite.DefaultCanonicalizationAlgorithmDictionaryString;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.GetString(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out this.signatureKey, out signatureAlgorithmDictionaryString);
string digestAlgorithm = suite.DefaultDigestAlgorithm;
XmlDictionaryString digestAlgorithmDictionaryString = suite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, canonicalizationAlgorithm, canonicalizationAlgorithmDictionaryString, digestAlgorithm, digestAlgorithmDictionaryString, signatureAlgorithm, signatureAlgorithmDictionaryString);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, this.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(digestAlgorithm);
}
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(
SendSecurityHeaderElement[] signatureConfirmations,
SecurityToken[] signedEndorsingTokens,
SecurityToken[] signedTokens,
SendSecurityHeaderElement[] basicTokens, bool isPrimarySignature)
{
if (this.signedXml == null)
{
return null;
}
SecurityTimestamp timestamp = this.Timestamp;
if (timestamp != null)
{
if (timestamp.Id == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TimestampToSignHasNoId)));
}
HashStream hashStream = TakeHashStream();
this.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(
hashStream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer());
signedInfo.AddReference(timestamp.Id, hashStream.FlushHashAndGetValue());
}
if ((this.ShouldSignToHeader) && (this.signatureKey is AsymmetricSecurityKey) && (this.Version.Addressing != AddressingVersion.None))
{
if (this.toHeaderHash != null)
signedInfo.AddReference(this.toHeaderId, this.toHeaderHash);
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TransportSecurityRequireToHeader)));
}
AddSignatureReference(signatureConfirmations);
if (isPrimarySignature && this.ShouldProtectTokens)
{
AddPrimaryTokenSignatureReference(this.ElementContainer.SourceSigningToken, this.SigningTokenParameters);
}
if (this.RequireMessageProtection)
{
AddSignatureReference(signedEndorsingTokens, SecurityTokenAttachmentMode.SignedEndorsing);
AddSignatureReference(signedTokens, SecurityTokenAttachmentMode.Signed);
AddSignatureReference(basicTokens);
}
if (this.signedInfo.ReferenceCount == 0)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoPartsOfMessageMatchedPartsToSign)), this.Message);
}
try
{
this.signedXml.ComputeSignature(this.signatureKey);
return this.signedXml;
}
finally
{
this.hashStream = null;
this.signedInfo = null;
this.signedXml = null;
this.signatureKey = null;
this.effectiveSignatureParts = null;
}
}
private static void AddFaultProtectionRequirements(FaultDescriptionCollection faults, ChannelProtectionRequirements requirements, ProtectionLevel defaultProtectionLevel, bool addToIncoming)
{
if (faults == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("faults"));
if (requirements == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("requirements"));
foreach (FaultDescription fault in faults)
{
MessagePartSpecification signedParts = new MessagePartSpecification();
MessagePartSpecification encryptedParts = new MessagePartSpecification();
ProtectionLevel p = fault.HasProtectionLevel ? fault.ProtectionLevel : defaultProtectionLevel;
if (p != ProtectionLevel.None)
{
signedParts.IsBodyIncluded = true;
if (p == ProtectionLevel.EncryptAndSign)
{
encryptedParts.IsBodyIncluded = true;
}
}
if (addToIncoming)
{
requirements.IncomingSignatureParts.AddParts(signedParts, fault.Action);
requirements.IncomingEncryptionParts.AddParts(encryptedParts, fault.Action);
}
else
{
requirements.OutgoingSignatureParts.AddParts(signedParts, fault.Action);
requirements.OutgoingEncryptionParts.AddParts(encryptedParts, fault.Action);
}
}
}
private static void AddHeaderProtectionRequirements(MessageHeaderDescription header, MessagePartSpecification signedParts,
MessagePartSpecification encryptedParts, ProtectionLevel defaultProtectionLevel)
{
ProtectionLevel p = header.HasProtectionLevel ? header.ProtectionLevel : defaultProtectionLevel;
if (p != ProtectionLevel.None)
{
XmlQualifiedName headerName = new XmlQualifiedName(header.Name, header.Namespace);
signedParts.HeaderTypes.Add(headerName);
if (p == ProtectionLevel.EncryptAndSign)
encryptedParts.HeaderTypes.Add(headerName);
}
}
public virtual MessagePartSpecification TryGetProtectedParts(XmlElement assertion)
{
MessagePartSpecification parts = new MessagePartSpecification();
foreach (XmlNode node in assertion.ChildNodes)
{
if (node.NodeType == XmlNodeType.Whitespace || node.NodeType == XmlNodeType.Comment)
{
continue;
}
else if (node is XmlElement)
{
XmlElement element = (XmlElement)node;
if (IsWsspAssertion(element, BodyName))
{
parts.IsBodyIncluded = true;
}
else if (IsWsspAssertion(element, HeaderName))
{
string name = element.GetAttribute(NameName);
string ns = element.GetAttribute(NamespaceName);
if (ns == null)
{
parts = null;
break;
}
parts.HeaderTypes.Add(new XmlQualifiedName(name, ns));
}
else
{
parts = null;
break;
}
}
else
{
parts = null;
break;
}
}
return parts;
}
public virtual XmlElement CreateWsspBootstrapPolicyAssertion(MetadataExporter exporter, SecurityBindingElement bootstrapSecurity)
{
if (bootstrapSecurity == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("bootstrapBinding");
WSSecurityPolicy sp = WSSecurityPolicy.GetSecurityPolicyDriver(bootstrapSecurity.MessageSecurityVersion);
// create complete bootstrap binding
CustomBinding bootstrapBinding = new CustomBinding(bootstrapSecurity);
if (exporter.State.ContainsKey(SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey))
{
BindingElementCollection bindingElementsBelowSecurity = exporter.State[SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey] as BindingElementCollection;
if (bindingElementsBelowSecurity != null)
{
foreach (BindingElement be in bindingElementsBelowSecurity)
{
bootstrapBinding.Elements.Add(be);
}
}
}
// generate policy for the "how" of security
ServiceEndpoint bootstrapEndpoint = new ServiceEndpoint(NullContract);
bootstrapEndpoint.Binding = bootstrapBinding;
PolicyConversionContext policyContext = exporter.ExportPolicy(bootstrapEndpoint);
// generate policy for the "what" of security (protection assertions)
// hard-coded requirements in V1: sign and encrypt RST and RSTR body
ChannelProtectionRequirements bootstrapProtection = new ChannelProtectionRequirements();
bootstrapProtection.IncomingEncryptionParts.AddParts(new MessagePartSpecification(true));
bootstrapProtection.OutgoingEncryptionParts.AddParts(new MessagePartSpecification(true));
bootstrapProtection.IncomingSignatureParts.AddParts(new MessagePartSpecification(true));
bootstrapProtection.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true));
// add boostrap binding protection requirements (e.g. addressing headers)
ChannelProtectionRequirements cpr = bootstrapBinding.GetProperty<ChannelProtectionRequirements>(new BindingParameterCollection());
if (cpr != null)
{
bootstrapProtection.Add(cpr);
}
// extract channel-scope protection requirements and union them across request and response
MessagePartSpecification encryption = new MessagePartSpecification();
encryption.Union(bootstrapProtection.IncomingEncryptionParts.ChannelParts);
encryption.Union(bootstrapProtection.OutgoingEncryptionParts.ChannelParts);
encryption.MakeReadOnly();
MessagePartSpecification signature = new MessagePartSpecification();
signature.Union(bootstrapProtection.IncomingSignatureParts.ChannelParts);
signature.Union(bootstrapProtection.OutgoingSignatureParts.ChannelParts);
signature.MakeReadOnly();
// create final boostrap policy assertion
XmlElement nestedPolicy = CreateWspPolicyWrapper(
exporter,
sp.CreateWsspSignedPartsAssertion(signature),
sp.CreateWsspEncryptedPartsAssertion(encryption));
foreach (XmlElement e in sp.FilterWsspPolicyAssertions(policyContext.GetBindingAssertions()))
{
nestedPolicy.AppendChild(e);
}
XmlElement result = CreateWsspAssertion(BootstrapPolicyName);
result.AppendChild(nestedPolicy);
return result;
}
protected override void StartPrimarySignatureCore(SecurityToken token, SecurityKeyIdentifier keyIdentifier, MessagePartSpecification signatureParts, bool generateTargettableSignature)
{
string str3;
XmlDictionaryString str4;
SecurityAlgorithmSuite algorithmSuite = base.AlgorithmSuite;
string defaultCanonicalizationAlgorithm = algorithmSuite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString defaultCanonicalizationAlgorithmDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString;
if (defaultCanonicalizationAlgorithm != "http://www.w3.org/2001/10/xml-exc-c14n#")
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnsupportedCanonicalizationAlgorithm", new object[] { algorithmSuite.DefaultCanonicalizationAlgorithm })));
}
algorithmSuite.GetSignatureAlgorithmAndKey(token, out str3, out this.signatureKey, out str4);
string defaultDigestAlgorithm = algorithmSuite.DefaultDigestAlgorithm;
XmlDictionaryString defaultDigestAlgorithmDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, defaultCanonicalizationAlgorithm, defaultCanonicalizationAlgorithmDictionaryString, defaultDigestAlgorithm, defaultDigestAlgorithmDictionaryString, str3, str4);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, base.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = base.GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(defaultDigestAlgorithm);
}
public virtual XmlElement CreateWsspEncryptedPartsAssertion(MessagePartSpecification parts)
{
if (parts == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parts");
}
XmlElement result;
if (parts.IsEmpty())
{
result = null;
}
else
{
result = CreateWsspAssertion(EncryptedPartsName);
if (parts.IsBodyIncluded)
{
result.AppendChild(CreateWsspAssertion(BodyName));
}
foreach (XmlQualifiedName header in parts.HeaderTypes)
{
result.AppendChild(CreateWsspHeaderAssertion(header));
}
}
return result;
}
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts)
{
MessagePartSpecification result = new MessagePartSpecification(false);
foreach (string action in actionParts.Actions)
{
MessagePartSpecification parts;
if (actionParts.TryGetParts(action, out parts))
{
if (parts.IsBodyIncluded)
{
result.IsBodyIncluded = true;
}
foreach (XmlQualifiedName headerType in parts.HeaderTypes)
{
if (!result.IsHeaderIncluded(headerType.Name, headerType.Namespace))
{
result.HeaderTypes.Add(headerType);
}
}
}
}
return result;
}
public virtual bool TryImportWsspSignedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion)
{
if (TryImportWsspAssertion(assertions, SignedPartsName, out assertion))
{
parts = TryGetProtectedParts(assertion);
}
else
{
parts = null;
}
return parts != null;
}
internal static ChannelProtectionRequirements CreateFromContract(ContractDescription contract, ProtectionLevel defaultRequestProtectionLevel, ProtectionLevel defaultResponseProtectionLevel, bool isForClient)
{
if (contract == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("contract"));
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
ProtectionLevel contractScopeDefaultRequestProtectionLevel;
ProtectionLevel contractScopeDefaultResponseProtectionLevel;
if (contract.HasProtectionLevel)
{
contractScopeDefaultRequestProtectionLevel = contract.ProtectionLevel;
contractScopeDefaultResponseProtectionLevel = contract.ProtectionLevel;
}
else
{
contractScopeDefaultRequestProtectionLevel = defaultRequestProtectionLevel;
contractScopeDefaultResponseProtectionLevel = defaultResponseProtectionLevel;
}
foreach (OperationDescription operation in contract.Operations)
{
ProtectionLevel operationScopeDefaultRequestProtectionLevel;
ProtectionLevel operationScopeDefaultResponseProtectionLevel;
operationScopeDefaultRequestProtectionLevel = contractScopeDefaultRequestProtectionLevel;
operationScopeDefaultResponseProtectionLevel = contractScopeDefaultResponseProtectionLevel;
foreach (MessageDescription message in operation.Messages)
{
ProtectionLevel messageScopeDefaultProtectionLevel;
if (message.HasProtectionLevel)
{
messageScopeDefaultProtectionLevel = message.ProtectionLevel;
}
else if (message.Direction == MessageDirection.Input)
{
messageScopeDefaultProtectionLevel = operationScopeDefaultRequestProtectionLevel;
}
else
{
messageScopeDefaultProtectionLevel = operationScopeDefaultResponseProtectionLevel;
}
MessagePartSpecification signedParts = new MessagePartSpecification();
MessagePartSpecification encryptedParts = new MessagePartSpecification();
// determine header protection requirements for message
foreach (MessageHeaderDescription header in message.Headers)
{
AddHeaderProtectionRequirements(header, signedParts, encryptedParts, messageScopeDefaultProtectionLevel);
}
// determine body protection requirements for message
ProtectionLevel bodyProtectionLevel;
if (message.Body.Parts.Count > 0)
{
// initialize the body protection level to none. all the body parts will be
// unioned to get the effective body protection level
bodyProtectionLevel = ProtectionLevel.None;
}
else if (message.Body.ReturnValue != null)
{
if (!(message.Body.ReturnValue.GetType().Equals(typeof(MessagePartDescription))))
{
Fx.Assert("Only body return values are supported currently");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.OnlyBodyReturnValuesSupported));
}
MessagePartDescription desc = message.Body.ReturnValue;
bodyProtectionLevel = desc.HasProtectionLevel ? desc.ProtectionLevel : messageScopeDefaultProtectionLevel;
}
else
{
bodyProtectionLevel = messageScopeDefaultProtectionLevel;
}
// determine body protection requirements for message
if (message.Body.Parts.Count > 0)
{
foreach (MessagePartDescription body in message.Body.Parts)
{
ProtectionLevel partProtectionLevel = body.HasProtectionLevel ? body.ProtectionLevel : messageScopeDefaultProtectionLevel;
bodyProtectionLevel = ProtectionLevelHelper.Max(bodyProtectionLevel, partProtectionLevel);
if (bodyProtectionLevel == ProtectionLevel.EncryptAndSign)
break;
}
}
if (bodyProtectionLevel != ProtectionLevel.None)
{
signedParts.IsBodyIncluded = true;
if (bodyProtectionLevel == ProtectionLevel.EncryptAndSign)
encryptedParts.IsBodyIncluded = true;
}
// add requirements for message
if (message.Direction == MessageDirection.Input)
{
requirements.IncomingSignatureParts.AddParts(signedParts, message.Action);
requirements.IncomingEncryptionParts.AddParts(encryptedParts, message.Action);
}
else
{
requirements.OutgoingSignatureParts.AddParts(signedParts, message.Action);
requirements.OutgoingEncryptionParts.AddParts(encryptedParts, message.Action);
}
}
if (operation.Faults != null)
{
if (operation.IsServerInitiated())
{
AddFaultProtectionRequirements(operation.Faults, requirements, operationScopeDefaultRequestProtectionLevel, true);
}
else
{
AddFaultProtectionRequirements(operation.Faults, requirements, operationScopeDefaultResponseProtectionLevel, false);
}
}
}
return requirements;
}
