public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver)
 {
     this.CommunicationObject.ThrowIfDisposedOrImmutable();
     this.sessionId = sessionId;
     this.sessionTokenResolver = sessionTokenResolver;
     Collection<SecurityTokenResolver> tmp = new Collection<SecurityTokenResolver>();
     tmp.Add(this.sessionTokenResolver);
     this.sessionTokenResolverList = new ReadOnlyCollection<SecurityTokenResolver>(tmp);
     this.sessionTokenAuthenticator = sessionTokenAuthenticator;
     SupportingTokenAuthenticatorSpecification spec = new SupportingTokenAuthenticatorSpecification(this.sessionTokenAuthenticator, this.sessionTokenResolver, SecurityTokenAttachmentMode.Endorsing, this.Factory.SecurityTokenParameters);
     this.sessionTokenAuthenticatorSpecificationList = new Collection<SupportingTokenAuthenticatorSpecification>();
     this.sessionTokenAuthenticatorSpecificationList.Add(spec);
 }
Beispiel #2
0
        public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver)
        {
            this.CommunicationObject.ThrowIfDisposedOrImmutable();
            this.sessionId            = sessionId;
            this.sessionTokenResolver = sessionTokenResolver;
            Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>();

            tmp.Add(this.sessionTokenResolver);
            this.sessionTokenResolverList  = new ReadOnlyCollection <SecurityTokenResolver>(tmp);
            this.sessionTokenAuthenticator = sessionTokenAuthenticator;
            SupportingTokenAuthenticatorSpecification spec = new SupportingTokenAuthenticatorSpecification(this.sessionTokenAuthenticator, this.sessionTokenResolver, SecurityTokenAttachmentMode.Endorsing, this.Factory.SecurityTokenParameters);

            this.sessionTokenAuthenticatorSpecificationList = new Collection <SupportingTokenAuthenticatorSpecification>();
            this.sessionTokenAuthenticatorSpecificationList.Add(spec);
        }
Beispiel #3
0
 private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList)
 {
     for (int i = 0; i < supportingTokenParameters.Endorsing.Count; ++i)
     {
         SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing);
         try
         {
             System.IdentityModel.Selectors.SecurityTokenResolver      resolver;
             System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
             SupportingTokenAuthenticatorSpecification authenticatorSpec             = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional);
             authenticatorSpecList.Add(authenticatorSpec);
         }
         catch (Exception e)
         {
             if (!isOptional || Fx.IsFatal(e))
             {
                 throw;
             }
         }
     }
     for (int i = 0; i < supportingTokenParameters.SignedEndorsing.Count; ++i)
     {
         SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[i], SecurityTokenAttachmentMode.SignedEndorsing);
         try
         {
             System.IdentityModel.Selectors.SecurityTokenResolver      resolver;
             System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
             SupportingTokenAuthenticatorSpecification authenticatorSpec             = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[i], isOptional);
             authenticatorSpecList.Add(authenticatorSpec);
         }
         catch (Exception e)
         {
             if (!isOptional || Fx.IsFatal(e))
             {
                 throw;
             }
         }
     }
     for (int i = 0; i < supportingTokenParameters.SignedEncrypted.Count; ++i)
     {
         SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[i], SecurityTokenAttachmentMode.SignedEncrypted);
         try
         {
             System.IdentityModel.Selectors.SecurityTokenResolver      resolver;
             System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
             SupportingTokenAuthenticatorSpecification authenticatorSpec             = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[i], isOptional);
             authenticatorSpecList.Add(authenticatorSpec);
         }
         catch (Exception e)
         {
             if (!isOptional || Fx.IsFatal(e))
             {
                 throw;
             }
         }
     }
     for (int i = 0; i < supportingTokenParameters.Signed.Count; ++i)
     {
         SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[i], SecurityTokenAttachmentMode.Signed);
         try
         {
             System.IdentityModel.Selectors.SecurityTokenResolver      resolver;
             System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
             SupportingTokenAuthenticatorSpecification authenticatorSpec             = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[i], isOptional);
             authenticatorSpecList.Add(authenticatorSpec);
         }
         catch (Exception e)
         {
             if (!isOptional || Fx.IsFatal(e))
             {
                 throw;
             }
         }
     }
 }
        public void Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
        {
            Fx.Assert(ReaderQuotas != null, "Reader quotas must be set before processing");
            MessageProtectionOrder actualProtectionOrder = _protectionOrder;
            bool wasProtectionOrderDowngraded            = false;

            if (_protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature)
            {
                throw ExceptionHelper.PlatformNotSupported(); // No support for message encryption
            }

            _channelBinding           = channelBinding;
            _extendedProtectionPolicy = extendedProtectionPolicy;
            _orderTracker.SetRequiredProtectionOrder(actualProtectionOrder);

            SetProcessingStarted();
            _timeoutHelper = new TimeoutHelper(timeout);
            Message        = SecurityVerifiedMessage = new SecurityVerifiedMessage(Message, this);
            XmlDictionaryReader reader = CreateSecurityHeaderReader();

            reader.MoveToStartElement();
            if (reader.IsEmptyElement)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.SecurityHeaderIsEmpty), Message);
            }
            if (RequireMessageProtection)
            {
                _securityElementAttributes = XmlAttributeHolder.ReadAttributes(reader);
            }
            else
            {
                _securityElementAttributes = XmlAttributeHolder.emptyArray;
            }
            reader.ReadStartElement();

            if (_primaryTokenParameters != null)
            {
                _primaryTokenTracker = new TokenTracker(null, _outOfBandPrimaryToken, _allowFirstTokenMismatch);
            }
            // universalTokenResolver is used for resolving tokens
            _universalTokenResolver = new SecurityHeaderTokenResolver(this);
            // primary token resolver is used for resolving primary signature and decryption
            _primaryTokenResolver = new SecurityHeaderTokenResolver(this);
            if (_outOfBandPrimaryToken != null)
            {
                _universalTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters);
                _primaryTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters);
            }
            else if (_outOfBandPrimaryTokenCollection != null)
            {
                for (int i = 0; i < _outOfBandPrimaryTokenCollection.Count; ++i)
                {
                    _universalTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters);
                    _primaryTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters);
                }
            }
            if (_wrappingToken != null)
            {
                _universalTokenResolver.ExpectedWrapper = _wrappingToken;
                _universalTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters;
                _primaryTokenResolver.ExpectedWrapper = _wrappingToken;
                _primaryTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters;
            }

            if (_outOfBandTokenResolver == null)
            {
                CombinedUniversalTokenResolver = _universalTokenResolver;
                _combinedPrimaryTokenResolver  = _primaryTokenResolver;
            }
            else
            {
                CombinedUniversalTokenResolver = new AggregateSecurityHeaderTokenResolver(_universalTokenResolver, _outOfBandTokenResolver);
                _combinedPrimaryTokenResolver  = new AggregateSecurityHeaderTokenResolver(_primaryTokenResolver, _outOfBandTokenResolver);
            }

            _allowedAuthenticators = new List <SecurityTokenAuthenticator>();
            if (_primaryTokenAuthenticator != null)
            {
                _allowedAuthenticators.Add(_primaryTokenAuthenticator);
            }
            if (DerivedTokenAuthenticator != null)
            {
                _allowedAuthenticators.Add(DerivedTokenAuthenticator);
            }
            _pendingSupportingTokenAuthenticator = null;
            int numSupportingTokensRequiringDerivation = 0;

            if (_supportingTokenAuthenticators != null && _supportingTokenAuthenticators.Count > 0)
            {
                _supportingTokenTrackers = new List <TokenTracker>(_supportingTokenAuthenticators.Count);
                for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i)
                {
                    SupportingTokenAuthenticatorSpecification spec = _supportingTokenAuthenticators[i];
                    switch (spec.SecurityTokenAttachmentMode)
                    {
                    case SecurityTokenAttachmentMode.Endorsing:
                        _hasEndorsingOrSignedEndorsingSupportingTokens = true;
                        break;

                    case SecurityTokenAttachmentMode.Signed:
                        break;

                    case SecurityTokenAttachmentMode.SignedEndorsing:
                        _hasEndorsingOrSignedEndorsingSupportingTokens = true;
                        break;

                    case SecurityTokenAttachmentMode.SignedEncrypted:
                        break;
                    }

                    if ((_primaryTokenAuthenticator != null) && (_primaryTokenAuthenticator.GetType().Equals(spec.TokenAuthenticator.GetType())))
                    {
                        _pendingSupportingTokenAuthenticator = spec.TokenAuthenticator;
                    }
                    else
                    {
                        _allowedAuthenticators.Add(spec.TokenAuthenticator);
                    }
                    if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey &&
                        (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing))
                    {
                        ++numSupportingTokensRequiringDerivation;
                    }
                    _supportingTokenTrackers.Add(new TokenTracker(spec));
                }
            }

            if (DerivedTokenAuthenticator != null)
            {
                // we expect key derivation. Compute quotas for derived keys
                int maxKeyDerivationLengthInBits = AlgorithmSuite.DefaultEncryptionKeyDerivationLength >= AlgorithmSuite.DefaultSignatureKeyDerivationLength ?
                                                   AlgorithmSuite.DefaultEncryptionKeyDerivationLength : AlgorithmSuite.DefaultSignatureKeyDerivationLength;
                MaxDerivedKeyLength = maxKeyDerivationLengthInBits / 8;
                // the upper bound of derived keys is (1 for primary signature + 1 for encryption + supporting token signatures requiring derivation)*2
                // the multiplication by 2 is to take care of interop scenarios that may arise that require more derived keys than the lower bound.
                _maxDerivedKeys = (1 + 1 + numSupportingTokensRequiringDerivation) * 2;
            }

            SecurityHeaderElementInferenceEngine engine = SecurityHeaderElementInferenceEngine.GetInferenceEngine(Layout);

            engine.ExecuteProcessingPasses(this, reader);
            if (RequireMessageProtection)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            EnsureDecryptionComplete();

            _signatureTracker.SetDerivationSourceIfRequired();
            _encryptionTracker.SetDerivationSourceIfRequired();
            if (EncryptionToken != null)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            // ensure that the primary signature was signed with derived keys if required
            if (EnforceDerivedKeyRequirement)
            {
                if (SignatureToken != null)
                {
                    if (_primaryTokenParameters != null)
                    {
                        if (_primaryTokenParameters.RequireDerivedKeys && !_primaryTokenParameters.HasAsymmetricKey && !_primaryTokenTracker.IsDerivedFrom)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedKey, _primaryTokenParameters)));
                        }
                    }
                    else if (_wrappingTokenParameters != null && _wrappingTokenParameters.RequireDerivedKeys)
                    {
                        if (!_signatureTracker.IsDerivedToken)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedWrappedKey, _wrappingTokenParameters)));
                        }
                    }
                }

                // verify that the encryption is using key derivation
                if (EncryptionToken != null)
                {
                    throw ExceptionHelper.PlatformNotSupported();
                }
            }

            if (wasProtectionOrderDowngraded && (BasicSupportingTokens != null) && (BasicSupportingTokens.Count > 0))
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            // verify all supporting token parameters have their requirements met
            if (_supportingTokenTrackers != null && _supportingTokenTrackers.Count > 0)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            if (_replayDetectionEnabled)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            if (ExpectSignatureConfirmation)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }

            MarkHeaderAsUnderstood();
        }
        protected TokenTracker GetSupportingTokenTracker(SecurityTokenAuthenticator tokenAuthenticator, out SupportingTokenAuthenticatorSpecification spec)
        {
            spec = null;
            if (_supportingTokenAuthenticators == null)
            {
                return(null);
            }

            for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i)
            {
                if (_supportingTokenAuthenticators[i].TokenAuthenticator == tokenAuthenticator)
                {
                    spec = _supportingTokenAuthenticators[i];
                    return(_supportingTokenTrackers[i]);
                }
            }
            return(null);
        }
 public TokenTracker(SupportingTokenAuthenticatorSpecification spec, SecurityToken token, bool allowFirstTokenMismatch)
 {
     this.spec = spec;
     Token     = token;
     _allowFirstTokenMismatch = allowFirstTokenMismatch;
 }
 public TokenTracker(SupportingTokenAuthenticatorSpecification spec)
     : this(spec, null, false)
 {
 }
 private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList)
 {
     for (int i = 0; i < supportingTokenParameters.Endorsing.Count; i++)
     {
         SecurityTokenRequirement tokenRequirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing);
         try
         {
             SecurityTokenResolver resolver;
             SupportingTokenAuthenticatorSpecification item = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver), resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional);
             authenticatorSpecList.Add(item);
         }
         catch (Exception exception)
         {
             if (!isOptional || Fx.IsFatal(exception))
             {
                 throw;
             }
         }
     }
     for (int j = 0; j < supportingTokenParameters.SignedEndorsing.Count; j++)
     {
         SecurityTokenRequirement requirement2 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[j], SecurityTokenAttachmentMode.SignedEndorsing);
         try
         {
             SecurityTokenResolver resolver2;
             SupportingTokenAuthenticatorSpecification specification2 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement2, out resolver2), resolver2, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[j], isOptional);
             authenticatorSpecList.Add(specification2);
         }
         catch (Exception exception2)
         {
             if (!isOptional || Fx.IsFatal(exception2))
             {
                 throw;
             }
         }
     }
     for (int k = 0; k < supportingTokenParameters.SignedEncrypted.Count; k++)
     {
         SecurityTokenRequirement requirement3 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[k], SecurityTokenAttachmentMode.SignedEncrypted);
         try
         {
             SecurityTokenResolver resolver3;
             SupportingTokenAuthenticatorSpecification specification3 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement3, out resolver3), resolver3, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[k], isOptional);
             authenticatorSpecList.Add(specification3);
         }
         catch (Exception exception3)
         {
             if (!isOptional || Fx.IsFatal(exception3))
             {
                 throw;
             }
         }
     }
     for (int m = 0; m < supportingTokenParameters.Signed.Count; m++)
     {
         SecurityTokenRequirement requirement4 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[m], SecurityTokenAttachmentMode.Signed);
         try
         {
             SecurityTokenResolver resolver4;
             SupportingTokenAuthenticatorSpecification specification4 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement4, out resolver4), resolver4, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[m], isOptional);
             authenticatorSpecList.Add(specification4);
         }
         catch (Exception exception4)
         {
             if (!isOptional || Fx.IsFatal(exception4))
             {
                 throw;
             }
         }
     }
 }
 public TokenTracker(SupportingTokenAuthenticatorSpecification spec, SecurityToken token, bool allowFirstTokenMismatch)
 {
     this.spec = spec;
     this.token = token;
     this.allowFirstTokenMismatch = allowFirstTokenMismatch;
 }
 public TokenTracker(SupportingTokenAuthenticatorSpecification spec) : this(spec, null, false)
 {
 }