Ejemplo n.º 1
0
 public override Type GetTokenType(SecurityKeyIdentifierClause clause)
 {
     return(null);
 }
Ejemplo n.º 2
0
 /// <summary>
 /// <see cref="Saml2SecurityToken.MatchesKeyIdentifierClause"/>
 /// </summary>
 /// <param name="keyIdentifierClause"></param>
 /// <returns>Returns true if there is a normal match or if the id is <see cref="EncryptedAssertionId"/></returns>
 public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
 {
     return(base.MatchesKeyIdentifierClause(keyIdentifierClause) || OioWsTrust.EncryptedAssertionId == keyIdentifierClause.Id);
 }
Ejemplo n.º 3
0
 protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
 {
     key = ResolveSecurityKeyCore(keyIdentifierClause, true);
     return(key != null);
 }
Ejemplo n.º 4
0
        // This method returns a security key identifier that can be used to refer to the provided security token when
        // the provided token does not appear in the message
        private SecurityKeyIdentifier GetExternalSecurityKeyIdentifier(SecurityToken t)
        {
            // If t is null, we're toast
            if (t == null)
            {
                throw new ArgumentNullException("t");
            }

            // Set skiClause to null
            SecurityKeyIdentifierClause skiClause = null;

            // Try for an encrypted key reference first...
            if (t.CanCreateKeyIdentifierClause <EncryptedKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using EncryptedKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <EncryptedKeyIdentifierClause>();
            }
            // ... kerb token reference next...
            else if (t.CanCreateKeyIdentifierClause <KerberosTicketHashKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using KerberosTicketHashKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <KerberosTicketHashKeyIdentifierClause>();
            }
            // ... X509 thumbprint next...
            else if (t.CanCreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using X509ThumbprintKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
            }
            // ... X509 raw reference next...
            else if (t.CanCreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using X509RawDataKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>();
            }
            // ... X509 SKI next...
            else if (t.CanCreateKeyIdentifierClause <X509SubjectKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using X509SubjectKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause>();
            }
            // ... try for a binary secret...
            else if (t.CanCreateKeyIdentifierClause <BinarySecretKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using BinarySecretKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <BinarySecretKeyIdentifierClause>();
            }
            // ... then a X509IssuerSerial reference ...
            else if (t.CanCreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using X509IssuerSerialKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
            }
            // ... then a SAML assertion reference...
            else if (t.CanCreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using SamlAssertionKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>();
            }

            // ... then an RSA key reference...
            else if (t.CanCreateKeyIdentifierClause <RsaKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using RsaKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <RsaKeyIdentifierClause>();
            }
            // ... then a key name reference...
            else if (t.CanCreateKeyIdentifierClause <KeyNameIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using KeyNameIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <KeyNameIdentifierClause>();
            }
            // ... and finally an SCT reference...
            else if (t.CanCreateKeyIdentifierClause <SecurityContextKeyIdentifierClause>())
            {
                Console.WriteLine("GetExternalSecurityKeyIdentifier using SecurityContextKeyIdentifierClause");
                skiClause = t.CreateKeyIdentifierClause <SecurityContextKeyIdentifierClause>();
            }

            // return a SecurityKeyIdentifier
            return(new SecurityKeyIdentifier(skiClause));
        }
Ejemplo n.º 5
0
        internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
        {
            SecurityKeyIdentifierClause result = null;

            switch (this.x509ReferenceStyle)
            {
            default:
            case X509KeyIdentifierClauseType.Any:
                if (referenceStyle == SecurityTokenReferenceStyle.External)
                {
                    X509SecurityToken x509Token = token as X509SecurityToken;
                    if (x509Token != null)
                    {
                        X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
                        if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause))
                        {
                            result = x509KeyIdentifierClause;
                        }
                    }
                    else
                    {
                        X509WindowsSecurityToken windowsX509Token = token as X509WindowsSecurityToken;
                        if (windowsX509Token != null)
                        {
                            X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
                            if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out x509KeyIdentifierClause))
                            {
                                result = x509KeyIdentifierClause;
                            }
                        }
                    }

                    if (result == null)
                    {
                        result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
                    }
                    if (result == null)
                    {
                        result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
                    }
                }
                else
                {
                    result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
                }
                break;

            case X509KeyIdentifierClauseType.Thumbprint:
                result = this.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
                result = this.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.IssuerSerial:
                result = this.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
                result = this.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;
            }

            return(result);
        }
Ejemplo n.º 6
0
 protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
 {
     token = ResolveToken(keyIdentifierClause, false, true);
     return(token != null);
 }
Ejemplo n.º 7
0
        BodyWriter ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
        {
            ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;

            byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(),
                                                                  SecurityUtils.GetChannelBindingFromMessage(incomingMessage),
                                                                  this.extendedProtectionPolicy);

            if (sspiNegotiation.IsValidContext == false)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)), incomingMessage);
            }
            // if there is no blob to send back the nego must be complete from the server side
            if (outgoingBlob == null && sspiNegotiation.IsCompleted == false)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoBinaryNegoToSend)), incomingMessage);
            }
            BinaryNegotiation outgoingBinaryNegotiation;

            if (outgoingBlob != null)
            {
                outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
            }
            else
            {
                outgoingBinaryNegotiation = null;
            }
            BodyWriter replyBody;

            if (sspiNegotiation.IsCompleted)
            {
                ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = ValidateSspiNegotiation(sspiNegotiation);
                SecurityContextSecurityToken serviceToken;
                WrappedKeySecurityToken      proofToken;
                int issuedKeySize;
                IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize);
                negotiationState.SetServiceToken(serviceToken);

                SecurityKeyIdentifierClause externalTokenReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
                SecurityKeyIdentifierClause internalTokenReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);

                RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(this.StandardsManager);
                dummyRstr.Context   = negotiationState.Context;
                dummyRstr.KeySize   = issuedKeySize;
                dummyRstr.TokenType = this.SecurityContextTokenUri;
                if (outgoingBinaryNegotiation != null)
                {
                    dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                }
                dummyRstr.RequestedUnattachedReference = externalTokenReference;
                dummyRstr.RequestedAttachedReference   = internalTokenReference;
                dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo);
                if (negotiationState.AppliesTo != null)
                {
                    if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(
                                                                       negotiationState.AppliesTo),
                                                                   negotiationState.AppliesToSerializer);
                    }
                    else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(
                                                                               negotiationState.AppliesTo),
                                                                           negotiationState.AppliesToSerializer);
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
                    }
                }
                dummyRstr.MakeReadOnly();
                AddToDigest(negotiationState, dummyRstr, false);
                RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(this.StandardsManager);
                negotiationRstr.RequestedSecurityToken = serviceToken;

                negotiationRstr.RequestedProofToken = proofToken;
                negotiationRstr.Context             = negotiationState.Context;
                negotiationRstr.KeySize             = issuedKeySize;
                negotiationRstr.TokenType           = this.SecurityContextTokenUri;
                if (outgoingBinaryNegotiation != null)
                {
                    negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                }
                negotiationRstr.RequestedAttachedReference   = internalTokenReference;
                negotiationRstr.RequestedUnattachedReference = externalTokenReference;
                if (negotiationState.AppliesTo != null)
                {
                    if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        negotiationRstr.SetAppliesTo <EndpointAddress10>(
                            EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo),
                            negotiationState.AppliesToSerializer);
                    }
                    else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>(
                            EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo),
                            negotiationState.AppliesToSerializer);
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
                    }
                }
                negotiationRstr.MakeReadOnly();

                byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes());
                RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(this.StandardsManager);
                authenticatorRstr.Context = negotiationState.Context;
                authenticatorRstr.SetAuthenticator(authenticator);
                authenticatorRstr.MakeReadOnly();

                List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2);
                rstrList.Add(negotiationRstr);
                rstrList.Add(authenticatorRstr);
                replyBody = new RequestSecurityTokenResponseCollection(rstrList, this.StandardsManager);
            }
            else
            {
                RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(this.StandardsManager);
                rstr.Context = negotiationState.Context;
                rstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
                rstr.MakeReadOnly();
                AddToDigest(negotiationState, rstr, false);
                replyBody = rstr;
            }

            return(replyBody);
        }
Ejemplo n.º 8
0
        private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
        {
            token = null;
            key   = null;
            CertMatcher certMatcher = null;

            // for SAML tokens the highest probability are certs, with RawData first
            X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;

            if (rawCertKeyIdentifierClause != null)
            {
                certMatcher = rawCertKeyIdentifierClause.Matches;
            }
            else
            {
                X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
                if (subjectKeyIdentifierClause != null)
                {
                    certMatcher = subjectKeyIdentifierClause.Matches;
                }
                else
                {
                    X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
                    if (thumbprintKeyIdentifierClause != null)
                    {
                        certMatcher = thumbprintKeyIdentifierClause.Matches;
                    }
                    else
                    {
                        X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
                        if (issuerKeyIdentifierClause != null)
                        {
                            certMatcher = issuerKeyIdentifierClause.Matches;
                        }
                    }
                }
            }

            if (_validationParameters.IssuerSigningKeyResolver != null)
            {
                key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
                if (key != null)
                {
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningKey != null)
            {
                if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token))
                {
                    key = _validationParameters.IssuerSigningKey;
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningKeys != null)
            {
                foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
                {
                    if (Matches(keyIdentifierClause, securityKey, certMatcher, out token))
                    {
                        key = securityKey;
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            if (_validationParameters.IssuerSigningToken != null)
            {
                if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                {
                    token             = _validationParameters.IssuerSigningToken;
                    key               = token.SecurityKeys[0];
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningTokens != null)
            {
                foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
                {
                    if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                    {
                        token             = issuerToken;
                        key               = token.SecurityKeys[0];
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            return(this.IsKeyMatched);
        }
Ejemplo n.º 9
0
 protected override bool CanWriteKeyIdentifierClauseCore(SecurityKeyIdentifierClause keyIdentifierClause)
 {
     throw new NotImplementedException();
 }
Ejemplo n.º 10
0
 protected override void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
 {
     throw new NotImplementedException();
 }
Ejemplo n.º 11
0
 internal bool TryCreateKeyIdentifierClauseFromTokenXml(XmlElement element, SecurityTokenReferenceStyle tokenReferenceStyle, out SecurityKeyIdentifierClause securityKeyIdentifierClause)
 {
     return(this.WSSecurityTokenSerializer.TryCreateKeyIdentifierClauseFromTokenXml(element, tokenReferenceStyle, out securityKeyIdentifierClause));
 }
Ejemplo n.º 12
0
        internal protected virtual bool MatchesKeyIdentifierClause(SecurityToken token, SecurityKeyIdentifierClause keyIdentifierClause, SecurityTokenReferenceStyle referenceStyle)
        {
            if (token == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(token));
            }

            if (token is GenericXmlSecurityToken)
            {
                return(MatchesGenericXmlTokenKeyIdentifierClause(token, keyIdentifierClause, referenceStyle));
            }

            bool result;

            switch (referenceStyle)
            {
            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(
                                                                              SR.Format(SR.TokenDoesNotSupportKeyIdentifierClauseCreation, token.GetType().Name, referenceStyle)));

            case SecurityTokenReferenceStyle.External:
                if (keyIdentifierClause is LocalIdKeyIdentifierClause)
                {
                    result = false;
                }
                else
                {
                    result = token.MatchesKeyIdentifierClause(keyIdentifierClause);
                }

                break;

            case SecurityTokenReferenceStyle.Internal:
                result = token.MatchesKeyIdentifierClause(keyIdentifierClause);
                break;
            }

            return(result);
        }
Ejemplo n.º 13
0
        public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
        {
            BinarySecretKeyIdentifierClause objB = keyIdentifierClause as BinarySecretKeyIdentifierClause;

            return(object.ReferenceEquals(this, objB) || ((objB != null) && objB.Matches(base.GetRawBuffer())));
        }
Ejemplo n.º 14
0
 public virtual SecurityToken CreateDerivedKeyToken(string id, string derivationAlgorithm, string label, int length, byte[] nonce, int offset, int generation, SecurityKeyIdentifierClause tokenToDeriveIdentifier, SecurityToken tokenToDerive)
 {
     return(this.derivedKeyEntry.CreateDerivedKeyToken(id, derivationAlgorithm, label, length, nonce, offset, generation, tokenToDeriveIdentifier, tokenToDerive));
 }
Ejemplo n.º 15
0
 public RequestSecurityTokenResponse(XmlElement requestSecurityTokenResponseXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed) : this(SecurityStandardsManager.DefaultInstance, requestSecurityTokenResponseXml, context, tokenType, keySize, requestedAttachedReference, requestedUnattachedReference, computeKey, validFrom, validTo, isRequestedTokenClosed, null)
 {
 }
Ejemplo n.º 16
0
 public abstract void WriteContent(XmlDictionaryWriter writer, SecurityKeyIdentifierClause clause);
Ejemplo n.º 17
0
 public RequestSecurityTokenResponse(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer securityTokenSerializer, XmlElement requestSecurityTokenResponseXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed) : this(System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(messageSecurityVersion, securityTokenSerializer), requestSecurityTokenResponseXml, context, tokenType, keySize, requestedAttachedReference, requestedUnattachedReference, computeKey, validFrom, validTo, isRequestedTokenClosed, null)
 {
 }
Ejemplo n.º 18
0
        /// <summary>
        /// Returns a <see cref="SecurityKey"/> that matches the <see cref="SecurityKeyIdentifierClause"/>
        /// </summary>
        /// <param name="keyIdentifierClause">clause to match.</param>
        /// <param name="key">key to assign.</param>
        /// <returns>true if matched.</returns>
        protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
        {
            SecurityToken token = null;

            return(ResolvesToSigningToken(keyIdentifierClause, out key, out token));
        }
Ejemplo n.º 19
0
 internal RequestSecurityTokenResponse(SecurityStandardsManager standardsManager, XmlElement rstrXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed, XmlBuffer issuedTokenBuffer) : base(true)
 {
     this.thisLock = new object();
     if (standardsManager == null)
     {
         throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("standardsManager"));
     }
     this.standardsManager = standardsManager;
     if (rstrXml == null)
     {
         throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstrXml");
     }
     this.rstrXml   = rstrXml;
     this.context   = context;
     this.tokenType = tokenType;
     this.keySize   = keySize;
     this.requestedAttachedReference   = requestedAttachedReference;
     this.requestedUnattachedReference = requestedUnattachedReference;
     this.computeKey             = computeKey;
     this.effectiveTime          = validFrom.ToUniversalTime();
     this.expirationTime         = validTo.ToUniversalTime();
     this.isLifetimeSet          = true;
     this.isRequestedTokenClosed = isRequestedTokenClosed;
     this.issuedTokenBuffer      = issuedTokenBuffer;
     this.isReceiver             = true;
     this.isReadOnly             = true;
 }
Ejemplo n.º 20
0
        internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
        {
            if (keyIdentifierClause == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
            }

            SecurityToken resolvedToken = null;

            for (int i = 0; i < this.tokenCount; i++)
            {
                if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
                {
                    continue;
                }

                SecurityToken token = tokens[i].Token;
                if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle))
                {
                    resolvedToken = token;
                    break;
                }
                else if (tokens[i].TokenParameters == null)
                {
                    // match it according to the allowed reference style
                    if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
                    {
                        resolvedToken = token;
                        break;
                    }
                }
            }

            if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
            {
                EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
                SecurityKeyIdentifier        wrappingTokenReference = keyClause.EncryptingKeyIdentifier;
                SecurityToken unwrappingToken;
                if (this.expectedWrapper != null &&
                    CheckExternalWrapperMatch(wrappingTokenReference))
                {
                    unwrappingToken = this.expectedWrapper;
                }
                else
                {
                    unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause);
                }
                if (unwrappingToken != null)
                {
                    resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken);
                }
            }
            if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
            {
                resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
            }
            byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
            if ((resolvedToken != null) && (derivationNonce != null))
            {
                // A Implicit Derived Key is specified. Create a derived key off of the resolve token.
                if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null)
                {
                    // The resolved token contains no Symmetric Security key and thus we cannot create
                    // a derived key off of it.
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
                }

                int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
                if (derivationLength > this.securityHeader.MaxDerivedKeyLength)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength)));
                }
                bool alreadyDerived = false;
                for (int i = 0; i < this.tokenCount; ++i)
                {
                    DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken;
                    if (derivedKeyToken != null)
                    {
                        if ((derivedKeyToken.Length == derivationLength) &&
                            (CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) &&
                            (derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
                        {
                            // This is a implcit derived key for which we have already derived the
                            // token.
                            resolvedToken  = this.tokens[i].Token;
                            alreadyDerived = true;
                            break;
                        }
                    }
                }

                if (!alreadyDerived)
                {
                    string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);

                    resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
                    ((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
                    Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
                    this.securityHeader.EnsureDerivedKeyLimitNotReached();
                }
            }

            return(resolvedToken);
        }
Ejemplo n.º 21
0
 protected abstract bool CanWriteKeyIdentifierClauseCore(SecurityKeyIdentifierClause keyIdentifierClause);
Ejemplo n.º 22
0
 internal bool TryResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternalTokens, bool resolveIntrinsicKeyClause, out SecurityToken token)
 {
     token = ResolveToken(keyIdentifierClause, matchOnlyExternalTokens, resolveIntrinsicKeyClause);
     return(token != null);
 }
Ejemplo n.º 23
0
 protected abstract void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause);
Ejemplo n.º 24
0
        void ExtractSecurity()
        {
            if (security.MessageProtectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature &&
                wss_header.Find <SignedXml> () != null)
            {
                throw new MessageSecurityException("The security binding element expects that the message signature is encrypted, while it isn't.");
            }

            WrappedKeySecurityToken wk = wss_header.Find <WrappedKeySecurityToken> ();
            DerivedKeySecurityToken dk = wss_header.Find <DerivedKeySecurityToken> ();

            if (wk != null)
            {
                if (Parameters.RequireDerivedKeys && dk == null)
                {
                    throw new MessageSecurityException("DerivedKeyToken is required in this contract, but was not found in the message");
                }
            }
            else
            {
                // FIXME: this is kind of hack for symmetric reply processing.
                wk = RequestSecurity.ProtectionToken != null ? RequestSecurity.ProtectionToken.SecurityToken as WrappedKeySecurityToken : null;
            }

            SymmetricSecurityKey wkkey = wk != null ? wk.SecurityKeys [0] as SymmetricSecurityKey : null;

            wss_header_reader.DecryptSecurity(this, wkkey, RequestSecurity != null ? RequestSecurity.EncryptionKey : null);

            // signature confirmation
            WSSignedXml sxml = wss_header.Find <WSSignedXml> ();

            if (sxml == null)
            {
                throw new MessageSecurityException("The the message signature is expected but not found.");
            }

            bool confirmed = false;

            SecurityKeyIdentifierClause sigClause = null;

            foreach (KeyInfoClause kic in sxml.KeyInfo)
            {
                SecurityTokenReferenceKeyInfo r = kic as SecurityTokenReferenceKeyInfo;
                if (r != null)
                {
                    sigClause = r.Clause;
                }
            }
            if (sigClause == null)
            {
                throw new MessageSecurityException("SecurityTokenReference was not found in dsig:Signature KeyInfo.");
            }

            SecurityToken signToken;
            SecurityKey   signKey;

            signToken = TokenResolver.ResolveToken(sigClause);
            signKey   = signToken.ResolveKeyIdentifierClause(sigClause);
            SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;

            if (symkey != null)
            {
                confirmed = sxml.CheckSignature(new HMACSHA1(symkey.GetSymmetricKey()));
                if (wk != null)
                {
                    // FIXME: authenticate token
                    sec_prop.ProtectionToken = new SecurityTokenSpecification(wk, null);
                }
            }
            else
            {
                AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, false);
                confirmed = sxml.CheckSignature(alg);
                sec_prop.InitiatorToken = new SecurityTokenSpecification(
                    signToken,
                    security.TokenAuthenticator.ValidateToken(signToken));
            }
            if (!confirmed)
            {
                throw new MessageSecurityException("Message signature is invalid.");
            }

            // token authentication
            // FIXME: it might not be limited to recipient
            if (Direction == MessageDirection.Input)
            {
                ProcessSupportingTokens(sxml);
            }

            sec_prop.EncryptionKey = ((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey();
            sec_prop.ConfirmedSignatures.Add(Convert.ToBase64String(sxml.SignatureValue));
        }
Ejemplo n.º 25
0
 public abstract void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause);
Ejemplo n.º 26
0
 protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
 {
     throw new NotImplementedException();
 }
Ejemplo n.º 27
0
 public abstract Type GetTokenType(SecurityKeyIdentifierClause clause);
Ejemplo n.º 28
0
 public override bool SupportsCore(SecurityKeyIdentifierClause clause)
 {
     return(clause is SecurityContextKeyIdentifierClause);
 }
Ejemplo n.º 29
0
 public abstract bool SupportsCore(SecurityKeyIdentifierClause clause);
Ejemplo n.º 30
0
 public virtual bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
 {
     return ReferenceEquals(this, keyIdentifierClause);
 }
Ejemplo n.º 31
0
 public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive)
 {
     this.derivedKeyEntry.ReadDerivedKeyTokenParameters(reader, tokenResolver, out id, out derivationAlgorithm, out label, out length, out nonce, out offset, out generation, out tokenToDeriveIdentifier, out tokenToDerive);
 }