public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
: base(messageToProcess)
{
this.securityHeader = securityHeader;
if (securityHeader.RequireMessageProtection)
{
XmlDictionaryReader messageReader;
BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage;
if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders)
{
messageReader = bufferedMessage.GetMessageReader();
}
else
{
this.messageBuffer = new XmlBuffer(int.MaxValue);
XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas);
this.InnerMessage.WriteMessage(writer);
this.messageBuffer.CloseSection();
this.messageBuffer.Close();
messageReader = this.messageBuffer.GetReader(0);
}
MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
this.cachedReaderAtSecurityHeader = messageReader;
this.state = BodyState.Buffered;
}
else
{
this.envelopeAttributes = XmlAttributeHolder.emptyArray;
this.headerAttributes = XmlAttributeHolder.emptyArray;
this.bodyAttributes = XmlAttributeHolder.emptyArray;
this.canDelegateCreateBufferedCopyToInnerMessage = true;
}
}
public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
: base(messageToProcess)
{
this.securityHeader = securityHeader;
if (securityHeader.RequireMessageProtection)
{
XmlDictionaryReader messageReader;
BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage;
if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders)
{
messageReader = bufferedMessage.GetMessageReader();
}
else
{
this.messageBuffer = new XmlBuffer(int.MaxValue);
XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas);
this.InnerMessage.WriteMessage(writer);
this.messageBuffer.CloseSection();
this.messageBuffer.Close();
messageReader = this.messageBuffer.GetReader(0);
}
MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
this.cachedReaderAtSecurityHeader = messageReader;
this.state = BodyState.Buffered;
}
else
{
this.envelopeAttributes = XmlAttributeHolder.emptyArray;
this.headerAttributes = XmlAttributeHolder.emptyArray;
this.bodyAttributes = XmlAttributeHolder.emptyArray;
this.canDelegateCreateBufferedCopyToInnerMessage = true;
}
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
IList <SupportingTokenAuthenticatorSpecification> list;
SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory;
ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list);
List <SecurityToken> incomingSessionTokens = this.GetIncomingSessionTokens();
securityHeader.ConfigureSymmetricBindingClientReceiveHeader(incomingSessionTokens, this.Factory.SecurityTokenParameters);
securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value;
base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
SecurityToken signatureToken = securityHeader.SignatureToken;
bool flag = false;
for (int i = 0; i < incomingSessionTokens.Count; i++)
{
if (object.ReferenceEquals(signatureToken, incomingSessionTokens[i]))
{
flag = true;
break;
}
}
if (!flag)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
}
if (factory.RequireIntegrity)
{
ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signatureToken);
base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies);
}
return(null);
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory;
IList <SupportingTokenAuthenticatorSpecification> dummyAuthenticators;
ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out dummyAuthenticators);
List <SecurityToken> sessionTokens = GetIncomingSessionTokens();
securityHeader.ConfigureSymmetricBindingClientReceiveHeader(sessionTokens, this.Factory.SecurityTokenParameters);
// do not enforce the key derivation requirement for CancelResponse due to WSE interop
securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value);
ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
SecurityToken signingToken = securityHeader.SignatureToken;
// verify that the signing token was one of the session tokens
bool isSessionToken = false;
for (int i = 0; i < sessionTokens.Count; ++i)
{
if (Object.ReferenceEquals(signingToken, sessionTokens[i]))
{
isSessionToken = true;
break;
}
}
if (!isSessionToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
}
if (factory.RequireIntegrity)
{
ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signingToken);
DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies);
}
return(null);
}
protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message,
SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays;
securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew);
securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy);
if (this.factory.AddTimestamp && securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
}
if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message);
}
if (this.DoAutomaticEncryptionMatch)
{
SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message);
}
if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator)
{
CheckSignatureConfirmation(securityHeader, correlationStates);
}
message = securityHeader.ProcessedMessage;
}
protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators)
{
System.ServiceModel.Security.MessageSecurityProtocolFactory messageSecurityProtocolFactory = this.MessageSecurityProtocolFactory;
MessageDirection transferDirection = messageSecurityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input;
ReceiveSecurityHeader securityHeader = this.CreateSecurityHeader(message, actor, transferDirection, standardsManager);
string action = message.Headers.Action;
supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader);
if (messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens)
{
securityHeader.RequiredSignatureParts = messageSecurityProtocolFactory.GetIncomingSignatureParts(action);
}
if (messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens)
{
securityHeader.RequiredEncryptionParts = messageSecurityProtocolFactory.GetIncomingEncryptionParts(action);
}
securityHeader.ExpectEncryption = messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens;
securityHeader.ExpectSignature = messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens;
securityHeader.SetRequiredProtectionOrder(messageSecurityProtocolFactory.MessageProtectionOrder);
if ((messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation) && this.HasCorrelationState(correlationStates))
{
securityHeader.MaintainSignatureConfirmationState = true;
securityHeader.ExpectSignatureConfirmation = true;
return(securityHeader);
}
if (!messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation)
{
securityHeader.MaintainSignatureConfirmationState = true;
return(securityHeader);
}
securityHeader.MaintainSignatureConfirmationState = false;
return(securityHeader);
}
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader)
{
this.securityHeader = securityHeader;
this.elements = new ReceiveSecurityHeaderEntry[8];
if (securityHeader.RequireMessageProtection)
{
this.headerIds = new string[securityHeader.ProcessedMessage.Headers.Count];
}
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
securityHeader.ExecuteReadingPass(reader);
securityHeader.ExecuteDerivedKeyTokenStubPass(false);
securityHeader.ExecuteSubheaderDecryptionPass();
securityHeader.ExecuteDerivedKeyTokenStubPass(true);
this.MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
securityHeader.ExecuteSignatureEncryptionProcessingPass();
}
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader)
{
_securityHeader = securityHeader;
_elements = new ReceiveSecurityHeaderEntry[InitialCapacity];
if (securityHeader.RequireMessageProtection)
{
_headerIds = new string[securityHeader.ProcessedMessage.Headers.Count];
}
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
securityHeader.ExecuteReadingPass(reader);
securityHeader.ExecuteDerivedKeyTokenStubPass(false);
securityHeader.ExecuteSubheaderDecryptionPass();
securityHeader.ExecuteDerivedKeyTokenStubPass(true);
this.MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
securityHeader.ExecuteSignatureEncryptionProcessingPass();
}
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
{
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor,
this.Factory.IncomingAlgorithmSuite, MessageDirection.Input);
securityHeader.RequireMessageProtection = false;
securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader);
ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList);
if (supportingAuthenticators != null && supportingAuthenticators.Count > 0)
{
supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]);
}
else
{
supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList;
}
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers);
securityHeader.ExpectEndorsingTokens = true;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
securityHeader.ReplayDetectionEnabled = this.Factory.DetectReplays;
securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew);
// do not enforce key derivation requirement for Cancel messages due to WSE interop
securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy);
if (securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
}
bool didSessionSctEndorse = false;
if (securityHeader.EndorsingSupportingTokens != null)
{
for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i)
{
SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken);
if (signingSct != null && signingSct.ContextId == this.sessionId)
{
didSessionSctEndorse = true;
break;
}
}
}
if (!didSessionSctEndorse)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
}
message = securityHeader.ProcessedMessage;
AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens,
securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
base.OnIncomingMessageVerified(message);
}
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
{
string actor = string.Empty;
ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input);
securityHeader.RequireMessageProtection = false;
securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader);
ReadOnlyCollection <SecurityTokenResolver> outOfBandResolvers = base.MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList);
if ((supportingAuthenticators != null) && (supportingAuthenticators.Count > 0))
{
supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]);
}
else
{
supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList;
}
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(outOfBandResolvers);
securityHeader.ExpectEndorsingTokens = true;
TimeoutHelper helper = new TimeoutHelper(timeout);
securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew);
securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value;
securityHeader.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy);
if (securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("RequiredTimestampMissingInSecurityHeader")));
}
bool flag = false;
if (securityHeader.EndorsingSupportingTokens != null)
{
for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; i++)
{
SecurityContextSecurityToken token = securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken;
if ((token != null) && (token.ContextId == this.sessionId))
{
flag = true;
break;
}
}
}
if (!flag)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
}
message = securityHeader.ProcessedMessage;
base.AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
base.OnIncomingMessageVerified(message);
}
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message, string actor, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
ReceiveSecurityHeader header = this.TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);
if (header != null)
{
return(header);
}
if (string.IsNullOrEmpty(actor))
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message);
}
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message);
}
protected ReceiveSecurityHeader CreateSecurityHeader(Message message, string actor, MessageDirection transferDirection, SecurityStandardsManager standardsManager)
{
standardsManager = standardsManager ?? this.factory.StandardsManager;
ReceiveSecurityHeader header = standardsManager.CreateReceiveSecurityHeader(message, actor, this.factory.IncomingAlgorithmSuite, transferDirection);
header.Layout = this.factory.SecurityHeaderLayout;
header.MaxReceivedMessageSize = this.factory.SecurityBindingElement.MaxReceivedMessageSize;
header.ReaderQuotas = this.factory.SecurityBindingElement.ReaderQuotas;
if (this.factory.ExpectKeyDerivation)
{
header.DerivedTokenAuthenticator = this.factory.DerivedKeyTokenAuthenticator;
}
return(header);
}
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
{
bool flag;
bool flag2;
bool flag3;
TransportSecurityProtocolFactory securityProtocolFactory = (TransportSecurityProtocolFactory)base.SecurityProtocolFactory;
string actor = string.Empty;
ReceiveSecurityHeader header = securityProtocolFactory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, securityProtocolFactory.IncomingAlgorithmSuite, securityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input);
IList <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = securityProtocolFactory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag3, out flag, out flag2);
if (header == null)
{
bool flag4 = (flag2 || flag3) || flag;
if ((securityProtocolFactory.ActAsInitiator && (!securityProtocolFactory.AddTimestamp || securityProtocolFactory.SecurityBindingElement.EnableUnsecuredResponse)) || ((!securityProtocolFactory.ActAsInitiator && !securityProtocolFactory.AddTimestamp) && !flag4))
{
return;
}
if (string.IsNullOrEmpty(actor))
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message);
}
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message);
}
header.RequireMessageProtection = false;
header.ExpectBasicTokens = flag;
header.ExpectSignedTokens = flag3;
header.ExpectEndorsingTokens = flag2;
header.MaxReceivedMessageSize = securityProtocolFactory.SecurityBindingElement.MaxReceivedMessageSize;
header.ReaderQuotas = securityProtocolFactory.SecurityBindingElement.ReaderQuotas;
TimeoutHelper helper = new TimeoutHelper(timeout);
if (!securityProtocolFactory.ActAsInitiator)
{
header.ConfigureTransportBindingServerReceiveHeader(supportingTokenAuthenticators);
header.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(supportingTokenAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
if (securityProtocolFactory.ExpectKeyDerivation)
{
header.DerivedTokenAuthenticator = securityProtocolFactory.DerivedKeyTokenAuthenticator;
}
}
header.SetTimeParameters(securityProtocolFactory.NonceCache, securityProtocolFactory.ReplayWindow, securityProtocolFactory.MaxClockSkew);
header.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), securityProtocolFactory.ExtendedProtectionPolicy);
message = header.ProcessedMessage;
if (!securityProtocolFactory.ActAsInitiator)
{
this.AttachRecipientSecurityProperty(message, header.BasicSupportingTokens, header.EndorsingSupportingTokens, header.SignedEndorsingSupportingTokens, header.SignedSupportingTokens, header.SecurityTokenAuthorizationPoliciesMapping);
}
base.OnIncomingMessageVerified(message);
}
protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators)
{
MessageSecurityProtocolFactory factory = this.MessageSecurityProtocolFactory;
MessageDirection direction = factory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input;
ReceiveSecurityHeader securityHeader = CreateSecurityHeader(message, actor, direction, standardsManager);
string action = message.Headers.Action;
supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader);
if (factory.RequireIntegrity || securityHeader.ExpectSignedTokens)
{
securityHeader.RequiredSignatureParts = factory.GetIncomingSignatureParts(action);
}
if (factory.RequireConfidentiality || securityHeader.ExpectBasicTokens)
{
securityHeader.RequiredEncryptionParts = factory.GetIncomingEncryptionParts(action);
}
securityHeader.ExpectEncryption = factory.RequireConfidentiality || securityHeader.ExpectBasicTokens;
securityHeader.ExpectSignature = factory.RequireIntegrity || securityHeader.ExpectSignedTokens;
securityHeader.SetRequiredProtectionOrder(factory.MessageProtectionOrder);
// On the receiving side if protectTokens is enabled
// 1. If we are service, we make sure that the client always signs the primary token( can be any token type)else we throw.
// But currently the service can sign the primary token in reply only if the primary token is an issued token
// 2. If we are client, we do not care if the service signs the primary token or not. Otherwise it will be impossible to have a wcf client /service talk to each other unless we
// either use a symmetric binding with issued tokens or asymmetric bindings with both the intiator and recipient parameters being issued tokens( later one is rare).
securityHeader.RequireSignedPrimaryToken = !factory.ActAsInitiator && factory.SecurityBindingElement.ProtectTokens;
if (factory.ActAsInitiator && factory.DoRequestSignatureConfirmation && HasCorrelationState(correlationStates))
{
securityHeader.MaintainSignatureConfirmationState = true;
securityHeader.ExpectSignatureConfirmation = true;
}
else if (!factory.ActAsInitiator && factory.DoRequestSignatureConfirmation)
{
securityHeader.MaintainSignatureConfirmationState = true;
}
else
{
securityHeader.MaintainSignatureConfirmationState = false;
}
return(securityHeader);
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
// pass 1
securityHeader.ExecuteReadingPass(reader);
// pass 1.5
securityHeader.ExecuteDerivedKeyTokenStubPass(false);
// pass 2
securityHeader.ExecuteSubheaderDecryptionPass();
// pass 2.5
securityHeader.ExecuteDerivedKeyTokenStubPass(true);
// layout-specific inferences
MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
// pass 3
securityHeader.ExecuteSignatureEncryptionProcessingPass();
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
IList <SupportingTokenAuthenticatorSpecification> list;
SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory;
ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list);
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, list);
securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.sessionResolverList));
securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value;
base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
SecurityToken signatureToken = securityHeader.SignatureToken;
SecurityContextSecurityToken token2 = signatureToken as SecurityContextSecurityToken;
if ((token2 == null) || (token2.ContextId != this.sessionId))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
}
base.AttachRecipientSecurityProperty(message, signatureToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
return(base.GetCorrelationState(null, securityHeader));
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
// pass 1
securityHeader.ExecuteReadingPass(reader);
// pass 1.5
securityHeader.ExecuteDerivedKeyTokenStubPass(false);
// pass 2
securityHeader.ExecuteSubheaderDecryptionPass();
// pass 2.5
securityHeader.ExecuteDerivedKeyTokenStubPass(true);
// layout-specific inferences
MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
// pass 3
securityHeader.ExecuteSignatureEncryptionProcessingPass();
}
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message,
string actor,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
ReceiveSecurityHeader header = TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);
if (header == null)
{
if (String.IsNullOrEmpty(actor))
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
}
else
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
}
}
return(header);
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, (this.requireDerivedKeys) ? this.sessionStandardsManager : null, out supportingAuthenticators);
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.sessionResolverList));
// do not enforce key derivation requirement for Cancel messages due to WSE interop
securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
SecurityToken signingToken = securityHeader.SignatureToken;
SecurityContextSecurityToken signingSct = (signingToken as SecurityContextSecurityToken);
if (signingSct == null || signingSct.ContextId != sessionId)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
}
AttachRecipientSecurityProperty(message, signingToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
return(GetCorrelationState(null, securityHeader));
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
securityHeader.ExecuteFullPass(reader);
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations sentSignatures = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; ++i)
{
if (correlationStates[i].SignatureConfirmations != null)
{
sentSignatures = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (sentSignatures == null)
{
if (receivedConfirmations != null && receivedConfirmations.Count > 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations)));
}
return;
}
bool allSignaturesConfirmed = false;
if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count)
{
bool[] matchingSigIndexes = new bool[sentSignatures.Count];
for (int i = 0; i < sentSignatures.Count; ++i)
{
byte[] sentSignature;
bool wasSentSigEncrypted;
sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted);
for (int j = 0; j < receivedConfirmations.Count; ++j)
{
byte[] receivedSignature;
bool wasReceivedSigEncrypted;
if (matchingSigIndexes[j])
{
continue;
}
receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted);
if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature))
{
matchingSigIndexes[j] = true;
break;
}
}
}
int k;
for (k = 0; k < matchingSigIndexes.Length; ++k)
{
if (!matchingSigIndexes[k])
{
break;
}
}
if (k == matchingSigIndexes.Length)
{
allSignaturesConfirmed = true;
}
}
if (!allSignaturesConfirmed)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed)));
}
}
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
securityHeader.ExecuteFullPass(reader);
}
protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader)
{
SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken);
if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator)
{
result.SignatureConfirmations = securityHeader.GetSentSignatureValues();
}
return result;
}
protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message,
SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays;
securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew);
securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy);
if (this.factory.AddTimestamp && securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
}
if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message);
}
if (this.DoAutomaticEncryptionMatch)
{
SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message);
}
if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator)
{
CheckSignatureConfirmation(securityHeader, correlationStates);
}
message = securityHeader.ProcessedMessage;
}
protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader)
{
SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken);
if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator)
{
result.SignatureConfirmations = securityHeader.GetSentSignatureValues();
}
return(result);
}
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
{
this.tokens = new SecurityTokenEntry[10];
this.securityHeader = securityHeader;
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations signatureConfirmations = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; i++)
{
if (correlationStates[i].SignatureConfirmations != null)
{
signatureConfirmations = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (signatureConfirmations == null)
{
if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations")));
}
}
else
{
bool flag = false;
if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count))
{
bool[] flagArray = new bool[signatureConfirmations.Count];
for (int j = 0; j < signatureConfirmations.Count; j++)
{
byte[] buffer;
bool flag2;
signatureConfirmations.GetConfirmation(j, out buffer, out flag2);
for (int k = 0; k < sentSignatureConfirmations.Count; k++)
{
if (!flagArray[k])
{
byte[] buffer2;
bool flag3;
sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3);
if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer))
{
flagArray[k] = true;
break;
}
}
}
}
int index = 0;
while (index < flagArray.Length)
{
if (!flagArray[index])
{
break;
}
index++;
}
if (index == flagArray.Length)
{
flag = true;
}
}
if (!flag)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed")));
}
}
}
public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(System.ServiceModel.Security.SecurityProtocolFactory factory, Message message, ReceiveSecurityHeader securityHeader)
{
bool flag;
bool flag2;
bool flag3;
if (factory.ActAsInitiator)
{
return null;
}
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
IList<SupportingTokenAuthenticatorSpecification> list = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag2, out flag, out flag3);
securityHeader.ExpectBasicTokens = flag;
securityHeader.ExpectEndorsingTokens = flag3;
securityHeader.ExpectSignedTokens = flag2;
return list;
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
AsymmetricSecurityProtocolFactory factory = this.Factory;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators);
SecurityToken requiredReplySigningToken = null;
if (factory.ActAsInitiator)
{
SecurityToken encryptionToken = null;
SecurityToken receiverToken = null;
if (factory.RequireIntegrity)
{
receiverToken = GetToken(this.initiatorAsymmetricTokenProvider, null, timeoutHelper.RemainingTime());
requiredReplySigningToken = receiverToken;
}
if (factory.RequireConfidentiality)
{
encryptionToken = GetCorrelationToken(correlationStates);
if (!SecurityUtils.HasSymmetricSecurityKey(encryptionToken))
{
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
}
}
SecurityTokenAuthenticator primaryTokenAuthenticator;
if (factory.AllowSerializedSigningTokenOnReply)
{
primaryTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator;
requiredReplySigningToken = null;
}
else
{
primaryTokenAuthenticator = null;
}
securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(receiverToken,
factory.AsymmetricTokenParameters, encryptionToken, factory.CryptoTokenParameters,
primaryTokenAuthenticator);
}
else
{
SecurityToken wrappingToken;
if (this.Factory.RecipientAsymmetricTokenProvider != null && this.Factory.RequireConfidentiality)
{
wrappingToken = GetToken(factory.RecipientAsymmetricTokenProvider, null, timeoutHelper.RemainingTime());
}
else
{
wrappingToken = null;
}
securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator,
this.Factory.CryptoTokenParameters, wrappingToken, this.Factory.AsymmetricTokenParameters, supportingAuthenticators);
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList));
}
ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates);
SecurityToken signingToken = securityHeader.SignatureToken;
SecurityToken encryptingToken = securityHeader.EncryptionToken;
if (factory.RequireIntegrity)
{
if (factory.ActAsInitiator)
{
ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signingToken);
EnsureNonWrappedToken(signingToken, message);
DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptingToken, signingToken, signingTokenPolicies);
}
else
{
EnsureNonWrappedToken(signingToken, message);
AttachRecipientSecurityProperty(message, signingToken, encryptingToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
}
return(GetCorrelationState(signingToken, securityHeader));
}
protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(SecurityProtocolFactory factory, Message message,
ReceiveSecurityHeader securityHeader)
{
if (factory.ActAsInitiator)
{
return null;
}
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
bool expectBasicTokens;
bool expectSignedTokens;
bool expectEndorsingTokens;
IList<SupportingTokenAuthenticatorSpecification> authenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens);
securityHeader.ExpectBasicTokens = expectBasicTokens;
securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
securityHeader.ExpectSignedTokens = expectSignedTokens;
return authenticators;
}
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
{
TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)this.SecurityProtocolFactory;
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input);
bool expectBasicTokens;
bool expectEndorsingTokens;
bool expectSignedTokens;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens);
if (securityHeader == null)
{
bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens;
if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) ||
(!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens))
{
return;
}
else
{
if (String.IsNullOrEmpty(actor))
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
}
else
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
}
}
}
securityHeader.RequireMessageProtection = false;
securityHeader.ExpectBasicTokens = expectBasicTokens;
securityHeader.ExpectSignedTokens = expectSignedTokens;
securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize;
securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
if (!factory.ActAsInitiator)
{
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
if (factory.ExpectKeyDerivation)
{
securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator;
}
}
securityHeader.ReplayDetectionEnabled = factory.DetectReplays;
securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew);
securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy);
message = securityHeader.ProcessedMessage;
if (!factory.ActAsInitiator)
{
AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
base.OnIncomingMessageVerified(message);
}
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
{
this.tokens = new SecurityTokenEntry[InitialTokenArraySize];
this.securityHeader = securityHeader;
}
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
{
this.tokens = new SecurityTokenEntry[InitialTokenArraySize];
this.securityHeader = securityHeader;
}
public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
{
this.tokens = new SecurityTokenEntry[10];
this.securityHeader = securityHeader;
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
IList <SupportingTokenAuthenticatorSpecification> list;
AsymmetricSecurityProtocolFactory factory = this.Factory;
TimeoutHelper helper = new TimeoutHelper(timeout);
ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list);
SecurityToken requiredSigningToken = null;
if (factory.ActAsInitiator)
{
SecurityTokenAuthenticator initiatorAsymmetricTokenAuthenticator;
SecurityToken token = null;
SecurityToken primaryToken = null;
if (factory.RequireIntegrity)
{
primaryToken = SecurityProtocol.GetToken(this.initiatorAsymmetricTokenProvider, null, helper.RemainingTime());
requiredSigningToken = primaryToken;
}
if (factory.RequireConfidentiality)
{
token = base.GetCorrelationToken(correlationStates);
if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(token))
{
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
}
}
if (factory.AllowSerializedSigningTokenOnReply)
{
initiatorAsymmetricTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator;
requiredSigningToken = null;
}
else
{
initiatorAsymmetricTokenAuthenticator = null;
}
securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(primaryToken, factory.AsymmetricTokenParameters, token, factory.CryptoTokenParameters, initiatorAsymmetricTokenAuthenticator);
}
else
{
SecurityToken token4;
if ((this.Factory.RecipientAsymmetricTokenProvider != null) && this.Factory.RequireConfidentiality)
{
token4 = SecurityProtocol.GetToken(factory.RecipientAsymmetricTokenProvider, null, helper.RemainingTime());
}
else
{
token4 = null;
}
securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, token4, this.Factory.AsymmetricTokenParameters, list);
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList));
}
base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates);
SecurityToken signatureToken = securityHeader.SignatureToken;
SecurityToken encryptionToken = securityHeader.EncryptionToken;
if (factory.RequireIntegrity)
{
if (factory.ActAsInitiator)
{
ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signatureToken);
MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
this.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptionToken, signatureToken, recipientTokenPolicies);
}
else
{
MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
this.AttachRecipientSecurityProperty(message, signatureToken, encryptionToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
}
return(base.GetCorrelationState(signatureToken, securityHeader));
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
SymmetricSecurityProtocolFactory factory = this.Factory;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators);
SecurityToken requiredReplySigningToken = null;
if (this.Factory.ActAsInitiator)
{
// set the outofband protection token
SecurityTokenParameters outOfBandTokenParameters;
SecurityToken outOfBandToken = GetCorrelationToken(correlationStates, out outOfBandTokenParameters);
securityHeader.ConfigureSymmetricBindingClientReceiveHeader(outOfBandToken, outOfBandTokenParameters);
requiredReplySigningToken = outOfBandToken;
}
else
{
if (factory.RecipientSymmetricTokenAuthenticator != null)
{
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators);
}
else
{
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(timeoutHelper.RemainingTime()), this.Factory.SecurityTokenParameters, supportingAuthenticators);
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
}
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList));
}
ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates);
SecurityToken signingToken = securityHeader.SignatureToken;
if (factory.RequireIntegrity)
{
if (factory.SecurityTokenParameters.HasAsymmetricKey)
{
// enforce that the signing token is a wrapped key token
EnsureWrappedToken(signingToken, message);
}
else
{
EnsureNonWrappedToken(signingToken, message);
}
if (factory.ActAsInitiator)
{
if (!factory.SecurityTokenParameters.HasAsymmetricKey)
{
ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signingToken);
DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies);
}
else
{
SecurityToken wrappingToken = (signingToken as WrappedKeySecurityToken).WrappingToken;
ReadOnlyCollection <IAuthorizationPolicy> wrappingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken);
DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, wrappingTokenPolicies);
}
}
else
{
AttachRecipientSecurityProperty(message, signingToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
}
return(GetCorrelationState(signingToken, securityHeader));
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
IList <SupportingTokenAuthenticatorSpecification> list;
SymmetricSecurityProtocolFactory factory = this.Factory;
TimeoutHelper helper = new TimeoutHelper(timeout);
ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list);
SecurityToken requiredSigningToken = null;
if (this.Factory.ActAsInitiator)
{
SecurityTokenParameters parameters;
SecurityToken correlationToken = this.GetCorrelationToken(correlationStates, out parameters);
securityHeader.ConfigureSymmetricBindingClientReceiveHeader(correlationToken, parameters);
requiredSigningToken = correlationToken;
}
else
{
if (factory.RecipientSymmetricTokenAuthenticator != null)
{
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, list);
}
else
{
securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(helper.RemainingTime()), this.Factory.SecurityTokenParameters, list);
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
}
securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList));
}
base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates);
SecurityToken signatureToken = securityHeader.SignatureToken;
if (factory.RequireIntegrity)
{
if (factory.SecurityTokenParameters.HasAsymmetricKey)
{
this.EnsureWrappedToken(signatureToken, message);
}
else
{
MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
}
if (factory.ActAsInitiator)
{
if (!factory.SecurityTokenParameters.HasAsymmetricKey)
{
ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signatureToken);
base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies);
}
else
{
SecurityToken wrappingToken = (signatureToken as WrappedKeySecurityToken).WrappingToken;
ReadOnlyCollection <IAuthorizationPolicy> onlys2 = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken);
base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, onlys2);
}
}
else
{
base.AttachRecipientSecurityProperty(message, signatureToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
}
return(base.GetCorrelationState(signatureToken, securityHeader));
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations sentSignatures = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; ++i)
{
if (correlationStates[i].SignatureConfirmations != null)
{
sentSignatures = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (sentSignatures == null)
{
if (receivedConfirmations != null && receivedConfirmations.Count > 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations)));
}
return;
}
bool allSignaturesConfirmed = false;
if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count)
{
bool[] matchingSigIndexes = new bool[sentSignatures.Count];
for (int i = 0; i < sentSignatures.Count; ++i)
{
byte[] sentSignature;
bool wasSentSigEncrypted;
sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted);
for (int j = 0; j < receivedConfirmations.Count; ++j)
{
byte[] receivedSignature;
bool wasReceivedSigEncrypted;
if (matchingSigIndexes[j])
{
continue;
}
receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted);
if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature))
{
matchingSigIndexes[j] = true;
break;
}
}
}
int k;
for (k = 0; k < matchingSigIndexes.Length; ++k)
{
if (!matchingSigIndexes[k])
{
break;
}
}
if (k == matchingSigIndexes.Length)
{
allSignaturesConfirmed = true;
}
}
if (!allSignaturesConfirmed)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed)));
}
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations signatureConfirmations = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; i++)
{
if (correlationStates[i].SignatureConfirmations != null)
{
signatureConfirmations = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (signatureConfirmations == null)
{
if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations")));
}
}
else
{
bool flag = false;
if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count))
{
bool[] flagArray = new bool[signatureConfirmations.Count];
for (int j = 0; j < signatureConfirmations.Count; j++)
{
byte[] buffer;
bool flag2;
signatureConfirmations.GetConfirmation(j, out buffer, out flag2);
for (int k = 0; k < sentSignatureConfirmations.Count; k++)
{
if (!flagArray[k])
{
byte[] buffer2;
bool flag3;
sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3);
if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer))
{
flagArray[k] = true;
break;
}
}
}
}
int index = 0;
while (index < flagArray.Length)
{
if (!flagArray[index])
{
break;
}
index++;
}
if (index == flagArray.Length)
{
flag = true;
}
}
if (!flag)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed")));
}
}
}
