internal SecurityProtocolFactory(SecurityProtocolFactory factory)
: this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory");
}
this.actAsInitiator = factory.actAsInitiator;
this.addTimestamp = factory.addTimestamp;
this.detectReplays = factory.detectReplays;
this.incomingAlgorithmSuite = factory.incomingAlgorithmSuite;
this.maxCachedNonces = factory.maxCachedNonces;
this.maxClockSkew = factory.maxClockSkew;
this.outgoingAlgorithmSuite = factory.outgoingAlgorithmSuite;
this.replayWindow = factory.replayWindow;
// this.channelSupportingTokenAuthenticatorSpecification = (ICollection<SupportingTokenAuthenticatorSpecification>) new Collection<SupportingTokenAuthenticatorSpecification>((IList<SupportingTokenAuthenticatorSpecification>) new List<SupportingTokenAuthenticatorSpecification>((IEnumerable<SupportingTokenAuthenticatorSpecification>) factory.channelSupportingTokenAuthenticatorSpecification));
// this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary<string, ICollection<SupportingTokenAuthenticatorSpecification>>((IDictionary<string, ICollection<SupportingTokenAuthenticatorSpecification>>) factory.scopedSupportingTokenAuthenticatorSpecification);
this.standardsManager = factory.standardsManager;
// this.timestampValidityDuration = factory.timestampValidityDuration;
// this.auditLogLocation = factory.auditLogLocation;
// this.suppressAuditFailure = factory.suppressAuditFailure;
// this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel;
// this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel;
if (factory.securityBindingElement != null)
{
this.securityBindingElement = (SecurityBindingElement)factory.securityBindingElement.Clone();
}
this.securityTokenManager = factory.securityTokenManager;
this.privacyNoticeUri = factory.privacyNoticeUri;
this.privacyNoticeVersion = factory.privacyNoticeVersion;
// this.endpointFilterTable = factory.endpointFilterTable;
this.extendedProtectionPolicy = factory.extendedProtectionPolicy;
this.nonceCache = factory.nonceCache;
}
public WSSecurityOneDotOneReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex, MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, headerIndex, direction)
{
}
public WSSecurityOneDotZeroSendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
}
public WSSecurityOneDotZeroSendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
}
internal override SendSecurityHeader CreateSendSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
return(new WSSecurityOneDotOneSendSecurityHeader(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction));
}
public SecurityHeader(System.ServiceModel.Channels.Message message, string actor, bool mustUnderstand, bool relay, SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite, System.ServiceModel.Description.MessageDirection transferDirection)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
if (actor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("actor");
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("standardsManager");
}
if (algorithmSuite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithmSuite");
}
this.message = message;
this.actor = actor;
this.mustUnderstand = mustUnderstand;
this.relay = relay;
this.standardsManager = standardsManager;
this.algorithmSuite = algorithmSuite;
this.transferDirection = transferDirection;
}
public SecurityHeader(System.ServiceModel.Channels.Message message, string actor, bool mustUnderstand, bool relay, SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite, System.ServiceModel.Description.MessageDirection transferDirection)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
if (actor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("actor");
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("standardsManager");
}
if (algorithmSuite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithmSuite");
}
this.message = message;
this.actor = actor;
this.mustUnderstand = mustUnderstand;
this.relay = relay;
this.standardsManager = standardsManager;
this.algorithmSuite = algorithmSuite;
this.transferDirection = transferDirection;
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory)
: this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory");
}
_actAsInitiator = factory._actAsInitiator;
_addTimestamp = factory._addTimestamp;
_detectReplays = factory._detectReplays;
_incomingAlgorithmSuite = factory._incomingAlgorithmSuite;
_maxCachedNonces = factory._maxCachedNonces;
_maxClockSkew = factory._maxClockSkew;
_outgoingAlgorithmSuite = factory._outgoingAlgorithmSuite;
_replayWindow = factory._replayWindow;
_channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory._channelSupportingTokenAuthenticatorSpecification));
_scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory._scopedSupportingTokenAuthenticatorSpecification);
_standardsManager = factory._standardsManager;
_timestampValidityDuration = factory._timestampValidityDuration;
_auditLogLocation = factory._auditLogLocation;
_suppressAuditFailure = factory._suppressAuditFailure;
_serviceAuthorizationAuditLevel = factory._serviceAuthorizationAuditLevel;
_messageAuthenticationAuditLevel = factory._messageAuthenticationAuditLevel;
if (factory._securityBindingElement != null)
{
_securityBindingElement = (SecurityBindingElement)factory._securityBindingElement.Clone();
}
_securityTokenManager = factory._securityTokenManager;
_privacyNoticeUri = factory._privacyNoticeUri;
_privacyNoticeVersion = factory._privacyNoticeVersion;
_extendedProtectionPolicy = factory._extendedProtectionPolicy;
_nonceCache = factory._nonceCache;
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = this.AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString canonicalizationAlgorithmDictionaryString = suite.DefaultCanonicalizationAlgorithmDictionaryString;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.GetString(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out this.signatureKey, out signatureAlgorithmDictionaryString);
string digestAlgorithm = suite.DefaultDigestAlgorithm;
XmlDictionaryString digestAlgorithmDictionaryString = suite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, canonicalizationAlgorithm, canonicalizationAlgorithmDictionaryString, digestAlgorithm, digestAlgorithmDictionaryString, signatureAlgorithm, signatureAlgorithmDictionaryString);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, this.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(digestAlgorithm);
}
protected override ISignatureValueSecurityElement CreateSupportingSignature(SecurityToken token, SecurityKeyIdentifier identifier, ISecurityElement elementToSign)
{
string str;
XmlDictionaryString str2;
SecurityKey key;
SecurityAlgorithmSuite algorithmSuite = base.AlgorithmSuite;
algorithmSuite.GetSignatureAlgorithmAndKey(token, out str, out key, out str2);
SignedXml xml = new SignedXml(ServiceModelDictionaryManager.Instance, base.StandardsManager.SecurityTokenSerializer);
SignedInfo signedInfo = xml.Signature.SignedInfo;
signedInfo.CanonicalizationMethod = algorithmSuite.DefaultCanonicalizationAlgorithm;
signedInfo.CanonicalizationMethodDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString;
signedInfo.SignatureMethod = str;
signedInfo.SignatureMethodDictionaryString = str2;
if (elementToSign.Id == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ElementToSignMustHaveId")));
}
Reference reference = new Reference(ServiceModelDictionaryManager.Instance, "#" + elementToSign.Id, elementToSign)
{
DigestMethod = algorithmSuite.DefaultDigestAlgorithm,
DigestMethodDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString
};
reference.AddTransform(new ExclusiveCanonicalizationTransform());
((StandardSignedInfo)signedInfo).AddReference(reference);
xml.ComputeSignature(key);
if (identifier != null)
{
xml.Signature.KeyIdentifier = identifier;
}
return(xml);
}
public IssuedTokenWSTrustBinding(Binding issuerBinding, EndpointAddress issuerAddress, SecurityMode mode, TrustVersion version, SecurityKeyType keyType, SecurityAlgorithmSuite algorithmSuite, string tokenType, IEnumerable<ClaimTypeRequirement> claimTypeRequirements, EndpointAddress issuerMetadataAddress)
: base(mode, version)
{
this._claimTypeRequirements = new Collection<ClaimTypeRequirement>();
if ((SecurityMode.Message != mode) && (SecurityMode.TransportWithMessageCredential != mode))
{
throw new InvalidOperationException("ID3226");
}
if ((this._keyType == SecurityKeyType.BearerKey) && (version == TrustVersion.WSTrustFeb2005))
{
throw new InvalidOperationException("ID3267");
}
this._keyType = keyType;
this._algorithmSuite = algorithmSuite;
this._tokenType = tokenType;
this._issuerBinding = issuerBinding;
this._issuerAddress = issuerAddress;
this._issuerMetadataAddress = issuerMetadataAddress;
if (claimTypeRequirements != null)
{
foreach (ClaimTypeRequirement requirement in claimTypeRequirements)
{
this._claimTypeRequirements.Add(requirement);
}
}
}
protected override void StartPrimarySignatureCore(SecurityToken token, SecurityKeyIdentifier keyIdentifier, MessagePartSpecification signatureParts, bool generateTargettableSignature)
{
string str3;
XmlDictionaryString str4;
SecurityAlgorithmSuite algorithmSuite = base.AlgorithmSuite;
string defaultCanonicalizationAlgorithm = algorithmSuite.DefaultCanonicalizationAlgorithm;
XmlDictionaryString defaultCanonicalizationAlgorithmDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString;
if (defaultCanonicalizationAlgorithm != "http://www.w3.org/2001/10/xml-exc-c14n#")
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnsupportedCanonicalizationAlgorithm", new object[] { algorithmSuite.DefaultCanonicalizationAlgorithm })));
}
algorithmSuite.GetSignatureAlgorithmAndKey(token, out str3, out this.signatureKey, out str4);
string defaultDigestAlgorithm = algorithmSuite.DefaultDigestAlgorithm;
XmlDictionaryString defaultDigestAlgorithmDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString;
this.signedInfo = new PreDigestedSignedInfo(ServiceModelDictionaryManager.Instance, defaultCanonicalizationAlgorithm, defaultCanonicalizationAlgorithmDictionaryString, defaultDigestAlgorithm, defaultDigestAlgorithmDictionaryString, str3, str4);
this.signedXml = new SignedXml(this.signedInfo, ServiceModelDictionaryManager.Instance, base.StandardsManager.SecurityTokenSerializer);
if (keyIdentifier != null)
{
this.signedXml.Signature.KeyIdentifier = keyIdentifier;
}
if (generateTargettableSignature)
{
this.signedXml.Id = base.GenerateId();
}
this.effectiveSignatureParts = signatureParts;
this.hashStream = this.signedInfo.ResourcePool.TakeHashStream(defaultDigestAlgorithm);
}
private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
{
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
string signatureAlgorithm = null;
string encryptionAlgorithm = null;
switch (keyType)
{
case SecurityKeyType.SymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
break;
case SecurityKeyType.AsymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
break;
case SecurityKeyType.BearerKey:
return;
default:
throw new ArgumentOutOfRangeException("keyType");
}
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));
if (trustVersion != TrustVersion.WSTrustFeb2005)
{
issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
}
protected void ValidateKeySize(GenericXmlSecurityToken issuedToken)
{
CommunicationObject.ThrowIfClosedOrNotOpen();
ReadOnlyCollection <SecurityKey> issuedKeys = issuedToken.SecurityKeys;
if (issuedKeys != null && issuedKeys.Count == 1)
{
SymmetricSecurityKey symmetricKey = issuedKeys[0] as SymmetricSecurityKey;
if (symmetricKey != null)
{
if (SecurityAlgorithmSuite.IsSymmetricKeyLengthSupported(symmetricKey.KeySize))
{
return;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidIssuedTokenKeySize, symmetricKey.KeySize)));
}
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.CannotObtainIssuedTokenKeySize));
}
}
public SecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
if (actor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("actor");
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("standardsManager");
}
if (algorithmSuite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithmSuite");
}
_message = message;
_actor = actor;
_mustUnderstand = mustUnderstand;
_relay = relay;
_standardsManager = standardsManager;
_algorithmSuite = algorithmSuite;
_transferDirection = transferDirection;
}
public WSSecurityOneDotOneReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex, MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, headerIndex, direction)
{
}
public SecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
if (actor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("actor");
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("standardsManager");
}
if (algorithmSuite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithmSuite");
}
_message = message;
_actor = actor;
_mustUnderstand = mustUnderstand;
_relay = relay;
_standardsManager = standardsManager;
_algorithmSuite = algorithmSuite;
_transferDirection = transferDirection;
}
protected SendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, transferDirection)
{
throw ExceptionHelper.PlatformNotSupported();
}
protected SendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, transferDirection)
{
this.elementContainer = new SendSecurityHeaderElementContainer();
}
protected SendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, transferDirection)
{
ElementContainer = new SendSecurityHeaderElementContainer();
}
protected SendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, transferDirection)
{
throw ExceptionHelper.PlatformNotSupported();
}
internal MessageSecurityOverTcp ()
{
alg_suite = SecurityAlgorithmSuite.Default;
// This default value is *silly* but anyways
// such code that does not change this ClientCredentialType
// won't work on Mono.
client_credential_type = MessageCredentialType.Windows;
}
IssuedSecurityTokenProvider CreateIssuedProviderBase(SecurityTokenRequirement r)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider();
p.TargetAddress = r.GetProperty <EndpointAddress> (ReqType.TargetAddressProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
// I doubt the binding is acquired this way ...
Binding binding;
if (!r.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding))
{
binding = new CustomBinding(sbe,
new TextMessageEncodingBindingElement(),
new HttpTransportBindingElement());
}
p.IssuerBinding = binding;
// not sure if it is used only for this purpose though ...
BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);
foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll <IEndpointBehavior> ())
{
p.IssuerChannelBehaviors.Add(b);
}
SecurityTokenVersion ver =
r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer(ver);
// seems like they are optional here ... (but possibly
// used later)
EndpointAddress address;
if (!r.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address))
{
address = p.TargetAddress;
}
p.IssuerAddress = address;
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
return(p);
}
public FederatedMessageSecurityOverHttp()
{
negotiateServiceCredential = DefaultNegotiateServiceCredential;
algorithmSuite = SecurityAlgorithmSuite.Default;
issuedKeyType = DefaultIssuedKeyType;
claimTypeRequirements = new Collection<ClaimTypeRequirement>();
tokenRequestParameters = new Collection<XmlElement>();
establishSecurityContext = DefaultEstablishSecurityContext;
}
protected ReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
throw ExceptionHelper.PlatformNotSupported();
}
protected ReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
throw ExceptionHelper.PlatformNotSupported();
}
internal MessageSecurityOverHttp ()
{
alg_suite = SecurityAlgorithmSuite.Default;
// This default value is *silly* but anyways such
// it is silly to expect that such code that does not
// change ClientCredentialType works on Mono.
client_credential_type = MessageCredentialType.Windows;
negotiate_service_credential = true;
}
public MessageSecurityOverTcp ()
{
#if !MOBILE && !XAMMAC_4_5
alg_suite = SecurityAlgorithmSuite.Default;
#endif
// This default value is *silly* but anyways
// such code that does not change this ClientCredentialType
// won't work on Mono.
client_credential_type = MessageCredentialType.Windows;
}
internal static bool IsRsaSHA256(SecurityAlgorithmSuite suite)
{
if (suite == null)
{
return(false);
}
return(suite == Basic128Sha256 || suite == Basic128Sha256Rsa15 || suite == Basic192Sha256 || suite == Basic192Sha256Rsa15 ||
suite == Basic256Sha256 || suite == Basic256Sha256Rsa15 || suite == TripleDesSha256 || suite == TripleDesSha256Rsa15);
}
protected ReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
HeaderIndex = headerIndex;
ElementManager = new ReceiveSecurityHeaderElementManager(this);
}
internal static void ValidateSymmetricKeyLength(int keyLength, SecurityAlgorithmSuite algorithmSuite)
{
if (!algorithmSuite.IsSymmetricKeyLengthSupported(keyLength))
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite", System.ServiceModel.SR.GetString("UnsupportedKeyLength", new object[] { keyLength, algorithmSuite.ToString() })));
}
if ((keyLength % 8) != 0)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite", System.ServiceModel.SR.GetString("KeyLengthMustBeMultipleOfEight", new object[] { keyLength })));
}
}
internal void InitializeFrom(MessageSecurityOverMsmq security)
{
if (security == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("security");
}
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.ClientCredentialType, security.ClientCredentialType);
if (security.WasAlgorithmSuiteSet)
{
this.AlgorithmSuite = security.AlgorithmSuite;
}
}
internal static bool IsRsaSHA256(SecurityAlgorithmSuite suite)
{
if (suite == null)
{
return(false);
}
if ((((suite != Basic128Sha256) && (suite != Basic128Sha256Rsa15)) && ((suite != Basic192Sha256) && (suite != Basic192Sha256Rsa15))) && (((suite != Basic256Sha256) && (suite != Basic256Sha256Rsa15)) && (suite != TripleDesSha256)))
{
return(suite == TripleDesSha256Rsa15);
}
return(true);
}
public SecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
{
Message = message ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(message));
_actor = actor ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(actor));
_mustUnderstand = mustUnderstand;
_relay = relay;
StandardsManager = standardsManager ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(standardsManager));
AlgorithmSuite = algorithmSuite ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(algorithmSuite));
MessageDirection = transferDirection;
}
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message, string actor, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
ReceiveSecurityHeader header = this.TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);
if (header != null)
{
return header;
}
if (string.IsNullOrEmpty(actor))
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message);
}
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message);
}
internal static void ValidateSymmetricKeyLength(int keyLength, SecurityAlgorithmSuite algorithmSuite)
{
if (!algorithmSuite.IsSymmetricKeyLengthSupported(keyLength))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite",
SR.GetString(SR.UnsupportedKeyLength, keyLength, algorithmSuite.ToString())));
}
if (keyLength % 8 != 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite",
SR.GetString(SR.KeyLengthMustBeMultipleOfEight, keyLength)));
}
}
internal override ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction,
int headerIndex)
{
return(new WSSecurityOneDotZeroReceiveSecurityHeader(
message,
actor, mustUnderstand, relay,
standardsManager,
algorithmSuite, headerIndex, direction));
}
internal ReceiveSecurityHeader TryCreateReceiveSecurityHeader(Message message, string actor, SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
int headerIndex = message.Headers.FindHeader(this.HeaderName.Value, this.HeaderNamespace.Value, new string[] { actor });
if ((headerIndex < 0) && string.IsNullOrEmpty(actor))
{
headerIndex = message.Headers.FindHeader(this.HeaderName.Value, this.HeaderNamespace.Value, message.Version.Envelope.UltimateDestinationActorValues);
}
if (headerIndex < 0)
{
return null;
}
MessageHeaderInfo info = message.Headers[headerIndex];
return this.CreateReceiveSecurityHeader(message, info.Actor, info.MustUnderstand, info.Relay, standardsManager, algorithmSuite, direction, headerIndex);
}
void InitializeAuthenticatorCommunicationObject(AuthenticatorCommunicationObject p, SecurityTokenRequirement r)
{
p.ListenUri = r.GetProperty <Uri> (ReqType.ListenUriProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
p.SecurityBindingElement = sbe;
/*
* // I doubt the binding is acquired this way ...
* Binding binding;
* if (!r.TryGetProperty<Binding> (ReqType.IssuerBindingProperty, out binding))
* binding = new CustomBinding (
* new TextMessageEncodingBindingElement (),
* new HttpTransportBindingElement ());
* p.IssuerBinding = binding;
*
* // not sure if it is used only for this purpose though ...
* BindingContext ctx = r.GetProperty<BindingContext> (ReqType.IssuerBindingContextProperty);
* foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll<IEndpointBehavior> ())
* p.IssuerChannelBehaviors.Add (b);
*/
SecurityTokenVersion ver =
r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer(ver);
/*
* // seems like they are optional here ... (but possibly
* // used later)
* EndpointAddress address;
* if (!r.TryGetProperty<EndpointAddress> (ReqType.IssuerAddressProperty, out address))
* address = p.TargetAddress;
* p.IssuerAddress = address;
*/
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
}
protected SecurityProtocolFactory()
{
this.addTimestamp = true;
this.detectReplays = true;
this.incomingAlgorithmSuite = SecurityAlgorithmSuite.Default;
this.maxCachedNonces = 0xdbba0;
this.maxClockSkew = defaultMaxClockSkew;
this.outgoingAlgorithmSuite = SecurityAlgorithmSuite.Default;
this.replayWindow = defaultReplayWindow;
this.standardsManager = SecurityStandardsManager.DefaultInstance;
this.timestampValidityDuration = defaultTimestampValidityDuration;
this.channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>();
this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >();
this.communicationObject = new WrapperSecurityCommunicationObject(this);
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.Format(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
SecurityKey signatureKey;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString);
AsymmetricAlgorithm asymmetricAlgorithm = null;
GetSigningAlgorithm(signatureKey, signatureAlgorithm, out _signingKey, out asymmetricAlgorithm);
_signedXml = new SignedXml();
_signedXml.SignedInfo.CanonicalizationMethod = canonicalizationAlgorithm;
_signedXml.SignedInfo.SignatureMethod = signatureAlgorithm;
_signedXml.SigningKey = asymmetricAlgorithm;
if (keyIdentifier != null)
{
var stream = new MemoryStream();
using (var xmlWriter = XmlDictionaryWriter.CreateTextWriter(stream, Encoding.UTF8, false))
{
StandardsManager.SecurityTokenSerializer.WriteKeyIdentifier(xmlWriter, keyIdentifier);
}
stream.Position = 0;
XmlDocument doc = new XmlDocument();
doc.Load(stream);
var keyInfo = new KeyInfo();
keyInfo.LoadXml(doc.DocumentElement);
_signedXml.KeyInfo = keyInfo;
}
if (generateTargettableSignature)
{
_signedXml.Signature.Id = GenerateId();
}
_effectiveSignatureParts = signatureParts;
}
static void AssertSecurityAlgorithmSuite (
string defaultAsymmetricKeyWrapAlgorithm,
string defaultAsymmetricSignatureAlgorithm,
string defaultCanonicalizationAlgorithm,
string defaultDigestAlgorithm,
string defaultEncryptionAlgorithm,
int defaultEncryptionKeyDerivationLength,
int defaultSignatureKeyDerivationLength,
int defaultSymmetricKeyLength,
string defaultSymmetricKeyWrapAlgorithm,
string defaultSymmetricSignatureAlgorithm,
SecurityAlgorithmSuite target,
string label)
{
Assert.AreEqual (defaultAsymmetricKeyWrapAlgorithm,
target.DefaultAsymmetricKeyWrapAlgorithm,
label + ".DefaultAsymmetricKeyWrapAlgorithm");
Assert.AreEqual (defaultAsymmetricSignatureAlgorithm,
target.DefaultAsymmetricSignatureAlgorithm,
label + ".DefaultAsymmetricSignatureAlgorithm");
Assert.AreEqual (defaultCanonicalizationAlgorithm,
target.DefaultCanonicalizationAlgorithm,
label + ".DefaultCanonicalizationAlgorithm");
Assert.AreEqual (defaultDigestAlgorithm,
target.DefaultDigestAlgorithm,
label + ".DefaultDigestAlgorithm");
Assert.AreEqual (defaultEncryptionAlgorithm,
target.DefaultEncryptionAlgorithm,
label + ".DefaultEncryptionAlgorithm");
Assert.AreEqual (defaultEncryptionKeyDerivationLength,
target.DefaultEncryptionKeyDerivationLength,
label + ".DefaultEncryptionKeyDerivationLength");
Assert.AreEqual (defaultSignatureKeyDerivationLength,
target.DefaultSignatureKeyDerivationLength,
label + ".DefaultSignatureKeyDerivationLength");
Assert.AreEqual (defaultSymmetricKeyLength,
target.DefaultSymmetricKeyLength,
label + ".DefaultSymmetricKeyLength");
Assert.AreEqual (defaultSymmetricKeyWrapAlgorithm,
target.DefaultSymmetricKeyWrapAlgorithm,
label + ".DefaultSymmetricKeyWrapAlgorithm");
Assert.AreEqual (defaultSymmetricSignatureAlgorithm,
target.DefaultSymmetricSignatureAlgorithm,
label + ".DefaultSymmetricSignatureAlgorithm");
}
static SecurityAlgorithmSuite()
{
b128 = new BasicSecurityAlgorithmSuite(128, false, false);
b128r = new BasicSecurityAlgorithmSuite(128, false, true);
b128s = new BasicSecurityAlgorithmSuite(128, true, false);
b128sr = new BasicSecurityAlgorithmSuite(128, true, true);
b192 = new BasicSecurityAlgorithmSuite(192, false, false);
b192r = new BasicSecurityAlgorithmSuite(192, false, true);
b192s = new BasicSecurityAlgorithmSuite(192, true, false);
b192sr = new BasicSecurityAlgorithmSuite(192, true, true);
b256 = new BasicSecurityAlgorithmSuite(256, false, false);
b256r = new BasicSecurityAlgorithmSuite(256, false, true);
b256s = new BasicSecurityAlgorithmSuite(256, true, false);
b256sr = new BasicSecurityAlgorithmSuite(256, true, true);
tdes = new TripleDESSecurityAlgorithmSuite(false, false);
tdes_r = new TripleDESSecurityAlgorithmSuite(false, true);
tdes_s = new TripleDESSecurityAlgorithmSuite(true, false);
tdes_sr = new TripleDESSecurityAlgorithmSuite(true, true);
}
/// <summary>
/// Creates a SAML assertion based on a symmetric proof key
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="signatureToken">An X509SecurityToken that will be used to sign the SAML assertion</param>
/// <param name="encryptionToken">An X509SecurityToken that will be used to encrypt the proof key</param>
/// <param name="proofToken">A BinarySecretSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature token</returns>
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
// Check various input parameters
if (claims == null)
throw new ArgumentNullException("claims");
if (claims.Count == 0)
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (signatureToken == null)
throw new ArgumentNullException("signatureToken");
if (encryptionToken == null)
throw new ArgumentNullException("encryptionToken");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (algoSuite == null)
throw new ArgumentNullException("algoSuite");
// Get signing key and a key identifier for same
SecurityKey signatureKey = signatureToken.SecurityKeys[0];
SecurityKeyIdentifierClause signatureSkic = signatureToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(signatureSkic);
// Get encryption key and a key identifier for same
SecurityKey encryptionKey = encryptionToken.SecurityKeys[0];
SecurityKeyIdentifierClause encryptionSkic = encryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier encryptionKeyIdentifier = new SecurityKeyIdentifier(encryptionSkic);
// Encrypt the proof key and create a key identifier for same
byte[] proofKey = proofToken.GetKeyBytes();
byte[] encryptedSecret = new byte[proofKey.Length];
encryptedSecret = encryptionKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, proofKey);
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedSecret, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptionKeyIdentifier));
// Create the assertion
return CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite);
}
protected static SymmetricAlgorithm CreateDecryptionAlgorithm(SecurityToken token, string encryptionMethod, SecurityAlgorithmSuite suite)
{
if (encryptionMethod == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("EncryptionMethodMissingInEncryptedData")));
}
suite.EnsureAcceptableEncryptionAlgorithm(encryptionMethod);
SymmetricSecurityKey securityKey = System.ServiceModel.Security.SecurityUtils.GetSecurityKey<SymmetricSecurityKey>(token);
if (securityKey == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenCannotCreateSymmetricCrypto", new object[] { token })));
}
suite.EnsureAcceptableDecryptionSymmetricKeySize(securityKey, token);
SymmetricAlgorithm symmetricAlgorithm = securityKey.GetSymmetricAlgorithm(encryptionMethod);
if (symmetricAlgorithm == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToCreateSymmetricAlgorithmFromToken", new object[] { encryptionMethod })));
}
return symmetricAlgorithm;
}
/// <summary>
/// Creates a SAML assertion based on an Asymmetric proof key
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="proofToken">An RsaSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the proof key</returns>
public static SamlAssertion CreateAsymmetricKeyBasedAssertion(ClaimSet claims, SecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
// Check various input parameters
if (claims == null)
throw new ArgumentNullException("claims");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (claims.Count == 0)
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
// Create key identifier for proof key
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(proofToken.CreateKeyIdentifierClause<RsaKeyIdentifierClause>());
// Get signing key and a key identifier for same
SecurityKey signatureKey = proofToken.SecurityKeys[0];
SecurityKeyIdentifier signatureKeyIdentifier = proofKeyIdentifier;
// Create the assertion
return CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite);
}
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message,
string actor,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
ReceiveSecurityHeader header = TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);
if (header == null)
{
if (String.IsNullOrEmpty(actor))
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
}
else
{
throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
}
}
return(header);
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(factory));
}
ActAsInitiator = factory.ActAsInitiator;
_addTimestamp = factory._addTimestamp;
_detectReplays = factory._detectReplays;
_incomingAlgorithmSuite = factory._incomingAlgorithmSuite;
_maxCachedNonces = factory._maxCachedNonces;
_maxClockSkew = factory._maxClockSkew;
_outgoingAlgorithmSuite = factory._outgoingAlgorithmSuite;
_replayWindow = factory._replayWindow;
_channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory._channelSupportingTokenAuthenticatorSpecification));
_standardsManager = factory._standardsManager;
_timestampValidityDuration = factory._timestampValidityDuration;
_securityBindingElement = (SecurityBindingElement)factory._securityBindingElement?.Clone();
_securityTokenManager = factory._securityTokenManager;
_nonceCache = factory._nonceCache;
}
// The security always look for Empty soap role. If not found, we will also look for Ultimate actors (next incl).
// In the future, till we support intermediary scenario, we should refactor this api to do not take actor parameter.
internal ReceiveSecurityHeader TryCreateReceiveSecurityHeader(Message message,
string actor,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
int headerIndex = message.Headers.FindHeader(HeaderName.Value, HeaderNamespace.Value, actor);
if (headerIndex < 0 && String.IsNullOrEmpty(actor))
{
headerIndex = message.Headers.FindHeader(HeaderName.Value, HeaderNamespace.Value, message.Version.Envelope.UltimateDestinationActorValues);
}
if (headerIndex < 0)
{
return(null);
}
MessageHeaderInfo headerInfo = message.Headers[headerIndex];
return(CreateReceiveSecurityHeader(message,
headerInfo.Actor, headerInfo.MustUnderstand, headerInfo.Relay,
standardsManager, algorithmSuite,
direction, headerIndex));
}
protected static SymmetricAlgorithm CreateDecryptionAlgorithm(SecurityToken token, string encryptionMethod, SecurityAlgorithmSuite suite)
{
if (encryptionMethod == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.EncryptionMethodMissingInEncryptedData)));
}
suite.EnsureAcceptableEncryptionAlgorithm(encryptionMethod);
SymmetricSecurityKey symmetricSecurityKey = SecurityUtils.GetSecurityKey<SymmetricSecurityKey>(token);
if (symmetricSecurityKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.TokenCannotCreateSymmetricCrypto, token)));
}
suite.EnsureAcceptableDecryptionSymmetricKeySize(symmetricSecurityKey, token);
SymmetricAlgorithm algorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptionMethod);
if (algorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToCreateSymmetricAlgorithmFromToken, encryptionMethod)));
}
return algorithm;
}
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
if (this.keyType != SecurityKeyType.BearerKey)
{
string defaultEncryptionAlgorithm;
string signatureAlgorithm = (this.keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm));
if (issuedKeyType == SecurityKeyType.SymmetricKey)
{
defaultEncryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
}
else
{
defaultEncryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
}
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(defaultEncryptionAlgorithm));
if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005)
{
this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005) standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
}
}
internal static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm)
{
IssuedSecurityTokenParameters parameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1") {
KeyType = SecurityKeyType.AsymmetricKey
};
parameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement(wsidPPIClaim));
parameters.IssuerAddress = null;
parameters.AddAlgorithmParameters(algorithm, standardsManager, parameters.KeyType);
return parameters;
}
public virtual bool TryImportAlgorithmSuiteAssertion(ICollection<XmlElement> assertions, out SecurityAlgorithmSuite suite)
{
if (TryImportWsspAssertion(assertions, Basic256Name))
suite = SecurityAlgorithmSuite.Basic256;
else if (TryImportWsspAssertion(assertions, Basic192Name))
suite = SecurityAlgorithmSuite.Basic192;
else if (TryImportWsspAssertion(assertions, Basic128Name))
suite = SecurityAlgorithmSuite.Basic128;
else if (TryImportWsspAssertion(assertions, TripleDesName))
suite = SecurityAlgorithmSuite.TripleDes;
else if (TryImportWsspAssertion(assertions, Basic256Rsa15Name))
suite = SecurityAlgorithmSuite.Basic256Rsa15;
else if (TryImportWsspAssertion(assertions, Basic192Rsa15Name))
suite = SecurityAlgorithmSuite.Basic192Rsa15;
else if (TryImportWsspAssertion(assertions, Basic128Rsa15Name))
suite = SecurityAlgorithmSuite.Basic128Rsa15;
else if (TryImportWsspAssertion(assertions, TripleDesRsa15Name))
suite = SecurityAlgorithmSuite.TripleDesRsa15;
else if (TryImportWsspAssertion(assertions, Basic256Sha256Name))
suite = SecurityAlgorithmSuite.Basic256Sha256;
else if (TryImportWsspAssertion(assertions, Basic192Sha256Name))
suite = SecurityAlgorithmSuite.Basic192Sha256;
else if (TryImportWsspAssertion(assertions, Basic128Sha256Name))
suite = SecurityAlgorithmSuite.Basic128Sha256;
else if (TryImportWsspAssertion(assertions, TripleDesSha256Name))
suite = SecurityAlgorithmSuite.TripleDesSha256;
else if (TryImportWsspAssertion(assertions, Basic256Sha256Rsa15Name))
suite = SecurityAlgorithmSuite.Basic256Sha256Rsa15;
else if (TryImportWsspAssertion(assertions, Basic192Sha256Rsa15Name))
suite = SecurityAlgorithmSuite.Basic192Sha256Rsa15;
else if (TryImportWsspAssertion(assertions, Basic128Sha256Rsa15Name))
suite = SecurityAlgorithmSuite.Basic128Sha256Rsa15;
else if (TryImportWsspAssertion(assertions, TripleDesSha256Rsa15Name))
suite = SecurityAlgorithmSuite.TripleDesSha256Rsa15;
else
suite = null;
return suite != null;
}
public virtual XmlElement CreateAlgorithmSuiteAssertion(SecurityAlgorithmSuite suite)
{
if (suite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("suite");
}
XmlElement result;
if (suite == SecurityAlgorithmSuite.Basic256)
result = CreateWsspAssertion(Basic256Name);
else if (suite == SecurityAlgorithmSuite.Basic192)
result = CreateWsspAssertion(Basic192Name);
else if (suite == SecurityAlgorithmSuite.Basic128)
result = CreateWsspAssertion(Basic128Name);
else if (suite == SecurityAlgorithmSuite.TripleDes)
result = CreateWsspAssertion(TripleDesName);
else if (suite == SecurityAlgorithmSuite.Basic256Rsa15)
result = CreateWsspAssertion(Basic256Rsa15Name);
else if (suite == SecurityAlgorithmSuite.Basic192Rsa15)
result = CreateWsspAssertion(Basic192Rsa15Name);
else if (suite == SecurityAlgorithmSuite.Basic128Rsa15)
result = CreateWsspAssertion(Basic128Rsa15Name);
else if (suite == SecurityAlgorithmSuite.TripleDesRsa15)
result = CreateWsspAssertion(TripleDesRsa15Name);
else if (suite == SecurityAlgorithmSuite.Basic256Sha256)
result = CreateWsspAssertion(Basic256Sha256Name);
else if (suite == SecurityAlgorithmSuite.Basic192Sha256)
result = CreateWsspAssertion(Basic192Sha256Name);
else if (suite == SecurityAlgorithmSuite.Basic128Sha256)
result = CreateWsspAssertion(Basic128Sha256Name);
else if (suite == SecurityAlgorithmSuite.TripleDesSha256)
result = CreateWsspAssertion(TripleDesSha256Name);
else if (suite == SecurityAlgorithmSuite.Basic256Sha256Rsa15)
result = CreateWsspAssertion(Basic256Sha256Rsa15Name);
else if (suite == SecurityAlgorithmSuite.Basic192Sha256Rsa15)
result = CreateWsspAssertion(Basic192Sha256Rsa15Name);
else if (suite == SecurityAlgorithmSuite.Basic128Sha256Rsa15)
result = CreateWsspAssertion(Basic128Sha256Rsa15Name);
else if (suite == SecurityAlgorithmSuite.TripleDesSha256Rsa15)
result = CreateWsspAssertion(TripleDesSha256Rsa15Name);
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("suite"));
}
return result;
}
public virtual XmlElement CreateWsspAlgorithmSuiteAssertion(MetadataExporter exporter, SecurityAlgorithmSuite suite)
{
XmlElement result = CreateWsspAssertion(AlgorithmSuiteName);
result.AppendChild(
CreateWspPolicyWrapper(
exporter,
CreateAlgorithmSuiteAssertion(suite)
));
return result;
}
public MessageSecurityOverMsmq()
{
clientCredentialType = DefaultClientCredentialType;
algorithmSuite = SecurityAlgorithmSuite.Default;
}
internal static bool IsRsaSHA256(SecurityAlgorithmSuite suite)
{
if (suite == null)
return false;
return (suite == Basic128Sha256 || suite == Basic128Sha256Rsa15 || suite == Basic192Sha256 || suite == Basic192Sha256Rsa15 ||
suite == Basic256Sha256 || suite == Basic256Sha256Rsa15 || suite == TripleDesSha256 || suite == TripleDesSha256Rsa15);
}
internal static void ValidateSymmetricKeyLength(int keyLength, SecurityAlgorithmSuite algorithmSuite)
{
if (!algorithmSuite.IsSymmetricKeyLengthSupported(keyLength))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite",
SR.GetString(SR.UnsupportedKeyLength, keyLength, algorithmSuite.ToString())));
}
if (keyLength % 8 != 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException("algorithmSuite",
SR.GetString(SR.KeyLengthMustBeMultipleOfEight, keyLength)));
}
}
internal bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection<XmlElement> otherRequestParameters)
{
Collection<XmlElement> additionalRequestParameters;
bool flag = false;
bool flag2 = false;
bool flag3 = false;
bool flag4 = false;
bool flag5 = false;
otherRequestParameters = new Collection<XmlElement>();
bool flag6 = false;
if (((standardsManager.TrustVersion == TrustVersion.WSTrust13) && (this.AdditionalRequestParameters.Count == 1)) && ((WSTrustDec2005.DriverDec2005) standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0]))
{
flag6 = true;
additionalRequestParameters = new Collection<XmlElement>();
foreach (XmlElement element in this.AdditionalRequestParameters[0])
{
additionalRequestParameters.Add(element);
}
}
else
{
additionalRequestParameters = this.AdditionalRequestParameters;
}
for (int i = 0; i < additionalRequestParameters.Count; i++)
{
string str;
XmlElement element2 = additionalRequestParameters[i];
if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element2, out str))
{
if (algorithmSuite.DefaultCanonicalizationAlgorithm != str)
{
return false;
}
flag4 = true;
}
else if (standardsManager.TrustDriver.IsSignWithElement(element2, out str))
{
if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultSymmetricSignatureAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricSignatureAlgorithm)))
{
return false;
}
flag = true;
}
else if (standardsManager.TrustDriver.IsEncryptWithElement(element2, out str))
{
if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultEncryptionAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)))
{
return false;
}
flag2 = true;
}
else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element2, out str))
{
if (str != algorithmSuite.DefaultEncryptionAlgorithm)
{
return false;
}
flag3 = true;
}
else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element2, out str))
{
if (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)
{
return false;
}
flag5 = true;
}
else
{
otherRequestParameters.Add(element2);
}
}
if (flag6)
{
otherRequestParameters = this.AdditionalRequestParameters;
}
if (this.keyType == SecurityKeyType.BearerKey)
{
return true;
}
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
return (((flag && flag4) && flag3) && flag2);
}
return (((flag && flag4) && (flag3 && flag2)) && flag5);
}
protected static SymmetricAlgorithm CreateDecryptionAlgorithm(SecurityToken token, string encryptionMethod, SecurityAlgorithmSuite suite)
{
if (encryptionMethod == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("EncryptionMethodMissingInEncryptedData")));
}
suite.EnsureAcceptableEncryptionAlgorithm(encryptionMethod);
SymmetricSecurityKey securityKey = System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token);
if (securityKey == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenCannotCreateSymmetricCrypto", new object[] { token })));
}
suite.EnsureAcceptableDecryptionSymmetricKeySize(securityKey, token);
SymmetricAlgorithm symmetricAlgorithm = securityKey.GetSymmetricAlgorithm(encryptionMethod);
if (symmetricAlgorithm == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToCreateSymmetricAlgorithmFromToken", new object[] { encryptionMethod })));
}
return(symmetricAlgorithm);
}
