Example #1
0
        public SecurityToken GetToken(TimeSpan timeout)
        {
            WstRequestSecurityToken req = new WstRequestSecurityToken();
            BodyWriter body             = new WstRequestSecurityTokenWriter(req, SecurityTokenSerializer);
            Message    msg = Message.CreateMessage(IssuerBinding.MessageVersion, Constants.WstIssueAction, body);
            Message    res = comm.Issue(msg);

            // FIXME: provide SecurityTokenResolver (but from where?)
            using (WSTrustRequestSecurityTokenResponseReader resreader = new WSTrustRequestSecurityTokenResponseReader(null, res.GetReaderAtBodyContents(), SecurityTokenSerializer, null)) {
                WstRequestSecurityTokenResponse rstr = resreader.Read();
                if (rstr.RequestedSecurityToken != null)
                {
                    return(rstr.RequestedSecurityToken);
                }
                throw new NotImplementedException("IssuedSecurityTokenProvider did not see RequestedSecurityToken in the response.");
            }
        }
Example #2
0
        public SecurityToken GetToken(TimeSpan timeout)
        {
            TlsnegoClientSessionContext tlsctx =
                new TlsnegoClientSessionContext();
            TlsClientSession        tls = new TlsClientSession(IssuerAddress.Uri.ToString(), client_certificate, owner.Manager.ClientCredentials.ServiceCertificate.Authentication);
            WstRequestSecurityToken rst =
                new WstRequestSecurityToken();
            string contextId = rst.Context;

            // send ClientHello
            rst.BinaryExchange       = new WstBinaryExchange(Constants.WstBinaryExchangeValueTls);
            rst.BinaryExchange.Value = tls.ProcessClientHello();

            Message request = Message.CreateMessage(IssuerBinding.MessageVersion, Constants.WstIssueAction, rst);

            request.Headers.MessageId = new UniqueId();
            request.Headers.ReplyTo   = new EndpointAddress(Constants.WsaAnonymousUri);
            request.Headers.To        = TargetAddress.Uri;
            MessageBuffer buffer = request.CreateBufferedCopy(0x10000);

            tlsctx.StoreMessage(buffer.CreateMessage().GetReaderAtBodyContents());
            Message response = proxy.Issue(buffer.CreateMessage());

            // FIXME: use correct limitation
            buffer = response.CreateBufferedCopy(0x10000);
            tlsctx.StoreMessage(buffer.CreateMessage().GetReaderAtBodyContents());

            // receive ServerHello
            WSTrustRequestSecurityTokenResponseReader reader =
                new WSTrustRequestSecurityTokenResponseReader(Constants.WstTlsnegoProofTokenType, buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer, null);

            reader.Read();
            if (reader.Value.RequestedSecurityToken != null)
            {
                return(reader.Value.RequestedSecurityToken);
            }

            tls.ProcessServerHello(reader.Value.BinaryExchange.Value);

            // send ClientKeyExchange
            WstRequestSecurityTokenResponse rstr =
                new WstRequestSecurityTokenResponse(SecurityTokenSerializer);

            rstr.Context              = reader.Value.Context;
            rstr.BinaryExchange       = new WstBinaryExchange(Constants.WstBinaryExchangeValueTls);
            rstr.BinaryExchange.Value = tls.ProcessClientKeyExchange();

            request = Message.CreateMessage(IssuerBinding.MessageVersion, Constants.WstIssueReplyAction, rstr);
            request.Headers.ReplyTo = new EndpointAddress(Constants.WsaAnonymousUri);
            request.Headers.To      = TargetAddress.Uri;

            buffer = request.CreateBufferedCopy(0x10000);
            tlsctx.StoreMessage(buffer.CreateMessage().GetReaderAtBodyContents());
//Console.WriteLine (System.Text.Encoding.UTF8.GetString (tlsctx.GetC14NResults ()));

            // FIXME: regeneration of this instance is somehow required, but should not be.
            proxy = new WSTrustSecurityTokenServiceProxy(
                IssuerBinding, IssuerAddress);
            response = proxy.IssueReply(buffer.CreateMessage());
            // FIXME: use correct limitation
            buffer = response.CreateBufferedCopy(0x10000);

            WstRequestSecurityTokenResponseCollection coll =
                new WstRequestSecurityTokenResponseCollection();

            coll.Read(Constants.WstTlsnegoProofTokenType, buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer, null);
            if (coll.Responses.Count != 2)
            {
                throw new SecurityNegotiationException(String.Format("Expected response is RequestSecurityTokenResponseCollection which contains two RequestSecurityTokenResponse items, but it actually contains {0} items", coll.Responses.Count));
            }

            WstRequestSecurityTokenResponse r = coll.Responses [0];

            tls.ProcessServerFinished(r.BinaryExchange.Value);
            SecurityContextSecurityToken sctSrc =
                r.RequestedSecurityToken;

#if false // FIXME: should this final RSTR included in RSTRC considered too?
            XmlDocument doc = new XmlDocument();
            doc.PreserveWhitespace = true;
            using (XmlDictionaryWriter dw = XmlDictionaryWriter.CreateDictionaryWriter(doc.CreateNavigator().AppendChild()))
            {
                if (r == null)
                {
                    throw new Exception("r");
                }
                if (dw == null)
                {
                    throw new Exception("dw");
                }
                r.WriteBodyContents(dw);
            }
            tlsctx.StoreMessage(XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(doc)));
#endif

            // the RequestedProofToken is represented as 32 bytes
            // of TLS ApplicationData.
            // - According to WSE2 doc, it is *the* key, but not
            //   sure it also applies to WCF.
            // - WSS4J also seems to store the encryped shared key.
            // - (Important) It seems that without tls decryption,
            //   .NET fails to recover the key.
            byte [] proof = tls.ProcessApplicationData(
                (byte [])r.RequestedProofToken);
            byte [] key = proof;

            // Authenticate token.

            byte [] actual = coll.Responses [1].Authenticator;
            if (actual == null)
            {
                throw new SecurityNegotiationException("Token authenticator is expected in the RequestSecurityTokenResponse but not found.");
            }

            if (coll.Responses [0].Context != contextId)
            {
                throw new SecurityNegotiationException("The context Id does not match with that of the corresponding token authenticator.");
            }

            // H = sha1(exc14n(RST..RSTRs))
            byte [] hash     = SHA1.Create().ComputeHash(tlsctx.GetC14NResults());
            byte [] referent = tls.CreateHash(key, hash, "AUTH-HASH");
            Console.WriteLine(System.Text.Encoding.ASCII.GetString(tlsctx.GetC14NResults()));
            Console.Write("Hash: ");
            foreach (byte b in hash)
            {
                Console.Write("{0:X02} ", b);
            }
            Console.WriteLine();
            Console.Write("Referent: ");
            foreach (byte b in referent)
            {
                Console.Write("{0:X02} ", b);
            }
            Console.WriteLine();
            Console.Write("Actual: ");
            foreach (byte b in actual)
            {
                Console.Write("{0:X02} ", b);
            }
            Console.WriteLine();
            Console.Write("Proof: ");
            foreach (byte b in proof)
            {
                Console.Write("{0:X02} ", b);
            }
            Console.WriteLine();
            bool mismatch = referent.Length != actual.Length;
            if (!mismatch)
            {
                for (int i = 0; i < referent.Length; i++)
                {
                    if (referent [i] != actual [i])
                    {
                        mismatch = true;
                    }
                }
            }

            if (mismatch)
            {
                throw new SecurityNegotiationException("The CombinedHash does not match the expected value.");
            }

            return(sctSrc);
        }
        public SecurityToken GetToken(TimeSpan timeout)
        {
            bool gss = (TargetAddress.Identity == null);
            SspiClientSession sspi = new SspiClientSession();

            WstRequestSecurityToken rst =
                new WstRequestSecurityToken();

            // send MessageType1
            rst.BinaryExchange = new WstBinaryExchange(Constants.WstBinaryExchangeValueGss);
            // When the TargetAddress does not contain the endpoint
            // identity, then .net seems to use Kerberos instead of
            // raw NTLM.
            if (gss)
            {
                rst.BinaryExchange.Value = sspi.ProcessSpnegoInitialContextTokenRequest();
            }
            else
            {
                rst.BinaryExchange.Value = sspi.ProcessMessageType1();
            }

            Message request = Message.CreateMessage(IssuerBinding.MessageVersion, Constants.WstIssueAction, rst);

            request.Headers.MessageId = new UniqueId();
            request.Headers.ReplyTo   = new EndpointAddress(Constants.WsaAnonymousUri);
            request.Headers.To        = TargetAddress.Uri;
            MessageBuffer buffer = request.CreateBufferedCopy(0x10000);
//			tlsctx.StoreMessage (buffer.CreateMessage ().GetReaderAtBodyContents ());

            // receive MessageType2
            Message response = proxy.Issue(buffer.CreateMessage());

            buffer = response.CreateBufferedCopy(0x10000);
//			tlsctx.StoreMessage (buffer.CreateMessage ().GetReaderAtBodyContents ());

            WSTrustRequestSecurityTokenResponseReader reader =
                new WSTrustRequestSecurityTokenResponseReader(Constants.WstSpnegoProofTokenType, buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer, null);

            reader.Read();

            byte [] raw = reader.Value.BinaryExchange.Value;
            if (gss)
            {
                sspi.ProcessSpnegoInitialContextTokenResponse(raw);
            }
            else
            {
                sspi.ProcessMessageType2(raw);
            }

            // send MessageType3
            WstRequestSecurityTokenResponse rstr =
                new WstRequestSecurityTokenResponse(SecurityTokenSerializer);

            rstr.Context        = reader.Value.Context;
            rstr.BinaryExchange = new WstBinaryExchange(Constants.WstBinaryExchangeValueGss);

            NetworkCredential cred = owner.Manager.ClientCredentials.Windows.ClientCredential;
            string            user = string.IsNullOrEmpty(cred.UserName) ? Environment.UserName : cred.UserName;
            string            pass = cred.Password ?? String.Empty;

            if (gss)
            {
                rstr.BinaryExchange.Value = sspi.ProcessSpnegoProcessContextToken(user, pass);
            }
            else
            {
                rstr.BinaryExchange.Value = sspi.ProcessMessageType3(user, pass);
            }

            request = Message.CreateMessage(IssuerBinding.MessageVersion, Constants.WstIssueReplyAction, rstr);
            request.Headers.MessageId = new UniqueId();
            request.Headers.ReplyTo   = new EndpointAddress(Constants.WsaAnonymousUri);
            request.Headers.To        = TargetAddress.Uri;

            buffer = request.CreateBufferedCopy(0x10000);
//			tlsctx.StoreMessage (buffer.CreateMessage ().GetReaderAtBodyContents ());

            proxy = new WSTrustSecurityTokenServiceProxy(
                IssuerBinding, IssuerAddress);
            response = proxy.IssueReply(buffer.CreateMessage());
            // FIXME: use correct limitation
            buffer = response.CreateBufferedCopy(0x10000);
            // don't store this message for ckhash (it's not part
            // of exchange)
            /* Console.WriteLine (buffer.CreateMessage ()); */


            throw new NotImplementedException();
        }