private static bool AreTokensEqual(SecurityToken outOfBandToken, SecurityToken replyToken)
{
if ((outOfBandToken is X509SecurityToken) && (replyToken is X509SecurityToken))
{
byte[] certHash = ((X509SecurityToken)outOfBandToken).Certificate.GetCertHash();
byte[] b = ((X509SecurityToken)replyToken).Certificate.GetCertHash();
return(CryptoHelper.IsEqual(certHash, b));
}
return(false);
}
private bool IsMatch(DerivedKeySecurityTokenCache cachedToken, string id, int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, string derivationAlgorithm)
{
if ((((cachedToken.Generation != generation) || (cachedToken.Offset != offset)) || ((cachedToken.Length != length) || !(cachedToken.Label == label))) || !(cachedToken.KeyDerivationAlgorithm == derivationAlgorithm))
{
return(false);
}
if (!cachedToken.IsSourceKeyEqual(tokenToDerive))
{
return(false);
}
return(CryptoHelper.IsEqual(cachedToken.Nonce, nonce) && (cachedToken.SecurityKeys != null));
}
public bool IsSourceKeyEqual(SecurityToken token)
{
if (token.SecurityKeys.Count != 1)
{
return(false);
}
SymmetricSecurityKey key = token.SecurityKeys[0] as SymmetricSecurityKey;
if (key == null)
{
return(false);
}
return(CryptoHelper.IsEqual(this.keyToDerive, key.GetSymmetricKey()));
}
bool IsMatch(DerivedKeySecurityTokenCache cachedToken, string id, int generation, int offset, int length,
string label, byte[] nonce, SecurityToken tokenToDerive, string derivationAlgorithm)
{
if ((cachedToken.Generation == generation) &&
(cachedToken.Offset == offset) &&
(cachedToken.Length == length) &&
(cachedToken.Label == label) &&
(cachedToken.KeyDerivationAlgorithm == derivationAlgorithm))
{
if (!cachedToken.IsSourceKeyEqual(tokenToDerive))
{
return(false);
}
// since derived key token keys are delay initialized during security processing, it may be possible
// that the cached derived key token does not have its keys initialized as yet. If so return false for
// the match so that the framework doesnt try to reference a null key.
return(CryptoHelper.IsEqual(cachedToken.Nonce, nonce) && (cachedToken.SecurityKeys != null));
}
else
{
return(false);
}
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations sentSignatures = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; ++i)
{
if (correlationStates[i].SignatureConfirmations != null)
{
sentSignatures = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (sentSignatures == null)
{
if (receivedConfirmations != null && receivedConfirmations.Count > 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations)));
}
return;
}
bool allSignaturesConfirmed = false;
if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count)
{
bool[] matchingSigIndexes = new bool[sentSignatures.Count];
for (int i = 0; i < sentSignatures.Count; ++i)
{
byte[] sentSignature;
bool wasSentSigEncrypted;
sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted);
for (int j = 0; j < receivedConfirmations.Count; ++j)
{
byte[] receivedSignature;
bool wasReceivedSigEncrypted;
if (matchingSigIndexes[j])
{
continue;
}
receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted);
if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature))
{
matchingSigIndexes[j] = true;
break;
}
}
}
int k;
for (k = 0; k < matchingSigIndexes.Length; ++k)
{
if (!matchingSigIndexes[k])
{
break;
}
}
if (k == matchingSigIndexes.Length)
{
allSignaturesConfirmed = true;
}
}
if (!allSignaturesConfirmed)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed)));
}
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
SecurityToken resolvedToken = null;
for (int i = 0; i < this.tokenCount; i++)
{
if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
{
continue;
}
SecurityToken token = tokens[i].Token;
if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle))
{
resolvedToken = token;
break;
}
else if (tokens[i].TokenParameters == null)
{
// match it according to the allowed reference style
if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
{
resolvedToken = token;
break;
}
}
}
if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
{
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier;
SecurityToken unwrappingToken;
if (this.expectedWrapper != null &&
CheckExternalWrapperMatch(wrappingTokenReference))
{
unwrappingToken = this.expectedWrapper;
}
else
{
unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause);
}
if (unwrappingToken != null)
{
resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken);
}
}
if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
{
resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((resolvedToken != null) && (derivationNonce != null))
{
// A Implicit Derived Key is specified. Create a derived key off of the resolve token.
if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null)
{
// The resolved token contains no Symmetric Security key and thus we cannot create
// a derived key off of it.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
}
int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
if (derivationLength > this.securityHeader.MaxDerivedKeyLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength)));
}
bool alreadyDerived = false;
for (int i = 0; i < this.tokenCount; ++i)
{
DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
if ((derivedKeyToken.Length == derivationLength) &&
(CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) &&
(derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
// This is a implcit derived key for which we have already derived the
// token.
resolvedToken = this.tokens[i].Token;
alreadyDerived = true;
break;
}
}
}
if (!alreadyDerived)
{
string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
this.securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return(resolvedToken);
}
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
{
SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations();
SignatureConfirmations signatureConfirmations = null;
if (correlationStates != null)
{
for (int i = 0; i < correlationStates.Length; i++)
{
if (correlationStates[i].SignatureConfirmations != null)
{
signatureConfirmations = correlationStates[i].SignatureConfirmations;
break;
}
}
}
if (signatureConfirmations == null)
{
if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations")));
}
}
else
{
bool flag = false;
if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count))
{
bool[] flagArray = new bool[signatureConfirmations.Count];
for (int j = 0; j < signatureConfirmations.Count; j++)
{
byte[] buffer;
bool flag2;
signatureConfirmations.GetConfirmation(j, out buffer, out flag2);
for (int k = 0; k < sentSignatureConfirmations.Count; k++)
{
if (!flagArray[k])
{
byte[] buffer2;
bool flag3;
sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3);
if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer))
{
flagArray[k] = true;
break;
}
}
}
}
int index = 0;
while (index < flagArray.Length)
{
if (!flagArray[index])
{
break;
}
index++;
}
if (index == flagArray.Length)
{
flag = true;
}
}
if (!flag)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed")));
}
}
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
SecurityToken token = null;
for (int i = 0; i < this.tokenCount; i++)
{
if (!matchOnlyExternal || (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.External))
{
SecurityToken token2 = this.tokens[i].Token;
if ((this.tokens[i].TokenParameters != null) && this.tokens[i].TokenParameters.MatchesKeyIdentifierClause(token2, keyIdentifierClause, this.tokens[i].AllowedReferenceStyle))
{
token = token2;
break;
}
if (((this.tokens[i].TokenParameters == null) && (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal)) && this.MatchDirectReference(token2, keyIdentifierClause))
{
token = token2;
break;
}
}
}
if ((token == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
{
SecurityToken expectedWrapper;
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier;
if ((this.expectedWrapper != null) && this.CheckExternalWrapperMatch(encryptingKeyIdentifier))
{
expectedWrapper = this.expectedWrapper;
}
else
{
expectedWrapper = this.ResolveToken(encryptingKeyIdentifier, true, resolveIntrinsicKeyClause);
}
if (expectedWrapper != null)
{
token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, expectedWrapper);
}
}
if (((token == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause)) && (!matchOnlyExternal && resolveIntrinsicKeyClause))
{
token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((token != null) && (derivationNonce != null))
{
if (System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token) == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToDeriveKeyFromKeyInfoClause", new object[] { keyIdentifierClause, token })));
}
int length = (keyIdentifierClause.DerivationLength == 0) ? 0x20 : keyIdentifierClause.DerivationLength;
if (length > this.securityHeader.MaxDerivedKeyLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong", new object[] { keyIdentifierClause.ToString(), length, this.securityHeader.MaxDerivedKeyLength })));
}
bool flag = false;
for (int j = 0; j < this.tokenCount; j++)
{
DerivedKeySecurityToken token4 = this.tokens[j].Token as DerivedKeySecurityToken;
if (((token4 != null) && (token4.Length == length)) && (CryptoHelper.IsEqual(token4.Nonce, derivationNonce) && token4.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
token = this.tokens[j].Token;
flag = true;
break;
}
}
if (!flag)
{
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
token = new DerivedKeySecurityToken(-1, 0, length, null, derivationNonce, token, keyIdentifierClause, keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId());
((DerivedKeySecurityToken)token).InitializeDerivedKey(length);
this.Add(token, SecurityTokenReferenceStyle.Internal, null);
this.securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return(token);
}
