protected override Stream OnAcceptUpgrade(Stream stream, out SecurityMessageProperty remoteSecurity)
{
SslStream stream2 = new SslStream(stream, false, new RemoteCertificateValidationCallback(this.ValidateRemoteCertificate));
try
{
stream2.AuthenticateAsServer(this.parent.ServerCertificate, this.parent.RequireClientCertificate, SslProtocols.Default, false);
}
catch (AuthenticationException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(exception.Message, exception));
}
catch (IOException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NegotiationFailedIO", new object[] { exception2.Message }), exception2));
}
if (System.ServiceModel.Security.SecurityUtils.ShouldValidateSslCipherStrength())
{
System.ServiceModel.Security.SecurityUtils.ValidateSslCipherStrength(stream2.CipherStrength);
}
remoteSecurity = this.clientSecurity;
if (this.IsChannelBindingSupportEnabled)
{
this.channelBindingToken = ChannelBindingUtility.GetToken(stream2);
}
return stream2;
}
protected virtual void OnVerifyIncomingMessageFailure(Message message, Exception exception)
{
SecurityTraceRecordHelper.TraceVerifyIncomingMessageFailure(this, message);
if ((PerformanceCounters.PerformanceCountersEnabled && (null != this.factory.ListenUri)) && (((exception.GetType() == typeof(MessageSecurityException)) || exception.GetType().IsSubclassOf(typeof(MessageSecurityException))) || ((exception.GetType() == typeof(SecurityTokenException)) || exception.GetType().IsSubclassOf(typeof(SecurityTokenException)))))
{
PerformanceCounters.AuthenticationFailed(message, this.factory.ListenUri);
}
if (AuditLevel.Failure == (this.factory.MessageAuthenticationAuditLevel & AuditLevel.Failure))
{
try
{
string identityNamesFromContext;
SecurityMessageProperty security = message.Properties.Security;
if ((security != null) && (security.ServiceSecurityContext != null))
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(security.ServiceSecurityContext.AuthorizationContext);
}
else
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.factory.AuditLogLocation, this.factory.SuppressAuditFailure, message, message.Headers.To, message.Headers.Action, identityNamesFromContext, exception);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
}
protected void AddSupportingTokenSpecification(SecurityMessageProperty security, IList <SecurityToken> basicTokens, IList <SecurityToken> endorsingTokens, IList <SecurityToken> signedEndorsingTokens, IList <SecurityToken> signedTokens, IDictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
AddSupportingTokenSpecification(security, basicTokens, SecurityTokenAttachmentMode.SignedEncrypted, tokenPoliciesMapping);
AddSupportingTokenSpecification(security, endorsingTokens, SecurityTokenAttachmentMode.Endorsing, tokenPoliciesMapping);
AddSupportingTokenSpecification(security, signedEndorsingTokens, SecurityTokenAttachmentMode.SignedEndorsing, tokenPoliciesMapping);
AddSupportingTokenSpecification(security, signedTokens, SecurityTokenAttachmentMode.Signed, tokenPoliciesMapping);
}
internal bool CheckAccess(EndpointAddress reference, Message message)
{
if (reference == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
}
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
EndpointIdentity identity;
if (!this.TryGetIdentity(reference, out identity))
{
return(false);
}
SecurityMessageProperty securityContextProperty = null;
if (message.Properties != null)
{
securityContextProperty = message.Properties.Security;
}
if (securityContextProperty == null || securityContextProperty.ServiceSecurityContext == null)
{
return(false);
}
return(this.CheckAccess(identity, securityContextProperty.ServiceSecurityContext.AuthorizationContext));
}
public IMessageProperty CreateCopy()
{
ThrowIfDisposed();
SecurityMessageProperty result = new SecurityMessageProperty();
if (this.HasOutgoingSupportingTokens)
{
for (int i = 0; i < _outgoingSupportingTokens.Count; ++i)
{
result.OutgoingSupportingTokens.Add(_outgoingSupportingTokens[i]);
}
}
if (this.HasIncomingSupportingTokens)
{
for (int i = 0; i < _incomingSupportingTokens.Count; ++i)
{
result.IncomingSupportingTokens.Add(_incomingSupportingTokens[i]);
}
}
result._securityContext = _securityContext;
result._externalAuthorizationPolicies = _externalAuthorizationPolicies;
result._senderIdPrefix = _senderIdPrefix;
result._protectionToken = _protectionToken;
result._initiatorToken = _initiatorToken;
result._recipientToken = _recipientToken;
result._transportToken = _transportToken;
return(result);
}
public InitiatorSecureMessageDecryptor (
Message source, SecurityMessageProperty secprop, InitiatorMessageSecurityBindingSupport security)
: base (source, security)
{
this.security = security;
request_security = secprop;
}
public IMessageProperty CreateCopy()
{
this.ThrowIfDisposed();
SecurityMessageProperty property = new SecurityMessageProperty();
if (this.HasOutgoingSupportingTokens)
{
for (int i = 0; i < this.outgoingSupportingTokens.Count; i++)
{
property.OutgoingSupportingTokens.Add(this.outgoingSupportingTokens[i]);
}
}
if (this.HasIncomingSupportingTokens)
{
for (int j = 0; j < this.incomingSupportingTokens.Count; j++)
{
property.IncomingSupportingTokens.Add(this.incomingSupportingTokens[j]);
}
}
property.securityContext = this.securityContext;
property.externalAuthorizationPolicies = this.externalAuthorizationPolicies;
property.senderIdPrefix = this.senderIdPrefix;
property.protectionToken = this.protectionToken;
property.initiatorToken = this.initiatorToken;
property.recipientToken = this.recipientToken;
property.transportToken = this.transportToken;
return property;
}
public IMessageProperty CreateCopy()
{
this.ThrowIfDisposed();
SecurityMessageProperty property = new SecurityMessageProperty();
if (this.HasOutgoingSupportingTokens)
{
for (int i = 0; i < this.outgoingSupportingTokens.Count; i++)
{
property.OutgoingSupportingTokens.Add(this.outgoingSupportingTokens[i]);
}
}
if (this.HasIncomingSupportingTokens)
{
for (int j = 0; j < this.incomingSupportingTokens.Count; j++)
{
property.IncomingSupportingTokens.Add(this.incomingSupportingTokens[j]);
}
}
property.securityContext = this.securityContext;
property.externalAuthorizationPolicies = this.externalAuthorizationPolicies;
property.senderIdPrefix = this.senderIdPrefix;
property.protectionToken = this.protectionToken;
property.initiatorToken = this.initiatorToken;
property.recipientToken = this.recipientToken;
property.transportToken = this.transportToken;
return(property);
}
protected void AttachRecipientSecurityProperty(Message message, IList <SecurityToken> basicTokens, IList <SecurityToken> endorsingTokens, IList <SecurityToken> signedEndorsingTokens, IList <SecurityToken> signedTokens, Dictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(message);
base.AddSupportingTokenSpecification(orCreate, basicTokens, endorsingTokens, signedEndorsingTokens, signedTokens, tokenPoliciesMapping);
orCreate.ServiceSecurityContext = new ServiceSecurityContext(orCreate.GetInitiatorTokenAuthorizationPolicies());
}
protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, AcceleratedTokenProviderState negotiationState)
{
ThrowIfFault(incomingMessage, TargetAddress);
if (incomingMessage.Headers.Action != RequestSecurityTokenResponseAction.Value)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidActionForNegotiationMessage, incomingMessage.Headers.Action)), incomingMessage);
}
// get the claims corresponding to the server
SecurityMessageProperty serverContextProperty = incomingMessage.Properties.Security;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (serverContextProperty != null && serverContextProperty.ServiceSecurityContext != null)
{
authorizationPolicies = serverContextProperty.ServiceSecurityContext.AuthorizationPolicies;
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
RequestSecurityTokenResponse rstr = null;
XmlDictionaryReader bodyReader = incomingMessage.GetReaderAtBodyContents();
using (bodyReader)
{
if (StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005)
{
rstr = RequestSecurityTokenResponse.CreateFrom(StandardsManager, bodyReader);
}
else if (StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrust13)
{
RequestSecurityTokenResponseCollection rstrc = StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader);
foreach (RequestSecurityTokenResponse rstrItem in rstrc.RstrCollection)
{
if (rstr != null)
{
// More than one RSTR is found. So throw an exception.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.MoreThanOneRSTRInRSTRC));
}
rstr = rstrItem;
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
incomingMessage.ReadFromBodyContentsToEnd(bodyReader);
}
if (rstr.Context != negotiationState.Context)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.BadSecurityNegotiationContext), incomingMessage);
}
byte[] keyEntropy = negotiationState.GetRequestorEntropy();
GenericXmlSecurityToken serviceToken = rstr.GetIssuedToken(null, null, _keyEntropyMode, keyEntropy, SecurityContextTokenUri, authorizationPolicies, SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false);
negotiationState.SetServiceToken(serviceToken);
return(null);
}
private GenericXmlSecurityToken ExtractToken(Message response, object requestState)
{
// get the claims corresponding to the server
SecurityMessageProperty serverContextProperty = response.Properties.Security;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (serverContextProperty != null && serverContextProperty.ServiceSecurityContext != null)
{
authorizationPolicies = serverContextProperty.ServiceSecurityContext.AuthorizationPolicies;
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
RequestSecurityTokenResponse rstr = null;
XmlDictionaryReader bodyReader = response.GetReaderAtBodyContents();
using (bodyReader)
{
if (StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005)
{
rstr = StandardsManager.TrustDriver.CreateRequestSecurityTokenResponse(bodyReader);
}
else if (StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrust13)
{
RequestSecurityTokenResponseCollection rstrc = StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader);
foreach (RequestSecurityTokenResponse rstrItem in rstrc.RstrCollection)
{
if (rstr != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.MoreThanOneRSTRInRSTRC));
}
rstr = rstrItem;
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
response.ReadFromBodyContentsToEnd(bodyReader);
}
byte[] requestorEntropy;
if (requestState != null)
{
requestorEntropy = (byte[])requestState;
}
else
{
requestorEntropy = null;
}
GenericXmlSecurityToken issuedToken = rstr.GetIssuedToken(null, null, KeyEntropyMode, requestorEntropy, _sctUri, authorizationPolicies, SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false);
return(issuedToken);
}
// helper method for attaching the server claims in a symmetric security protocol
protected void DoIdentityCheckAndAttachInitiatorSecurityProperty(Message message, SecurityToken protectionToken, ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies)
{
AuthorizationContext protectionAuthContext = EnsureIncomingIdentity(message, protectionToken, protectionTokenPolicies);
SecurityMessageProperty security = SecurityMessageProperty.GetOrCreate(message);
security.ProtectionToken = new SecurityTokenSpecification(protectionToken, protectionTokenPolicies);
security.ServiceSecurityContext = new ServiceSecurityContext(protectionAuthContext, protectionTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
protected SingletonConnectionReader(IConnection connection, int offset, int size, SecurityMessageProperty security, IConnectionOrientedTransportFactorySettings transportSettings, Uri via)
{
this.connection = connection;
this.offset = offset;
this.size = size;
this.security = security;
this.transportSettings = transportSettings;
this.via = via;
}
void DoIdentityCheckAndAttachInitiatorSecurityProperty(Message message, SecurityToken initiatorToken, SecurityToken recipientToken, ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies)
{
AuthorizationContext recipientAuthorizationContext = base.EnsureIncomingIdentity(message, recipientToken, recipientTokenPolicies);
SecurityMessageProperty security = SecurityMessageProperty.GetOrCreate(message);
security.InitiatorToken = (initiatorToken != null) ? new SecurityTokenSpecification(initiatorToken, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance) : null;
security.RecipientToken = new SecurityTokenSpecification(recipientToken, recipientTokenPolicies);
security.ServiceSecurityContext = new ServiceSecurityContext(recipientAuthorizationContext, recipientTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
private static void SetSecurityHeaderId(SendSecurityHeader securityHeader, Message message)
{
SecurityMessageProperty messageProperty = message.Properties.Security;
if (messageProperty != null)
{
securityHeader.IdPrefix = messageProperty.SenderIdPrefix;
}
}
private void AttachRecipientSecurityProperty(Message message, SecurityToken initiatorToken, SecurityToken recipientToken, IList <SecurityToken> basicTokens, IList <SecurityToken> endorsingTokens, IList <SecurityToken> signedEndorsingTokens, IList <SecurityToken> signedTokens, Dictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(message);
orCreate.InitiatorToken = (initiatorToken != null) ? new SecurityTokenSpecification(initiatorToken, tokenPoliciesMapping[initiatorToken]) : null;
orCreate.RecipientToken = (recipientToken != null) ? new SecurityTokenSpecification(recipientToken, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance) : null;
base.AddSupportingTokenSpecification(orCreate, basicTokens, endorsingTokens, signedEndorsingTokens, signedTokens, tokenPoliciesMapping);
orCreate.ServiceSecurityContext = new ServiceSecurityContext(orCreate.GetInitiatorTokenAuthorizationPolicies());
}
public SecurityTokenSpecificationEnumerable(SecurityMessageProperty securityMessageProperty)
{
if (securityMessageProperty == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityMessageProperty");
}
_securityMessageProperty = securityMessageProperty;
}
protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, AcceleratedTokenProviderState negotiationState)
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
IssuanceTokenProviderBase <AcceleratedTokenProviderState> .ThrowIfFault(incomingMessage, base.TargetAddress);
if (incomingMessage.Headers.Action != this.RequestSecurityTokenResponseAction.Value)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidActionForNegotiationMessage", new object[] { incomingMessage.Headers.Action })), incomingMessage);
}
SecurityMessageProperty security = incomingMessage.Properties.Security;
if ((security != null) && (security.ServiceSecurityContext != null))
{
authorizationPolicies = security.ServiceSecurityContext.AuthorizationPolicies;
}
else
{
authorizationPolicies = System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
RequestSecurityTokenResponse response = null;
XmlDictionaryReader readerAtBodyContents = incomingMessage.GetReaderAtBodyContents();
using (readerAtBodyContents)
{
if (base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005)
{
response = RequestSecurityTokenResponse.CreateFrom(base.StandardsManager, readerAtBodyContents);
}
else
{
if (base.StandardsManager.MessageSecurityVersion.TrustVersion != TrustVersion.WSTrust13)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
foreach (RequestSecurityTokenResponse response2 in base.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(readerAtBodyContents).RstrCollection)
{
if (response != null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("MoreThanOneRSTRInRSTRC")));
}
response = response2;
}
}
incomingMessage.ReadFromBodyContentsToEnd(readerAtBodyContents);
}
if (response.Context != negotiationState.Context)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("BadSecurityNegotiationContext")), incomingMessage);
}
byte[] requestorEntropy = negotiationState.GetRequestorEntropy();
GenericXmlSecurityToken serviceToken = response.GetIssuedToken(null, null, this.keyEntropyMode, requestorEntropy, base.SecurityContextTokenUri, authorizationPolicies, base.SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false);
negotiationState.SetServiceToken(serviceToken);
return(null);
}
private void AddSupportingTokenSpecification(SecurityMessageProperty security, IList <SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
if ((tokens != null) && (tokens.Count != 0))
{
for (int i = 0; i < tokens.Count; i++)
{
security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode));
}
}
}
public static SecurityMessageProperty GetOrCreate(Message message)
{
SecurityMessageProperty s = message.Properties.Security;
if (s == null)
{
s = new SecurityMessageProperty();
message.Properties.Security = s;
}
return(s);
}
void AddSupportingTokenSpecification(SecurityMessageProperty security, IList <SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
if (tokens == null || tokens.Count == 0)
{
return;
}
for (int i = 0; i < tokens.Count; ++i)
{
security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode));
}
}
public static void AddSupportingToken(Message message, RequestSecurityTokenResponse rstr)
{
GenericXmlSecurityToken token = rstr.GetIssuedToken(null, null, SecurityKeyEntropyMode.ServerEntropy, null, null, null);
SecurityMessageProperty property = new SecurityMessageProperty();
SupportingTokenSpecification item = new SupportingTokenSpecification(token, new List<IAuthorizationPolicy>().AsReadOnly(), SecurityTokenAttachmentMode.Endorsing, SecurityContextSecurityTokenParameters);
property.OutgoingSupportingTokens.Add(item);
message.Properties.Security = property;
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Attached supporting token {0} to register message", rstr.Context);
}
}
protected SingletonConnectionReader(IConnection connection, int offset, int size, SecurityMessageProperty security,
IConnectionOrientedTransportFactorySettings transportSettings, Uri via)
{
Contract.Assert(connection != null);
_connection = connection;
_offset = offset;
_size = size;
_security = security;
_transportSettings = transportSettings;
_via = via;
}
protected SessionConnectionReader(IConnection connection, IConnection rawConnection,
int offset, int size, SecurityMessageProperty security)
{
_offset = offset;
_size = size;
if (size > 0)
{
_buffer = connection.AsyncReadBuffer;
}
_connection = connection;
_rawConnection = rawConnection;
_security = security;
}
protected SessionConnectionReader(IConnection connection, IConnection rawConnection, int offset, int size, SecurityMessageProperty security)
{
this.offset = offset;
this.size = size;
if (size > 0)
{
this.buffer = connection.AsyncReadBuffer;
}
this.connection = connection;
this.rawConnection = rawConnection;
this.onAsyncReadComplete = new WaitCallback(this.OnAsyncReadComplete);
this.security = security;
}
private GenericXmlSecurityToken ExtractToken(Message response, object requestState)
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
byte[] buffer;
SecurityMessageProperty security = response.Properties.Security;
if ((security != null) && (security.ServiceSecurityContext != null))
{
authorizationPolicies = security.ServiceSecurityContext.AuthorizationPolicies;
}
else
{
authorizationPolicies = System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
RequestSecurityTokenResponse response2 = null;
XmlDictionaryReader readerAtBodyContents = response.GetReaderAtBodyContents();
using (readerAtBodyContents)
{
if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005)
{
response2 = this.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponse(readerAtBodyContents);
}
else
{
if (this.StandardsManager.MessageSecurityVersion.TrustVersion != TrustVersion.WSTrust13)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
foreach (RequestSecurityTokenResponse response3 in this.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(readerAtBodyContents).RstrCollection)
{
if (response2 != null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("MoreThanOneRSTRInRSTRC")));
}
response2 = response3;
}
}
response.ReadFromBodyContentsToEnd(readerAtBodyContents);
}
if (requestState != null)
{
buffer = (byte[])requestState;
}
else
{
buffer = null;
}
return(response2.GetIssuedToken(null, null, this.KeyEntropyMode, buffer, this.sctUri, authorizationPolicies, this.SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false));
}
private void CompleteAuthenticateAsClient(IAsyncResult result)
{
try
{
this.upgradedStream = this.OnCompleteAuthenticateAsClient(result);
}
catch (AuthenticationException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(exception.Message, exception));
}
catch (IOException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NegotiationFailedIO", new object[] { exception2.Message }), exception2));
}
this.remoteSecurity = this.ValidateCreateSecurity();
}
protected virtual Message CreateRenewRequest(EndpointAddress target, SecurityToken currentSessionToken, out object requestState)
{
this.CommunicationObject.ThrowIfClosedOrNotOpen();
RequestSecurityToken rst = CreateRst(target, out requestState);
rst.RequestType = this.StandardsManager.TrustDriver.RequestTypeRenew;
rst.RenewTarget = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(currentSessionToken, SecurityTokenReferenceStyle.External);
rst.MakeReadOnly();
Message result = Message.CreateMessage(this.MessageVersion, ActionHeader.Create(this.RenewAction, this.MessageVersion.Addressing), rst);
SecurityMessageProperty supportingTokenProperty = new SecurityMessageProperty();
supportingTokenProperty.OutgoingSupportingTokens.Add(new SupportingTokenSpecification(currentSessionToken, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, this.IssuedSecurityTokenParameters));
result.Properties.Security = supportingTokenProperty;
PrepareRequest(result);
return(result);
}
public override SecurityMessageProperty GetRemoteSecurity()
{
if (this.clientSecurity.TransportToken != null)
{
return this.clientSecurity;
}
if (this.clientCertificate != null)
{
SecurityToken token = new X509SecurityToken(this.clientCertificate);
ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies = System.ServiceModel.Security.SecurityUtils.NonValidatingX509Authenticator.ValidateToken(token);
this.clientSecurity = new SecurityMessageProperty();
this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies);
this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
return this.clientSecurity;
}
return base.GetRemoteSecurity();
}
protected virtual Message CreateRenewRequest(EndpointAddress target, SecurityToken currentSessionToken, out object requestState)
{
base.CommunicationObject.ThrowIfClosedOrNotOpen();
RequestSecurityToken body = this.CreateRst(target, out requestState);
body.RequestType = this.StandardsManager.TrustDriver.RequestTypeRenew;
body.RenewTarget = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(currentSessionToken, SecurityTokenReferenceStyle.External);
body.MakeReadOnly();
Message message = Message.CreateMessage(this.MessageVersion, ActionHeader.Create(this.RenewAction, this.MessageVersion.Addressing), body);
SecurityMessageProperty property = new SecurityMessageProperty {
OutgoingSupportingTokens = { new SupportingTokenSpecification(currentSessionToken, System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, this.IssuedSecurityTokenParameters) }
};
message.Properties.Security = property;
this.PrepareRequest(message);
return(message);
}
protected void AttachRecipientSecurityProperty(Message message, SecurityToken protectionToken, bool isWrappedToken, IList <SecurityToken> basicTokens, IList <SecurityToken> endorsingTokens, IList <SecurityToken> signedEndorsingTokens, IList <SecurityToken> signedTokens, Dictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
ReadOnlyCollection <IAuthorizationPolicy> instance;
if (isWrappedToken)
{
instance = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
else
{
instance = tokenPoliciesMapping[protectionToken];
}
SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(message);
orCreate.ProtectionToken = new SecurityTokenSpecification(protectionToken, instance);
base.AddSupportingTokenSpecification(orCreate, basicTokens, endorsingTokens, signedEndorsingTokens, signedTokens, tokenPoliciesMapping);
orCreate.ServiceSecurityContext = new ServiceSecurityContext(orCreate.GetInitiatorTokenAuthorizationPolicies());
}
internal IConnection SendPreamble(IConnection connection, ref TimeoutHelper timeoutHelper,
ClientFramingDecoder decoder, out SecurityMessageProperty remoteSecurity)
{
connection.Write(Preamble, 0, Preamble.Length, true, timeoutHelper.RemainingTime());
if (_upgrade != null)
{
IStreamUpgradeChannelBindingProvider channelBindingProvider = _upgrade.GetProperty<IStreamUpgradeChannelBindingProvider>();
StreamUpgradeInitiator upgradeInitiator = _upgrade.CreateUpgradeInitiator(this.RemoteAddress, this.Via);
if (!ConnectionUpgradeHelper.InitiateUpgrade(upgradeInitiator, ref connection, decoder,
this, ref timeoutHelper))
{
ConnectionUpgradeHelper.DecodeFramingFault(decoder, connection, Via, _messageEncoder.ContentType, ref timeoutHelper);
}
#if FEATURE_CORECLR // ExtendedProtection
if (channelBindingProvider != null && channelBindingProvider.IsChannelBindingSupportEnabled)
{
_channelBindingToken = channelBindingProvider.GetChannelBinding(upgradeInitiator, ChannelBindingKind.Endpoint);
}
#endif // FEATURE_CORECLR // ExtendedProtection
remoteSecurity = StreamSecurityUpgradeInitiator.GetRemoteSecurity(upgradeInitiator);
connection.Write(ClientSingletonEncoder.PreambleEndBytes, 0,
ClientSingletonEncoder.PreambleEndBytes.Length, true, timeoutHelper.RemainingTime());
}
else
{
remoteSecurity = null;
}
// read ACK
byte[] ackBuffer = new byte[1];
int ackBytesRead = connection.Read(ackBuffer, 0, ackBuffer.Length, timeoutHelper.RemainingTime());
if (!ConnectionUpgradeHelper.ValidatePreambleResponse(ackBuffer, ackBytesRead, decoder, this.Via))
{
ConnectionUpgradeHelper.DecodeFramingFault(decoder, connection, Via, _messageEncoder.ContentType, ref timeoutHelper);
}
return connection;
}
public static SecurityMessageProperty GetOrCreate(Message message)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
SecurityMessageProperty security = null;
if (message.Properties != null)
{
security = message.Properties.Security;
}
if (security == null)
{
security = new SecurityMessageProperty();
message.Properties.Security = security;
}
return(security);
}
void CompleteAuthenticateAsServer(IAsyncResult result)
{
try
{
this.upgradedStream = this.OnCompleteAuthenticateAsServer(result);
}
catch (AuthenticationException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(exception.Message,
exception));
}
catch (IOException ioException)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(
SR.GetString(SR.NegotiationFailedIO, ioException.Message), ioException));
}
this.remoteSecurity = this.ValidateCreateSecurity();
}
protected virtual void OnVerifyIncomingMessageFailure(Message message, Exception exception)
{
SecurityTraceRecordHelper.TraceVerifyIncomingMessageFailure(this, message);
if (PerformanceCounters.PerformanceCountersEnabled && null != this.factory.ListenUri) //service side
{
if ((exception.GetType() == typeof(MessageSecurityException) || exception.GetType().IsSubclassOf(typeof(MessageSecurityException))) ||
(exception.GetType() == typeof(SecurityTokenException) || exception.GetType().IsSubclassOf(typeof(SecurityTokenException))))
{
PerformanceCounters.AuthenticationFailed(message, this.factory.ListenUri);
}
}
if (AuditLevel.Failure == (this.factory.MessageAuthenticationAuditLevel & AuditLevel.Failure))
{
try
{
SecurityMessageProperty security = message.Properties.Security;
string primaryIdentity;
if (security != null && security.ServiceSecurityContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(security.ServiceSecurityContext.AuthorizationContext);
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.factory.AuditLogLocation,
this.factory.SuppressAuditFailure, message, message.Headers.To, message.Headers.Action, primaryIdentity, exception);
}
#pragma warning suppress 56500
catch (Exception auditException)
{
if (Fx.IsFatal(auditException))
{
throw;
}
DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
}
}
}
internal void AddMessageSupportingTokens(Message message, ref IList <SupportingTokenSpecification> supportingTokens)
{
SecurityMessageProperty security = message.Properties.Security;
if ((security != null) && security.HasOutgoingSupportingTokens)
{
if (supportingTokens == null)
{
supportingTokens = new Collection <SupportingTokenSpecification>();
}
for (int i = 0; i < security.OutgoingSupportingTokens.Count; i++)
{
SupportingTokenSpecification item = security.OutgoingSupportingTokens[i];
if (item.SecurityTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("SenderSideSupportingTokensMustSpecifySecurityTokenParameters")));
}
supportingTokens.Add(item);
}
}
}
internal void AddMessageSupportingTokens(Message message, ref IList <SupportingTokenSpecification> supportingTokens)
{
SecurityMessageProperty supportingTokensProperty = message.Properties.Security;
if (supportingTokensProperty != null && supportingTokensProperty.HasOutgoingSupportingTokens)
{
if (supportingTokens == null)
{
supportingTokens = new Collection <SupportingTokenSpecification>();
}
for (int i = 0; i < supportingTokensProperty.OutgoingSupportingTokens.Count; ++i)
{
SupportingTokenSpecification spec = supportingTokensProperty.OutgoingSupportingTokens[i];
if (spec.SecurityTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SenderSideSupportingTokensMustSpecifySecurityTokenParameters)));
}
supportingTokens.Add(spec);
}
}
}
public static SecurityMessageProperty GetOrCreate(Message message)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(message));
}
SecurityMessageProperty result = null;
if (message.Properties != null)
{
result = message.Properties.Security;
}
if (result == null)
{
result = new SecurityMessageProperty();
message.Properties.Security = result;
}
return(result);
}
public Message SecureMessage ()
{
secprop = Message.Properties.Security ?? new SecurityMessageProperty ();
SecurityToken encToken =
secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken;
// FIXME: it might be still incorrect.
SecurityToken signToken =
Parameters == CounterParameters ? null :
security.SigningToken;
MessageProtectionOrder protectionOrder =
security.MessageProtectionOrder;
SecurityTokenSerializer serializer =
security.TokenSerializer;
SecurityBindingElement element =
security.Element;
SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite;
// FIXME: remove this hack
if (!ShouldOutputEncryptedKey)
encToken = new BinarySecretSecurityToken (secprop.EncryptionKey);
string messageId = "uuid-" + Guid.NewGuid ();
int identForMessageId = 1;
XmlDocument doc = new XmlDocument ();
doc.PreserveWhitespace = true;
UniqueId relatesTo = RelatesTo;
if (relatesTo != null)
msg.Headers.RelatesTo = relatesTo;
else // FIXME: probably it is always added when it is stateful ?
msg.Headers.MessageId = new UniqueId ("urn:" + messageId);
// FIXME: get correct ReplyTo value
if (Direction == MessageDirection.Input)
msg.Headers.ReplyTo = new EndpointAddress (Constants.WsaAnonymousUri);
if (MessageTo != null)
msg.Headers.To = MessageTo.Uri;
// wss:Security
WSSecurityMessageHeader header =
new WSSecurityMessageHeader (serializer);
msg.Headers.Add (header);
// 1. [Timestamp]
if (element.IncludeTimestamp) {
WsuTimestamp timestamp = new WsuTimestamp ();
timestamp.Id = messageId + "-" + identForMessageId++;
timestamp.Created = DateTime.Now;
// FIXME: on service side, use element.LocalServiceSettings.TimestampValidityDuration
timestamp.Expires = timestamp.Created.Add (element.LocalClientSettings.TimestampValidityDuration);
header.AddContent (timestamp);
}
XmlNamespaceManager nsmgr = new XmlNamespaceManager (doc.NameTable);
nsmgr.AddNamespace ("s", msg.Version.Envelope.Namespace);
nsmgr.AddNamespace ("o", Constants.WssNamespace);
nsmgr.AddNamespace ("u", Constants.WsuNamespace);
nsmgr.AddNamespace ("o11", Constants.Wss11Namespace);
/*WrappedKey*/SecurityToken primaryToken = null;
DerivedKeySecurityToken dkeyToken = null;
SecurityToken actualToken = null;
SecurityKeyIdentifierClause actualClause = null;
Signature sig = null;
List<DerivedKeySecurityToken> derivedKeys =
new List<DerivedKeySecurityToken> ();
SymmetricAlgorithm masterKey = new RijndaelManaged ();
masterKey.KeySize = suite.DefaultSymmetricKeyLength;
masterKey.Mode = CipherMode.CBC;
masterKey.Padding = PaddingMode.ISO10126;
SymmetricAlgorithm actualKey = masterKey;
// 2. [Encryption Token]
// SecurityTokenInclusionMode
// - Initiator or Recipient
// - done or notyet. FIXME: not implemented yet
// It also affects on key reference output
bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken (
Security.RecipientParameters.InclusionMode, false);
bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken (
Security.InitiatorParameters.InclusionMode, false);
SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ?
CounterParameters.CallCreateKeyIdentifierClause (encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null;
MessagePartSpecification sigSpec = SignaturePart;
MessagePartSpecification encSpec = EncryptionPart;
// encryption key (possibly also used for signing)
// FIXME: get correct SymmetricAlgorithm according to the algorithm suite
if (secprop.EncryptionKey != null)
actualKey.Key = secprop.EncryptionKey;
// FIXME: remove thid hack
if (!ShouldOutputEncryptedKey)
primaryToken = RequestContext.RequestMessage.Properties.Security.ProtectionToken.SecurityToken as WrappedKeySecurityToken;
else
primaryToken =
// FIXME: remove this hack?
encToken is SecurityContextSecurityToken ? encToken :
new WrappedKeySecurityToken (messageId + "-" + identForMessageId++,
actualKey.Key,
// security.DefaultKeyWrapAlgorithm,
Parameters.InternalHasAsymmetricKey ?
suite.DefaultAsymmetricKeyWrapAlgorithm :
suite.DefaultSymmetricKeyWrapAlgorithm,
encToken,
encClause != null ? new SecurityKeyIdentifier (encClause) : null);
// If it reuses request's encryption key, do not output.
if (ShouldOutputEncryptedKey)
header.AddContent (primaryToken);
actualToken = primaryToken;
// FIXME: I doubt it is correct...
WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken;
actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause)
new LocalIdKeyIdentifierClause (actualToken.Id, typeof (WrappedKeySecurityToken)) :
new InternalEncryptedKeyIdentifierClause (SHA1.Create ().ComputeHash (requestEncKey.GetWrappedKey ()));
// generate derived key if needed
if (CounterParameters.RequireDerivedKeys) {
RijndaelManaged deriv = new RijndaelManaged ();
deriv.KeySize = suite.DefaultEncryptionKeyDerivationLength;
deriv.Mode = CipherMode.CBC;
deriv.Padding = PaddingMode.ISO10126;
deriv.GenerateKey ();
dkeyToken = new DerivedKeySecurityToken (
GenerateId (doc),
null, // algorithm
actualClause,
new InMemorySymmetricSecurityKey (actualKey.Key),
null, // name
null, // generation
null, // offset
deriv.Key.Length,
null, // label
deriv.Key);
derivedKeys.Add (dkeyToken);
actualToken = dkeyToken;
actualKey.Key = ((SymmetricSecurityKey) dkeyToken.SecurityKeys [0]).GetSymmetricKey ();
actualClause = new LocalIdKeyIdentifierClause (dkeyToken.Id);
header.AddContent (dkeyToken);
}
ReferenceList refList = new ReferenceList ();
// When encrypted with DerivedKeyToken, put references
// immediately after the derived token (not inside the
// primary token).
// Similarly, when we do not output EncryptedKey,
// output ReferenceList in the same way.
if (CounterParameters.RequireDerivedKeys ||
!ShouldOutputEncryptedKey)
header.AddContent (refList);
else
((WrappedKeySecurityToken) primaryToken).ReferenceList = refList;
// [Signature Confirmation]
if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0)
foreach (string value in secprop.ConfirmedSignatures)
header.AddContent (new Wss11SignatureConfirmation (GenerateId (doc), value));
SupportingTokenInfoCollection tokenInfos =
Direction == MessageDirection.Input ?
security.CollectSupportingTokens (GetAction ()) :
new SupportingTokenInfoCollection (); // empty
foreach (SupportingTokenInfo tinfo in tokenInfos)
header.AddContent (tinfo.Token);
// populate DOM to sign.
XPathNavigator nav = doc.CreateNavigator ();
using (XmlWriter w = nav.AppendChild ()) {
msg.WriteMessage (w);
}
XmlElement body = doc.SelectSingleNode ("/s:Envelope/s:Body/*", nsmgr) as XmlElement;
string bodyId = null;
XmlElement secElem = null;
Collection<WSSignedXml> endorsedSignatures =
new Collection<WSSignedXml> ();
bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature);
// Below are o:Security contents that are not signed...
if (includeSigToken && signToken != null)
header.AddContent (signToken);
switch (protectionOrder) {
case MessageProtectionOrder.EncryptBeforeSign:
// FIXME: implement
throw new NotImplementedException ();
case MessageProtectionOrder.SignBeforeEncrypt:
case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature:
// sign
// see clause 8 of WS-SecurityPolicy C.2.2
WSSignedXml sxml = new WSSignedXml (doc);
SecurityTokenReferenceKeyInfo sigKeyInfo;
sig = sxml.Signature;
sig.SignedInfo.CanonicalizationMethod =
suite.DefaultCanonicalizationAlgorithm;
foreach (XmlElement elem in doc.SelectNodes ("/s:Envelope/s:Header/o:Security/u:Timestamp", nsmgr))
CreateReference (sig, elem, elem.GetAttribute ("Id", Constants.WsuNamespace));
foreach (XmlElement elem in doc.SelectNodes ("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr))
CreateReference (sig, elem, elem.GetAttribute ("Id", Constants.WsuNamespace));
foreach (SupportingTokenInfo tinfo in tokenInfos)
if (tinfo.Mode != SecurityTokenAttachmentMode.Endorsing) {
XmlElement el = sxml.GetIdElement (doc, tinfo.Token.Id);
CreateReference (sig, el, el.GetAttribute ("Id", Constants.WsuNamespace));
}
XmlNodeList nodes = doc.SelectNodes ("/s:Envelope/s:Header/*", nsmgr);
for (int i = 0; i < msg.Headers.Count; i++) {
MessageHeaderInfo h = msg.Headers [i];
if (h.Name == "Security" && h.Namespace == Constants.WssNamespace)
secElem = nodes [i] as XmlElement;
else if (sigSpec.HeaderTypes.Count == 0 ||
sigSpec.HeaderTypes.Contains (new XmlQualifiedName (h.Name, h.Namespace))) {
string id = GenerateId (doc);
h.Id = id;
CreateReference (sig, nodes [i] as XmlElement, id);
}
}
if (sigSpec.IsBodyIncluded) {
bodyId = GenerateId (doc);
CreateReference (sig, body.ParentNode as XmlElement, bodyId);
}
if (security.DefaultSignatureAlgorithm == SignedXml.XmlDsigHMACSHA1Url) {
// FIXME: use appropriate hash algorithm
sxml.ComputeSignature (new HMACSHA1 (actualKey.Key));
sigKeyInfo = new SecurityTokenReferenceKeyInfo (actualClause, serializer, doc);
}
else {
SecurityKeyIdentifierClause signClause =
CounterParameters.CallCreateKeyIdentifierClause (signToken, includeSigToken ? CounterParameters.ReferenceStyle : SecurityTokenReferenceStyle.External);
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey) signToken.ResolveKeyIdentifierClause (signClause);
sxml.SigningKey = signKey.GetAsymmetricAlgorithm (security.DefaultSignatureAlgorithm, true);
sxml.ComputeSignature ();
sigKeyInfo = new SecurityTokenReferenceKeyInfo (signClause, serializer, doc);
}
sxml.KeyInfo = new KeyInfo ();
sxml.KeyInfo.AddClause (sigKeyInfo);
if (!signatureProtection)
header.AddContent (sig);
// endorse the signature with (signed)endorsing
// supporting tokens.
foreach (SupportingTokenInfo tinfo in tokenInfos) {
switch (tinfo.Mode) {
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
if (sxml.Signature.Id == null) {
sig.Id = GenerateId (doc);
secElem.AppendChild (sxml.GetXml ());
}
WSSignedXml ssxml = new WSSignedXml (doc);
ssxml.Signature.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm;
CreateReference (ssxml.Signature, doc, sig.Id);
SecurityToken sst = tinfo.Token;
SecurityKey ssk = sst.SecurityKeys [0]; // FIXME: could be different?
SecurityKeyIdentifierClause tclause = new LocalIdKeyIdentifierClause (sst.Id); // FIXME: could be different?
if (ssk is SymmetricSecurityKey) {
SymmetricSecurityKey signKey = (SymmetricSecurityKey) ssk;
ssxml.ComputeSignature (signKey.GetKeyedHashAlgorithm (suite.DefaultSymmetricSignatureAlgorithm));
} else {
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey) ssk;
ssxml.SigningKey = signKey.GetAsymmetricAlgorithm (suite.DefaultAsymmetricSignatureAlgorithm, true);
ssxml.ComputeSignature ();
}
ssxml.KeyInfo.AddClause (new SecurityTokenReferenceKeyInfo (tclause, serializer, doc));
if (!signatureProtection)
header.AddContent (ssxml.Signature);
endorsedSignatures.Add (ssxml);
break;
}
}
// encrypt
WSEncryptedXml exml = new WSEncryptedXml (doc);
EncryptedData edata = Encrypt (body, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement (body, edata, false);
// encrypt signature
if (signatureProtection) {
XmlElement sigxml = sig.GetXml ();
edata = Encrypt (sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent (edata);
foreach (WSSignedXml ssxml in endorsedSignatures) {
sigxml = ssxml.GetXml ();
edata = Encrypt (sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent (edata);
}
if (security.RequireSignatureConfirmation) {
Collection<Wss11SignatureConfirmation> confs = header.FindAll<Wss11SignatureConfirmation> ();
int count = 0;
foreach (XmlElement elem in doc.SelectNodes ("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) {
edata = Encrypt (elem, actualKey, confs [count].Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement (elem, edata, false);
header.Contents.Insert (header.Contents.IndexOf (confs [count]), edata);
header.Contents.Remove (confs [count++]);
}
}
}
// encrypt Encrypted supporting tokens
foreach (SupportingTokenInfo tinfo in tokenInfos) {
if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted) {
XmlElement el = exml.GetIdElement (doc, tinfo.Token.Id);
tinfo.Encrypted = Encrypt (el, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement (el, tinfo.Encrypted, false);
header.Contents.Insert (header.Contents.IndexOf (tinfo.Token), tinfo.Encrypted);
header.Contents.Remove (tinfo.Token);
}
}
break;
}
Message ret = new WSSecurityMessage (Message.CreateMessage (msg.Version, msg.Headers.Action, new XmlNodeReader (doc.SelectSingleNode ("/s:Envelope/s:Body/*", nsmgr) as XmlElement)), bodyId);
ret.Properties.Security = (SecurityMessageProperty) secprop.CreateCopy ();
ret.Properties.Security.EncryptionKey = masterKey.Key;
// FIXME: can we support TransportToken here?
if (element is AsymmetricSecurityBindingElement) {
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification (encToken, null); // FIXME: second argument
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification (signToken, null); // FIXME: second argument
}
else
ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification (primaryToken, null);
ret.Headers.Clear ();
ret.Headers.CopyHeadersFrom (msg);
// Header contents are:
// - Timestamp
// - SignatureConfirmation if required
// - EncryptionToken if included
// - derived key token for EncryptionToken
// - ReferenceList for encrypted items
// - signed supporting tokens
// - signed endorsing supporting tokens
// (i.e. Signed/SignedEncrypted/SignedEndorsing)
// - Signature Token if different from enc token.
// - derived key token for sig token if different
// - Signature for:
// - Timestamp
// - supporting tokens (regardless of
// its inclusion)
// - message parts in SignedParts
// - SignatureToken if TokenProtection
// (regardless of its inclusion)
// - Signatures for the main signature (above),
// for every endorsing token and signed
// endorsing token.
//
//MessageBuffer zzz = ret.CreateBufferedCopy (100000);
//ret = zzz.CreateMessage ();
//Console.WriteLine (zzz.CreateMessage ());
return ret;
}
public static Stream End(IAsyncResult result, out SecurityMessageProperty remoteSecurity)
{
StreamSecurityUpgradeAcceptorAsyncResult thisPtr = AsyncResult.End<StreamSecurityUpgradeAcceptorAsyncResult>(result);
remoteSecurity = thisPtr.remoteSecurity;
return thisPtr.upgradedStream;
}
protected override IAsyncResult OnBeginRequest (Message message, TimeSpan timeout, AsyncCallback callback, object state)
{
// FIXME: make it really async
Message secure = SecureMessage (message);
secprop = secure.Properties.Security;
return base.BeginRequest (secure, timeout, callback, state);
}
public static Stream End(IAsyncResult result, out SecurityMessageProperty remoteSecurity, out ChannelBinding channelBinding)
{
Stream stream = StreamSecurityUpgradeInitiatorAsyncResult.End(result, out remoteSecurity);
channelBinding = ((SslStreamSecurityUpgradeInitiator.InitiateUpgradeAsyncResult) result).channelBindingToken;
return stream;
}
private IConnection SendPreamble(IConnection connection, ref TimeoutHelper timeoutHelper, ClientFramingDecoder decoder, out SecurityMessageProperty remoteSecurity)
{
connection.Write(this.Preamble, 0, this.Preamble.Length, true, timeoutHelper.RemainingTime());
if (this.upgrade != null)
{
IStreamUpgradeChannelBindingProvider property = this.upgrade.GetProperty<IStreamUpgradeChannelBindingProvider>();
StreamUpgradeInitiator upgradeInitiator = this.upgrade.CreateUpgradeInitiator(base.RemoteAddress, base.Via);
if (!ConnectionUpgradeHelper.InitiateUpgrade(upgradeInitiator, ref connection, decoder, this, ref timeoutHelper))
{
ConnectionUpgradeHelper.DecodeFramingFault(decoder, connection, base.Via, this.messageEncoder.ContentType, ref timeoutHelper);
}
if ((property != null) && property.IsChannelBindingSupportEnabled)
{
this.channelBindingToken = property.GetChannelBinding(upgradeInitiator, ChannelBindingKind.Endpoint);
}
remoteSecurity = StreamSecurityUpgradeInitiator.GetRemoteSecurity(upgradeInitiator);
connection.Write(ClientSingletonEncoder.PreambleEndBytes, 0, ClientSingletonEncoder.PreambleEndBytes.Length, true, timeoutHelper.RemainingTime());
}
else
{
remoteSecurity = null;
}
byte[] buffer = new byte[1];
int count = connection.Read(buffer, 0, buffer.Length, timeoutHelper.RemainingTime());
if (!ConnectionUpgradeHelper.ValidatePreambleResponse(buffer, count, decoder, base.Via))
{
ConnectionUpgradeHelper.DecodeFramingFault(decoder, connection, base.Via, this.messageEncoder.ContentType, ref timeoutHelper);
}
return connection;
}
/// <summary>
/// Converts a given set of WCF IAuthorizationPolicy to WIF ClaimIdentities.
/// </summary>
/// <param name="authorizationPolicies">Set of AuthorizationPolicies to convert to IDFx.</param>
/// <param name="securityTokenHandlerCollection">The SecurityTokenHandlerCollection to use.</param>
/// <returns>ClaimsIdentityCollection</returns>
static ReadOnlyCollection <ClaimsIdentity> ConvertToIDFxIdentities(IList <IAuthorizationPolicy> authorizationPolicies,
SecurityTokenHandlerCollection securityTokenHandlerCollection)
{
if (authorizationPolicies == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies");
}
if (securityTokenHandlerCollection == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityTokenHandlerCollection");
}
List <ClaimsIdentity> identities = new List <ClaimsIdentity>();
SecurityTokenSpecification kerberosTokenSpecification = null;
SysAuthorizationContext kerberosAuthContext = null;
if ((OperationContext.Current != null) &&
(OperationContext.Current.IncomingMessageProperties != null) &&
(OperationContext.Current.IncomingMessageProperties.Security != null))
{
SecurityMessageProperty securityMessageProperty = OperationContext.Current.IncomingMessageProperties.Security;
foreach (SecurityTokenSpecification tokenSpecification in new SecurityTokenSpecificationEnumerable(securityMessageProperty))
{
if (tokenSpecification.SecurityToken is KerberosReceiverSecurityToken)
{
kerberosTokenSpecification = tokenSpecification;
kerberosAuthContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(kerberosTokenSpecification.SecurityTokenPolicies);
break;
}
}
}
bool hasKerberosTokenPolicyMatched = false;
foreach (IAuthorizationPolicy policy in authorizationPolicies)
{
bool authPolicyHandled = false;
if ((kerberosTokenSpecification != null) && !hasKerberosTokenPolicyMatched)
{
if (kerberosTokenSpecification.SecurityTokenPolicies.Contains(policy))
{
hasKerberosTokenPolicyMatched = true;
}
else
{
SysAuthorizationContext authContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(new List <IAuthorizationPolicy>()
{
policy
});
// Kerberos creates only one ClaimSet. So any more ClaimSet would mean that this is not a Policy created from Kerberos.
if (authContext.ClaimSets.Count == 1)
{
bool allClaimsMatched = true;
foreach (System.IdentityModel.Claims.Claim c in authContext.ClaimSets[0])
{
if (!kerberosAuthContext.ClaimSets[0].ContainsClaim(c))
{
allClaimsMatched = false;
break;
}
}
hasKerberosTokenPolicyMatched = allClaimsMatched;
}
}
if (hasKerberosTokenPolicyMatched)
{
SecurityTokenHandler tokenHandler = securityTokenHandlerCollection[kerberosTokenSpecification.SecurityToken];
if ((tokenHandler != null) && tokenHandler.CanValidateToken)
{
identities.AddRange(tokenHandler.ValidateToken(kerberosTokenSpecification.SecurityToken));
authPolicyHandled = true;
}
}
}
if (!authPolicyHandled)
{
SysAuthorizationContext defaultAuthContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(new List <IAuthorizationPolicy>()
{
policy
});
//
// Merge all ClaimSets to IClaimsIdentity.
//
identities.Add(ConvertToIDFxIdentity(defaultAuthContext.ClaimSets, securityTokenHandlerCollection.Configuration));
}
}
return(identities.AsReadOnly());
}
protected abstract Stream OnAcceptUpgrade(Stream stream, out SecurityMessageProperty remoteSecurity);
protected abstract Stream OnEndAcceptUpgrade(IAsyncResult result,
out SecurityMessageProperty remoteSecurity);
public RecipientMessageSecurityGenerator (
Message msg,
SecurityMessageProperty requestSecProp,
RecipientMessageSecurityBindingSupport security)
: base (msg, security)
{
this.security = security;
SecurityMessageProperty secprop =
(SecurityMessageProperty) requestSecProp.CreateCopy ();
msg.Properties.Security = secprop;
}
public Message SecureMessage ()
{
secprop = Message.Properties.Security ?? new SecurityMessageProperty ();
SecurityToken encToken =
secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken;
// FIXME: it might be still incorrect.
SecurityToken signToken =
Parameters == CounterParameters ? null :
security.SigningToken;
MessageProtectionOrder protectionOrder =
security.MessageProtectionOrder;
SecurityBindingElement element =
security.Element;
SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite;
string messageId = "uuid-" + Guid.NewGuid ();
int identForMessageId = 1;
XmlDocument doc = new XmlDocument ();
doc.PreserveWhitespace = true;
var action = msg.Headers.Action;
if (msg.Version.Addressing != AddressingVersion.None) {
AddAddressingToHeader (msg.Headers);
}
// wss:Security
WSSecurityMessageHeader header =
new WSSecurityMessageHeader (security.TokenSerializer);
msg.Headers.Add (header);
// 1. [Timestamp]
if (element.IncludeTimestamp) {
AddTimestampToHeader (header, messageId + "-" + identForMessageId++);
}
XmlNamespaceManager nsmgr = new XmlNamespaceManager (doc.NameTable);
nsmgr.AddNamespace ("s", msg.Version.Envelope.Namespace);
nsmgr.AddNamespace ("o", Constants.WssNamespace);
nsmgr.AddNamespace ("u", Constants.WsuNamespace);
nsmgr.AddNamespace ("o11", Constants.Wss11Namespace);
/*WrappedKey*/SecurityToken primaryToken = null;
SecurityToken actualToken = null;
SecurityKeyIdentifierClause actualClause = null;
SymmetricAlgorithm masterKey = new RijndaelManaged ();
masterKey.KeySize = suite.DefaultSymmetricKeyLength;
masterKey.Mode = CipherMode.CBC;
masterKey.Padding = PaddingMode.ISO10126;
SymmetricAlgorithm actualKey = masterKey;
// 2. [Encryption Token]
// SecurityTokenInclusionMode
// - Initiator or Recipient
// - done or notyet. FIXME: not implemented yet
// It also affects on key reference output
bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken (
Security.RecipientParameters.InclusionMode, false);
bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken (
Security.InitiatorParameters.InclusionMode, false);
SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ?
CounterParameters.CallCreateKeyIdentifierClause (encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null;
MessagePartSpecification encSpec = EncryptionPart;
// encryption key (possibly also used for signing)
// FIXME: get correct SymmetricAlgorithm according to the algorithm suite
if (secprop.EncryptionKey != null)
actualKey.Key = secprop.EncryptionKey;
// FIXME: remove thid hack
if (!ShouldOutputEncryptedKey)
primaryToken = secprop.ProtectionToken.SecurityToken as WrappedKeySecurityToken;
else
primaryToken =
// FIXME: remove this hack?
encToken is SecurityContextSecurityToken ? encToken :
new WrappedKeySecurityToken (messageId + "-" + identForMessageId++,
actualKey.Key,
// security.DefaultKeyWrapAlgorithm,
Parameters.InternalHasAsymmetricKey ?
suite.DefaultAsymmetricKeyWrapAlgorithm :
suite.DefaultSymmetricKeyWrapAlgorithm,
encToken,
encClause != null ? new SecurityKeyIdentifier (encClause) : null);
// If it reuses request's encryption key, do not output.
if (ShouldOutputEncryptedKey)
header.AddContent (primaryToken);
actualToken = primaryToken;
// FIXME: I doubt it is correct...
WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken;
actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause)
new LocalIdKeyIdentifierClause (actualToken.Id, typeof (WrappedKeySecurityToken)) :
new InternalEncryptedKeyIdentifierClause (SHA1.Create ().ComputeHash (requestEncKey.GetWrappedKey ()));
// generate derived key if needed
if (CounterParameters.RequireDerivedKeys) {
var dkeyToken = CreateDerivedKey (GenerateId (doc), actualClause, actualKey);
actualToken = dkeyToken;
actualKey.Key = ((SymmetricSecurityKey)dkeyToken.SecurityKeys [0]).GetSymmetricKey ();
actualClause = new LocalIdKeyIdentifierClause (dkeyToken.Id);
header.AddContent (dkeyToken);
}
ReferenceList refList = new ReferenceList ();
// When encrypted with DerivedKeyToken, put references
// immediately after the derived token (not inside the
// primary token).
// Similarly, when we do not output EncryptedKey,
// output ReferenceList in the same way.
if (CounterParameters.RequireDerivedKeys ||
!ShouldOutputEncryptedKey)
header.AddContent (refList);
else
((WrappedKeySecurityToken) primaryToken).ReferenceList = refList;
// [Signature Confirmation]
if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0)
foreach (string value in secprop.ConfirmedSignatures)
header.AddContent (new Wss11SignatureConfirmation (GenerateId (doc), value));
SupportingTokenInfoCollection tokenInfos =
Direction == MessageDirection.Input ?
security.CollectSupportingTokens (GetAction ()) :
new SupportingTokenInfoCollection (); // empty
foreach (SupportingTokenInfo tinfo in tokenInfos)
header.AddContent (tinfo.Token);
// populate DOM to sign.
XPathNavigator nav = doc.CreateNavigator ();
using (XmlWriter w = nav.AppendChild ()) {
msg.WriteMessage (w);
}
XmlElement body = doc.SelectSingleNode ("/s:Envelope/s:Body/*", nsmgr) as XmlElement;
string bodyId = null;
Collection<WSSignedXml> endorsedSignatures =
new Collection<WSSignedXml> ();
bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature);
// Below are o:Security contents that are not signed...
if (includeSigToken && signToken != null)
header.AddContent (signToken);
switch (protectionOrder) {
case MessageProtectionOrder.EncryptBeforeSign:
// FIXME: implement
throw new NotImplementedException ();
case MessageProtectionOrder.SignBeforeEncrypt:
case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature:
var sig = CreateSignature (doc, body, nsmgr, tokenInfos,
actualClause, actualKey, signToken, includeSigToken,
signatureProtection, header, endorsedSignatures,
ref bodyId);
// encrypt
WSEncryptedXml exml = new WSEncryptedXml (doc);
EncryptedData edata = Encrypt (body, actualKey, actualToken.Id, refList, actualClause, exml, doc, EncryptedXml.XmlEncElementContentUrl);
EncryptedXml.ReplaceElement (body, edata, false);
// encrypt signature
if (signatureProtection) {
XmlElement sigxml = sig.GetXml ();
edata = Encrypt (sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc, EncryptedXml.XmlEncElementUrl);
header.AddContent (edata);
foreach (WSSignedXml ssxml in endorsedSignatures) {
sigxml = ssxml.GetXml ();
edata = Encrypt (sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc, EncryptedXml.XmlEncElementUrl);
header.AddContent (edata);
}
if (security.RequireSignatureConfirmation) {
Collection<Wss11SignatureConfirmation> confs = header.FindAll<Wss11SignatureConfirmation> ();
int count = 0;
foreach (XmlElement elem in doc.SelectNodes ("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) {
edata = Encrypt (elem, actualKey, confs [count].Id, refList, actualClause, exml, doc, EncryptedXml.XmlEncElementUrl);
EncryptedXml.ReplaceElement (elem, edata, false);
header.Contents.Insert (header.Contents.IndexOf (confs [count]), edata);
header.Contents.Remove (confs [count++]);
}
}
}
// encrypt Encrypted supporting tokens
foreach (SupportingTokenInfo tinfo in tokenInfos) {
if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted) {
XmlElement el = exml.GetIdElement (doc, tinfo.Token.Id);
tinfo.Encrypted = Encrypt (el, actualKey, actualToken.Id, refList, actualClause, exml, doc, EncryptedXml.XmlEncElementUrl);
EncryptedXml.ReplaceElement (el, tinfo.Encrypted, false);
header.Contents.Insert (header.Contents.IndexOf (tinfo.Token), tinfo.Encrypted);
header.Contents.Remove (tinfo.Token);
}
}
break;
}
Message ret = new WSSecurityMessage (Message.CreateMessage (msg.Version, action, new XmlNodeReader (doc.SelectSingleNode ("/s:Envelope/s:Body/*", nsmgr) as XmlElement)), bodyId);
ret.Properties.Security = (SecurityMessageProperty) secprop.CreateCopy ();
ret.Properties.Security.EncryptionKey = masterKey.Key;
// FIXME: can we support TransportToken here?
if (element is AsymmetricSecurityBindingElement) {
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification (encToken, null); // FIXME: second argument
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification (signToken, null); // FIXME: second argument
}
else
ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification (primaryToken, null);
ret.Headers.Clear ();
ret.Headers.CopyHeadersFrom (msg);
// Header contents are:
// - Timestamp
// - SignatureConfirmation if required
// - EncryptionToken if included
// - derived key token for EncryptionToken
// - ReferenceList for encrypted items
// - signed supporting tokens
// - signed endorsing supporting tokens
// (i.e. Signed/SignedEncrypted/SignedEndorsing)
// - Signature Token if different from enc token.
// - derived key token for sig token if different
// - Signature for:
// - Timestamp
// - supporting tokens (regardless of
// its inclusion)
// - message parts in SignedParts
// - SignatureToken if TokenProtection
// (regardless of its inclusion)
// - Signatures for the main signature (above),
// for every endorsing token and signed
// endorsing token.
//
//MessageBuffer zzz = ret.CreateBufferedCopy (100000);
//ret = zzz.CreateMessage ();
//Console.WriteLine (zzz.CreateMessage ());
return ret;
}
protected override BodyWriter ProcessRequestSecurityToken(Message request, RequestSecurityToken requestSecurityToken, out NegotiationTokenAuthenticatorState negotiationState)
{
if (request == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
}
if (requestSecurityToken == null)
{
throw TraceUtility.ThrowHelperArgumentNull("requestSecurityToken", request);
}
try
{
if (requestSecurityToken.RequestType != null && requestSecurityToken.RequestType != this.StandardsManager.TrustDriver.RequestTypeIssue)
{
throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidRstRequestType, requestSecurityToken.RequestType)), request);
}
if (requestSecurityToken.TokenType != null && requestSecurityToken.TokenType != this.SecurityContextTokenUri)
{
throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.CannotIssueRstTokenType, requestSecurityToken.TokenType)), request);
}
EndpointAddress appliesTo;
DataContractSerializer appliesToSerializer;
string appliesToName;
string appliesToNamespace;
requestSecurityToken.GetAppliesToQName(out appliesToName, out appliesToNamespace);
if (appliesToName == AddressingStrings.EndpointReference && appliesToNamespace == request.Version.Addressing.Namespace)
{
if (request.Version.Addressing == AddressingVersion.WSAddressing10)
{
appliesToSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), DataContractSerializerDefaults.MaxItemsInObjectGraph);
appliesTo = requestSecurityToken.GetAppliesTo <EndpointAddress10>(appliesToSerializer).ToEndpointAddress();
}
else if (request.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
appliesToSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), DataContractSerializerDefaults.MaxItemsInObjectGraph);
appliesTo = requestSecurityToken.GetAppliesTo <EndpointAddressAugust2004>(appliesToSerializer).ToEndpointAddress();
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, request.Version.Addressing)));
}
}
else
{
appliesTo = null;
appliesToSerializer = null;
}
if (this.shouldMatchRstWithEndpointFilter)
{
SecurityUtils.MatchRstWithEndpointFilter(request, this.EndpointFilterTable, this.ListenUri);
}
int issuedKeySize;
byte[] issuerEntropy;
byte[] proofKey;
SecurityToken proofToken;
WSTrust.Driver.ProcessRstAndIssueKey(requestSecurityToken, null, this.KeyEntropyMode, this.SecurityAlgorithmSuite,
out issuedKeySize, out issuerEntropy, out proofKey, out proofToken);
UniqueId contextId = SecurityUtils.GenerateUniqueId();
string id = SecurityUtils.GenerateId();
DateTime effectiveTime = DateTime.UtcNow;
DateTime expirationTime = TimeoutHelper.Add(effectiveTime, this.ServiceTokenLifetime);
// ensure that a SecurityContext is present in the message
SecurityMessageProperty securityProperty = request.Properties.Security;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (securityProperty != null)
{
authorizationPolicies = SecuritySessionSecurityTokenAuthenticator.CreateSecureConversationPolicies(securityProperty, expirationTime);
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
SecurityContextSecurityToken serviceToken = this.IssueSecurityContextToken(contextId, id, proofKey, effectiveTime, expirationTime, authorizationPolicies,
this.EncryptStateInServiceToken);
if (this.preserveBootstrapTokens)
{
serviceToken.BootstrapMessageProperty = (securityProperty == null) ? null : (SecurityMessageProperty)securityProperty.CreateCopy();
SecurityUtils.ErasePasswordInUsernameTokenIfPresent(serviceToken.BootstrapMessageProperty);
}
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(this.StandardsManager);
rstr.Context = requestSecurityToken.Context;
rstr.KeySize = issuedKeySize;
rstr.RequestedUnattachedReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
rstr.RequestedAttachedReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);
rstr.TokenType = this.SecurityContextTokenUri;
rstr.RequestedSecurityToken = serviceToken;
if (issuerEntropy != null)
{
rstr.SetIssuerEntropy(issuerEntropy);
rstr.ComputeKey = true;
}
if (proofToken != null)
{
rstr.RequestedProofToken = proofToken;
}
if (appliesTo != null)
{
if (request.Version.Addressing == AddressingVersion.WSAddressing10)
{
rstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(appliesTo), appliesToSerializer);
}
else if (request.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
rstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(appliesTo), appliesToSerializer);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, request.Version.Addressing)));
}
}
rstr.MakeReadOnly();
negotiationState = new NegotiationTokenAuthenticatorState();
negotiationState.SetServiceToken(serviceToken);
if (this.StandardsManager.MessageSecurityVersion.SecureConversationVersion == SecureConversationVersion.WSSecureConversationFeb2005)
{
return(rstr);
}
else if (this.StandardsManager.MessageSecurityVersion.SecureConversationVersion == SecureConversationVersion.WSSecureConversation13)
{
List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(1);
rstrList.Add(rstr);
RequestSecurityTokenResponseCollection rstrCollection = new RequestSecurityTokenResponseCollection(rstrList, this.StandardsManager);
return(rstrCollection);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
finally
{
SecuritySessionSecurityTokenAuthenticator.RemoveCachedTokensIfRequired(request.Properties.Security);
}
}
protected override BodyWriter ProcessRequestSecurityToken(Message request, RequestSecurityToken requestSecurityToken, out NegotiationTokenAuthenticatorState negotiationState)
{
BodyWriter writer;
if (request == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
}
if (requestSecurityToken == null)
{
throw TraceUtility.ThrowHelperArgumentNull("requestSecurityToken", request);
}
try
{
EndpointAddress address;
DataContractSerializer serializer;
string str;
string str2;
int num;
byte[] buffer;
byte[] buffer2;
SecurityToken token;
ReadOnlyCollection <IAuthorizationPolicy> instance;
if ((requestSecurityToken.RequestType != null) && (requestSecurityToken.RequestType != base.StandardsManager.TrustDriver.RequestTypeIssue))
{
throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidRstRequestType", new object[] { requestSecurityToken.RequestType })), request);
}
if ((requestSecurityToken.TokenType != null) && (requestSecurityToken.TokenType != base.SecurityContextTokenUri))
{
throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("CannotIssueRstTokenType", new object[] { requestSecurityToken.TokenType })), request);
}
requestSecurityToken.GetAppliesToQName(out str, out str2);
if ((str == "EndpointReference") && (str2 == request.Version.Addressing.Namespace))
{
if (request.Version.Addressing != AddressingVersion.WSAddressing10)
{
if (request.Version.Addressing != AddressingVersion.WSAddressingAugust2004)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { request.Version.Addressing })));
}
serializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), 0x10000);
address = requestSecurityToken.GetAppliesTo <EndpointAddressAugust2004>(serializer).ToEndpointAddress();
}
else
{
serializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), 0x10000);
address = requestSecurityToken.GetAppliesTo <EndpointAddress10>(serializer).ToEndpointAddress();
}
}
else
{
address = null;
serializer = null;
}
if (this.shouldMatchRstWithEndpointFilter)
{
System.ServiceModel.Security.SecurityUtils.MatchRstWithEndpointFilter(request, base.EndpointFilterTable, base.ListenUri);
}
WSTrust.Driver.ProcessRstAndIssueKey(requestSecurityToken, null, this.KeyEntropyMode, base.SecurityAlgorithmSuite, out num, out buffer, out buffer2, out token);
UniqueId contextId = System.ServiceModel.Security.SecurityUtils.GenerateUniqueId();
string id = System.ServiceModel.Security.SecurityUtils.GenerateId();
DateTime utcNow = DateTime.UtcNow;
DateTime expirationTime = TimeoutHelper.Add(utcNow, base.ServiceTokenLifetime);
SecurityMessageProperty security = request.Properties.Security;
if (security != null)
{
instance = SecuritySessionSecurityTokenAuthenticator.CreateSecureConversationPolicies(security, expirationTime);
}
else
{
instance = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
SecurityContextSecurityToken token2 = base.IssueSecurityContextToken(contextId, id, buffer2, utcNow, expirationTime, instance, base.EncryptStateInServiceToken);
if (this.preserveBootstrapTokens)
{
token2.BootstrapMessageProperty = (security == null) ? null : ((SecurityMessageProperty)security.CreateCopy());
System.ServiceModel.Security.SecurityUtils.ErasePasswordInUsernameTokenIfPresent(token2.BootstrapMessageProperty);
}
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(base.StandardsManager)
{
Context = requestSecurityToken.Context,
KeySize = num,
RequestedUnattachedReference = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token2, SecurityTokenReferenceStyle.External),
RequestedAttachedReference = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token2, SecurityTokenReferenceStyle.Internal),
TokenType = base.SecurityContextTokenUri,
RequestedSecurityToken = token2
};
if (buffer != null)
{
response.SetIssuerEntropy(buffer);
response.ComputeKey = true;
}
if (token != null)
{
response.RequestedProofToken = token;
}
if (address != null)
{
if (request.Version.Addressing != AddressingVersion.WSAddressing10)
{
if (request.Version.Addressing != AddressingVersion.WSAddressingAugust2004)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { request.Version.Addressing })));
}
response.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(address), serializer);
}
else
{
response.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(address), serializer);
}
}
response.MakeReadOnly();
negotiationState = new NegotiationTokenAuthenticatorState();
negotiationState.SetServiceToken(token2);
if (base.StandardsManager.MessageSecurityVersion.SecureConversationVersion == SecureConversationVersion.WSSecureConversationFeb2005)
{
return(response);
}
if (base.StandardsManager.MessageSecurityVersion.SecureConversationVersion != SecureConversationVersion.WSSecureConversation13)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
RequestSecurityTokenResponseCollection responses = new RequestSecurityTokenResponseCollection(new List <RequestSecurityTokenResponse>(1)
{
response
}, base.StandardsManager);
writer = responses;
}
finally
{
SecuritySessionSecurityTokenAuthenticator.RemoveCachedTokensIfRequired(request.Properties.Security);
}
return(writer);
}
public static IConnection End(IAsyncResult result, out SecurityMessageProperty remoteSecurity)
{
SendPreambleAsyncResult thisPtr = AsyncResult.End<SendPreambleAsyncResult>(result);
remoteSecurity = thisPtr.remoteSecurity;
return thisPtr.connection;
}
public static IConnection End(IAsyncResult result, out SecurityMessageProperty remoteSecurity)
{
StreamedFramingRequestChannel.StreamedConnectionPoolHelper.SendPreambleAsyncResult result2 = AsyncResult.End<StreamedFramingRequestChannel.StreamedConnectionPoolHelper.SendPreambleAsyncResult>(result);
remoteSecurity = result2.remoteSecurity;
return result2.connection;
}
protected override Stream OnEndInitiateUpgrade(IAsyncResult result, out SecurityMessageProperty remoteSecurity)
{
return InitiateUpgradeAsyncResult.End(result, out remoteSecurity, out this.channelBindingToken);
}
private bool HandleUpgrade(IAsyncResult result)
{
this.connection = ConnectionUpgradeHelper.EndInitiateUpgrade(result);
if ((this.channelBindingProvider != null) && this.channelBindingProvider.IsChannelBindingSupportEnabled)
{
this.channel.channelBindingToken = this.channelBindingProvider.GetChannelBinding(this.upgradeInitiator, ChannelBindingKind.Endpoint);
}
this.remoteSecurity = StreamSecurityUpgradeInitiator.GetRemoteSecurity(this.upgradeInitiator);
this.upgradeInitiator = null;
if (onWritePreambleEnd == null)
{
onWritePreambleEnd = Fx.ThunkCallback(new AsyncCallback(StreamedFramingRequestChannel.StreamedConnectionPoolHelper.SendPreambleAsyncResult.OnWritePreambleEnd));
}
IAsyncResult result2 = this.connection.BeginWrite(ClientSingletonEncoder.PreambleEndBytes, 0, ClientSingletonEncoder.PreambleEndBytes.Length, true, this.timeoutHelper.RemainingTime(), onWritePreambleEnd, this);
if (!result2.CompletedSynchronously)
{
return false;
}
this.connection.EndWrite(result2);
return this.ReadPreambleAck();
}
protected override Stream OnInitiateUpgrade(Stream stream, out SecurityMessageProperty remoteSecurity)
{
X509CertificateCollection clientCertificates = null;
LocalCertificateSelectionCallback userCertificateSelectionCallback = null;
if (this.clientToken != null)
{
clientCertificates = new X509CertificateCollection();
clientCertificates.Add(this.clientToken.Certificate);
userCertificateSelectionCallback = ClientCertificateSelectionCallback;
}
SslStream stream2 = new SslStream(stream, false, new RemoteCertificateValidationCallback(this.ValidateRemoteCertificate), userCertificateSelectionCallback);
try
{
stream2.AuthenticateAsClient(string.Empty, clientCertificates, SslProtocols.Default, false);
}
catch (SecurityTokenValidationException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(exception.Message, exception));
}
catch (AuthenticationException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(exception2.Message, exception2));
}
catch (IOException exception3)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NegotiationFailedIO", new object[] { exception3.Message }), exception3));
}
if (System.ServiceModel.Security.SecurityUtils.ShouldValidateSslCipherStrength())
{
System.ServiceModel.Security.SecurityUtils.ValidateSslCipherStrength(stream2.CipherStrength);
}
remoteSecurity = this.serverSecurity;
if (this.IsChannelBindingSupportEnabled)
{
this.channelBindingToken = ChannelBindingUtility.GetToken(stream2);
}
return stream2;
}
public static SecurityMessageProperty GetOrCreate(Message message)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
SecurityMessageProperty security = null;
if (message.Properties != null)
{
security = message.Properties.Security;
}
if (security == null)
{
security = new SecurityMessageProperty();
message.Properties.Security = security;
}
return security;
}
private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 certificate2 = new X509Certificate2(certificate);
SecurityToken token = new X509SecurityToken(certificate2, false);
ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies = this.serverCertificateAuthenticator.ValidateToken(token);
this.serverSecurity = new SecurityMessageProperty();
this.serverSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies);
this.serverSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
AuthorizationContext authorizationContext = this.serverSecurity.ServiceSecurityContext.AuthorizationContext;
this.parent.IdentityVerifier.EnsureOutgoingIdentity(base.RemoteAddress, base.Via, authorizationContext);
return true;
}
bool HandleUpgrade(IAsyncResult result)
{
connection = ConnectionUpgradeHelper.EndInitiateUpgrade(result);
if (this.channelBindingProvider != null && this.channelBindingProvider.IsChannelBindingSupportEnabled)
{
this.channel.channelBindingToken = this.channelBindingProvider.GetChannelBinding(this.upgradeInitiator, ChannelBindingKind.Endpoint);
}
this.remoteSecurity = StreamSecurityUpgradeInitiator.GetRemoteSecurity(this.upgradeInitiator);
this.upgradeInitiator = null; // we're done with the initiator
if (onWritePreambleEnd == null)
{
onWritePreambleEnd = Fx.ThunkCallback(new WaitCallback(OnWritePreambleEnd));
}
AsyncCompletionResult writePreambleResult = connection.BeginWrite(
ClientSingletonEncoder.PreambleEndBytes, 0, ClientSingletonEncoder.PreambleEndBytes.Length, true,
timeoutHelper.RemainingTime(), onWritePreambleEnd, this);
if (writePreambleResult == AsyncCompletionResult.Queued)
{
return false;
}
connection.EndWrite();
return ReadPreambleAck();
}
Message ProcessReply (Message message, SecurityMessageProperty secprop)
{
// FIXME: provide correct parameters
return message.IsFault ? message : new InitiatorSecureMessageDecryptor (message, secprop, security).DecryptMessage ();
}
