public static MessagePartSpecification MessagePartSpecificationWsc()
{
// Liberty framework header
var libertyFrameworkQualifiedName = new XmlQualifiedName(Common.Constants.LibBas.HeaderName,
Common.Constants.LibBas.HeaderNameSpace);
// WS-Addressing headers. This logic only checks if a given header is part of the signature. It does not fail if the header is not present.
// Checking if a header is present is done in the message inspectors.
// MessageID is not automatically set in the response by WCF. Hence, a custom check is necessary to ensure that it is present and is part of the signature.
// Instead of only checking MessageID all WS-Addressing headers specified by [LIB-BAS] has been included ... just to be sure.
// Required by [LIB-BAS]
var wsAddressingMessageIdQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingMessageId,
WsAdressing.WsAdressing10NameSpace);
var wsAddressingActionQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingAction,
WsAdressing.WsAdressing10NameSpace);
var wsAddressingRelatesToQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingRelatesTo,
WsAdressing.WsAdressing10NameSpace);
var wsAddressingToQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingTo, WsAdressing.WsAdressing10NameSpace); // This one is optional according to [LIB-BAS]
var part = new MessagePartSpecification(libertyFrameworkQualifiedName, wsAddressingMessageIdQualifiedName,
wsAddressingActionQualifiedName, wsAddressingRelatesToQualifiedName, wsAddressingToQualifiedName);
// Setting IsBodyIncluded to true ensures that the body is always signed. Required by [LIB-BAS]
part.IsBodyIncluded = true;
return(part);
}
private void ImportProtectionAssertions(ICollection <XmlElement> assertions, out MessagePartSpecification signedParts, out MessagePartSpecification encryptedParts)
{
WSSecurityPolicy policy;
signedParts = null;
encryptedParts = null;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out policy))
{
XmlElement element;
if (!policy.TryImportWsspEncryptedPartsAssertion(assertions, out encryptedParts, out element) && (element != null))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UnsupportedSecurityPolicyAssertion", new object[] { element.OuterXml })));
}
if (!policy.TryImportWsspSignedPartsAssertion(assertions, out signedParts, out element) && (element != null))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UnsupportedSecurityPolicyAssertion", new object[] { element.OuterXml })));
}
}
if (encryptedParts == null)
{
encryptedParts = MessagePartSpecification.NoParts;
}
if (signedParts == null)
{
signedParts = MessagePartSpecification.NoParts;
}
}
private ChannelProtectionRequirements GetProtectionRequirements()
{
if (!this.Transactions && (this.IssuedTokens == TransactionFlowOption.NotAllowed))
{
return(null);
}
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
if (this.Transactions)
{
MessagePartSpecification specification = new MessagePartSpecification(new XmlQualifiedName[] { new XmlQualifiedName("CoordinationContext", "http://schemas.xmlsoap.org/ws/2004/10/wscoor"), new XmlQualifiedName("CoordinationContext", "http://docs.oasis-open.org/ws-tx/wscoor/2006/06"), new XmlQualifiedName("OleTxTransaction", "http://schemas.microsoft.com/ws/2006/02/tx/oletx") });
specification.MakeReadOnly();
requirements.IncomingSignatureParts.AddParts(specification);
requirements.OutgoingSignatureParts.AddParts(specification);
requirements.IncomingEncryptionParts.AddParts(specification);
requirements.OutgoingEncryptionParts.AddParts(specification);
}
if (this.IssuedTokens != TransactionFlowOption.NotAllowed)
{
MessagePartSpecification issuedTokenHeaderSpecification = GetIssuedTokenHeaderSpecification(SecurityStandardsManager.DefaultInstance);
issuedTokenHeaderSpecification.MakeReadOnly();
requirements.IncomingSignatureParts.AddParts(issuedTokenHeaderSpecification);
requirements.IncomingEncryptionParts.AddParts(issuedTokenHeaderSpecification);
requirements.OutgoingSignatureParts.AddParts(issuedTokenHeaderSpecification);
requirements.OutgoingEncryptionParts.AddParts(issuedTokenHeaderSpecification);
}
MessagePartSpecification parts = new MessagePartSpecification(true);
parts.MakeReadOnly();
requirements.OutgoingSignatureParts.AddParts(parts, "http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/transactions/fault");
requirements.OutgoingEncryptionParts.AddParts(parts, "http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/transactions/fault");
return(requirements);
}
public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
{
ChannelProtectionRequirements requirements = bindingParameters.Find <ChannelProtectionRequirements>();
MessagePartSpecification part = new MessagePartSpecification(true);
requirements.OutgoingSignatureParts.AddParts(part);
}
private void AddParts(ref MessagePartSpecification parts1, MessagePartSpecification parts2)
{
if (parts1 == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts1"));
}
if (parts2 == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts2"));
}
if (!parts2.IsEmpty())
{
if (parts1.IsReadOnly)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(parts1);
p.Union(parts2);
parts1 = p;
}
else
{
parts1.Union(parts2);
}
}
}
public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
{
// Sign only the header, but not the body.
// This does not work.
//endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
//foreach (OperationDescription operation in endpoint.Contract.Operations)
//{
// MessageDescription requestMessage = operation.Messages.First(msg => msg.Direction == MessageDirection.Input);
// foreach (MessagePartDescription body in requestMessage.Body.Parts)
// {
// body.ProtectionLevel = System.Net.Security.ProtectionLevel.None;
// }
//}
bindingParameters.Remove <ChannelProtectionRequirements>();
var m = new MessagePartSpecification();
m.IsBodyIncluded = false;
var c1 = new ChannelProtectionRequirements();
c1.IncomingSignatureParts.AddParts(m, "*");
MessagePartSpecification m1 = new MessagePartSpecification();
m.IsBodyIncluded = false;
c1.IncomingEncryptionParts.AddParts(m1, "*");
bindingParameters.Add(c1);
}
private void ImportProtectionAssertions(ICollection <XmlElement> assertions, out MessagePartSpecification signedParts, out MessagePartSpecification encryptedParts)
{
XmlElement assertion;
signedParts = null;
encryptedParts = null;
WSSecurityPolicy securityPolicy;
if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out securityPolicy))
{
if (!securityPolicy.TryImportWsspEncryptedPartsAssertion(assertions, out encryptedParts, out assertion) &&
assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
if (!securityPolicy.TryImportWsspSignedPartsAssertion(assertions, out signedParts, out assertion) &&
assertion != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
}
}
if (encryptedParts == null)
{
encryptedParts = MessagePartSpecification.NoParts;
}
if (signedParts == null)
{
signedParts = MessagePartSpecification.NoParts;
}
}
public void UnionReadOnlyPart()
{
MessagePartSpecification s =
new MessagePartSpecification();
s.MakeReadOnly();
Assert.AreEqual(true, s.IsReadOnly, "#1");
s.Union(new MessagePartSpecification());
}
public void AddBindingParameters(ContractDescription contractDescription,
ServiceEndpoint endpoint,
BindingParameterCollection bindingParameters)
{
Console.WriteLine("add outgoing signature parts");
ChannelProtectionRequirements requirements = bindingParameters.Find <ChannelProtectionRequirements>();
MessagePartSpecification part = new MessagePartSpecification(true);
requirements.OutgoingSignatureParts.AddParts(part);
}
private void ApplySigningRequirements(ScopedMessagePartSpecification spec)
{
MessagePartSpecification parts = new MessagePartSpecification(new XmlQualifiedName[] { new XmlQualifiedName("PeerVia", "http://schemas.microsoft.com/net/2006/05/peer"), new XmlQualifiedName("FloodMessage", "http://schemas.microsoft.com/net/2006/05/peer"), new XmlQualifiedName("PeerTo", "http://schemas.microsoft.com/net/2006/05/peer"), new XmlQualifiedName("MessageID", "http://schemas.microsoft.com/net/2006/05/peer") });
foreach (string str in spec.Actions)
{
spec.AddParts(parts, str);
}
spec.AddParts(parts, "*");
}
private static ChannelProtectionRequirements GetProtectionRequirements(AddressingVersion addressingVersion)
{
PropertyInfo property = addressingVersion.GetType().GetProperty("SignedMessageParts", BindingFlags.Instance | BindingFlags.NonPublic);
MessagePartSpecification value = (MessagePartSpecification)property.GetValue(addressingVersion, new object[0]);
ChannelProtectionRequirements channelProtectionRequirement = new ChannelProtectionRequirements();
channelProtectionRequirement.IncomingSignatureParts.AddParts(value);
channelProtectionRequirement.OutgoingSignatureParts.AddParts(value);
return(channelProtectionRequirement);
}
private ChannelProtectionRequirements GetProtectionRequirements()
{
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
XmlQualifiedName name = new XmlQualifiedName(XD.UtilityDictionary.UniqueEndpointHeaderName.Value, XD.UtilityDictionary.UniqueEndpointHeaderNamespace.Value);
MessagePartSpecification parts = new MessagePartSpecification(new XmlQualifiedName[] { name });
parts.MakeReadOnly();
requirements.IncomingSignatureParts.AddParts(parts);
requirements.OutgoingSignatureParts.AddParts(parts);
return(requirements);
}
internal ChannelProtectionRequirements GetProtectionRequirements(AddressingVersion addressing, ProtectionLevel defaultProtectionLevel)
{
if (addressing == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(addressing));
}
ChannelProtectionRequirements result = new ChannelProtectionRequirements();
ProtectionLevel supportedRequestProtectionLevel = GetIndividualProperty <ISecurityCapabilities>().SupportedRequestProtectionLevel;
ProtectionLevel supportedResponseProtectionLevel = GetIndividualProperty <ISecurityCapabilities>().SupportedResponseProtectionLevel;
bool canSupportMoreThanTheDefault =
(ProtectionLevelHelper.IsStrongerOrEqual(supportedRequestProtectionLevel, defaultProtectionLevel) &&
ProtectionLevelHelper.IsStrongerOrEqual(supportedResponseProtectionLevel, defaultProtectionLevel));
if (canSupportMoreThanTheDefault)
{
MessagePartSpecification signedParts = new MessagePartSpecification();
MessagePartSpecification encryptedParts = new MessagePartSpecification();
if (defaultProtectionLevel != ProtectionLevel.None)
{
signedParts.IsBodyIncluded = true;
if (defaultProtectionLevel == ProtectionLevel.EncryptAndSign)
{
encryptedParts.IsBodyIncluded = true;
}
}
signedParts.MakeReadOnly();
encryptedParts.MakeReadOnly();
if (addressing.FaultAction != null)
{
// Addressing faults
result.IncomingSignatureParts.AddParts(signedParts, addressing.FaultAction);
result.OutgoingSignatureParts.AddParts(signedParts, addressing.FaultAction);
result.IncomingEncryptionParts.AddParts(encryptedParts, addressing.FaultAction);
result.OutgoingEncryptionParts.AddParts(encryptedParts, addressing.FaultAction);
}
if (addressing.DefaultFaultAction != null)
{
// Faults that do not specify a particular action
result.IncomingSignatureParts.AddParts(signedParts, addressing.DefaultFaultAction);
result.OutgoingSignatureParts.AddParts(signedParts, addressing.DefaultFaultAction);
result.IncomingEncryptionParts.AddParts(encryptedParts, addressing.DefaultFaultAction);
result.OutgoingEncryptionParts.AddParts(encryptedParts, addressing.DefaultFaultAction);
}
// Infrastructure faults
result.IncomingSignatureParts.AddParts(signedParts, FaultCodeConstants.Actions.NetDispatcher);
result.OutgoingSignatureParts.AddParts(signedParts, FaultCodeConstants.Actions.NetDispatcher);
result.IncomingEncryptionParts.AddParts(encryptedParts, FaultCodeConstants.Actions.NetDispatcher);
result.OutgoingEncryptionParts.AddParts(encryptedParts, FaultCodeConstants.Actions.NetDispatcher);
}
return(result);
}
ChannelProtectionRequirements GetProtectionRequirements()
{
ChannelProtectionRequirements result = new ChannelProtectionRequirements();
XmlQualifiedName refPropHeaderName = new XmlQualifiedName(XD.UtilityDictionary.UniqueEndpointHeaderName.Value,
XD.UtilityDictionary.UniqueEndpointHeaderNamespace.Value);
MessagePartSpecification headerParts = new MessagePartSpecification(refPropHeaderName);
headerParts.MakeReadOnly();
result.IncomingSignatureParts.AddParts(headerParts);
result.OutgoingSignatureParts.AddParts(headerParts);
return(result);
}
public void DefaultValues()
{
MessagePartSpecification s =
new MessagePartSpecification();
Assert.IsFalse(s.IsBodyIncluded, "#1");
Assert.AreEqual(0, s.HeaderTypes.Count, "#2");
s = new MessagePartSpecification(new XmlQualifiedName [] { new XmlQualifiedName("foo", "urn:foo") });
Assert.IsFalse(s.IsBodyIncluded, "#3");
Assert.AreEqual(1, s.HeaderTypes.Count, "#4");
}
public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
{
//Find the old requirements and remove
var requirements = bindingParameters.Find <ChannelProtectionRequirements>();
bindingParameters.Remove(requirements);
//Setting the ProtectionLevel at the Service Contract
if (ProtectionSetting == "None")
{
endpoint.Contract.ProtectionLevel = ProtectionLevel.None;
}
if (ProtectionSetting == "Sign")
{
endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;
}
if (ProtectionSetting == "EncryptAndSign")
{
endpoint.Contract.ProtectionLevel = ProtectionLevel.EncryptAndSign;
}
//create a new set of requirements
requirements = new ChannelProtectionRequirements();
bindingParameters.Add(requirements);
var unprotectedBody = new MessagePartSpecification();
var protectedBody = new MessagePartSpecification(true);
switch (endpoint.Contract.ProtectionLevel)
{
case ProtectionLevel.None:
requirements.OutgoingSignatureParts.AddParts(unprotectedBody, "*");
requirements.IncomingSignatureParts.AddParts(unprotectedBody, "*");
requirements.OutgoingEncryptionParts.AddParts(unprotectedBody, "*");
requirements.IncomingEncryptionParts.AddParts(unprotectedBody, "*");
break;
case ProtectionLevel.Sign:
requirements.OutgoingSignatureParts.AddParts(protectedBody, "*");
requirements.IncomingSignatureParts.AddParts(protectedBody, "*");
requirements.OutgoingEncryptionParts.AddParts(unprotectedBody, "*");
requirements.IncomingEncryptionParts.AddParts(unprotectedBody, "*");
break;
case ProtectionLevel.EncryptAndSign:
requirements.OutgoingSignatureParts.AddParts(protectedBody, "*");
requirements.IncomingSignatureParts.AddParts(protectedBody, "*");
requirements.OutgoingEncryptionParts.AddParts(protectedBody, "*");
requirements.IncomingEncryptionParts.AddParts(protectedBody, "*");
break;
}
}
private ChannelProtectionRequirements GetProtectionRequirements()
{
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
MessagePartSpecification signedReliabilityMessageParts = WsrmIndex.GetSignedReliabilityMessageParts(this.reliableMessagingVersion);
requirements.IncomingSignatureParts.AddParts(signedReliabilityMessageParts);
requirements.OutgoingSignatureParts.AddParts(signedReliabilityMessageParts);
if (this.reliableMessagingVersion == System.ServiceModel.ReliableMessagingVersion.WSReliableMessagingFebruary2005)
{
ScopedMessagePartSpecification signaturePart = requirements.IncomingSignatureParts;
ScopedMessagePartSpecification encryptionPart = requirements.IncomingEncryptionParts;
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence");
signaturePart = requirements.OutgoingSignatureParts;
encryptionPart = requirements.OutgoingEncryptionParts;
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage");
ProtectProtocolMessage(signaturePart, encryptionPart, "http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence");
return(requirements);
}
if (this.reliableMessagingVersion != System.ServiceModel.ReliableMessagingVersion.WSReliableMessaging11)
{
throw Fx.AssertAndThrow("Reliable messaging version not supported.");
}
ScopedMessagePartSpecification incomingSignatureParts = requirements.IncomingSignatureParts;
ScopedMessagePartSpecification incomingEncryptionParts = requirements.IncomingEncryptionParts;
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequence");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/fault");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse");
incomingSignatureParts = requirements.OutgoingSignatureParts;
incomingEncryptionParts = requirements.OutgoingEncryptionParts;
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequence");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/fault");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence");
ProtectProtocolMessage(incomingSignatureParts, incomingEncryptionParts, "http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse");
return(requirements);
}
void ApplySigningRequirements(ScopedMessagePartSpecification spec)
{
//following are the headers that we add and want signed.
MessagePartSpecification partSpec = new MessagePartSpecification(
new XmlQualifiedName(PeerStrings.Via, PeerStrings.Namespace),
new XmlQualifiedName(PeerOperationNames.Flood, PeerStrings.Namespace),
new XmlQualifiedName(PeerOperationNames.PeerTo, PeerStrings.Namespace),
new XmlQualifiedName(PeerStrings.MessageId, PeerStrings.Namespace));
foreach (string action in spec.Actions)
{
spec.AddParts(partSpec, action);
}
spec.AddParts(partSpec, MessageHeaders.WildcardAction);
}
internal static MessagePartSpecification GetIssuedTokenHeaderSpecification(SecurityStandardsManager standardsManager)
{
MessagePartSpecification result;
if (standardsManager.TrustDriver.IsIssuedTokensSupported)
{
result = new MessagePartSpecification(new XmlQualifiedName(standardsManager.TrustDriver.IssuedTokensHeaderName, standardsManager.TrustDriver.IssuedTokensHeaderNamespace));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TrustDriverVersionDoesNotSupportIssuedTokens)));
}
return(result);
}
ChannelProtectionRequirements GetProtectionRequirements()
{
// Listing headers that must be signed.
ChannelProtectionRequirements result = new ChannelProtectionRequirements();
MessagePartSpecification signedReliabilityMessageParts = MakeConnectionUtility.GetSignedReliabilityMessageParts();
result.IncomingSignatureParts.AddParts(signedReliabilityMessageParts);
result.OutgoingSignatureParts.AddParts(signedReliabilityMessageParts);
// From the Client to the Service
ScopedMessagePartSpecification signaturePart = result.IncomingSignatureParts;
ScopedMessagePartSpecification encryptionPart = result.IncomingEncryptionParts;
ProtectProtocolMessage(signaturePart, encryptionPart, MakeConnectionConstants.MakeConnectionMessage.Action);
return(result);
}
public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
{
var requirements = new ChannelProtectionRequirements();
var signatureProtectionSpecification = new MessagePartSpecification(_protectionLevel != ProtectionLevel.None);
requirements.IncomingSignatureParts.AddParts(signatureProtectionSpecification, "*");
requirements.OutgoingSignatureParts.AddParts(signatureProtectionSpecification, "*");
var encryptionProtectionSpecification = new MessagePartSpecification(_protectionLevel == ProtectionLevel.EncryptAndSign);
requirements.IncomingEncryptionParts.AddParts(encryptionProtectionSpecification, "*");
requirements.OutgoingEncryptionParts.AddParts(encryptionProtectionSpecification, "*");
bindingParameters.Remove <ChannelProtectionRequirements>();
bindingParameters.Add(requirements);
endpoint.Contract.ProtectionLevel = _protectionLevel;
}
public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
{
var proReq =
bindingParameters.Remove <ChannelProtectionRequirements>();
proReq = new ChannelProtectionRequirements();
MessagePartSpecification unProtectedSpec = new MessagePartSpecification();
MessagePartSpecification protectedSpec = new MessagePartSpecification(true);
// I'm setting same protection level for all the actions.
// You could specify different protection level per action, if required.
// Also note, I haven't implemented any support for custom SOAP headers.
// However that can easily be added using the same mechansim.
switch (level)
{
case ProtectionLevel.None:
proReq.OutgoingSignatureParts.AddParts(unProtectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(unProtectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
break;
case ProtectionLevel.Sign:
proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
break;
case ProtectionLevel.EncryptAndSign:
proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");
proReq.OutgoingEncryptionParts.AddParts(protectedSpec, "*");
proReq.IncomingEncryptionParts.AddParts(protectedSpec, "*");
break;
}
// Add our protection requirement for this endpoint into the binding params.
bindingParameters.Add(proReq);
}
private AddressingVersion(string ns, XmlDictionaryString dictionaryNs, string toStringFormat, MessagePartSpecification signedMessageParts, string anonymous, XmlDictionaryString dictionaryAnonymous, string none, string faultAction, string defaultFaultAction)
{
this.ns = ns;
this.dictionaryNs = dictionaryNs;
this.toStringFormat = toStringFormat;
this.signedMessageParts = signedMessageParts;
this.anonymous = anonymous;
this.dictionaryAnonymous = dictionaryAnonymous;
if (anonymous != null)
{
this.anonymousUri = new Uri(anonymous);
}
if (none != null)
{
this.noneUri = new Uri(none);
}
this.faultAction = faultAction;
this.defaultFaultAction = defaultFaultAction;
}
public void Union()
{
XmlQualifiedName q1, q2, q3;
q1 = new XmlQualifiedName("foo");
q2 = new XmlQualifiedName("bar");
q3 = new XmlQualifiedName("baz");
MessagePartSpecification p1 =
new MessagePartSpecification(false, new XmlQualifiedName [] { q1, q2 });
MessagePartSpecification p2 =
new MessagePartSpecification(true, new XmlQualifiedName [] { q3, q2 });
p1.Union(p2);
Assert.IsTrue(p1.IsBodyIncluded, "#1");
// Sigh. It does not exclude duplicates.
Assert.AreEqual(4, p1.HeaderTypes.Count, "#1-2");
Assert.IsTrue(p1.HeaderTypes.Contains(q1), "#2");
Assert.IsTrue(p1.HeaderTypes.Contains(q2), "#3");
Assert.IsTrue(p1.HeaderTypes.Contains(q3), "#4");
}
public static MessagePartSpecification MessagePartSpecificationWsp()
{
// WS-Addressing headers. This logic only checks if a given header is part of the signature. It does not fail if the header is not present.
// This is just an extra insanity check on top of WCF after realizing that MessageId header was not automatically included in the response from WSP.
// Instead of only checking MessageID all WS-Addressing headers specified by [OIO IDWS SOAP 1.1] has been included ... just to be sure.
// Required by [OIO IDWS SOAP 1.1]
var wsAddressingMessageIdQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingMessageId,
WsAdressing.WsAdressing10NameSpace);
var wsAddressingToQualifiedName = new XmlQualifiedName(WsAdressing.WsAdressingTo, WsAdressing.WsAdressing10NameSpace); // This one is optional according to [OIO IDWS SOAP 1.1]
var part =
new MessagePartSpecification(
wsAddressingMessageIdQualifiedName,
wsAddressingToQualifiedName
);
// Setting IsBodyIncluded to true ensures that the body is always signed. Required by [OIO IDWS SOAP 1.1]
part.IsBodyIncluded = true;
return(part);
}
internal static ChannelProtectionRequirements GetChannelProtectionRequirements(ProtectionLevel protectionLevel)
{
ChannelProtectionRequirements result;
if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
if (encryptAndSignChannelProtectionRequirements == null)
{
MessagePartSpecification header = new MessagePartSpecification();
header.HeaderTypes.Add(new XmlQualifiedName(CallbackContextHeaderName, CallbackContextHeaderNamespace));
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
requirements.IncomingSignatureParts.AddParts(header);
requirements.IncomingEncryptionParts.AddParts(header);
requirements.OutgoingSignatureParts.AddParts(header);
requirements.OutgoingEncryptionParts.AddParts(header);
requirements.MakeReadOnly();
encryptAndSignChannelProtectionRequirements = requirements;
}
result = encryptAndSignChannelProtectionRequirements;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
if (signChannelProtectionRequirements == null)
{
MessagePartSpecification header = new MessagePartSpecification();
header.HeaderTypes.Add(new XmlQualifiedName(CallbackContextHeaderName, CallbackContextHeaderNamespace));
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
requirements.IncomingSignatureParts.AddParts(header);
requirements.OutgoingSignatureParts.AddParts(header);
requirements.MakeReadOnly();
signChannelProtectionRequirements = requirements;
}
result = signChannelProtectionRequirements;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("protectionLevel"));
}
return(result);
}
/// <summary>
/// Adds the requirement telling WCF to encrypt the body of RM messages
/// </summary>
private void AddProtectionRequirements(BindingParameterCollection bindingParameters)
{
logging.WCFLogger.Write(System.Diagnostics.TraceEventType.Start, "Custom header signing behavior adding protection requirements");
// Get the protection requirements for the binding
ChannelProtectionRequirements cpr = bindingParameters.Find <ChannelProtectionRequirements>();
// If there were no requirements since before, create them
if (cpr == null)
{
cpr = new ChannelProtectionRequirements();
bindingParameters.Add(cpr);
}
// Select the headers to be affected by this behavior
MessagePartSpecification headerMessagePart = new MessagePartSpecification(_headers.ToArray());
headerMessagePart.MakeReadOnly();
ChannelProtectionRequirements newCpr = new ChannelProtectionRequirements();
// Specify each header to be signed
foreach (string action in actionsToWhichThisBehaviorApplies)
{
newCpr.IncomingSignatureParts.AddParts(headerMessagePart, action);
newCpr.OutgoingSignatureParts.AddParts(headerMessagePart, action);
}
newCpr.MakeReadOnly();
cpr.Add(newCpr);
// Tracing
foreach (XmlQualifiedName name in _headers)
{
logging.WCFLogger.Write(System.Diagnostics.TraceEventType.Information, "Header '" + name + "' added for signing");
}
logging.WCFLogger.Write(System.Diagnostics.TraceEventType.Stop, "Custom header signing behavior finished adding protection requirements");
}
ChannelProtectionRequirements GetProtectionRequirements()
{
if (this.Transactions || (this.IssuedTokens != TransactionFlowOption.NotAllowed))
{
ChannelProtectionRequirements requirements = new ChannelProtectionRequirements();
if (this.Transactions)
{
MessagePartSpecification p = new MessagePartSpecification(
new XmlQualifiedName(CoordinationExternalStrings.CoordinationContext, CoordinationExternal10Strings.Namespace),
new XmlQualifiedName(CoordinationExternalStrings.CoordinationContext, CoordinationExternal11Strings.Namespace),
new XmlQualifiedName(OleTxTransactionExternalStrings.OleTxTransaction, OleTxTransactionExternalStrings.Namespace));
p.MakeReadOnly();
requirements.IncomingSignatureParts.AddParts(p);
requirements.OutgoingSignatureParts.AddParts(p);
requirements.IncomingEncryptionParts.AddParts(p);
requirements.OutgoingEncryptionParts.AddParts(p);
}
if (this.IssuedTokens != TransactionFlowOption.NotAllowed)
{
MessagePartSpecification trustParts = GetIssuedTokenHeaderSpecification(SecurityStandardsManager.DefaultInstance);
trustParts.MakeReadOnly();
requirements.IncomingSignatureParts.AddParts(trustParts);
requirements.IncomingEncryptionParts.AddParts(trustParts);
requirements.OutgoingSignatureParts.AddParts(trustParts);
requirements.OutgoingEncryptionParts.AddParts(trustParts);
}
MessagePartSpecification body = new MessagePartSpecification(true);
body.MakeReadOnly();
requirements.OutgoingSignatureParts.AddParts(body, FaultCodeConstants.Actions.Transactions);
requirements.OutgoingEncryptionParts.AddParts(body, FaultCodeConstants.Actions.Transactions);
return(requirements);
}
else
{
return(null);
}
}
private AddressingVersion(string ns, XmlDictionaryString dictionaryNs, string toStringFormat,
MessagePartSpecification signedMessageParts, string anonymous, XmlDictionaryString dictionaryAnonymous, string none, string faultAction, string defaultFaultAction)
{
Namespace = ns;
DictionaryNamespace = dictionaryNs;
_toStringFormat = toStringFormat;
SignedMessageParts = signedMessageParts;
Anonymous = anonymous;
DictionaryAnonymous = dictionaryAnonymous;
if (anonymous != null)
{
AnonymousUri = new Uri(anonymous);
}
if (none != null)
{
_noneUri = new Uri(none);
}
FaultAction = faultAction;
_defaultFaultAction = defaultFaultAction;
}
public static ChannelProtectionRequirements GetChannelProtectionRequirements(ProtectionLevel protectionLevel)
{
MessagePartSpecification messagePartSpecification = new MessagePartSpecification(true);
MessagePartSpecification messagePartSpecification1 = new MessagePartSpecification();
ChannelProtectionRequirements channelProtectionRequirement = new ChannelProtectionRequirements();
switch (protectionLevel)
{
case ProtectionLevel.None:
{
channelProtectionRequirement.IncomingSignatureParts.AddParts(messagePartSpecification1, "*");
channelProtectionRequirement.OutgoingSignatureParts.AddParts(messagePartSpecification1, "*");
channelProtectionRequirement.IncomingEncryptionParts.AddParts(messagePartSpecification1, "*");
channelProtectionRequirement.OutgoingEncryptionParts.AddParts(messagePartSpecification1, "*");
break;
}
case ProtectionLevel.Sign:
{
channelProtectionRequirement.IncomingSignatureParts.AddParts(messagePartSpecification, "*");
channelProtectionRequirement.OutgoingSignatureParts.AddParts(messagePartSpecification, "*");
channelProtectionRequirement.IncomingEncryptionParts.AddParts(messagePartSpecification1, "*");
channelProtectionRequirement.OutgoingEncryptionParts.AddParts(messagePartSpecification1, "*");
break;
}
case ProtectionLevel.EncryptAndSign:
{
channelProtectionRequirement.IncomingSignatureParts.AddParts(messagePartSpecification, "*");
channelProtectionRequirement.OutgoingSignatureParts.AddParts(messagePartSpecification, "*");
channelProtectionRequirement.IncomingEncryptionParts.AddParts(messagePartSpecification, "*");
channelProtectionRequirement.OutgoingEncryptionParts.AddParts(messagePartSpecification, "*");
break;
}
}
return(channelProtectionRequirement);
}
