internal SecurityProtocolFactory(SecurityProtocolFactory factory)
: this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory");
}
_actAsInitiator = factory._actAsInitiator;
_addTimestamp = factory._addTimestamp;
_detectReplays = factory._detectReplays;
_incomingAlgorithmSuite = factory._incomingAlgorithmSuite;
_maxCachedNonces = factory._maxCachedNonces;
_maxClockSkew = factory._maxClockSkew;
_outgoingAlgorithmSuite = factory._outgoingAlgorithmSuite;
_replayWindow = factory._replayWindow;
_channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory._channelSupportingTokenAuthenticatorSpecification));
_scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory._scopedSupportingTokenAuthenticatorSpecification);
_standardsManager = factory._standardsManager;
_timestampValidityDuration = factory._timestampValidityDuration;
_auditLogLocation = factory._auditLogLocation;
_suppressAuditFailure = factory._suppressAuditFailure;
_serviceAuthorizationAuditLevel = factory._serviceAuthorizationAuditLevel;
_messageAuthenticationAuditLevel = factory._messageAuthenticationAuditLevel;
if (factory._securityBindingElement != null)
{
_securityBindingElement = (SecurityBindingElement)factory._securityBindingElement.Clone();
}
_securityTokenManager = factory._securityTokenManager;
_privacyNoticeUri = factory._privacyNoticeUri;
_privacyNoticeVersion = factory._privacyNoticeVersion;
_extendedProtectionPolicy = factory._extendedProtectionPolicy;
_nonceCache = factory._nonceCache;
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory)
: this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory");
}
this.actAsInitiator = factory.actAsInitiator;
this.addTimestamp = factory.addTimestamp;
this.detectReplays = factory.detectReplays;
this.incomingAlgorithmSuite = factory.incomingAlgorithmSuite;
this.maxCachedNonces = factory.maxCachedNonces;
this.maxClockSkew = factory.maxClockSkew;
this.outgoingAlgorithmSuite = factory.outgoingAlgorithmSuite;
this.replayWindow = factory.replayWindow;
// this.channelSupportingTokenAuthenticatorSpecification = (ICollection<SupportingTokenAuthenticatorSpecification>) new Collection<SupportingTokenAuthenticatorSpecification>((IList<SupportingTokenAuthenticatorSpecification>) new List<SupportingTokenAuthenticatorSpecification>((IEnumerable<SupportingTokenAuthenticatorSpecification>) factory.channelSupportingTokenAuthenticatorSpecification));
// this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary<string, ICollection<SupportingTokenAuthenticatorSpecification>>((IDictionary<string, ICollection<SupportingTokenAuthenticatorSpecification>>) factory.scopedSupportingTokenAuthenticatorSpecification);
this.standardsManager = factory.standardsManager;
// this.timestampValidityDuration = factory.timestampValidityDuration;
// this.auditLogLocation = factory.auditLogLocation;
// this.suppressAuditFailure = factory.suppressAuditFailure;
// this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel;
// this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel;
if (factory.securityBindingElement != null)
{
this.securityBindingElement = (SecurityBindingElement)factory.securityBindingElement.Clone();
}
this.securityTokenManager = factory.securityTokenManager;
this.privacyNoticeUri = factory.privacyNoticeUri;
this.privacyNoticeVersion = factory.privacyNoticeVersion;
// this.endpointFilterTable = factory.endpointFilterTable;
this.extendedProtectionPolicy = factory.extendedProtectionPolicy;
this.nonceCache = factory.nonceCache;
}
LocalClientSecuritySettings(LocalClientSecuritySettings other)
{
this.detectReplays = other.detectReplays;
this.replayCacheSize = other.replayCacheSize;
this.replayWindow = other.replayWindow;
this.maxClockSkew = other.maxClockSkew;
this.cacheCookies = other.cacheCookies;
this.maxCookieCachingTime = other.maxCookieCachingTime;
this.sessionKeyRenewalInterval = other.sessionKeyRenewalInterval;
this.sessionKeyRolloverInterval = other.sessionKeyRolloverInterval;
this.reconnectTransportOnFailure = other.reconnectTransportOnFailure;
this.timestampValidityDuration = other.timestampValidityDuration;
this.identityVerifier = other.identityVerifier;
this.cookieRenewalThresholdPercentage = other.cookieRenewalThresholdPercentage;
this.nonceCache = other.nonceCache;
}
private LocalClientSecuritySettings(LocalClientSecuritySettings other)
{
_detectReplays = other._detectReplays;
_replayCacheSize = other._replayCacheSize;
_replayWindow = other._replayWindow;
_maxClockSkew = other._maxClockSkew;
_cacheCookies = other._cacheCookies;
_maxCookieCachingTime = other._maxCookieCachingTime;
_sessionKeyRenewalInterval = other._sessionKeyRenewalInterval;
_sessionKeyRolloverInterval = other._sessionKeyRolloverInterval;
_reconnectTransportOnFailure = other._reconnectTransportOnFailure;
_timestampValidityDuration = other._timestampValidityDuration;
_identityVerifier = other._identityVerifier;
_cookieRenewalThresholdPercentage = other._cookieRenewalThresholdPercentage;
_nonceCache = other._nonceCache;
}
LocalServiceSecuritySettings(LocalServiceSecuritySettings other)
{
this.detectReplays = other.detectReplays;
this.replayCacheSize = other.replayCacheSize;
this.replayWindow = other.replayWindow;
this.maxClockSkew = other.maxClockSkew;
this.issuedCookieLifetime = other.issuedCookieLifetime;
this.maxStatefulNegotiations = other.maxStatefulNegotiations;
this.negotiationTimeout = other.negotiationTimeout;
this.maxPendingSessions = other.maxPendingSessions;
this.inactivityTimeout = other.inactivityTimeout;
this.sessionKeyRenewalInterval = other.sessionKeyRenewalInterval;
this.sessionKeyRolloverInterval = other.sessionKeyRolloverInterval;
this.reconnectTransportOnFailure = other.reconnectTransportOnFailure;
this.timestampValidityDuration = other.timestampValidityDuration;
this.maxCachedCookies = other.maxCachedCookies;
this.nonceCache = other.nonceCache;
}
public virtual Task OnOpenAsync(TimeSpan timeout)
{
if (SecurityBindingElement == null)
{
OnPropertySettingsError(nameof(SecurityBindingElement), true);
}
if (SecurityTokenManager == null)
{
OnPropertySettingsError(nameof(SecurityTokenManager), true);
}
MessageSecurityVersion = _standardsManager.MessageSecurityVersion;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
_expectOutgoingMessages = ActAsInitiator || SupportsRequestReply;
_expectIncomingMessages = !ActAsInitiator || SupportsRequestReply;
if (!ActAsInitiator)
{
throw ExceptionHelper.PlatformNotSupported();
}
if (DetectReplays)
{
if (!SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(nameof(DetectReplays), SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this));
}
if (MaxClockSkew == TimeSpan.MaxValue || ReplayWindow == TimeSpan.MaxValue)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely));
}
// If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache.
if (_nonceCache == null)
{
// The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays
_nonceCache = new InMemoryNonceCache(ReplayWindow + MaxClockSkew + MaxClockSkew, MaxCachedNonces);
}
}
//derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator<DerivedKeySecurityToken>();
return(Task.CompletedTask);
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(factory));
}
ActAsInitiator = factory.ActAsInitiator;
_addTimestamp = factory._addTimestamp;
_detectReplays = factory._detectReplays;
_incomingAlgorithmSuite = factory._incomingAlgorithmSuite;
_maxCachedNonces = factory._maxCachedNonces;
_maxClockSkew = factory._maxClockSkew;
_outgoingAlgorithmSuite = factory._outgoingAlgorithmSuite;
_replayWindow = factory._replayWindow;
_channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory._channelSupportingTokenAuthenticatorSpecification));
_standardsManager = factory._standardsManager;
_timestampValidityDuration = factory._timestampValidityDuration;
_securityBindingElement = (SecurityBindingElement)factory._securityBindingElement?.Clone();
_securityTokenManager = factory._securityTokenManager;
_nonceCache = factory._nonceCache;
}
public virtual void OnOpen(TimeSpan timeout)
{
if (this.SecurityBindingElement == null)
{
this.OnPropertySettingsError("SecurityBindingElement", true);
}
if (this.SecurityTokenManager == null)
{
this.OnPropertySettingsError("SecurityTokenManager", true);
}
_messageSecurityVersion = _standardsManager.MessageSecurityVersion;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
_expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
_expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
if (!_actAsInitiator)
{
AddSupportingTokenAuthenticators(_securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification);
// validate the token authenticator types and create a merged map if needed.
if (!_channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
{
if (_channelSupportingTokenAuthenticatorSpecification.Count == 0)
{
_channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
}
else
{
_expectSupportingTokens = true;
foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in _channelSupportingTokenAuthenticatorSpecification)
{
SecurityUtils.OpenTokenAuthenticatorIfRequired(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.RemainingTime());
if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing ||
tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey)
{
_expectKeyDerivation = true;
}
}
SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted ||
mode == SecurityTokenAttachmentMode.Signed ||
mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
_expectChannelSignedTokens = true;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
_expectChannelBasicTokens = true;
}
}
if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
_expectChannelEndorsingTokens = true;
}
}
_channelSupportingTokenAuthenticatorSpecification =
new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification);
}
}
VerifyTypeUniqueness(_channelSupportingTokenAuthenticatorSpecification);
MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime());
}
if (this.DetectReplays)
{
if (!this.SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this));
}
if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely));
}
// If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache.
if (_nonceCache == null)
{
// The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays
_nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces);
}
}
_derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>();
}
public LocalClientSecuritySettings()
{
this.DetectReplays = SecurityProtocolFactory.defaultDetectReplays;
this.ReplayCacheSize = SecurityProtocolFactory.defaultMaxCachedNonces;
this.ReplayWindow = SecurityProtocolFactory.defaultReplayWindow;
this.MaxClockSkew = SecurityProtocolFactory.defaultMaxClockSkew;
this.TimestampValidityDuration = SecurityProtocolFactory.defaultTimestampValidityDuration;
this.CacheCookies = IssuanceTokenProviderBase<IssuanceTokenProviderState>.defaultClientCacheTokens;
this.MaxCookieCachingTime = IssuanceTokenProviderBase<IssuanceTokenProviderState>.DefaultClientMaxTokenCachingTime;
this.SessionKeyRenewalInterval = SecuritySessionClientSettings.defaultKeyRenewalInterval;
this.SessionKeyRolloverInterval = SecuritySessionClientSettings.defaultKeyRolloverInterval;
this.ReconnectTransportOnFailure = SecuritySessionClientSettings.defaultTolerateTransportFailures;
this.CookieRenewalThresholdPercentage = SpnegoTokenProvider.defaultServiceTokenValidityThresholdPercentage;
this.IdentityVerifier = IdentityVerifier.CreateDefault();
this.nonceCache = null;
}
// replay detection done if enableReplayDetection is set to true.
public void SetTimeParameters(NonceCache nonceCache, TimeSpan replayWindow, TimeSpan clockSkew)
{
_nonceCache = nonceCache;
_replayWindow = replayWindow;
_clockSkew = clockSkew;
}
public LocalServiceSecuritySettings()
{
this.DetectReplays = SecurityProtocolFactory.defaultDetectReplays;
this.ReplayCacheSize = SecurityProtocolFactory.defaultMaxCachedNonces;
this.ReplayWindow = SecurityProtocolFactory.defaultReplayWindow;
this.MaxClockSkew = SecurityProtocolFactory.defaultMaxClockSkew;
this.IssuedCookieLifetime = NegotiationTokenAuthenticator<NegotiationTokenAuthenticatorState>.defaultServerIssuedTokenLifetime;
this.MaxStatefulNegotiations = NegotiationTokenAuthenticator<NegotiationTokenAuthenticatorState>.defaultServerMaxActiveNegotiations;
this.NegotiationTimeout = NegotiationTokenAuthenticator<NegotiationTokenAuthenticatorState>.defaultServerMaxNegotiationLifetime;
this.maxPendingSessions = SecuritySessionServerSettings.defaultMaximumPendingSessions;
this.inactivityTimeout = SecuritySessionServerSettings.defaultInactivityTimeout;
this.sessionKeyRenewalInterval = SecuritySessionServerSettings.defaultKeyRenewalInterval;
this.sessionKeyRolloverInterval = SecuritySessionServerSettings.defaultKeyRolloverInterval;
this.reconnectTransportOnFailure = SecuritySessionServerSettings.defaultTolerateTransportFailures;
this.TimestampValidityDuration = SecurityProtocolFactory.defaultTimestampValidityDuration;
this.maxCachedCookies = NegotiationTokenAuthenticator<NegotiationTokenAuthenticatorState>.defaultServerMaxCachedTokens;
this.nonceCache = null;
}
