public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader) : base(messageToProcess) { this.securityHeader = securityHeader; if (securityHeader.RequireMessageProtection) { XmlDictionaryReader messageReader; BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage; if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders) { messageReader = bufferedMessage.GetMessageReader(); } else { this.messageBuffer = new XmlBuffer(int.MaxValue); XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas); this.InnerMessage.WriteMessage(writer); this.messageBuffer.CloseSection(); this.messageBuffer.Close(); messageReader = this.messageBuffer.GetReader(0); } MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true); this.cachedReaderAtSecurityHeader = messageReader; this.state = BodyState.Buffered; } else { this.envelopeAttributes = XmlAttributeHolder.emptyArray; this.headerAttributes = XmlAttributeHolder.emptyArray; this.bodyAttributes = XmlAttributeHolder.emptyArray; this.canDelegateCreateBufferedCopyToInnerMessage = true; } }
private void WriteHeader(XmlDictionaryWriter dictionaryWriter) { dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Header, this.message.Version.Envelope.DictionaryNamespace); MessageHeaders headers = this.message.Headers; ReceiveSecurityHeader receivedSecurityHeader = null; if (this.message is SecurityVerifiedMessage) { SecurityVerifiedMessage message = this.message as SecurityVerifiedMessage; receivedSecurityHeader = message.ReceivedSecurityHeader; } for (int i = 0; i < headers.Count; i++) { if (((receivedSecurityHeader != null) && receivedSecurityHeader.HasAtLeastOneItemInsideSecurityHeaderEncrypted) && (receivedSecurityHeader.HeaderIndex == i)) { receivedSecurityHeader.WriteStartHeader(dictionaryWriter, headers.MessageVersion); receivedSecurityHeader.WriteHeaderContents(dictionaryWriter, headers.MessageVersion); dictionaryWriter.WriteEndElement(); } else { headers.WriteHeader(i, dictionaryWriter); } } dictionaryWriter.WriteEndElement(); }
protected override async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout) { string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = Factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, _sessionTokenResolverList); if (supportingAuthenticators != null && supportingAuthenticators.Count > 0) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, _sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = _sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = Factory.DetectReplays; securityHeader.SetTimeParameters(Factory.NonceCache, Factory.ReplayWindow, Factory.MaxClockSkew); // do not enforce key derivation requirement for Cancel messages due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != Factory.StandardsManager.SecureConversationDriver.CloseAction.Value); await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.RequiredTimestampMissingInSecurityHeader))); } bool didSessionSctEndorse = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i) { SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken); if (signingSct != null && signingSct.ContextId == _sessionId) { didSessionSctEndorse = true; break; } } } if (!didSessionSctEndorse) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.NoSessionTokenPresentInMessage))); } Message processedMessage = securityHeader.ProcessedMessage; AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); OnIncomingMessageVerified(processedMessage); return(processedMessage); }
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader) { _securityHeader = securityHeader; _elements = new ReceiveSecurityHeaderEntry[InitialCapacity]; if (securityHeader.RequireMessageProtection) { _headerIds = new string[securityHeader.ProcessedMessage.Headers.Count]; } }
public override async ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) { // pass 1 await securityHeader.ExecuteReadingPassAsync(reader); // pass 1.5 securityHeader.ExecuteDerivedKeyTokenStubPass(false); // pass 2 await securityHeader.ExecuteSubheaderDecryptionPassAsync(); // pass 2.5 securityHeader.ExecuteDerivedKeyTokenStubPass(true); // layout-specific inferences MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection); // pass 3 await securityHeader.ExecuteSignatureEncryptionProcessingPassAsync(); }
public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader) : base(messageToProcess) { ReceivedSecurityHeader = securityHeader; if (securityHeader.RequireMessageProtection) { XmlDictionaryReader messageReader; if (InnerMessage is BufferedMessage bufferedMessage && Headers.ContainsOnlyBufferedMessageHeaders) { messageReader = bufferedMessage.GetMessageReader(); } else { _messageBuffer = new XmlBuffer(int.MaxValue); XmlDictionaryWriter writer = _messageBuffer.OpenSection(ReceivedSecurityHeader.ReaderQuotas); InnerMessage.WriteMessage(writer); _messageBuffer.CloseSection(); _messageBuffer.Close(); messageReader = _messageBuffer.GetReader(0); } MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true); _cachedReaderAtSecurityHeader = messageReader; _state = BodyState.Buffered; }
public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) { securityHeader.ExecuteFullPass(reader); }
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)SecurityProtocolFactory; string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input); IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out bool expectSignedTokens, out bool expectBasicTokens, out bool expectEndorsingTokens); if (securityHeader == null) { bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens; if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) || (!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens)) { return; } else { if (string.IsNullOrEmpty(actor)) { throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindSecurityHeaderInMessageNoActor)), message); } else { throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindSecurityHeaderInMessage, actor)), message); } } } securityHeader.RequireMessageProtection = false; securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize; securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas; // Due to compatibility, only honor this setting if this app setting is enabled if (ServiceModelAppSettings.UseConfiguredTransportSecurityHeaderLayout) { securityHeader.Layout = factory.SecurityHeaderLayout; } TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); if (!factory.ActAsInitiator) { securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (factory.ExpectKeyDerivation) { securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator; } } securityHeader.ReplayDetectionEnabled = factory.DetectReplays; securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy); message = securityHeader.ProcessedMessage; if (!factory.ActAsInitiator) { AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(message); }
internal override void WriteTo(XmlWriter writer) { writer.WriteStartElement(MessageLogTraceRecord.NamespacePrefix, MessageLogTraceRecord.MessageLogTraceRecordElementName, MessageLogTraceRecord.NamespaceUri); // <MessageLogTraceRecord> writer.WriteAttributeString(MessageLogTraceRecord.TraceTimeAttributeName, this.timestamp.ToString("o", CultureInfo.InvariantCulture)); writer.WriteAttributeString(DiagnosticStrings.SourceTag, this.source.ToString()); if (null != this.type) { Fx.Assert(this.message != null, ""); XmlDictionaryWriter dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer); dictionaryWriter.WriteAttributeString(MessageLogTraceRecord.TypeElementName, this.type.ToString()); #if DEBUG MessageProperties properties = this.message.Properties; dictionaryWriter.WriteStartElement("Properties"); foreach (string key in properties.Keys) { dictionaryWriter.WriteElementString(key, properties[key].ToString()); } dictionaryWriter.WriteEndElement(); // </Properties> #endif WriteAddressingProperties(dictionaryWriter); WriteHttpProperties(dictionaryWriter); if (null != this.reader) //TransportSend case: Message may miss some security data, so we use XmlReader created from serialized message { this.reader.MoveToContent(); } if (this.logMessageBody) { if (null != this.reader) { dictionaryWriter.WriteNode(this.reader, true); } else { bool hasAtLeastOneItemInsideSecurityHeaderEncrypted = false; if (this.message is SecurityVerifiedMessage) { SecurityVerifiedMessage verifiedMessage = this.message as SecurityVerifiedMessage; ReceiveSecurityHeader receivedHeader = verifiedMessage.ReceivedSecurityHeader; hasAtLeastOneItemInsideSecurityHeaderEncrypted = receivedHeader.HasAtLeastOneItemInsideSecurityHeaderEncrypted; } if (!hasAtLeastOneItemInsideSecurityHeaderEncrypted) { this.message.ToString(dictionaryWriter); } else { if (this.message.Version.Envelope != EnvelopeVersion.None) { dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Envelope, this.message.Version.Envelope.DictionaryNamespace); WriteHeader(dictionaryWriter); this.message.WriteStartBody(writer); } this.message.BodyToString(dictionaryWriter); if (this.message.Version.Envelope != EnvelopeVersion.None) { writer.WriteEndElement(); // </Body> dictionaryWriter.WriteEndElement(); // </Envelope> } } } } else if (this.message.Version.Envelope != EnvelopeVersion.None) //No headers for EnvelopeVersion.None { if (null != this.reader) { dictionaryWriter.WriteStartElement(reader.Prefix, reader.LocalName, reader.NamespaceURI); this.reader.Read(); if (0 == String.CompareOrdinal(reader.LocalName, "Header")) { dictionaryWriter.WriteNode(this.reader, true); } dictionaryWriter.WriteEndElement(); } else { dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Envelope, this.message.Version.Envelope.DictionaryNamespace); WriteHeader(dictionaryWriter); dictionaryWriter.WriteEndElement(); // </Envelope> } } if (null != this.reader) { this.reader.Close(); this.reader = null; } } else { writer.WriteCData(this.messageString); } writer.WriteEndElement(); // </MessageLogTraceRecord> }
protected virtual async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout) { TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)SecurityProtocolFactory; string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input); IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out bool expectSignedTokens, out bool expectBasicTokens, out bool expectEndorsingTokens); if (securityHeader == null) { bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens; if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) || (!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens)) { return(message); } else { if (string.IsNullOrEmpty(actor)) { throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindSecurityHeaderInMessageNoActor)), message); } else { throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindSecurityHeaderInMessage, actor)), message); } } } securityHeader.RequireMessageProtection = false; securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize; securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas; // This was behind an app setting on WCF. If this breaks someone, it's because they are setting SecurityHeaderLayout and it // wasn't being applied. The customer fix is to not set the SecurityHeaderLayout as that's what they were effectively running with. securityHeader.Layout = factory.SecurityHeaderLayout; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); if (!factory.ActAsInitiator) { securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (factory.ExpectKeyDerivation) { securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator; } } securityHeader.ReplayDetectionEnabled = factory.DetectReplays; securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew); await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy); Message processedMessage = securityHeader.ProcessedMessage; if (!factory.ActAsInitiator) { AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(processedMessage); return(processedMessage); }
protected IList <SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(SecurityProtocolFactory factory, Message message, ReceiveSecurityHeader securityHeader) { if (message == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message"); } bool expectBasicTokens; bool expectSignedTokens; bool expectEndorsingTokens; IList <SupportingTokenAuthenticatorSpecification> authenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens); securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; return(authenticators); }
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader) { this.tokens = new SecurityTokenEntry[InitialTokenArraySize]; this.securityHeader = securityHeader; }
public override ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) => securityHeader.ExecuteFullPassAsync(reader);
public abstract ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);