/**
* Create Idemix Identity from a Serialized Identity
*
* @param proto
*/
public IdemixIdentity(SerializedIdentity proto)
{
if (proto == null)
{
throw new ArgumentException("Input must not be null");
}
mspId = proto.Mspid;
try
{
logger.Trace("Fetching Idemix Proto");
SerializedIdemixIdentity idemixProto = SerializedIdemixIdentity.Parser.ParseFrom(proto.IdBytes);
if (idemixProto == null)
{
throw new ArgumentException("The identity does not contain a serialized idemix identity");
}
logger.Trace("Deserializing Nym and attribute values");
pseudonym = new ECP(BIG.FromBytes(idemixProto.NymX.ToByteArray()), BIG.FromBytes(idemixProto.NymY.ToByteArray()));
OrganizationUnit ou = OrganizationUnit.Parser.ParseFrom(idemixProto.Ou);
MSPRole role = MSPRole.Parser.ParseFrom(idemixProto.Role);
Ou = ou.OrganizationalUnitIdentifier;
RoleMask = role.Role.ToIdemixRole();
ipkHash = ou.CertifiersIdentifier.ToByteArray();
logger.Trace("Deserializing Proof");
associationProof = new IdemixSignature(Signature.Parser.ParseFrom(idemixProto.Proof.ToByteArray()));
}
catch (InvalidProtocolBufferException e)
{
throw new CryptoException("Cannot deserialize MSP ID", e);
}
}
// Token: 0x06001274 RID: 4724 RVA: 0x0003B65C File Offset: 0x0003985C
internal static PswsAuthZUserToken GetAuthZPluginUserToken(UserToken userToken)
{
ExAssert.RetailAssert(userToken != null, "[PswsAuthorization.GetAuthZPluginUserToken] userToken can't be null.");
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType;
SecurityIdentifier userSid = userToken.UserSid;
DelegatedPrincipal delegatedPrincipal = userToken.DelegatedPrincipal;
ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null).");
PartitionId partitionId = userToken.PartitionId;
string text = AuthenticatedUserCache.CreateKeyForPsws(userSid, userToken.AuthenticationType, partitionId);
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User cache key = \"{0}\".", text);
AuthZPluginUserToken authZPluginUserToken;
if (!AuthenticatedUserCache.Instance.TryGetValue(text, out authZPluginUserToken))
{
ExTraceGlobals.PublicPluginAPITracer.TraceDebug(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User not found in cache.");
IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity;
SerializedIdentity serializedIdentity = null;
if (identity is WindowsTokenIdentity)
{
serializedIdentity = ((WindowsTokenIdentity)identity).ToSerializedIdentity();
}
ADRawEntry adrawEntry = ExchangeAuthorizationPlugin.FindUserEntry(userSid, null, serializedIdentity, partitionId);
ExAssert.RetailAssert(adrawEntry != null, "UnAuthorized. Unable to find the user.");
bool condition = (adrawEntry is MiniRecipient || adrawEntry is ADUser) && (bool)adrawEntry[ADRecipientSchema.RemotePowerShellEnabled];
ExAssert.RetailAssert(condition, "UnAuthorized. PSWS not enabled user.");
authZPluginUserToken = new AuthZPluginUserToken(delegatedPrincipal, adrawEntry, authenticationType, userSid.Value);
AuthenticatedUserCache.Instance.AddUserToCache(text, authZPluginUserToken);
}
return(new PswsAuthZUserToken(authZPluginUserToken.DelegatedPrincipal, authZPluginUserToken.UserEntry, authenticationType, authZPluginUserToken.DefaultUserName, userToken.UserName));
}
/**
* Serialize Idemix Identity
*/
public SerializedIdentity CreateSerializedIdentity()
{
OrganizationUnit ou = new OrganizationUnit();
ou.CertifiersIdentifier = ByteString.CopyFrom(ipkHash);
ou.MspIdentifier = mspId;
ou.OrganizationalUnitIdentifier = Ou;
//Warning, this does not support multi-roleMask.
//Serialize the bitmask is the correct way to support multi-roleMask in the future
MSPRole role = new MSPRole();
role.Role = RoleMask.ToMSPRoleTypes().First();
role.MspIdentifier = mspId;
SerializedIdemixIdentity serializedIdemixIdentity = new SerializedIdemixIdentity();
serializedIdemixIdentity.Proof = ByteString.CopyFrom(associationProof.ToProto().ToByteArray());
serializedIdemixIdentity.Ou = ByteString.CopyFrom(ou.ToByteArray());
serializedIdemixIdentity.Role = ByteString.CopyFrom(role.ToByteArray());
serializedIdemixIdentity.NymY = ByteString.CopyFrom(pseudonym.Y.ToBytes());
serializedIdemixIdentity.NymX = ByteString.CopyFrom(pseudonym.X.ToBytes());
SerializedIdentity serializedIdentity = new SerializedIdentity();
serializedIdentity.IdBytes = ByteString.CopyFrom(serializedIdemixIdentity.ToByteArray());
serializedIdentity.Mspid = mspId;
return(serializedIdentity);
}
public static ByteString GetSignatureHeaderAsByteString(IUser user, TransactionContext transactionContext)
{
SerializedIdentity identity = transactionContext.Identity;
if (isDebugLevel)
{
IEnrollment enrollment = user.Enrollment;
string cert = enrollment.Cert;
string hexcert = cert == null ? "null" : cert.ToBytes().ToHexString();
logger.Debug($" User: {user.Name} Certificate: {hexcert}");
if (enrollment is X509Enrollment)
{
cert = transactionContext.CryptoPrimitives.Hash(Certificate.Create(cert).ExtractDER()).ToHexString();
// logger.debug(format(" User: %s Certificate:\n%s", user.getName(), cert));
logger.Debug($"SignatureHeader: nonce: {transactionContext.Nonce.ToHexString()}, User:{user.Name}, MSPID: {user.MspId}, idBytes: {cert}");
}
}
return((new SignatureHeader {
Creator = identity.ToByteString(), Nonce = transactionContext.Nonce
}).ToByteString());
}
private void ParseIdentity(Protos.Discovery.Peer peerRet)
{
try
{
SerializedIdentity serializedIdentity = SerializedIdentity.Parser.ParseFrom(peerRet.Identity);
MspId = serializedIdentity.Mspid;
}
catch (Exception e)
{
throw new InvalidProtocolBufferRuntimeException(e);
}
}
public void TestSerializingAndDeserializingIdentity()
{
SerializedIdentity proto = signingIdentity.CreateSerializedIdentity();
Assert.IsNotNull(proto);
SerializedIdemixIdentity idemixProto = null;
try
{
idemixProto = SerializedIdemixIdentity.Parser.ParseFrom(proto.IdBytes);
}
catch (InvalidProtocolBufferException e)
{
Assert.Fail("Could not parse Idemix Serialized Identity" + e.Message);
}
if (idemixProto != null)
{
new ECP(BIG.FromBytes(idemixProto.NymX.ToByteArray()), BIG.FromBytes(idemixProto.NymY.ToByteArray()));
idemixProto.Ou.ToByteArray();
idemixProto.Role.ToByteArray();
try
{
new IdemixSignature(Signature.Parser.ParseFrom(idemixProto.Proof.ToByteArray()));
}
catch (InvalidProtocolBufferException e)
{
Assert.Fail("Cannot deserialize proof" + e.Message);
}
}
try
{
new IdemixIdentity(proto);
}
catch (System.Exception e) when(e is CryptoException || e is ArgumentException)
{
Assert.Fail("Cannot create Idemix Identity from Proto" + e.Message);
}
}
internal static ADRawEntry FindUserEntry(SecurityIdentifier userSid, WindowsIdentity windowsIdentity, SerializedIdentity serializedIdentity, PartitionId partitionId)
{
ADRawEntry result;
using (new MonitoredScope("FindUserEntry", "FindUserEntry", AuthZLogHelper.AuthZPerfMonitors))
{
ADSessionSettings sessionSettings;
if (partitionId != null)
{
sessionSettings = ADSessionSettings.FromAllTenantsPartitionId(partitionId);
}
else
{
sessionSettings = ADSessionSettings.FromRootOrgScopeSet();
}
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, sessionSettings, 817, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs");
ADRawEntry adrawEntry = tenantOrRootOrgRecipientSession.FindMiniRecipientBySid <MiniRecipient>(userSid, ExchangeRunspaceConfiguration.userPropertyArray);
if (adrawEntry == null && VariantConfiguration.InvariantNoFlightingSnapshot.CmdletInfra.ServiceAccountForest.Enabled)
{
adrawEntry = PartitionDataAggregator.GetMiniRecipientFromUserId(userSid, ExchangeRunspaceConfiguration.userPropertyArray, ConsistencyMode.IgnoreInvalid);
}
if (adrawEntry == null)
{
ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier, string>(0L, "EAP.FindUserEntry user {0} could not be found in AD, partitionId: {1}", userSid, (partitionId == null) ? "null" : partitionId.ToString());
adrawEntry = ExchangeRunspaceConfiguration.TryFindComputer(userSid);
}
if (adrawEntry == null && (windowsIdentity != null || serializedIdentity != null))
{
ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier>(0L, "EAP.FindUserEntry computer {0} could not be found in AD", userSid);
IIdentity identity = (windowsIdentity != null) ? windowsIdentity : serializedIdentity;
ICollection <SecurityIdentifier> groupAccountsSIDs = identity.GetGroupAccountsSIDs();
tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 850, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs");
List <ADObjectId> list = null;
if (ExchangeRunspaceConfiguration.TryFindLinkedRoleGroupsBySidList(tenantOrRootOrgRecipientSession, groupAccountsSIDs, identity.Name, out list))
{
adrawEntry = new ADUser
{
RemotePowerShellEnabled = true
};
}
}
result = adrawEntry;
}
return(result);
}
public IdentitiesInfo(SerializedIdentity identity)
{
Mspid = identity.Mspid;
Id = identity.IdBytes.ToStringUtf8();
}
/*
* Verifies that a Proposal response is properly signed. The payload is the
* concatenation of the response payload byte string and the endorsement The
* certificate (public key) is gotten from the Endorsement.Endorser.IdBytes
* field
*
* @param crypto the CryptoPrimitives instance to be used for signing and
* verification
*
* @return true/false depending on result of signature verification
*/
public bool Verify(ICryptoSuite crypto)
{
logger.Trace($"{Peer} verifying transaction: {TransactionID} endorsement.");
if (HasBeenVerified)
{
// check if this proposalResponse was already verified by client code
logger.Trace($"{Peer} transaction: {TransactionID} was already verified returned {IsVerified}");
return(IsVerified);
}
try
{
if (IsInvalid)
{
IsVerified = false;
logger.Debug($"{Peer} for transaction {TransactionID} returned invalid. Setting verify to false");
return(false);
}
Endorsement endorsement = ProtoProposalResponse.Endorsement;
ByteString sig = endorsement.Signature;
byte[] endorserCertifcate = null;
byte[] signature = null;
byte[] data = null;
try
{
SerializedIdentity endorser = SerializedIdentity.Parser.ParseFrom(endorsement.Endorser);
ByteString plainText = ByteString.CopyFrom(ProtoProposalResponse.Payload.Concat(endorsement.Endorser).ToArray());
if (Config.Instance.ExtraLogLevel(10))
{
if (null != diagnosticFileDumper)
{
StringBuilder sb = new StringBuilder(10000);
sb.AppendLine("payload TransactionBuilder bytes in hex: " + ProtoProposalResponse.Payload.ToByteArray().ToHexString());
sb.AppendLine("endorser bytes in hex: " + endorsement.ToByteArray().ToHexString());
sb.Append("plainText bytes in hex: " + plainText.ToByteArray().ToHexString());
logger.Trace("payload TransactionBuilder bytes: " + diagnosticFileDumper.CreateDiagnosticFile(sb.ToString()));
}
}
if (sig == null || sig.IsEmpty)
{
// we shouldn't get here ...
logger.Warn($"{Peer} {TransactionID} returned signature is empty verify set to false.");
IsVerified = false;
}
else
{
endorserCertifcate = endorser.IdBytes.ToByteArray();
signature = sig.ToByteArray();
data = plainText.ToByteArray();
IsVerified = crypto.Verify(endorserCertifcate, Config.Instance.GetSignatureAlgorithm(), signature, data);
if (!IsVerified)
{
logger.Warn($"{Peer} transaction: {TransactionID} verify: Failed to verify. Endorsers certificate: {endorserCertifcate.ToHexString()}, signature: {signature.ToHexString()}, signing algorithm: {Config.Instance.GetSignatureAlgorithm()}, signed data: {data.ToHexString()}.");
}
}
}
catch (Exception e)
{
logger.ErrorException($"{Peer} transaction: {TransactionID} verify: Failed to verify. Endorsers certificate: {endorserCertifcate.ToHexString()}, signature: {signature.ToHexString()}, signing algorithm: {Config.Instance.GetSignatureAlgorithm()}, signed data: {data.ToHexString()}.", e);
logger.Error($"{Peer} transaction: {TransactionID} verify: Cannot retrieve peer identity from ProposalResponse. Error is: {e.Message}");
logger.ErrorException("verify: Cannot retrieve peer identity from ProposalResponse. Error is: " + e.Message, e);
IsVerified = false;
}
logger.Debug($"{Peer} finished verify for transaction {TransactionID} returning {IsVerified}");
return(IsVerified);
}
finally
{
HasBeenVerified = true;
}
} // verify
