/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a WSS token.
IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken;
if (wssToken != null)
{
SecurityToken samlToken = ParseAndVerifySamlToken(wssToken.DecryptedTokenData);
args.Identity = new UserIdentity(samlToken);
Utils.Trace("SAML Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (userNameToken != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
UserNameIdentityToken userNameIdentityToken = args.NewIdentity as UserNameIdentityToken;
if (userNameIdentityToken != null)
{
args.Identity = VerifyPassword(userNameIdentityToken);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
X509IdentityToken x509IdentityToken = args.NewIdentity as X509IdentityToken;
if (x509IdentityToken != null)
{
VerifyUserTokenCertificate(x509IdentityToken.Certificate);
args.Identity = new UserIdentity(x509IdentityToken);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a WSS token.
IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken;
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
Logger.Information($"UserName Token Accepted: {args.Identity.DisplayName}");
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Logger.Information($"X509 Token Accepted: {args.Identity.DisplayName}");
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
if (VerifyPassword(userNameToken))
{
switch (userNameToken.UserName)
{
// Server configuration administrator, manages the GDS server security
case "sysadmin":
{
args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken));
Utils.Trace("SystemConfigurationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS administrator
case "appadmin":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin);
Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS user
case "appuser":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser);
Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
}
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
GdsRole role = GdsRole.ApplicationUser;
VerifyUserTokenCertificate(x509Token.Certificate);
// todo: is cert listed in admin list? then
// role = GdsRole.ApplicationAdmin;
Utils.Trace("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString());
args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
Utils.LogInfo(Utils.TraceMasks.Security, "Username Token Accepted: {0}", args.Identity?.DisplayName);
// set AuthenticatedUser role for accepted user/password authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
// set ConfigureAdmin role for user with permission to configure server
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.LogInfo(Utils.TraceMasks.Security, "X509 Token Accepted: {0}", args.Identity?.DisplayName);
// set AuthenticatedUser role for accepted certificate authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
// check for anonymous token.
if (args.NewIdentity is AnonymousIdentityToken || args.NewIdentity == null)
{
// allow anonymous authentication and set Anonymous role for this authentication
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
return;
}
// unsuported identity token type.
throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid,
"Not supported user token type: {0}.", args.NewIdentity);
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) {
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null) {
args.Identity = VerifyPassword(userNameToken);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null) {
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
// set AuthenticatedUser role for accepted user/password authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
// set ConfigureAdmin role for user with permission to configure server
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
// set AuthenticatedUser role for accepted certificate authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
// allow anonymous authentication and set Anonymous role for this authentication
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
}
/// <inheritdoc/>
protected override async Task OnOpenAsync(CancellationToken token = default(CancellationToken))
{
this.logger?.LogInformation($"Opening session channel with endpoint '{this.RemoteEndpoint.EndpointUrl}'.");
this.logger?.LogInformation($"SecurityPolicy: '{this.RemoteEndpoint.SecurityPolicyUri}'.");
this.logger?.LogInformation($"SecurityMode: '{this.RemoteEndpoint.SecurityMode}'.");
this.logger?.LogInformation($"UserIdentity: '{this.UserIdentity}'.");
await base.OnOpenAsync(token).ConfigureAwait(false);
token.ThrowIfCancellationRequested();
// if SessionId is provided then we skip the CreateSessionRequest and go directly to (re)ActivateSession.
// requires from previous Session: SessionId, AuthenticationToken, RemoteNonce
if (this.SessionId == null)
{
var localNonce = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.GetNextNonce(NonceLength) : null;
var localCertificate = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.LocalCertificate : null;
var createSessionRequest = new CreateSessionRequest
{
ClientDescription = this.LocalDescription,
EndpointUrl = this.RemoteEndpoint.EndpointUrl,
SessionName = this.LocalDescription.ApplicationName,
ClientNonce = localNonce,
ClientCertificate = localCertificate,
RequestedSessionTimeout = this.options.SessionTimeout,
MaxResponseMessageSize = this.RemoteMaxMessageSize
};
var createSessionResponse = await this.CreateSessionAsync(createSessionRequest).ConfigureAwait(false);
this.SessionId = createSessionResponse.SessionId;
this.AuthenticationToken = createSessionResponse.AuthenticationToken;
this.RemoteNonce = createSessionResponse.ServerNonce;
// verify the server's certificate is the same as the certificate from the selected endpoint.
if (this.RemoteEndpoint.ServerCertificate != null && !this.RemoteEndpoint.ServerCertificate.SequenceEqual(createSessionResponse.ServerCertificate))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Server did not return the same certificate used to create the channel.");
}
// verify the server's signature.
ISigner verifier = null;
bool verified = false;
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
verifier = SignerUtilities.GetSigner("SHA-1withRSA");
verifier.Init(false, this.RemotePublicKey);
verifier.BlockUpdate(localCertificate, 0, localCertificate.Length);
verifier.BlockUpdate(localNonce, 0, localNonce.Length);
verified = verifier.VerifySignature(createSessionResponse.ServerSignature.Signature);
break;
case SecurityPolicyUris.Basic256Sha256:
case SecurityPolicyUris.Aes128_Sha256_RsaOaep:
verifier = SignerUtilities.GetSigner("SHA-256withRSA");
verifier.Init(false, this.RemotePublicKey);
verifier.BlockUpdate(localCertificate, 0, localCertificate.Length);
verifier.BlockUpdate(localNonce, 0, localNonce.Length);
verified = verifier.VerifySignature(createSessionResponse.ServerSignature.Signature);
break;
case SecurityPolicyUris.Aes256_Sha256_RsaPss:
verifier = SignerUtilities.GetSigner("SHA-256withRSAandMGF1");
verifier.Init(false, this.RemotePublicKey);
verifier.BlockUpdate(localCertificate, 0, localCertificate.Length);
verifier.BlockUpdate(localNonce, 0, localNonce.Length);
verified = verifier.VerifySignature(createSessionResponse.ServerSignature.Signature);
break;
default:
verified = true;
break;
}
verifier = null;
if (!verified)
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid, "Server did not provide a correct signature for the nonce data provided by the client.");
}
}
// create client signature
SignatureData clientSignature = null;
ISigner signer = null;
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
signer = SignerUtilities.GetSigner("SHA-1withRSA");
signer.Init(true, this.LocalPrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
clientSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaSha1Signature,
};
break;
case SecurityPolicyUris.Basic256Sha256:
case SecurityPolicyUris.Aes128_Sha256_RsaOaep:
signer = SignerUtilities.GetSigner("SHA-256withRSA");
signer.Init(true, this.LocalPrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
clientSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaSha256Signature,
};
break;
case SecurityPolicyUris.Aes256_Sha256_RsaPss:
signer = SignerUtilities.GetSigner("SHA-256withRSAandMGF1");
signer.Init(true, this.LocalPrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
clientSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaPssSha256Signature,
};
break;
default:
clientSignature = new SignatureData();
break;
}
signer = null;
// supported UserIdentityToken types are AnonymousIdentityToken, UserNameIdentityToken, IssuedIdentityToken, X509IdentityToken
UserIdentityToken identityToken = null;
SignatureData tokenSignature = null;
// if UserIdentity type is IssuedIdentity
if (this.UserIdentity is IssuedIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.IssuedToken);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var issuedIdentity = (IssuedIdentity)this.UserIdentity;
int plainTextLength = issuedIdentity.TokenData.Length + this.RemoteNonce.Length;
IBufferedCipher encryptor;
byte[] cipherText;
int pos;
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
encryptor = CipherUtilities.GetCipher("RSA//PKCS1Padding");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(issuedIdentity.TokenData, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new IssuedIdentityToken
{
TokenData = cipherText,
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
case SecurityPolicyUris.Aes128_Sha256_RsaOaep:
encryptor = CipherUtilities.GetCipher("RSA//OAEPPADDING");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(issuedIdentity.TokenData, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new IssuedIdentityToken
{
TokenData = cipherText,
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Aes256_Sha256_RsaPss:
encryptor = CipherUtilities.GetCipher("RSA//OAEPWITHSHA256ANDMGF1PADDING");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(issuedIdentity.TokenData, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new IssuedIdentityToken
{
TokenData = cipherText,
EncryptionAlgorithm = RsaOaepSha256KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new IssuedIdentityToken
{
TokenData = issuedIdentity.TokenData,
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
encryptor = null;
cipherText = null;
}
// if UserIdentity type is X509Identity
else if (this.UserIdentity is X509Identity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Certificate);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var x509Identity = (X509Identity)this.UserIdentity;
identityToken = new X509IdentityToken {
CertificateData = x509Identity.Certificate?.GetEncoded(), PolicyId = tokenPolicy.PolicyId
};
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
signer = SignerUtilities.GetSigner("SHA-1withRSA");
signer.Init(true, x509Identity.PrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
tokenSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaSha1Signature,
};
break;
case SecurityPolicyUris.Basic256Sha256:
case SecurityPolicyUris.Aes128_Sha256_RsaOaep:
signer = SignerUtilities.GetSigner("SHA-256withRSA");
signer.Init(true, x509Identity.PrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
tokenSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaSha256Signature,
};
break;
case SecurityPolicyUris.Aes256_Sha256_RsaPss:
signer = SignerUtilities.GetSigner("SHA-256withRSAandMGF1");
signer.Init(true, x509Identity.PrivateKey);
signer.BlockUpdate(this.RemoteEndpoint.ServerCertificate, 0, this.RemoteEndpoint.ServerCertificate.Length);
signer.BlockUpdate(this.RemoteNonce, 0, this.RemoteNonce.Length);
tokenSignature = new SignatureData
{
Signature = signer.GenerateSignature(),
Algorithm = RsaSha256Signature,
};
break;
default:
tokenSignature = new SignatureData();
break;
}
signer = null;
}
// if UserIdentity type is UserNameIdentity
else if (this.UserIdentity is UserNameIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.UserName);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var userNameIdentity = (UserNameIdentity)this.UserIdentity;
byte[] passwordBytes = userNameIdentity.Password != null?System.Text.Encoding.UTF8.GetBytes(userNameIdentity.Password) : new byte[0];
int plainTextLength = passwordBytes.Length + this.RemoteNonce.Length;
IBufferedCipher encryptor;
byte[] cipherText;
int pos;
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
encryptor = CipherUtilities.GetCipher("RSA//PKCS1Padding");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(passwordBytes, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = cipherText,
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
case SecurityPolicyUris.Aes128_Sha256_RsaOaep:
encryptor = CipherUtilities.GetCipher("RSA//OAEPPADDING");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(passwordBytes, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = cipherText,
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Aes256_Sha256_RsaPss:
encryptor = CipherUtilities.GetCipher("RSA//OAEPWITHSHA256ANDMGF1PADDING");
encryptor.Init(true, this.RemotePublicKey);
cipherText = new byte[encryptor.GetOutputSize(4 + plainTextLength)];
pos = encryptor.ProcessBytes(BitConverter.GetBytes(plainTextLength), cipherText, 0);
pos = encryptor.ProcessBytes(passwordBytes, cipherText, pos);
pos = encryptor.DoFinal(this.RemoteNonce, cipherText, pos);
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = cipherText,
EncryptionAlgorithm = RsaOaepSha256KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = passwordBytes,
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
passwordBytes = null;
encryptor = null;
cipherText = null;
}
// if UserIdentity type is AnonymousIdentity or null
else
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Anonymous);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
identityToken = new AnonymousIdentityToken {
PolicyId = tokenPolicy.PolicyId
};
tokenSignature = new SignatureData();
}
var activateSessionRequest = new ActivateSessionRequest
{
ClientSignature = clientSignature,
LocaleIds = new[] { CultureInfo.CurrentUICulture.TwoLetterISOLanguageName },
UserIdentityToken = identityToken,
UserTokenSignature = tokenSignature
};
var activateSessionResponse = await this.ActivateSessionAsync(activateSessionRequest).ConfigureAwait(false);
this.RemoteNonce = activateSessionResponse.ServerNonce;
// fetch namespace array, etc.
var readValueIds = new ReadValueId[]
{
new ReadValueId
{
NodeId = NodeId.Parse(VariableIds.Server_NamespaceArray),
AttributeId = AttributeIds.Value
},
new ReadValueId
{
NodeId = NodeId.Parse(VariableIds.Server_ServerArray),
AttributeId = AttributeIds.Value
}
};
var readRequest = new ReadRequest
{
NodesToRead = readValueIds
};
var readResponse = await this.ReadAsync(readRequest).ConfigureAwait(false);
if (readResponse.Results.Length == 2)
{
if (StatusCode.IsGood(readResponse.Results[0].StatusCode))
{
this.NamespaceUris.Clear();
this.NamespaceUris.AddRange(readResponse.Results[0].GetValueOrDefault <string[]>());
}
if (StatusCode.IsGood(readResponse.Results[1].StatusCode))
{
this.ServerUris.Clear();
this.ServerUris.AddRange(readResponse.Results[1].GetValueOrDefault <string[]>());
}
}
// create the keep alive subscription.
var subscriptionRequest = new CreateSubscriptionRequest
{
RequestedPublishingInterval = DefaultPublishingInterval,
RequestedMaxKeepAliveCount = DefaultKeepaliveCount,
RequestedLifetimeCount = DefaultKeepaliveCount * 3,
PublishingEnabled = true,
};
var subscriptionResponse = await this.CreateSubscriptionAsync(subscriptionRequest).ConfigureAwait(false);
// link up the dataflow blocks
var id = subscriptionResponse.SubscriptionId;
var linkToken = this.LinkTo(this.actionBlock, pr => pr.SubscriptionId == id);
// start publishing.
this.stateMachineTask = Task.Run(() => this.StateMachineAsync(this.stateMachineCts.Token));
}
protected override async Task OnOpenAsync(CancellationToken token)
{
await base.OnOpenAsync(token).ConfigureAwait(false);
token.ThrowIfCancellationRequested();
// if SessionId is provided then we skip the CreateSessionRequest and go directly to (re)ActivateSession.
// requires from previous Session: SessionId, AuthenticationToken, RemoteNonce
if (this.SessionId == null)
{
var localNonce = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.GetNextNonce() : null;
var localCertificateBlob = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.LocalCertificate.RawData : null;
var createSessionRequest = new CreateSessionRequest
{
ClientDescription = this.LocalDescription,
EndpointUrl = this.RemoteEndpoint.EndpointUrl,
SessionName = this.LocalDescription.ApplicationName,
ClientNonce = localNonce,
ClientCertificate = localCertificateBlob,
RequestedSessionTimeout = this.SessionTimeout,
MaxResponseMessageSize = this.RemoteMaxMessageSize
};
var createSessionResponse = await this.CreateSessionAsync(createSessionRequest).ConfigureAwait(false);
this.SessionId = createSessionResponse.SessionId;
this.AuthenticationToken = createSessionResponse.AuthenticationToken;
this.RemoteNonce = createSessionResponse.ServerNonce;
// verify the server's certificate is the same as the certificate from the selected endpoint.
if (this.RemoteEndpoint.ServerCertificate != null && !this.RemoteEndpoint.ServerCertificate.SequenceEqual(createSessionResponse.ServerCertificate))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Server did not return the same certificate used to create the channel.");
}
// verify the server's signature.
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
byte[] dataToVerify = Concat(localCertificateBlob, localNonce);
if (!this.RemotePublicKey.VerifyData(dataToVerify, createSessionResponse.ServerSignature.Signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1))
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid, "Server did not provide a correct signature for the nonce data provided by the client.");
}
break;
case SecurityPolicyUris.Basic256Sha256:
byte[] dataToVerify256 = Concat(localCertificateBlob, localNonce);
if (!this.RemotePublicKey.VerifyData(dataToVerify256, createSessionResponse.ServerSignature.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid, "Server did not provide a correct signature for the nonce data provided by the client.");
}
break;
default:
break;
}
}
// create client signature
SignatureData clientSignature = null;
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
byte[] dataToSign = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
clientSignature = new SignatureData
{
Signature = this.LocalPrivateKey.SignData(dataToSign, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha1Signature,
};
break;
case SecurityPolicyUris.Basic256Sha256:
byte[] dataToSign256 = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
clientSignature = new SignatureData
{
Signature = this.LocalPrivateKey.SignData(dataToSign256, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha256Signature,
};
break;
default:
clientSignature = new SignatureData();
break;
}
// supported UserIdentityToken types are AnonymousIdentityToken, UserNameIdentityToken, IssuedIdentityToken, X509IdentityToken
UserIdentityToken identityToken = null;
SignatureData tokenSignature = null;
// if UserIdentity type is IssuedIdentity
if (this.UserIdentity is IssuedIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.IssuedToken);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var issuedIdentity = (IssuedIdentity)this.UserIdentity;
byte[] plainText = Concat(issuedIdentity.TokenData, this.RemoteNonce);
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
RSA asymRemoteEncryptionKey;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new IssuedIdentityToken
{
TokenData = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new IssuedIdentityToken
{
TokenData = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new IssuedIdentityToken
{
TokenData = issuedIdentity.TokenData,
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
}
// if UserIdentity type is X509Identity
else if (this.UserIdentity is X509Identity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Certificate);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var x509Identity = (X509Identity)this.UserIdentity;
identityToken = new X509IdentityToken {
CertificateData = x509Identity.Certificate?.RawData, PolicyId = tokenPolicy.PolicyId
};
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
var asymSigningKey = x509Identity.Certificate?.GetRSAPrivateKey();
if (asymSigningKey != null)
{
byte[] dataToSign = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
tokenSignature = new SignatureData
{
Signature = asymSigningKey.SignData(dataToSign, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha1Signature,
};
break;
}
tokenSignature = new SignatureData();
break;
case SecurityPolicyUris.Basic256Sha256:
var asymSigningKey256 = x509Identity.Certificate?.GetRSAPrivateKey();
if (asymSigningKey256 != null)
{
byte[] dataToSign256 = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
tokenSignature = new SignatureData
{
Signature = asymSigningKey256.SignData(dataToSign256, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha256Signature,
};
break;
}
tokenSignature = new SignatureData();
break;
default:
tokenSignature = new SignatureData();
break;
}
}
// if UserIdentity type is UserNameIdentity
else if (this.UserIdentity is UserNameIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.UserName);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var userNameIdentity = (UserNameIdentity)this.UserIdentity;
byte[] plainText = Concat(System.Text.Encoding.UTF8.GetBytes(userNameIdentity.Password), this.RemoteNonce);
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
RSA asymRemoteEncryptionKey;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = System.Text.Encoding.UTF8.GetBytes(userNameIdentity.Password),
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
}
// if UserIdentity type is AnonymousIdentity or null
else
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Anonymous);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
identityToken = new AnonymousIdentityToken {
PolicyId = tokenPolicy.PolicyId
};
tokenSignature = new SignatureData();
}
var activateSessionRequest = new ActivateSessionRequest
{
ClientSignature = clientSignature,
LocaleIds = new[] { CultureInfo.CurrentUICulture.TwoLetterISOLanguageName },
UserIdentityToken = identityToken,
UserTokenSignature = tokenSignature
};
var activateSessionResponse = await this.ActivateSessionAsync(activateSessionRequest).ConfigureAwait(false);
this.RemoteNonce = activateSessionResponse.ServerNonce;
// fetch namespace array, etc.
var readValueIds = new ReadValueId[]
{
new ReadValueId
{
NodeId = NodeId.Parse(VariableIds.Server_NamespaceArray),
AttributeId = AttributeIds.Value
},
new ReadValueId
{
NodeId = NodeId.Parse(VariableIds.Server_ServerArray),
AttributeId = AttributeIds.Value
}
};
var readRequest = new ReadRequest
{
NodesToRead = readValueIds
};
var readResponse = await this.ReadAsync(readRequest).ConfigureAwait(false);
if (readResponse.Results.Length == 2)
{
if (StatusCode.IsGood(readResponse.Results[0].StatusCode))
{
this.NamespaceUris.Clear();
this.NamespaceUris.AddRange(readResponse.Results[0].GetValueOrDefault <string[]>());
}
if (StatusCode.IsGood(readResponse.Results[1].StatusCode))
{
this.ServerUris.Clear();
this.ServerUris.AddRange(readResponse.Results[1].GetValueOrDefault <string[]>());
}
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for an issued token.
IssuedIdentityToken issuedToken = args.NewIdentity as IssuedIdentityToken;
if (issuedToken != null)
{
if (args.UserTokenPolicy.IssuedTokenType == "http://opcfoundation.org/UA/UserTokenPolicy#JWT")
{
JwtEndpointParameters parameters = new JwtEndpointParameters();
parameters.FromJson(args.UserTokenPolicy.IssuerEndpointUrl);
var jwt = new UTF8Encoding().GetString(issuedToken.DecryptedTokenData);
var identity = ValidateJwt(parameters, jwt);
Utils.Trace("JSON Web Token Accepted: {0}", identity.DisplayName);
args.Identity = identity;
return;
}
}
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
var identity = new UserIdentity(userNameToken);
var token = (UserNameIdentityToken)identity.GetIdentityToken();
switch (token.UserName)
{
case "gdsadmin":
{
if (token.DecryptedPassword == "demo")
{
Utils.Trace("GdsAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
case "appadmin":
{
if (token.DecryptedPassword == "demo")
{
args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationAdmin);
Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
case "appuser":
{
if (token.DecryptedPassword == "demo")
{
args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationUser);
Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
}
args.Identity = identity;
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
protected override async Task OnOpenAsync(CancellationToken token)
{
await base.OnOpenAsync(token).ConfigureAwait(false);
token.ThrowIfCancellationRequested();
// if SessionId is provided then we skip the CreateSessionRequest and go directly to (re)ActivateSession.
// requires from previous Session: SessionId, AuthenticationToken, RemoteNonce
if (this.SessionId == null)
{
var localNonce = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.GetNextNonce() : null;
var localCertificateBlob = this.RemoteEndpoint.SecurityMode != MessageSecurityMode.None ? this.LocalCertificate.RawData : null;
var createSessionRequest = new CreateSessionRequest
{
RequestHeader = new RequestHeader { TimeoutHint = this.TimeoutHint, ReturnDiagnostics = this.DiagnosticsHint, Timestamp = DateTime.UtcNow },
ClientDescription = this.LocalDescription,
EndpointUrl = this.RemoteEndpoint.EndpointUrl,
SessionName = this.LocalDescription.ApplicationName,
ClientNonce = localNonce,
ClientCertificate = localCertificateBlob,
RequestedSessionTimeout = this.SessionTimeout,
MaxResponseMessageSize = this.RemoteMaxMessageSize
};
var createSessionResponse = (CreateSessionResponse)await this.RequestAsync(createSessionRequest).ConfigureAwait(false);
this.SessionId = createSessionResponse.SessionId;
this.AuthenticationToken = createSessionResponse.AuthenticationToken;
this.RemoteNonce = createSessionResponse.ServerNonce;
// verify the server's certificate is the same as the certificate from the selected endpoint.
if (this.RemoteEndpoint.ServerCertificate != null && !this.RemoteEndpoint.ServerCertificate.SequenceEqual(createSessionResponse.ServerCertificate))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Server did not return the same certificate used to create the channel.");
}
// verify the server's signature.
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
byte[] dataToVerify = Concat(localCertificateBlob, localNonce);
if (!this.RemotePublicKey.VerifyData(dataToVerify, createSessionResponse.ServerSignature.Signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1))
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid, "Server did not provide a correct signature for the nonce data provided by the client.");
}
break;
case SecurityPolicyUris.Basic256Sha256:
byte[] dataToVerify256 = Concat(localCertificateBlob, localNonce);
if (!this.RemotePublicKey.VerifyData(dataToVerify256, createSessionResponse.ServerSignature.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid, "Server did not provide a correct signature for the nonce data provided by the client.");
}
break;
default:
break;
}
}
// create client signature
SignatureData clientSignature = null;
switch (this.RemoteEndpoint.SecurityPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
byte[] dataToSign = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
clientSignature = new SignatureData
{
Signature = this.LocalPrivateKey.SignData(dataToSign, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha1Signature,
};
break;
case SecurityPolicyUris.Basic256Sha256:
byte[] dataToSign256 = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
clientSignature = new SignatureData
{
Signature = this.LocalPrivateKey.SignData(dataToSign256, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha256Signature,
};
break;
default:
clientSignature = new SignatureData();
break;
}
// supported UserIdentityToken types are AnonymousIdentityToken, UserNameIdentityToken, IssuedIdentityToken, X509IdentityToken
UserIdentityToken identityToken = null;
SignatureData tokenSignature = null;
// if UserIdentity type is IssuedIdentity
if (this.UserIdentity is IssuedIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.IssuedToken);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var issuedIdentity = (IssuedIdentity)this.UserIdentity;
byte[] plainText = Concat(issuedIdentity.TokenData, this.RemoteNonce);
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
RSA asymRemoteEncryptionKey;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new IssuedIdentityToken
{
TokenData = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new IssuedIdentityToken
{
TokenData = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new IssuedIdentityToken
{
TokenData = issuedIdentity.TokenData,
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
}
// if UserIdentity type is X509Identity
else if (this.UserIdentity is X509Identity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Certificate);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var x509Identity = (X509Identity)this.UserIdentity;
identityToken = new X509IdentityToken { CertificateData = x509Identity.Certificate?.RawData, PolicyId = tokenPolicy.PolicyId };
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
case SecurityPolicyUris.Basic256:
var asymSigningKey = x509Identity.Certificate?.GetRSAPrivateKey();
if (asymSigningKey != null)
{
byte[] dataToSign = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
tokenSignature = new SignatureData
{
Signature = asymSigningKey.SignData(dataToSign, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha1Signature,
};
break;
}
tokenSignature = new SignatureData();
break;
case SecurityPolicyUris.Basic256Sha256:
var asymSigningKey256 = x509Identity.Certificate?.GetRSAPrivateKey();
if (asymSigningKey256 != null)
{
byte[] dataToSign256 = Concat(this.RemoteEndpoint.ServerCertificate, this.RemoteNonce);
tokenSignature = new SignatureData
{
Signature = asymSigningKey256.SignData(dataToSign256, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
Algorithm = RsaSha256Signature,
};
break;
}
tokenSignature = new SignatureData();
break;
default:
tokenSignature = new SignatureData();
break;
}
}
// if UserIdentity type is UserNameIdentity
else if (this.UserIdentity is UserNameIdentity)
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.UserName);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
var userNameIdentity = (UserNameIdentity)this.UserIdentity;
byte[] plainText = Concat(System.Text.Encoding.UTF8.GetBytes(userNameIdentity.Password), this.RemoteNonce);
var secPolicyUri = tokenPolicy.SecurityPolicyUri ?? this.RemoteEndpoint.SecurityPolicyUri;
RSA asymRemoteEncryptionKey;
switch (secPolicyUri)
{
case SecurityPolicyUris.Basic128Rsa15:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaV15KeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
case SecurityPolicyUris.Basic256:
case SecurityPolicyUris.Basic256Sha256:
asymRemoteEncryptionKey = this.RemoteCertificate.GetRSAPublicKey();
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = asymRemoteEncryptionKey.EncryptTokenData(plainText, secPolicyUri),
EncryptionAlgorithm = RsaOaepKeyWrap,
PolicyId = tokenPolicy.PolicyId
};
break;
default:
identityToken = new UserNameIdentityToken
{
UserName = userNameIdentity.UserName,
Password = System.Text.Encoding.UTF8.GetBytes(userNameIdentity.Password),
EncryptionAlgorithm = null,
PolicyId = tokenPolicy.PolicyId
};
break;
}
tokenSignature = new SignatureData();
}
// if UserIdentity type is AnonymousIdentity or null
else
{
var tokenPolicy = this.RemoteEndpoint.UserIdentityTokens.FirstOrDefault(t => t.TokenType == UserTokenType.Anonymous);
if (tokenPolicy == null)
{
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected);
}
identityToken = new AnonymousIdentityToken { PolicyId = tokenPolicy.PolicyId };
tokenSignature = new SignatureData();
}
var activateSessionRequest = new ActivateSessionRequest
{
RequestHeader = new RequestHeader { TimeoutHint = this.TimeoutHint, ReturnDiagnostics = this.DiagnosticsHint, Timestamp = DateTime.UtcNow },
ClientSignature = clientSignature,
LocaleIds = new[] { CultureInfo.CurrentUICulture.TwoLetterISOLanguageName },
UserIdentityToken = identityToken,
UserTokenSignature = tokenSignature
};
var activateSessionResponse = (ActivateSessionResponse)await this.RequestAsync(activateSessionRequest).ConfigureAwait(false);
this.RemoteNonce = activateSessionResponse.ServerNonce;
await this.FetchNamespaceTablesAsync().ConfigureAwait(false);
}
