public void Union(MessagePartSpecification specification)
{
if (_isReadOnly)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.ObjectIsReadOnly));
}
if (specification == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("specification");
}
_isBodyIncluded |= specification.IsBodyIncluded;
List <XmlQualifiedName> headerTypes = specification._headerTypes;
if (headerTypes != null && headerTypes.Count > 0)
{
if (_headerTypes == null)
{
_headerTypes = new List <XmlQualifiedName>(headerTypes.Count);
}
for (int i = 0; i < headerTypes.Count; i++)
{
XmlQualifiedName qname = headerTypes[i];
_headerTypes.Add(qname);
}
}
}
public bool TryGetParts(string action, bool excludeChannelScope, out MessagePartSpecification parts)
{
if (action == null)
{
action = MessageHeaders.WildcardAction;
}
parts = null;
if (isReadOnly)
{
if (readOnlyNormalizedActionParts.ContainsKey(action))
{
if (excludeChannelScope)
{
parts = actionParts[action];
}
else
{
parts = readOnlyNormalizedActionParts[action];
}
}
}
else if (actionParts.ContainsKey(action))
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(actionParts[action]);
if (!excludeChannelScope)
{
p.Union(channelParts);
}
parts = p;
}
return(parts != null);
}
private static MessagePartSpecification ExtractMessageParts(string action,
ScopedMessagePartSpecification scopedParts, bool isForSignature)
{
MessagePartSpecification parts = null;
if (scopedParts.TryGetParts(action, out parts))
{
return(parts);
}
else if (scopedParts.TryGetParts(MessageHeaders.WildcardAction, out parts))
{
return(parts);
}
// send back a fault indication that the action is unknown
SecurityVersion wss = MessageSecurityVersion.Default.SecurityVersion;
FaultCode subCode = new FaultCode(wss.InvalidSecurityFaultCode.Value, wss.HeaderNamespace.Value);
FaultCode senderCode = FaultCode.CreateSenderFaultCode(subCode);
FaultReason reason = new FaultReason(SR.Format(SR.InvalidOrUnrecognizedAction, action), System.Globalization.CultureInfo.CurrentCulture);
MessageFault fault = MessageFault.CreateFault(senderCode, reason);
if (isForSignature)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoSignaturePartsSpecified, action), null, fault));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoEncryptionPartsSpecified, action), null, fault));
}
}
internal void AddParts(MessagePartSpecification parts, XmlDictionaryString action)
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(action)));
}
AddParts(parts, action.Value);
}
public void AddParts(MessagePartSpecification parts)
{
if (parts == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(parts)));
}
ThrowIfReadOnly();
channelParts.Union(parts);
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.Format(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
SecurityKey signatureKey;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString);
AsymmetricAlgorithm asymmetricAlgorithm = null;
GetSigningAlgorithm(signatureKey, signatureAlgorithm, out _signingKey, out asymmetricAlgorithm);
_signedXml = new SignedXml();
_signedXml.SignedInfo.CanonicalizationMethod = canonicalizationAlgorithm;
_signedXml.SignedInfo.SignatureMethod = signatureAlgorithm;
_signedXml.SigningKey = asymmetricAlgorithm;
if (keyIdentifier != null)
{
var stream = new MemoryStream();
using (var xmlWriter = XmlDictionaryWriter.CreateTextWriter(stream, Encoding.UTF8, false))
{
StandardsManager.SecurityTokenSerializer.WriteKeyIdentifier(xmlWriter, keyIdentifier);
}
stream.Position = 0;
XmlDocument doc = new XmlDocument();
doc.Load(stream);
var keyInfo = new KeyInfo();
keyInfo.LoadXml(doc.DocumentElement);
_signedXml.KeyInfo = keyInfo;
}
if (generateTargettableSignature)
{
_signedXml.Signature.Id = GenerateId();
}
_effectiveSignatureParts = signatureParts;
}
public void MakeReadOnly()
{
if (!isReadOnly)
{
readOnlyNormalizedActionParts = new Dictionary <string, MessagePartSpecification>();
foreach (string action in actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(actionParts[action]);
p.Union(channelParts);
p.MakeReadOnly();
readOnlyNormalizedActionParts[action] = p;
}
isReadOnly = true;
}
}
static void AddHeaderProtectionRequirements(MessageHeaderDescription header, MessagePartSpecification signedParts,
MessagePartSpecification encryptedParts, ProtectionLevel defaultProtectionLevel)
{
var p = defaultProtectionLevel; //header.HasProtectionLevel currently is always false;
//ProtectionLevel p = header.HasProtectionLevel ? header.ProtectionLevel : defaultProtectionLevel;
if (p != ProtectionLevel.None)
{
var headerName = new XmlQualifiedName(header.Name, header.Namespace);
signedParts.HeaderTypes.Add(headerName);
if (p == ProtectionLevel.EncryptAndSign)
{
encryptedParts.HeaderTypes.Add(headerName);
}
}
}
public ScopedMessagePartSpecification(ScopedMessagePartSpecification other)
: this()
{
if (other == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(other)));
}
channelParts.Union(other.channelParts);
if (other.actionParts != null)
{
foreach (string action in other.actionParts.Keys)
{
MessagePartSpecification p = new MessagePartSpecification();
p.Union(other.actionParts[action]);
actionParts[action] = p;
}
}
}
public void AddParts(MessagePartSpecification parts, string action)
{
if (action == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(action)));
}
if (parts == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(parts)));
}
ThrowIfReadOnly();
if (!actionParts.ContainsKey(action))
{
actionParts[action] = new MessagePartSpecification();
}
actionParts[action].Union(parts);
}
private static void AddFaultProtectionRequirements(FaultDescriptionCollection faults, ChannelProtectionRequirements requirements, ProtectionLevel defaultProtectionLevel, bool addToIncoming)
{
if (faults == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(faults));
}
if (requirements == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(requirements));
}
foreach (FaultDescription fault in faults)
{
var signedParts = new MessagePartSpecification();
var encryptedParts = new MessagePartSpecification();
ProtectionLevel p = defaultProtectionLevel; // FaultDescription.HasProtectionLevel currently is always false
//ProtectionLevel p = fault.HasProtectionLevel ? fault.ProtectionLevel : defaultProtectionLevel;
if (p != ProtectionLevel.None)
{
signedParts.IsBodyIncluded = true;
if (p == ProtectionLevel.EncryptAndSign)
{
encryptedParts.IsBodyIncluded = true;
}
}
if (addToIncoming)
{
requirements.IncomingSignatureParts.AddParts(signedParts, fault.Action);
requirements.IncomingEncryptionParts.AddParts(encryptedParts, fault.Action);
}
else
{
requirements.OutgoingSignatureParts.AddParts(signedParts, fault.Action);
requirements.OutgoingEncryptionParts.AddParts(encryptedParts, fault.Action);
}
}
}
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts)
{
var result = new MessagePartSpecification(false);
foreach (string action in actionParts.Actions)
{
if (actionParts.TryGetParts(action, out MessagePartSpecification parts))
{
if (parts.IsBodyIncluded)
{
result.IsBodyIncluded = true;
}
foreach (XmlQualifiedName headerType in parts.HeaderTypes)
{
if (!result.IsHeaderIncluded(headerType.Name, headerType.Namespace))
{
result.HeaderTypes.Add(headerType);
}
}
}
}
return(result);
}
protected abstract void StartPrimarySignatureCore(SecurityToken token, SecurityKeyIdentifier identifier, MessagePartSpecification signatureParts, bool generateTargettablePrimarySignature);
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(
SendSecurityHeaderElement[] signatureConfirmations,
SecurityToken[] signedEndorsingTokens,
SecurityToken[] signedTokens,
SendSecurityHeaderElement[] basicTokens, bool isPrimarySignature)
{
if (_signedXml == null)
{
return(null);
}
SecurityTimestamp timestamp = Timestamp;
if (timestamp != null)
{
if (timestamp.Id == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.TimestampToSignHasNoId));
}
var buffer = new byte[64];
var ms = new MemoryStream();
StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(
ms, timestamp, buffer);
ms.Position = 0;
AddReference("#" + timestamp.Id, ms);
var reference = new System.Security.Cryptography.Xml.Reference(ms);
}
if ((ShouldSignToHeader) && (_signingKey != null || _signedXml.SigningKey != null) && (Version.Addressing != AddressingVersion.None))
{
if (_toHeaderStream != null)
{
AddReference("#" + _toHeaderId, _toHeaderStream);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.TransportSecurityRequireToHeader));
}
}
AddSignatureReference(signatureConfirmations);
if (isPrimarySignature && ShouldProtectTokens)
{
AddPrimaryTokenSignatureReference(ElementContainer.SourceSigningToken, SigningTokenParameters);
}
if (RequireMessageProtection)
{
throw new PlatformNotSupportedException(nameof(RequireMessageProtection));
}
if (_signedXml.SignedInfo.References.Count == 0)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.NoPartsOfMessageMatchedPartsToSign), Message);
}
try
{
if (_signingKey != null)
{
_signedXml.ComputeSignature(_signingKey);
}
else
{
_signedXml.ComputeSignature();
}
return(new SignatureValue(_signedXml.Signature));
}
finally
{
_hashStream = null;
_signingKey = null;
_signedXml = null;
_effectiveSignatureParts = null;
}
}
public bool TryGetParts(string action, out MessagePartSpecification parts)
{
return(TryGetParts(action, false, out parts));
}
public ScopedMessagePartSpecification()
{
channelParts = new MessagePartSpecification();
actionParts = new Dictionary <string, MessagePartSpecification>();
}
internal static ChannelProtectionRequirements CreateFromContract(ContractDescription contract, ProtectionLevel defaultRequestProtectionLevel, ProtectionLevel defaultResponseProtectionLevel)
{
if (contract == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(contract));
}
var requirements = new ChannelProtectionRequirements();
var contractScopeDefaultRequestProtectionLevel = ProtectionLevel.None;
var contractScopeDefaultResponseProtectionLevel = ProtectionLevel.None;
if (contract.HasProtectionLevel) // Currently always false
{
//contractScopeDefaultRequestProtectionLevel = contract.ProtectionLevel;
//contractScopeDefaultResponseProtectionLevel = contract.ProtectionLevel;
}
else
{
contractScopeDefaultRequestProtectionLevel = defaultRequestProtectionLevel;
contractScopeDefaultResponseProtectionLevel = defaultResponseProtectionLevel;
}
foreach (var operation in contract.Operations)
{
var operationScopeDefaultRequestProtectionLevel = ProtectionLevel.None;
var operationScopeDefaultResponseProtectionLevel = ProtectionLevel.None;
if (operation.HasProtectionLevel) // Currently always false
{
//operationScopeDefaultRequestProtectionLevel = operation.ProtectionLevel;
//operationScopeDefaultResponseProtectionLevel = operation.ProtectionLevel;
}
else
{
operationScopeDefaultRequestProtectionLevel = contractScopeDefaultRequestProtectionLevel;
operationScopeDefaultResponseProtectionLevel = contractScopeDefaultResponseProtectionLevel;
}
foreach (var message in operation.Messages)
{
var messageScopeDefaultProtectionLevel = ProtectionLevel.None;
if (message.HasProtectionLevel)
{
//messageScopeDefaultProtectionLevel = message.ProtectionLevel;
}
else if (message.Direction == MessageDirection.Input)
{
messageScopeDefaultProtectionLevel = operationScopeDefaultRequestProtectionLevel;
}
else
{
messageScopeDefaultProtectionLevel = operationScopeDefaultResponseProtectionLevel;
}
var signedParts = new MessagePartSpecification();
var encryptedParts = new MessagePartSpecification();
// determine header protection requirements for message
foreach (var header in message.Headers)
{
AddHeaderProtectionRequirements(header, signedParts, encryptedParts, messageScopeDefaultProtectionLevel);
}
// determine body protection requirements for message
ProtectionLevel bodyProtectionLevel;
if (message.Body.Parts.Count > 0)
{
// initialize the body protection level to none. all the body parts will be
// unioned to get the effective body protection level
bodyProtectionLevel = ProtectionLevel.None;
}
else if (message.Body.ReturnValue != null)
{
if (!(message.Body.ReturnValue.GetType().Equals(typeof(MessagePartDescription))))
{
Fx.Assert("Only body return values are supported currently");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.OnlyBodyReturnValuesSupported));
}
bodyProtectionLevel = messageScopeDefaultProtectionLevel; // MessagePartDescription.HasProtectionLevel currently always false
//MessagePartDescription desc = message.Body.ReturnValue;
//bodyProtectionLevel = desc.HasProtectionLevel ? desc.ProtectionLevel : messageScopeDefaultProtectionLevel;
}
else
{
bodyProtectionLevel = messageScopeDefaultProtectionLevel;
}
// determine body protection requirements for message
if (message.Body.Parts.Count > 0)
{
foreach (var body in message.Body.Parts)
{
var partProtectionLevel = messageScopeDefaultProtectionLevel; // MessagePartDescription.HasProtectionLevel currently always false
//ProtectionLevel partProtectionLevel = body.HasProtectionLevel ? body.ProtectionLevel : messageScopeDefaultProtectionLevel;
bodyProtectionLevel = ProtectionLevelHelper.Max(bodyProtectionLevel, partProtectionLevel);
if (bodyProtectionLevel == ProtectionLevel.EncryptAndSign)
{
break;
}
}
}
if (bodyProtectionLevel != ProtectionLevel.None)
{
signedParts.IsBodyIncluded = true;
if (bodyProtectionLevel == ProtectionLevel.EncryptAndSign)
{
encryptedParts.IsBodyIncluded = true;
}
}
// add requirements for message
if (message.Direction == MessageDirection.Input)
{
requirements.IncomingSignatureParts.AddParts(signedParts, message.Action);
requirements.IncomingEncryptionParts.AddParts(encryptedParts, message.Action);
}
else
{
requirements.OutgoingSignatureParts.AddParts(signedParts, message.Action);
requirements.OutgoingEncryptionParts.AddParts(encryptedParts, message.Action);
}
}
if (operation.Faults != null)
{
if (operation.IsServerInitiated())
{
AddFaultProtectionRequirements(operation.Faults, requirements, operationScopeDefaultRequestProtectionLevel, true);
}
else
{
AddFaultProtectionRequirements(operation.Faults, requirements, operationScopeDefaultResponseProtectionLevel, false);
}
}
}
return(requirements);
}
