public Message Issue(Message request)
{
try
{
Console.WriteLine("Call to IWSTrust::Issue");
// if request is null, we're toast
if (request == null)
{
throw new ArgumentNullException("request");
}
// Create an RST object from the request message
Gudge.Samples.Security.RSTRSTR.RequestSecurityToken rst = Gudge.Samples.Security.RSTRSTR.RequestSecurityToken.CreateFrom(request.GetReaderAtBodyContents());
// Check that is really is an Issue request
if (rst.RequestType == null || rst.RequestType != Constants.Trust.RequestTypes.Issue)
{
throw new InvalidOperationException(rst.RequestType);
}
// Create an RSTR object
Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse rstr = Issue(rst);
// Create response message
Message response = Message.CreateMessage(request.Version, Constants.Trust.Actions.IssueReply, rstr);
// Set RelatesTo of response to message id of request
response.Headers.RelatesTo = request.Headers.MessageId;
// Address response to ReplyTo of request
request.Headers.ReplyTo.ApplyTo(response);
return(response);
}
catch (Exception e)
{
Console.WriteLine("**** Exception thrown while processing Issue request:");
Console.WriteLine(e.Message);
throw;
}
}
// private methods
private Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse Issue(Gudge.Samples.Security.RSTRSTR.RequestSecurityToken rst)
{
// If rst is null, we're toast
if (rst == null)
throw new ArgumentNullException("rst");
// Create an RSTR object
Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse rstr = new Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse();
// Figure out the token type being requested
string tokenType = GetTokenType(rst);
Console.WriteLine("Issue: Request for token type {0}", tokenType);
// Figure out which key we're going to sign the token with...
SecurityKey signingKey = GetSigningKey();
SecurityKeyIdentifier signingKeyIdentifier = GetSigningKeyIdentifier();
SecurityKeyIdentifier proofKeyIdentifier = null;
if (rst.IsProofKeyAsymmetric())
{
Console.WriteLine("Retrieving Asymmetric Proof Key");
// Asymmetric proof key
proofKeyIdentifier = GetAsymmetricProofKey(rst);
}
else
{
// Symmetric proof key
Console.WriteLine("Constructing Symmetric Proof Key");
// Construct session key. This is the symmetric key that the client and the service will share.
// It actually appears twice in the response message; once for the service and
// once for the client. In the former case, it is typically embedded in the issued token,
// in the latter case, it is returned in a wst:RequestedProofToken element.
byte[] sessionKey = GetSessionKey(rst, rstr);
// Get token to use when encrypting key material for the service
SecurityToken encryptingToken = GetEncryptingToken(rst);
// Encrypt the session key for the service
byte[] encryptedKey = GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);
}
// Issued tokens are valid for 12 hours by default
DateTime effectiveTime = DateTime.Now;
DateTime expirationTime = DateTime.Now + new TimeSpan(12, 0, 0);
SecurityToken st = null;
switch (tokenType)
{
case "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1":
st = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier, rst.ClaimRequirements );
break;
default:
throw new Exception("Unsupported Token Type");
}
rstr.RequestedSecurityToken = st;
rstr.Context = rst.Context;
rstr.TokenType = tokenType;
rstr.RequestedAttachedReference = GetInternalSecurityKeyIdentifier(st)[0];
rstr.RequestedUnattachedReference = GetExternalSecurityKeyIdentifier(st)[0];
return rstr;
}
// private methods
private Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse Issue(Gudge.Samples.Security.RSTRSTR.RequestSecurityToken rst)
{
// If rst is null, we're toast
if (rst == null)
{
throw new ArgumentNullException("rst");
}
// Create an RSTR object
Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse rstr = new Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse();
// Figure out the token type being requested
string tokenType = GetTokenType(rst);
Console.WriteLine("Issue: Request for token type {0}", tokenType);
// Figure out which key we're going to sign the token with...
SecurityKey signingKey = GetSigningKey();
SecurityKeyIdentifier signingKeyIdentifier = GetSigningKeyIdentifier();
SecurityKeyIdentifier proofKeyIdentifier = null;
if (rst.IsProofKeyAsymmetric())
{
Console.WriteLine("Retrieving Asymmetric Proof Key");
// Asymmetric proof key
proofKeyIdentifier = GetAsymmetricProofKey(rst);
}
else
{
// Symmetric proof key
Console.WriteLine("Constructing Symmetric Proof Key");
// Construct session key. This is the symmetric key that the client and the service will share.
// It actually appears twice in the response message; once for the service and
// once for the client. In the former case, it is typically embedded in the issued token,
// in the latter case, it is returned in a wst:RequestedProofToken element.
byte[] sessionKey = GetSessionKey(rst, rstr);
// Get token to use when encrypting key material for the service
SecurityToken encryptingToken = GetEncryptingToken(rst);
// Encrypt the session key for the service
byte[] encryptedKey = GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);
}
// Issued tokens are valid for 12 hours by default
DateTime effectiveTime = DateTime.Now;
DateTime expirationTime = DateTime.Now + new TimeSpan(12, 0, 0);
SecurityToken st = null;
switch (tokenType)
{
case "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1":
st = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier, rst.ClaimRequirements);
break;
default:
throw new Exception("Unsupported Token Type");
}
rstr.RequestedSecurityToken = st;
rstr.Context = rst.Context;
rstr.TokenType = tokenType;
rstr.RequestedAttachedReference = GetInternalSecurityKeyIdentifier(st)[0];
rstr.RequestedUnattachedReference = GetExternalSecurityKeyIdentifier(st)[0];
return(rstr);
}
private byte[] GetSessionKey(Gudge.Samples.Security.RSTRSTR.RequestSecurityToken rst, Gudge.Samples.Security.RSTRSTR.RequestSecurityTokenResponse rstr)
{
// If rst is null, we're toast
if (rst == null)
{
throw new ArgumentNullException("rst");
}
// If rstr is null, we're toast
if (rstr == null)
{
throw new ArgumentNullException("rstr");
}
// Figure out the keySize
int keySize = 256;
if (rst.KeySize != 0)
{
keySize = rst.KeySize;
}
Console.WriteLine("Proof key size {0}", keySize);
// Figure out whether we're using Combined or Issuer entropy.
byte[] sessionKey = null;
byte[] senderEntropy = GetSenderEntropy(rst);
byte[] issuerEntropy = GetIssuerEntropy(keySize);
RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
if (senderEntropy != null)
{
// Combined entropy
Console.WriteLine("Combined Entropy");
sessionKey = rstr.ComputeCombinedKey(senderEntropy, issuerEntropy, keySize);
rstr.IssuerEntropy = new BinarySecretSecurityToken(issuerEntropy);
rstr.ComputeKey = true;
}
else
{
// Issuer-only entropy
Console.WriteLine("Issuer-only entropy");
sessionKey = issuerEntropy;
rstr.RequestedProofToken = new BinarySecretSecurityToken(sessionKey);
}
rstr.KeySize = keySize;
return(sessionKey);
}
