public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
     : base(messageToProcess)
 {
     this.securityHeader = securityHeader;
     if (securityHeader.RequireMessageProtection)
     {
         XmlDictionaryReader messageReader;
         BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage;
         if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders)
         {
             messageReader = bufferedMessage.GetMessageReader();
         }
         else
         {
             this.messageBuffer = new XmlBuffer(int.MaxValue);
             XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas);
             this.InnerMessage.WriteMessage(writer);
             this.messageBuffer.CloseSection();
             this.messageBuffer.Close();
             messageReader = this.messageBuffer.GetReader(0);
         }
         MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
         this.cachedReaderAtSecurityHeader = messageReader;
         this.state = BodyState.Buffered;
     }
     else
     {
         this.envelopeAttributes = XmlAttributeHolder.emptyArray;
         this.headerAttributes = XmlAttributeHolder.emptyArray;
         this.bodyAttributes = XmlAttributeHolder.emptyArray;
         this.canDelegateCreateBufferedCopyToInnerMessage = true;
     }
 }
Esempio n. 2
0
 public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
     : base(messageToProcess)
 {
     this.securityHeader = securityHeader;
     if (securityHeader.RequireMessageProtection)
     {
         XmlDictionaryReader messageReader;
         BufferedMessage     bufferedMessage = this.InnerMessage as BufferedMessage;
         if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders)
         {
             messageReader = bufferedMessage.GetMessageReader();
         }
         else
         {
             this.messageBuffer = new XmlBuffer(int.MaxValue);
             XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas);
             this.InnerMessage.WriteMessage(writer);
             this.messageBuffer.CloseSection();
             this.messageBuffer.Close();
             messageReader = this.messageBuffer.GetReader(0);
         }
         MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
         this.cachedReaderAtSecurityHeader = messageReader;
         this.state = BodyState.Buffered;
     }
     else
     {
         this.envelopeAttributes = XmlAttributeHolder.emptyArray;
         this.headerAttributes   = XmlAttributeHolder.emptyArray;
         this.bodyAttributes     = XmlAttributeHolder.emptyArray;
         this.canDelegateCreateBufferedCopyToInnerMessage = true;
     }
 }
Esempio n. 3
0
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            IList <SupportingTokenAuthenticatorSpecification> list;
            SessionSymmetricMessageSecurityProtocolFactory    factory = this.Factory;
            ReceiveSecurityHeader securityHeader        = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list);
            List <SecurityToken>  incomingSessionTokens = this.GetIncomingSessionTokens();

            securityHeader.ConfigureSymmetricBindingClientReceiveHeader(incomingSessionTokens, this.Factory.SecurityTokenParameters);
            securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value;
            base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
            SecurityToken signatureToken = securityHeader.SignatureToken;
            bool          flag           = false;

            for (int i = 0; i < incomingSessionTokens.Count; i++)
            {
                if (object.ReferenceEquals(signatureToken, incomingSessionTokens[i]))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
            }
            if (factory.RequireIntegrity)
            {
                ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signatureToken);
                base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies);
            }
            return(null);
        }
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            SessionSymmetricMessageSecurityProtocolFactory    factory = this.Factory;
            IList <SupportingTokenAuthenticatorSpecification> dummyAuthenticators;
            ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out dummyAuthenticators);

            List <SecurityToken> sessionTokens = GetIncomingSessionTokens();

            securityHeader.ConfigureSymmetricBindingClientReceiveHeader(sessionTokens, this.Factory.SecurityTokenParameters);
            // do not enforce the key derivation requirement for CancelResponse due to WSE interop
            securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value);
            ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
            SecurityToken signingToken = securityHeader.SignatureToken;
            // verify that the signing token was one of the session tokens
            bool isSessionToken = false;

            for (int i = 0; i < sessionTokens.Count; ++i)
            {
                if (Object.ReferenceEquals(signingToken, sessionTokens[i]))
                {
                    isSessionToken = true;
                    break;
                }
            }
            if (!isSessionToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
            }
            if (factory.RequireIntegrity)
            {
                ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signingToken);
                DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies);
            }
            return(null);
        }
        protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message,
                                             SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

            securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays;
            securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew);

            securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy);
            if (this.factory.AddTimestamp && securityHeader.Timestamp == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
            }

            if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message);
            }

            if (this.DoAutomaticEncryptionMatch)
            {
                SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message);
            }

            if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator)
            {
                CheckSignatureConfirmation(securityHeader, correlationStates);
            }

            message = securityHeader.ProcessedMessage;
        }
        protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators)
        {
            System.ServiceModel.Security.MessageSecurityProtocolFactory messageSecurityProtocolFactory = this.MessageSecurityProtocolFactory;
            MessageDirection      transferDirection = messageSecurityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input;
            ReceiveSecurityHeader securityHeader    = this.CreateSecurityHeader(message, actor, transferDirection, standardsManager);
            string action = message.Headers.Action;

            supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader);
            if (messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens)
            {
                securityHeader.RequiredSignatureParts = messageSecurityProtocolFactory.GetIncomingSignatureParts(action);
            }
            if (messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens)
            {
                securityHeader.RequiredEncryptionParts = messageSecurityProtocolFactory.GetIncomingEncryptionParts(action);
            }
            securityHeader.ExpectEncryption = messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens;
            securityHeader.ExpectSignature  = messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens;
            securityHeader.SetRequiredProtectionOrder(messageSecurityProtocolFactory.MessageProtectionOrder);
            if ((messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation) && this.HasCorrelationState(correlationStates))
            {
                securityHeader.MaintainSignatureConfirmationState = true;
                securityHeader.ExpectSignatureConfirmation        = true;
                return(securityHeader);
            }
            if (!messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation)
            {
                securityHeader.MaintainSignatureConfirmationState = true;
                return(securityHeader);
            }
            securityHeader.MaintainSignatureConfirmationState = false;
            return(securityHeader);
        }
Esempio n. 7
0
 public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader)
 {
     this.securityHeader = securityHeader;
     this.elements       = new ReceiveSecurityHeaderEntry[8];
     if (securityHeader.RequireMessageProtection)
     {
         this.headerIds = new string[securityHeader.ProcessedMessage.Headers.Count];
     }
 }
Esempio n. 8
0
 public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
 {
     securityHeader.ExecuteReadingPass(reader);
     securityHeader.ExecuteDerivedKeyTokenStubPass(false);
     securityHeader.ExecuteSubheaderDecryptionPass();
     securityHeader.ExecuteDerivedKeyTokenStubPass(true);
     this.MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
     securityHeader.ExecuteSignatureEncryptionProcessingPass();
 }
Esempio n. 9
0
 public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader)
 {
     _securityHeader = securityHeader;
     _elements       = new ReceiveSecurityHeaderEntry[InitialCapacity];
     if (securityHeader.RequireMessageProtection)
     {
         _headerIds = new string[securityHeader.ProcessedMessage.Headers.Count];
     }
 }
 public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
 {
     securityHeader.ExecuteReadingPass(reader);
     securityHeader.ExecuteDerivedKeyTokenStubPass(false);
     securityHeader.ExecuteSubheaderDecryptionPass();
     securityHeader.ExecuteDerivedKeyTokenStubPass(true);
     this.MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
     securityHeader.ExecuteSignatureEncryptionProcessingPass();
 }
Esempio n. 11
0
        protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
        {
            string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
            ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor,
                                                                                                             this.Factory.IncomingAlgorithmSuite, MessageDirection.Input);

            securityHeader.RequireMessageProtection = false;
            securityHeader.ReaderQuotas             = this.Factory.SecurityBindingElement.ReaderQuotas;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader);
            ReadOnlyCollection <SecurityTokenResolver>        mergedTokenResolvers     = MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList);

            if (supportingAuthenticators != null && supportingAuthenticators.Count > 0)
            {
                supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
                supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]);
            }
            else
            {
                supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList;
            }
            securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
            securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers);
            securityHeader.ExpectEndorsingTokens = true;
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

            securityHeader.ReplayDetectionEnabled = this.Factory.DetectReplays;
            securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew);
            // do not enforce key derivation requirement for Cancel messages due to WSE interop
            securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
            securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy);
            if (securityHeader.Timestamp == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
            }
            bool didSessionSctEndorse = false;

            if (securityHeader.EndorsingSupportingTokens != null)
            {
                for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i)
                {
                    SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken);
                    if (signingSct != null && signingSct.ContextId == this.sessionId)
                    {
                        didSessionSctEndorse = true;
                        break;
                    }
                }
            }
            if (!didSessionSctEndorse)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
            }
            message = securityHeader.ProcessedMessage;
            AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens,
                                            securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
            base.OnIncomingMessageVerified(message);
        }
        protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
        {
            string actor = string.Empty;
            ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input);

            securityHeader.RequireMessageProtection = false;
            securityHeader.ReaderQuotas             = this.Factory.SecurityBindingElement.ReaderQuotas;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader);
            ReadOnlyCollection <SecurityTokenResolver>        outOfBandResolvers       = base.MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList);

            if ((supportingAuthenticators != null) && (supportingAuthenticators.Count > 0))
            {
                supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
                supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]);
            }
            else
            {
                supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList;
            }
            securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
            securityHeader.ConfigureOutOfBandTokenResolver(outOfBandResolvers);
            securityHeader.ExpectEndorsingTokens = true;
            TimeoutHelper helper = new TimeoutHelper(timeout);

            securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew);
            securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value;
            securityHeader.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy);
            if (securityHeader.Timestamp == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("RequiredTimestampMissingInSecurityHeader")));
            }
            bool flag = false;

            if (securityHeader.EndorsingSupportingTokens != null)
            {
                for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; i++)
                {
                    SecurityContextSecurityToken token = securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken;
                    if ((token != null) && (token.ContextId == this.sessionId))
                    {
                        flag = true;
                        break;
                    }
                }
            }
            if (!flag)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
            }
            message = securityHeader.ProcessedMessage;
            base.AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
            base.OnIncomingMessageVerified(message);
        }
        internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message, string actor, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
        {
            ReceiveSecurityHeader header = this.TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);

            if (header != null)
            {
                return(header);
            }
            if (string.IsNullOrEmpty(actor))
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message);
            }
            throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message);
        }
        protected ReceiveSecurityHeader CreateSecurityHeader(Message message, string actor, MessageDirection transferDirection, SecurityStandardsManager standardsManager)
        {
            standardsManager = standardsManager ?? this.factory.StandardsManager;
            ReceiveSecurityHeader header = standardsManager.CreateReceiveSecurityHeader(message, actor, this.factory.IncomingAlgorithmSuite, transferDirection);

            header.Layout = this.factory.SecurityHeaderLayout;
            header.MaxReceivedMessageSize = this.factory.SecurityBindingElement.MaxReceivedMessageSize;
            header.ReaderQuotas           = this.factory.SecurityBindingElement.ReaderQuotas;
            if (this.factory.ExpectKeyDerivation)
            {
                header.DerivedTokenAuthenticator = this.factory.DerivedKeyTokenAuthenticator;
            }
            return(header);
        }
        protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
        {
            bool flag;
            bool flag2;
            bool flag3;
            TransportSecurityProtocolFactory securityProtocolFactory = (TransportSecurityProtocolFactory)base.SecurityProtocolFactory;
            string actor = string.Empty;
            ReceiveSecurityHeader header = securityProtocolFactory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, securityProtocolFactory.IncomingAlgorithmSuite, securityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input);
            IList <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = securityProtocolFactory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag3, out flag, out flag2);

            if (header == null)
            {
                bool flag4 = (flag2 || flag3) || flag;
                if ((securityProtocolFactory.ActAsInitiator && (!securityProtocolFactory.AddTimestamp || securityProtocolFactory.SecurityBindingElement.EnableUnsecuredResponse)) || ((!securityProtocolFactory.ActAsInitiator && !securityProtocolFactory.AddTimestamp) && !flag4))
                {
                    return;
                }
                if (string.IsNullOrEmpty(actor))
                {
                    throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message);
                }
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message);
            }
            header.RequireMessageProtection = false;
            header.ExpectBasicTokens        = flag;
            header.ExpectSignedTokens       = flag3;
            header.ExpectEndorsingTokens    = flag2;
            header.MaxReceivedMessageSize   = securityProtocolFactory.SecurityBindingElement.MaxReceivedMessageSize;
            header.ReaderQuotas             = securityProtocolFactory.SecurityBindingElement.ReaderQuotas;
            TimeoutHelper helper = new TimeoutHelper(timeout);

            if (!securityProtocolFactory.ActAsInitiator)
            {
                header.ConfigureTransportBindingServerReceiveHeader(supportingTokenAuthenticators);
                header.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(supportingTokenAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
                if (securityProtocolFactory.ExpectKeyDerivation)
                {
                    header.DerivedTokenAuthenticator = securityProtocolFactory.DerivedKeyTokenAuthenticator;
                }
            }
            header.SetTimeParameters(securityProtocolFactory.NonceCache, securityProtocolFactory.ReplayWindow, securityProtocolFactory.MaxClockSkew);
            header.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), securityProtocolFactory.ExtendedProtectionPolicy);
            message = header.ProcessedMessage;
            if (!securityProtocolFactory.ActAsInitiator)
            {
                this.AttachRecipientSecurityProperty(message, header.BasicSupportingTokens, header.EndorsingSupportingTokens, header.SignedEndorsingSupportingTokens, header.SignedSupportingTokens, header.SecurityTokenAuthorizationPoliciesMapping);
            }
            base.OnIncomingMessageVerified(message);
        }
        protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators)
        {
            MessageSecurityProtocolFactory factory = this.MessageSecurityProtocolFactory;
            MessageDirection      direction        = factory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input;
            ReceiveSecurityHeader securityHeader   = CreateSecurityHeader(message, actor, direction, standardsManager);

            string action = message.Headers.Action;

            supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader);
            if (factory.RequireIntegrity || securityHeader.ExpectSignedTokens)
            {
                securityHeader.RequiredSignatureParts = factory.GetIncomingSignatureParts(action);
            }
            if (factory.RequireConfidentiality || securityHeader.ExpectBasicTokens)
            {
                securityHeader.RequiredEncryptionParts = factory.GetIncomingEncryptionParts(action);
            }

            securityHeader.ExpectEncryption = factory.RequireConfidentiality || securityHeader.ExpectBasicTokens;
            securityHeader.ExpectSignature  = factory.RequireIntegrity || securityHeader.ExpectSignedTokens;
            securityHeader.SetRequiredProtectionOrder(factory.MessageProtectionOrder);

            // On the receiving side if protectTokens is enabled
            // 1. If we are service, we make sure that the client always signs the primary token( can be any token type)else we throw.
            //    But currently the service can sign the primary token in reply only if the primary token is an issued token
            // 2. If we are client, we do not care if the service signs the primary token or not. Otherwise it will be impossible to have a wcf client /service talk to each other unless we
            // either use a symmetric binding with issued tokens or asymmetric bindings with both the intiator and recipient parameters being issued tokens( later one is rare).
            securityHeader.RequireSignedPrimaryToken = !factory.ActAsInitiator && factory.SecurityBindingElement.ProtectTokens;

            if (factory.ActAsInitiator && factory.DoRequestSignatureConfirmation && HasCorrelationState(correlationStates))
            {
                securityHeader.MaintainSignatureConfirmationState = true;
                securityHeader.ExpectSignatureConfirmation        = true;
            }
            else if (!factory.ActAsInitiator && factory.DoRequestSignatureConfirmation)
            {
                securityHeader.MaintainSignatureConfirmationState = true;
            }
            else
            {
                securityHeader.MaintainSignatureConfirmationState = false;
            }
            return(securityHeader);
        }
        public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
        {
            // pass 1
            securityHeader.ExecuteReadingPass(reader);

            // pass 1.5
            securityHeader.ExecuteDerivedKeyTokenStubPass(false);

            // pass 2
            securityHeader.ExecuteSubheaderDecryptionPass();

            // pass 2.5
            securityHeader.ExecuteDerivedKeyTokenStubPass(true);

            // layout-specific inferences
            MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);

            // pass 3
            securityHeader.ExecuteSignatureEncryptionProcessingPass();
        }
Esempio n. 18
0
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            IList <SupportingTokenAuthenticatorSpecification> list;
            SessionSymmetricMessageSecurityProtocolFactory    factory = this.Factory;
            ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list);

            securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, list);
            securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.sessionResolverList));
            securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value;
            base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
            SecurityToken signatureToken        = securityHeader.SignatureToken;
            SecurityContextSecurityToken token2 = signatureToken as SecurityContextSecurityToken;

            if ((token2 == null) || (token2.ContextId != this.sessionId))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage")));
            }
            base.AttachRecipientSecurityProperty(message, signatureToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
            return(base.GetCorrelationState(null, securityHeader));
        }
        public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
        {
            // pass 1
            securityHeader.ExecuteReadingPass(reader);

            // pass 1.5
            securityHeader.ExecuteDerivedKeyTokenStubPass(false);

            // pass 2
            securityHeader.ExecuteSubheaderDecryptionPass();

            // pass 2.5
            securityHeader.ExecuteDerivedKeyTokenStubPass(true);

            // layout-specific inferences
            MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);

            // pass 3
            securityHeader.ExecuteSignatureEncryptionProcessingPass();
        }
        internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message,
                                                                   string actor,
                                                                   SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
        {
            ReceiveSecurityHeader header = TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction);

            if (header == null)
            {
                if (String.IsNullOrEmpty(actor))
                {
                    throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
                                                                                            SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
                }
                else
                {
                    throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
                                                                                            SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
                }
            }
            return(header);
        }
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            SessionSymmetricMessageSecurityProtocolFactory    factory = this.Factory;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
            ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, (this.requireDerivedKeys) ? this.sessionStandardsManager : null, out supportingAuthenticators);

            securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators);
            securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.sessionResolverList));
            // do not enforce key derivation requirement for Cancel messages due to WSE interop
            securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
            ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates);
            SecurityToken signingToken = securityHeader.SignatureToken;
            SecurityContextSecurityToken signingSct = (signingToken as SecurityContextSecurityToken);

            if (signingSct == null || signingSct.ContextId != sessionId)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage)));
            }
            AttachRecipientSecurityProperty(message, signingToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
                                            securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
            return(GetCorrelationState(null, securityHeader));
        }
 public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
 {
     securityHeader.ExecuteFullPass(reader);
 }
 protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
 {
     SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations();
     SignatureConfirmations sentSignatures = null;
     if (correlationStates != null)
     {
         for (int i = 0; i < correlationStates.Length; ++i)
         {
             if (correlationStates[i].SignatureConfirmations != null)
             {
                 sentSignatures = correlationStates[i].SignatureConfirmations;
                 break;
             }
         }
     }
     if (sentSignatures == null)
     {
         if (receivedConfirmations != null && receivedConfirmations.Count > 0)
         {
             throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations)));
         }
         return;
     }
     bool allSignaturesConfirmed = false;
     if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count)
     {
         bool[] matchingSigIndexes = new bool[sentSignatures.Count];
         for (int i = 0; i < sentSignatures.Count; ++i)
         {
             byte[] sentSignature;
             bool wasSentSigEncrypted;
             sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted);
             for (int j = 0; j < receivedConfirmations.Count; ++j)
             {
                 byte[] receivedSignature;
                 bool wasReceivedSigEncrypted;
                 if (matchingSigIndexes[j])
                 {
                     continue;
                 }
                 receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted);
                 if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature))
                 {
                     matchingSigIndexes[j] = true;
                     break;
                 }
             }
         }
         int k;
         for (k = 0; k < matchingSigIndexes.Length; ++k)
         {
             if (!matchingSigIndexes[k])
             {
                 break;
             }
         }
         if (k == matchingSigIndexes.Length)
         {
             allSignaturesConfirmed = true;
         }
     }
     if (!allSignaturesConfirmed)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed)));
     }
 }
 public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
 {
     securityHeader.ExecuteFullPass(reader);
 }
 protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader)
 {
     SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken);
     if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator)
     {
         result.SignatureConfirmations = securityHeader.GetSentSignatureValues();
     }
     return result;
 }
        protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message,
            SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

            securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays;
            securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew);

            securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy);
            if (this.factory.AddTimestamp && securityHeader.Timestamp == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader)));
            }

            if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message);
            }

            if (this.DoAutomaticEncryptionMatch)
            {
                SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message);
            }

            if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator)
            {
                CheckSignatureConfirmation(securityHeader, correlationStates);
            }

            message = securityHeader.ProcessedMessage;
        }
        protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader)
        {
            SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken);

            if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator)
            {
                result.SignatureConfirmations = securityHeader.GetSentSignatureValues();
            }
            return(result);
        }
 public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
 {
     this.tokens = new SecurityTokenEntry[10];
     this.securityHeader = securityHeader;
 }
        protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
        {
            SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations();
            SignatureConfirmations signatureConfirmations     = null;

            if (correlationStates != null)
            {
                for (int i = 0; i < correlationStates.Length; i++)
                {
                    if (correlationStates[i].SignatureConfirmations != null)
                    {
                        signatureConfirmations = correlationStates[i].SignatureConfirmations;
                        break;
                    }
                }
            }
            if (signatureConfirmations == null)
            {
                if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations")));
                }
            }
            else
            {
                bool flag = false;
                if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count))
                {
                    bool[] flagArray = new bool[signatureConfirmations.Count];
                    for (int j = 0; j < signatureConfirmations.Count; j++)
                    {
                        byte[] buffer;
                        bool   flag2;
                        signatureConfirmations.GetConfirmation(j, out buffer, out flag2);
                        for (int k = 0; k < sentSignatureConfirmations.Count; k++)
                        {
                            if (!flagArray[k])
                            {
                                byte[] buffer2;
                                bool   flag3;
                                sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3);
                                if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer))
                                {
                                    flagArray[k] = true;
                                    break;
                                }
                            }
                        }
                    }
                    int index = 0;
                    while (index < flagArray.Length)
                    {
                        if (!flagArray[index])
                        {
                            break;
                        }
                        index++;
                    }
                    if (index == flagArray.Length)
                    {
                        flag = true;
                    }
                }
                if (!flag)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed")));
                }
            }
        }
 public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
 protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(System.ServiceModel.Security.SecurityProtocolFactory factory, Message message, ReceiveSecurityHeader securityHeader)
 {
     bool flag;
     bool flag2;
     bool flag3;
     if (factory.ActAsInitiator)
     {
         return null;
     }
     if (message == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
     }
     IList<SupportingTokenAuthenticatorSpecification> list = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag2, out flag, out flag3);
     securityHeader.ExpectBasicTokens = flag;
     securityHeader.ExpectEndorsingTokens = flag3;
     securityHeader.ExpectSignedTokens = flag2;
     return list;
 }
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            AsymmetricSecurityProtocolFactory factory = this.Factory;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
            TimeoutHelper         timeoutHelper             = new TimeoutHelper(timeout);
            ReceiveSecurityHeader securityHeader            = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators);
            SecurityToken         requiredReplySigningToken = null;

            if (factory.ActAsInitiator)
            {
                SecurityToken encryptionToken = null;
                SecurityToken receiverToken   = null;
                if (factory.RequireIntegrity)
                {
                    receiverToken             = GetToken(this.initiatorAsymmetricTokenProvider, null, timeoutHelper.RemainingTime());
                    requiredReplySigningToken = receiverToken;
                }
                if (factory.RequireConfidentiality)
                {
                    encryptionToken = GetCorrelationToken(correlationStates);
                    if (!SecurityUtils.HasSymmetricSecurityKey(encryptionToken))
                    {
                        securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
                    }
                }
                SecurityTokenAuthenticator primaryTokenAuthenticator;
                if (factory.AllowSerializedSigningTokenOnReply)
                {
                    primaryTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator;
                    requiredReplySigningToken = null;
                }
                else
                {
                    primaryTokenAuthenticator = null;
                }

                securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(receiverToken,
                                                                             factory.AsymmetricTokenParameters, encryptionToken, factory.CryptoTokenParameters,
                                                                             primaryTokenAuthenticator);
            }
            else
            {
                SecurityToken wrappingToken;
                if (this.Factory.RecipientAsymmetricTokenProvider != null && this.Factory.RequireConfidentiality)
                {
                    wrappingToken = GetToken(factory.RecipientAsymmetricTokenProvider, null, timeoutHelper.RemainingTime());
                }
                else
                {
                    wrappingToken = null;
                }
                securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator,
                                                                             this.Factory.CryptoTokenParameters, wrappingToken, this.Factory.AsymmetricTokenParameters, supportingAuthenticators);
                securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;

                securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList));
            }

            ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates);
            SecurityToken signingToken    = securityHeader.SignatureToken;
            SecurityToken encryptingToken = securityHeader.EncryptionToken;

            if (factory.RequireIntegrity)
            {
                if (factory.ActAsInitiator)
                {
                    ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signingToken);
                    EnsureNonWrappedToken(signingToken, message);
                    DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptingToken, signingToken, signingTokenPolicies);
                }
                else
                {
                    EnsureNonWrappedToken(signingToken, message);
                    AttachRecipientSecurityProperty(message, signingToken, encryptingToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
                                                    securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
                }
            }

            return(GetCorrelationState(signingToken, securityHeader));
        }
 protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(SecurityProtocolFactory factory, Message message,
     ReceiveSecurityHeader securityHeader)
 {
     if (factory.ActAsInitiator)
     {
         return null;
     }
     if (message == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
     }
     bool expectBasicTokens;
     bool expectSignedTokens;
     bool expectEndorsingTokens;
     IList<SupportingTokenAuthenticatorSpecification> authenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
         out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens);
     securityHeader.ExpectBasicTokens = expectBasicTokens;
     securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
     securityHeader.ExpectSignedTokens = expectSignedTokens;
     return authenticators;
 }
        protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
        {
            TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)this.SecurityProtocolFactory;
            string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;

            ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
                                                                                                           factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input);
            bool expectBasicTokens;
            bool expectEndorsingTokens;
            bool expectSignedTokens;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
                                                                                                                                  out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens);

            if (securityHeader == null)
            {
                bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens;
                if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) ||
                    (!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens))
                {
                    return;
                }
                else
                {
                    if (String.IsNullOrEmpty(actor))
                    {
                        throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
                                                                                                SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
                    }
                    else
                    {
                        throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
                                                                                                SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
                    }
                }
            }

            securityHeader.RequireMessageProtection = false;
            securityHeader.ExpectBasicTokens        = expectBasicTokens;
            securityHeader.ExpectSignedTokens       = expectSignedTokens;
            securityHeader.ExpectEndorsingTokens    = expectEndorsingTokens;
            securityHeader.MaxReceivedMessageSize   = factory.SecurityBindingElement.MaxReceivedMessageSize;
            securityHeader.ReaderQuotas             = factory.SecurityBindingElement.ReaderQuotas;
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

            if (!factory.ActAsInitiator)
            {
                securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
                securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
                if (factory.ExpectKeyDerivation)
                {
                    securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator;
                }
            }
            securityHeader.ReplayDetectionEnabled = factory.DetectReplays;
            securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew);
            securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy);
            message = securityHeader.ProcessedMessage;
            if (!factory.ActAsInitiator)
            {
                AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
                                                securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
            }

            base.OnIncomingMessageVerified(message);
        }
 public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
 {
     this.tokens = new SecurityTokenEntry[InitialTokenArraySize];
     this.securityHeader = securityHeader;
 }
 public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
 {
     this.tokens         = new SecurityTokenEntry[InitialTokenArraySize];
     this.securityHeader = securityHeader;
 }
 public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
Esempio n. 38
0
 public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
 {
     this.tokens         = new SecurityTokenEntry[10];
     this.securityHeader = securityHeader;
 }
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            IList <SupportingTokenAuthenticatorSpecification> list;
            AsymmetricSecurityProtocolFactory factory = this.Factory;
            TimeoutHelper         helper               = new TimeoutHelper(timeout);
            ReceiveSecurityHeader securityHeader       = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list);
            SecurityToken         requiredSigningToken = null;

            if (factory.ActAsInitiator)
            {
                SecurityTokenAuthenticator initiatorAsymmetricTokenAuthenticator;
                SecurityToken token        = null;
                SecurityToken primaryToken = null;
                if (factory.RequireIntegrity)
                {
                    primaryToken         = SecurityProtocol.GetToken(this.initiatorAsymmetricTokenProvider, null, helper.RemainingTime());
                    requiredSigningToken = primaryToken;
                }
                if (factory.RequireConfidentiality)
                {
                    token = base.GetCorrelationToken(correlationStates);
                    if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(token))
                    {
                        securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
                    }
                }
                if (factory.AllowSerializedSigningTokenOnReply)
                {
                    initiatorAsymmetricTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator;
                    requiredSigningToken = null;
                }
                else
                {
                    initiatorAsymmetricTokenAuthenticator = null;
                }
                securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(primaryToken, factory.AsymmetricTokenParameters, token, factory.CryptoTokenParameters, initiatorAsymmetricTokenAuthenticator);
            }
            else
            {
                SecurityToken token4;
                if ((this.Factory.RecipientAsymmetricTokenProvider != null) && this.Factory.RequireConfidentiality)
                {
                    token4 = SecurityProtocol.GetToken(factory.RecipientAsymmetricTokenProvider, null, helper.RemainingTime());
                }
                else
                {
                    token4 = null;
                }
                securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, token4, this.Factory.AsymmetricTokenParameters, list);
                securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
                securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList));
            }
            base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates);
            SecurityToken signatureToken  = securityHeader.SignatureToken;
            SecurityToken encryptionToken = securityHeader.EncryptionToken;

            if (factory.RequireIntegrity)
            {
                if (factory.ActAsInitiator)
                {
                    ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signatureToken);
                    MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
                    this.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptionToken, signatureToken, recipientTokenPolicies);
                }
                else
                {
                    MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
                    this.AttachRecipientSecurityProperty(message, signatureToken, encryptionToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
                }
            }
            return(base.GetCorrelationState(signatureToken, securityHeader));
        }
Esempio n. 40
0
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            SymmetricSecurityProtocolFactory factory = this.Factory;
            IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators;
            TimeoutHelper         timeoutHelper             = new TimeoutHelper(timeout);
            ReceiveSecurityHeader securityHeader            = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators);
            SecurityToken         requiredReplySigningToken = null;

            if (this.Factory.ActAsInitiator)
            {
                // set the outofband protection token
                SecurityTokenParameters outOfBandTokenParameters;
                SecurityToken           outOfBandToken = GetCorrelationToken(correlationStates, out outOfBandTokenParameters);
                securityHeader.ConfigureSymmetricBindingClientReceiveHeader(outOfBandToken, outOfBandTokenParameters);
                requiredReplySigningToken = outOfBandToken;
            }
            else
            {
                if (factory.RecipientSymmetricTokenAuthenticator != null)
                {
                    securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators);
                }
                else
                {
                    securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(timeoutHelper.RemainingTime()), this.Factory.SecurityTokenParameters, supportingAuthenticators);
                    securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
                }
                securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList));
            }

            ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates);
            SecurityToken signingToken = securityHeader.SignatureToken;

            if (factory.RequireIntegrity)
            {
                if (factory.SecurityTokenParameters.HasAsymmetricKey)
                {
                    // enforce that the signing token is a wrapped key token
                    EnsureWrappedToken(signingToken, message);
                }
                else
                {
                    EnsureNonWrappedToken(signingToken, message);
                }

                if (factory.ActAsInitiator)
                {
                    if (!factory.SecurityTokenParameters.HasAsymmetricKey)
                    {
                        ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signingToken);
                        DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies);
                    }
                    else
                    {
                        SecurityToken wrappingToken = (signingToken as WrappedKeySecurityToken).WrappingToken;
                        ReadOnlyCollection <IAuthorizationPolicy> wrappingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken);
                        DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, wrappingTokenPolicies);
                    }
                }
                else
                {
                    AttachRecipientSecurityProperty(message, signingToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
                                                    securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
                }
            }
            return(GetCorrelationState(signingToken, securityHeader));
        }
        protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
        {
            IList <SupportingTokenAuthenticatorSpecification> list;
            SymmetricSecurityProtocolFactory factory   = this.Factory;
            TimeoutHelper         helper               = new TimeoutHelper(timeout);
            ReceiveSecurityHeader securityHeader       = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list);
            SecurityToken         requiredSigningToken = null;

            if (this.Factory.ActAsInitiator)
            {
                SecurityTokenParameters parameters;
                SecurityToken           correlationToken = this.GetCorrelationToken(correlationStates, out parameters);
                securityHeader.ConfigureSymmetricBindingClientReceiveHeader(correlationToken, parameters);
                requiredSigningToken = correlationToken;
            }
            else
            {
                if (factory.RecipientSymmetricTokenAuthenticator != null)
                {
                    securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, list);
                }
                else
                {
                    securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(helper.RemainingTime()), this.Factory.SecurityTokenParameters, list);
                    securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
                }
                securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList));
            }
            base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates);
            SecurityToken signatureToken = securityHeader.SignatureToken;

            if (factory.RequireIntegrity)
            {
                if (factory.SecurityTokenParameters.HasAsymmetricKey)
                {
                    this.EnsureWrappedToken(signatureToken, message);
                }
                else
                {
                    MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
                }
                if (factory.ActAsInitiator)
                {
                    if (!factory.SecurityTokenParameters.HasAsymmetricKey)
                    {
                        ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signatureToken);
                        base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies);
                    }
                    else
                    {
                        SecurityToken wrappingToken = (signatureToken as WrappedKeySecurityToken).WrappingToken;
                        ReadOnlyCollection <IAuthorizationPolicy> onlys2 = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken);
                        base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, onlys2);
                    }
                }
                else
                {
                    base.AttachRecipientSecurityProperty(message, signatureToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
                }
            }
            return(base.GetCorrelationState(signatureToken, securityHeader));
        }
        protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
        {
            SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations();
            SignatureConfirmations sentSignatures        = null;

            if (correlationStates != null)
            {
                for (int i = 0; i < correlationStates.Length; ++i)
                {
                    if (correlationStates[i].SignatureConfirmations != null)
                    {
                        sentSignatures = correlationStates[i].SignatureConfirmations;
                        break;
                    }
                }
            }
            if (sentSignatures == null)
            {
                if (receivedConfirmations != null && receivedConfirmations.Count > 0)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations)));
                }
                return;
            }
            bool allSignaturesConfirmed = false;

            if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count)
            {
                bool[] matchingSigIndexes = new bool[sentSignatures.Count];
                for (int i = 0; i < sentSignatures.Count; ++i)
                {
                    byte[] sentSignature;
                    bool   wasSentSigEncrypted;
                    sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted);
                    for (int j = 0; j < receivedConfirmations.Count; ++j)
                    {
                        byte[] receivedSignature;
                        bool   wasReceivedSigEncrypted;
                        if (matchingSigIndexes[j])
                        {
                            continue;
                        }
                        receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted);
                        if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature))
                        {
                            matchingSigIndexes[j] = true;
                            break;
                        }
                    }
                }
                int k;
                for (k = 0; k < matchingSigIndexes.Length; ++k)
                {
                    if (!matchingSigIndexes[k])
                    {
                        break;
                    }
                }
                if (k == matchingSigIndexes.Length)
                {
                    allSignaturesConfirmed = true;
                }
            }
            if (!allSignaturesConfirmed)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed)));
            }
        }
 protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates)
 {
     SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations();
     SignatureConfirmations signatureConfirmations = null;
     if (correlationStates != null)
     {
         for (int i = 0; i < correlationStates.Length; i++)
         {
             if (correlationStates[i].SignatureConfirmations != null)
             {
                 signatureConfirmations = correlationStates[i].SignatureConfirmations;
                 break;
             }
         }
     }
     if (signatureConfirmations == null)
     {
         if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0))
         {
             throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations")));
         }
     }
     else
     {
         bool flag = false;
         if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count))
         {
             bool[] flagArray = new bool[signatureConfirmations.Count];
             for (int j = 0; j < signatureConfirmations.Count; j++)
             {
                 byte[] buffer;
                 bool flag2;
                 signatureConfirmations.GetConfirmation(j, out buffer, out flag2);
                 for (int k = 0; k < sentSignatureConfirmations.Count; k++)
                 {
                     if (!flagArray[k])
                     {
                         byte[] buffer2;
                         bool flag3;
                         sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3);
                         if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer))
                         {
                             flagArray[k] = true;
                             break;
                         }
                     }
                 }
             }
             int index = 0;
             while (index < flagArray.Length)
             {
                 if (!flagArray[index])
                 {
                     break;
                 }
                 index++;
             }
             if (index == flagArray.Length)
             {
                 flag = true;
             }
         }
         if (!flag)
         {
             throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed")));
         }
     }
 }