public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// get server password from database
string password = parentAssertion.Password;
if (password == null)
return;
// hash password
password = SHA1(password);
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.ServerId.ToString(), password,
PasswordOption.SendNone);
if (parentAssertion.signRequest || parentAssertion.encryptRequest)
{
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
}
if (parentAssertion.signRequest)
{
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
}
if (parentAssertion.encryptRequest)
{
// we don't return any custom SOAP headers
// so, just encrypt a message Body
EncryptedData data = new EncryptedData(userToken);
// encrypt custom headers
for (int index = 0; index < envelope.Header.ChildNodes.Count; index++)
{
XmlElement child = envelope.Header.ChildNodes[index] as XmlElement;
// find all SecureSoapHeader headers marked with a special attribute
if (child != null && child.NamespaceURI == "http://smbsaas/websitepanel/server/")
{
// create ID attribute for referencing purposes
string id = Guid.NewGuid().ToString();
child.SetAttribute("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", id);
// Create an encryption reference for the custom SOAP header.
data.AddReference(new EncryptionReference("#" + id));
}
}
security.Elements.Add(data);
}
}
public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.Username, parentAssertion.Password,
PasswordOption.SendNone);
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
// Encrypt SOAP message
EncryptedData data = new EncryptedData(userToken);
security.Elements.Add(data);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken();
sig = new MessageSignature(signatureToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
X509Certificate2 solutionCertificate = parentAssertion.SolutionCertificate;
solutionCertificateToken = new X509SecurityToken(solutionCertificate);
sig = new MessageSignature(solutionCertificateToken);
}
/// <summary>
/// Creates a custom SOAP request filter
/// </summary>
/// <param name="parentAssertion">Custom security assertion</param>
public CustomSecurityClientOutputFilterHok(CustomSecurityAssertionHok parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
issuedToken = new IssuedToken(parentAssertion.BinaryToken, parentAssertion.TokenType);
samlAssertionId = parentAssertion.BinaryToken.Attributes.GetNamedItem("ID").Value;
messageSignature = new MessageSignature(parentAssertion.SecurityToken);
}
public bool VerifyMessageSignature(int messageHash, MessageSignature messageSignature, PublicKey publicKey)
{
/*
* h = 3 # the hash value as the message digest
* w = 6 # computed: s*w mod q = 1: 2*w mod 11 = 1
* u1 = 7 # computed: u1 = h*w mod q = 3*6 mod 11 = 7
* u2 = 6 # computed: u2 = r*w mod q = 1*6 mod 11 = 6
* v = 1 # computed: v = (((g**u1)*(y**u2)) mod p) mod q
# = (((4**7)*(8**6)) mod 23) mod 11 = 2
# = 16384*262144 mod 23 mod 11 = 1
# v == r # verification passed
*/
var inverseW = NaiveModuloInverse(messageSignature.SignatureS, publicKey.PrimeQ);
var factorU1 = messageHash * inverseW % publicKey.PrimeQ;
var factorU2 = messageSignature.RandomR * inverseW % publicKey.PrimeQ;
var verificationV =
((long)Math.Pow(publicKey.BaseG, factorU1) % publicKey.PrimeP) *
((long)Math.Pow(publicKey.PublicKeyY, factorU2) % publicKey.PrimeP)
% publicKey.PrimeP
% publicKey.PrimeQ;
return(verificationV == messageSignature.RandomR);
}
/// <summary>
/// Creates a custom SOAP request filter
/// </summary>
/// <param name="parentAssertion">Custom security assertion</param>
public CustomSecurityClientOutputFilterHok(CustomSecurityAssertionHok parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
issuedToken = new IssuedToken(parentAssertion.BinaryToken, parentAssertion.TokenType);
samlAssertionId = parentAssertion.BinaryToken.Attributes.GetNamedItem("ID").Value;
messageSignature = new MessageSignature(parentAssertion.SecurityToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken();
sig = new MessageSignature(signatureToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
X509Certificate2 solutionCertificate = parentAssertion.SolutionCertificate;
solutionCertificateToken = new X509SecurityToken(solutionCertificate);
sig = new MessageSignature(solutionCertificateToken);
}
public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// get server password from database
string password = parentAssertion.Password;
if (password == null)
{
return;
}
// hash password
password = CryptoUtils.SHA1(password);
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.ServerId.ToString(), password,
PasswordOption.SendNone);
if (parentAssertion.signRequest || parentAssertion.encryptRequest)
{
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
}
if (parentAssertion.signRequest)
{
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
}
if (parentAssertion.encryptRequest)
{
// we don't return any custom SOAP headers
// so, just encrypt a message Body
EncryptedData data = new EncryptedData(userToken);
// encrypt custom headers
for (int index = 0; index < envelope.Header.ChildNodes.Count; index++)
{
XmlElement child = envelope.Header.ChildNodes[index] as XmlElement;
// find all SecureSoapHeader headers marked with a special attribute
if (child != null && child.NamespaceURI == "http://com/SolidCP/server/")
{
// create ID attribute for referencing purposes
string id = Guid.NewGuid().ToString();
child.SetAttribute("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", id);
// Create an encryption reference for the custom SOAP header.
data.AddReference(new EncryptionReference("#" + id));
}
}
security.Elements.Add(data);
}
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
String username = parentAssertion.username;
String password = parentAssertion.password;
userToken = new UsernameToken(username.Trim(), password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken("CN=TestSSSCert");
sig = new MessageSignature(signatureToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
String username = parentAssertion.username;
String password = parentAssertion.password;
userToken = new UsernameToken(username.Trim(), password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken("CN=TestSSSCert");
sig = new MessageSignature(signatureToken);
}
//get certificate and attach it
public static void prepareSoapContext(SoapContext soapContext)
{
X509Certificate2 ucert = GetCertificate();
X509SecurityToken cerToken = new X509SecurityToken(ucert);
MessageSignature cerSig = new MessageSignature(cerToken);
soapContext.Security.Elements.Add(cerSig);
// requestContext.Security.Tokens.Add(cerToken);
}
protected void SetUsernameToken(UsernameToken userToken)
{
if (webService.RequestSoapContext.Security.Tokens.Contains(userToken))
{
return;
}
webService.RequestSoapContext.Security.Tokens.Add(userToken);
var sig = new MessageSignature(userToken);
webService.RequestSoapContext.Security.Elements.Add(sig);
webService.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;
}
static bool CheckSignature(SoapContext context, MessageSignature signature)
{
//
// Now verify which parts of the message were actually signed.
//
SignatureOptions actualOptions = signature.SignatureOptions;
SignatureOptions expectedOptions = SignatureOptions.IncludeSoapBody;
if (context.Security != null && context.Security.Timestamp != null &&
context.Security.Timestamp.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeTimestamp;
}
//
// The <Action> and <To> are required addressing elements.
//
expectedOptions |= SignatureOptions.IncludeAction;
expectedOptions |= SignatureOptions.IncludeTo;
if (context.Addressing.FaultTo != null && context.Addressing.FaultTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeFaultTo;
}
if (context.Addressing.From != null && context.Addressing.From.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeFrom;
}
if (context.Addressing.MessageID != null && context.Addressing.MessageID.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeMessageId;
}
if (context.Addressing.RelatesTo != null && context.Addressing.RelatesTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeRelatesTo;
}
if (context.Addressing.ReplyTo != null && context.Addressing.ReplyTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeReplyTo;
}
//
// Check if the all the expected options are the present.
//
return((expectedOptions & actualOptions) == expectedOptions);
}
public Signature(Exception exception)
{
ErrorType = exception.GetType().FullName;
ClassName = exception.TargetSite == null ? null : exception.TargetSite.DeclaringType?.FullName;
MethodName = exception.TargetSite == null ? null : exception.TargetSite.Name;
AssemblyName = exception.TargetSite == null ? null : exception.TargetSite.DeclaringType?.Assembly.GetName().Name;
StackTrace = exception.StackTrace;
Message = exception.Message;
// signatures
StackTraceSignature = exception.GetCleanStackTrace(1).GetSignature();
MessageSignature = exception.GetCleanMessage().GetSignature();
MethodSignature = (ClassName + "." + MethodName).GetSignature();
ExceptionSignature = $"{MethodSignature.Substring(0, 7)}_{MessageSignature.Substring(0, 7)}_{StackTraceSignature}";
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
if (parentAssertion.BinaryToken == null)
{
userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken();
parentAssertion.SecurityToken = signatureToken;
}
else
{
issuedToken = new IssuedToken(parentAssertion.BinaryToken);
signatureToken = parentAssertion.SecurityToken;
samlAssertionId = parentAssertion.BinaryToken.Attributes.GetNamedItem("ID").Value;
}
sig = new MessageSignature(signatureToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
if (parentAssertion.BinaryToken == null)
{
userToken = new UsernameToken(parentAssertion.Username.Trim(), parentAssertion.Password.Trim(), PasswordOption.SendPlainText);
signatureToken = GetSecurityToken();
parentAssertion.SecurityToken = signatureToken;
}
else
{
issuedToken = new IssuedToken(parentAssertion.BinaryToken);
signatureToken = parentAssertion.SecurityToken;
samlAssertionId = parentAssertion.BinaryToken.Attributes.GetNamedItem("ID").Value;
}
sig = new MessageSignature(signatureToken);
}
public SecurityToken GetSigningToken()
{
SoapContext context = RequestSoapContext.Current;
foreach (ISecurityElement element in context.Security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sig = element as MessageSignature;
return(sig.SigningToken);
//if (CheckSignature(context, sig)) {
// return sig.SigningToken;
//}
}
}
return(null);
}
public static SecurityToken GetSigningToken(SoapContext context)
{
foreach (ISecurityElement element in context.Security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sig = element as MessageSignature;
if (CheckSignature(context, sig))
{
// The SOAP Body is signed.
return(sig.SigningToken);
}
}
}
return(null);
}
public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.Username, parentAssertion.Password,
PasswordOption.SendNone);
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
// Encrypt SOAP message
EncryptedData data = new EncryptedData(userToken);
security.Elements.Add(data);
}
public override void ValidateMessageSecurity(SoapEnvelope envelope, WebSecurity security)
{
if (!ServerConfiguration.Security.SecurityEnabled)
{
return;
}
// by default we consider that SOAP messages is not signed
bool IsSigned = false;
// if security element is null
// the call is made not from WSE-enabled client
if (security != null)
{
foreach (ISecurityElement element in security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sign = element as MessageSignature;
if (CheckSignature(envelope, security, sign))
{
// The SOAP message is signed.
if (sign.SigningToken is UsernameToken)
{
UsernameToken token = sign.SigningToken as UsernameToken;
// The SOAP message is signed
// with a UsernameToken.
IsSigned = true;
}
}
}
}
}
// throw an exception if the message did not pass all the tests
if (!IsSigned)
{
throw new SecurityFault("Message did not meet security requirements.");
}
}
void verifyAll(Asn1Reader tbsResponseData, Byte[] signature, Oid signatureAlgorithm)
{
verifyHeaders();
decodeTbsResponse(tbsResponseData);
if (NonceReceived)
{
if (Request.NonceValue != NonceValue)
{
ResponseErrorInformation += (Int32)OCSPResponseComplianceError.NonceMismatch;
}
}
if (SignerCertificates.Count > 0)
{
SignatureIsValid = MessageSignature.VerifySignature(
SignerCertificates[0],
tbsResponseData.RawData,
signature,
signatureAlgorithm
);
}
else
{
findCertInStore();
if (SignerCertificates.Count > 0)
{
SignatureIsValid = MessageSignature.VerifySignature(
SignerCertificates[0],
tbsResponseData.RawData,
signature,
signatureAlgorithm
);
}
else
{
ResponseErrorInformation += (Int32)OCSPResponseComplianceError.MissingCert;
}
}
verifyResponses();
}
public static bool VerifyAckResponse(STPProvider.PostTradeServiceWse postTradeSvc)
{
SoapContext respCtx = postTradeSvc.ResponseSoapContext;
//Iterate through all Security elements
foreach (ISecurityElement secElement in respCtx.Security.Elements)
{
//Check if message is digitally signed
if (secElement is MessageSignature)
{
MessageSignature signature = (MessageSignature)secElement;
X509SecurityToken signingToken = signature.SigningToken as X509SecurityToken;
//Authenticate the Sender using any one of the attributes of Certificate
//More secure way is to verify using STP-Provider A public key
if (signingToken != null && signingToken.Certificate.FriendlyDisplayName == "STP-Provider A")
{
return(true);
}
}
}
return(false);
}
public bool VerifySignatureOrigin()
{
SoapContext reqCtx = RequestSoapContext.Current;
//Iterate through all Security elements
foreach (ISecurityElement secElement in reqCtx.Security.Elements)
{
//Check if message is digitally signed
if (secElement is MessageSignature)
{
MessageSignature signature = (MessageSignature)secElement;
X509SecurityToken signingToken = signature.SigningToken as X509SecurityToken;
//Authenticate the Sender using any one of the attributes of Certificate
//More secure way is to verify using Vendor B public key
if (signingToken != null && signingToken.Certificate.FriendlyDisplayName == "Vendor B")
{
return(true);
}
}
}
return(false);
}
void signRequest(X509Certificate2 signerCert)
{
List <Byte> tbsRequest = buildTbsRequest(signerCert.SubjectName);
Byte[] signature = MessageSignature.SignMessage(signerCert, tbsRequest.ToArray(), signatureAlgID);
SignerCertificate = signerCert;
if (includeFullSigChain)
{
buildSignerCertChain();
}
else
{
_signerChain.Add(signerCert);
}
AlgorithmIdentifier algId = new AlgorithmIdentifier(signatureAlgID);
List <Byte> signatureInfo = new List <Byte>(algId.RawData);
signatureInfo.AddRange(new Asn1BitString(signature, false).RawData);
signatureInfo.AddRange(Asn1Utils.Encode(_signerChain.Encode(), 0xa0));
tbsRequest.AddRange(Asn1Utils.Encode(Asn1Utils.Encode(signatureInfo.ToArray(), 48), 0xa0));
RawData = Asn1Utils.Encode(tbsRequest.ToArray(), 48);
IsReadOnly = true;
}
private void ProcessWSERequest(SoapEnvelope envelope, WSE.Security security)
{
// by default we consider that SOAP messages is not signed
bool IsSigned = false;
// if security element is null
// the call is made not from WSE-enabled client
if (security != null)
{
foreach (ISecurityElement element in security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sign = element as MessageSignature;
if (CheckSignature(envelope, security, sign))
{
// The SOAP message is signed.
if (sign.SigningToken is UsernameToken)
{
UsernameToken token = sign.SigningToken as UsernameToken;
// The SOAP message is signed
// with a UsernameToken.
IsSigned = true;
}
}
}
}
}
// throw an exception if the message did not pass all the tests
if (!IsSigned)
{
throw new SecurityFault("SOAP response should be signed.");
}
// check encryption
bool IsEncrypted = false;
foreach (ISecurityElement element in security.Elements)
{
if (element is EncryptedData)
{
EncryptedData encryptedData = element as EncryptedData;
System.Xml.XmlElement targetElement = encryptedData.TargetElement;
if (SoapHelper.IsBodyElement(targetElement))
{
// The given SOAP message has the Body element Encrypted.
IsEncrypted = true;
}
}
}
if (!IsEncrypted)
{
throw new SecurityFault("SOAP response should be encrypted.");
}
}
private bool CheckSignature(SoapEnvelope envelope, Security security, MessageSignature signature)
{
//
// Now verify which parts of the message were actually signed.
//
SignatureOptions actualOptions = signature.SignatureOptions;
SignatureOptions expectedOptions = SignatureOptions.IncludeSoapBody;
if (security != null && security.Timestamp != null)
expectedOptions |= SignatureOptions.IncludeTimestamp;
//
// The <Action> and <To> are required addressing elements.
//
expectedOptions |= SignatureOptions.IncludeAction;
expectedOptions |= SignatureOptions.IncludeTo;
if (envelope.Context.Addressing.FaultTo != null && envelope.Context.Addressing.FaultTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeFaultTo;
if (envelope.Context.Addressing.From != null && envelope.Context.Addressing.From.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeFrom;
if (envelope.Context.Addressing.MessageID != null && envelope.Context.Addressing.MessageID.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeMessageId;
if (envelope.Context.Addressing.RelatesTo != null && envelope.Context.Addressing.RelatesTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeRelatesTo;
if (envelope.Context.Addressing.ReplyTo != null && envelope.Context.Addressing.ReplyTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeReplyTo;
//
// Check if the all the expected options are the present.
//
return ((expectedOptions & actualOptions) == expectedOptions);
}
public override void SecureMessage(SoapEnvelope envelope, Security security)
{
UsernameToken userToken = new UsernameToken(
parentAssertion.username,
parentAssertion.password,
PasswordOption.SendNone); // we don't send password over network
// but we just use username/password to sign/encrypt message
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
// encrypt BODY
EncryptedData data = new EncryptedData(userToken);
// encrypt custom headers
for (int index = 0; index < envelope.Header.ChildNodes.Count; index++)
{
XmlElement child = envelope.Header.ChildNodes[index] as XmlElement;
// find all SecureSoapHeader headers marked with a special attribute
if (child != null && child.NamespaceURI == "http://company.com/samples/wse/")
{
// create ID attribute for referencing purposes
string id = Guid.NewGuid().ToString();
child.SetAttribute("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", id);
// Create an encryption reference for the custom SOAP header.
data.AddReference(new EncryptionReference("#" + id));
}
}
// add ancrypted data to the security context
security.Elements.Add(data);
}
public void Decode(NetIncomingMessage im)
{
this.Message = im.ReadString();
this.Signature = (MessageSignature)im.ReadByte();
}
void m_verifysignature()
{
SignatureIsValid = MessageSignature.VerifySignature(PublicKey, signedData);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
signatureToken = GetSecurityToken();
sig = new MessageSignature(signatureToken);
}
public CustomSecurityClientOutputFilter(CustomSecurityAssertion parentAssertion)
: base(parentAssertion.ServiceActor, true)
{
signatureToken = GetSecurityToken();
sig = new MessageSignature(signatureToken);
}