public static void AddSupportingToken(Message message, RequestSecurityTokenResponse rstr) { GenericXmlSecurityToken token = rstr.GetIssuedToken(null, null, SecurityKeyEntropyMode.ServerEntropy, null, null, null); SecurityMessageProperty property = new SecurityMessageProperty(); SupportingTokenSpecification item = new SupportingTokenSpecification(token, new List <IAuthorizationPolicy>().AsReadOnly(), SecurityTokenAttachmentMode.Endorsing, SecurityContextSecurityTokenParameters); property.OutgoingSupportingTokens.Add(item); message.Properties.Security = property; if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "Attached supporting token {0} to register message", rstr.Context); } }
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode) { foreach (SecurityTokenParameters p in plist) { SecurityTokenResolver r; SecurityTokenAuthenticator a = security.CreateTokenAuthenticator(p, out r); SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens); if (spec == null) { if (optional) { continue; } else { throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode)); } } else { // For endorsing tokens, verify corresponding signatures. switch (attachMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken); if (esxml == null) { throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode)); } bool confirmed; SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) { SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false); confirmed = esxml.CheckSignature(alg); } if (!confirmed) { throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode)); } break; } sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue)); break; } } sec_prop.IncomingSupportingTokens.Add(spec); } }
protected override BodyWriter GetFirstOutgoingMessageBody(FederatedTokenProviderState negotiationState, out MessageProperties messageProperties) { messageProperties = null; RequestSecurityToken rst = new RequestSecurityToken(this.StandardsManager); if (this.addTargetServiceAppliesTo) { if (this.MessageVersion.Addressing == AddressingVersion.WSAddressing10) { rst.SetAppliesTo <EndpointAddress10>( EndpointAddress10.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), DataContractSerializerDefaults.MaxItemsInObjectGraph)); } else if (this.MessageVersion.Addressing == AddressingVersion.WSAddressingAugust2004) { rst.SetAppliesTo <EndpointAddressAugust2004>( EndpointAddressAugust2004.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), DataContractSerializerDefaults.MaxItemsInObjectGraph)); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, this.MessageVersion.Addressing))); } } rst.Context = negotiationState.Context; if (!this.isKeySizePresentInRstProperties) { rst.KeySize = this.keySize; } Collection <XmlElement> newRequestProperties = new Collection <XmlElement>(); if (this.requestProperties != null) { for (int i = 0; i < this.requestProperties.Count; ++i) { newRequestProperties.Add(this.requestProperties[i]); } } if (!isKeyTypePresentInRstProperties) { XmlElement keyTypeElement = this.StandardsManager.TrustDriver.CreateKeyTypeElement(this.keyType); newRequestProperties.Insert(0, keyTypeElement); } if (this.keyType == SecurityKeyType.SymmetricKey) { byte[] requestorEntropy = negotiationState.GetRequestorEntropy(); rst.SetRequestorEntropy(requestorEntropy); } else if (this.keyType == SecurityKeyType.AsymmetricKey) { RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(negotiationState.Rsa); SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(rsaClause); newRequestProperties.Add(this.StandardsManager.TrustDriver.CreateUseKeyElement(keyIdentifier, this.StandardsManager)); RsaSecurityTokenParameters rsaParameters = new RsaSecurityTokenParameters(); rsaParameters.InclusionMode = SecurityTokenInclusionMode.Never; rsaParameters.RequireDerivedKeys = false; SupportingTokenSpecification rsaSpec = new SupportingTokenSpecification(negotiationState.RsaSecurityToken, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, rsaParameters); messageProperties = new MessageProperties(); SecurityMessageProperty security = new SecurityMessageProperty(); security.OutgoingSupportingTokens.Add(rsaSpec); messageProperties.Security = security; } if (this.keyType == SecurityKeyType.SymmetricKey && this.KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy) { newRequestProperties.Add(this.StandardsManager.TrustDriver.CreateComputedKeyAlgorithmElement(this.StandardsManager.TrustDriver.ComputedKeyAlgorithm)); } rst.RequestProperties = newRequestProperties; rst.MakeReadOnly(); return(rst); }
protected override BodyWriter GetFirstOutgoingMessageBody(IssuedSecurityTokenProvider.FederatedTokenProviderState negotiationState, out MessageProperties messageProperties) { messageProperties = null; RequestSecurityToken token = new RequestSecurityToken(base.StandardsManager); if (this.addTargetServiceAppliesTo) { if (this.MessageVersion.Addressing != AddressingVersion.WSAddressing10) { if (this.MessageVersion.Addressing != AddressingVersion.WSAddressingAugust2004) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { this.MessageVersion.Addressing }))); } token.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), 0x10000)); } else { token.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.TargetAddress), DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), 0x10000)); } } token.Context = negotiationState.Context; if (!this.isKeySizePresentInRstProperties) { token.KeySize = this.keySize; } Collection <XmlElement> collection = new Collection <XmlElement>(); if (this.requestProperties != null) { for (int i = 0; i < this.requestProperties.Count; i++) { collection.Add(this.requestProperties[i]); } } if (!this.isKeyTypePresentInRstProperties) { XmlElement item = base.StandardsManager.TrustDriver.CreateKeyTypeElement(this.keyType); collection.Insert(0, item); } if (this.keyType == SecurityKeyType.SymmetricKey) { byte[] requestorEntropy = negotiationState.GetRequestorEntropy(); token.SetRequestorEntropy(requestorEntropy); } else if (this.keyType == SecurityKeyType.AsymmetricKey) { RsaKeyIdentifierClause clause = new RsaKeyIdentifierClause(negotiationState.Rsa); SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause }); collection.Add(base.StandardsManager.TrustDriver.CreateUseKeyElement(keyIdentifier, base.StandardsManager)); RsaSecurityTokenParameters tokenParameters = new RsaSecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never, RequireDerivedKeys = false }; SupportingTokenSpecification specification = new SupportingTokenSpecification(negotiationState.RsaSecurityToken, System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance, SecurityTokenAttachmentMode.Endorsing, tokenParameters); messageProperties = new MessageProperties(); SecurityMessageProperty property = new SecurityMessageProperty { OutgoingSupportingTokens = { specification } }; messageProperties.Security = property; } if ((this.keyType == SecurityKeyType.SymmetricKey) && (this.KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy)) { collection.Add(base.StandardsManager.TrustDriver.CreateComputedKeyAlgorithmElement(base.StandardsManager.TrustDriver.ComputedKeyAlgorithm)); } token.RequestProperties = collection; token.MakeReadOnly(); return(token); }