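// FIXME: use timeout
// First leg of the WS-Trust TLS negotiation (TLSNego): reads the client's
// RequestSecurityToken, creates a server-side TLS session bound to the
// request's negotiation context, feeds it the ClientHello carried in
// BinaryExchange and replies with the ServerHello wrapped in an RSTR.
//
// request: the incoming RST. It comes from the client, so the context and the
//          BinaryExchange it carries are validated before they are used.
// timeout: negotiation timeout. NOTE(review): not applied here — an entry
//          added to `sessions` is only removed when the client completes the
//          handshake, so abandoned negotiations accumulate; confirm a sweep
//          exists elsewhere or add one keyed on this value.
// Returns: the buffered reply. A copy of the reply body is appended to the
//          per-session transcript (presumably tlsInfo.Messages) that the key
//          exchange step later hashes into the session key.
// Throws SecurityNegotiationException when the context is missing or already
// in use, or when no ClientHello bytes were supplied.
Message ProcessClientHello(Message request, TimeSpan timeout)
{
    // FIXME: use correct buffer size
    MessageBuffer buffer = request.CreateBufferedCopy(0x10000);
    WSTrustRequestSecurityTokenReader reader = new WSTrustRequestSecurityTokenReader(buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer);
    reader.Read();

    string context = reader.Value.Context;
    if (context == null) {
        // Without a context there is nothing to key the session on; the
        // dictionary would otherwise throw ArgumentNullException.
        throw new SecurityNegotiationException("The RequestSecurityToken does not carry a negotiation context");
    }
    if (sessions.ContainsKey(context)) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' already exists in this SSL negotiation manager", context));
    }
    // A missing BinaryExchange used to surface as a NullReferenceException
    // from the TLS layer; reject it up front with the negotiation error type
    // callers already handle.
    if (reader.Value.BinaryExchange == null || reader.Value.BinaryExchange.Value == null) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' does not carry a TLS ClientHello in BinaryExchange", context));
    }

    // FIXME: it seems .NET retrieves X509 Certificate through CreateSecurityTokenProvider(somex509requirement).GetToken().SecurityKeys[0]
    // (should result in X509AsymmetricSecurityKey) and continues tlsstart.
    // That's not very required feature so I ignore it.
    TlsServerSession tls = new TlsServerSession(owner.Manager.ServiceCredentials.ServiceCertificate.Certificate, owner.IsMutual);
    TlsServerSessionInfo tlsInfo = new TlsServerSessionInfo(context, tls);
    // The raw RST body is part of the negotiation transcript.
    AppendNegotiationMessageXml(buffer.CreateMessage().GetReaderAtBodyContents(), tlsInfo);
    tls.ProcessClientHello(reader.Value.BinaryExchange.Value);

    WstRequestSecurityTokenResponse rstr = new WstRequestSecurityTokenResponse(SecurityTokenSerializer);
    rstr.Context = context;
    rstr.BinaryExchange = new WstBinaryExchange(Constants.WstBinaryExchangeValueTls);
    rstr.BinaryExchange.Value = tls.ProcessServerHello();

    Message reply = Message.CreateMessage(request.Version, Constants.WstIssueReplyAction, rstr);
    reply.Headers.RelatesTo = request.Headers.MessageId;
    // FIXME: use correct buffer size
    buffer = reply.CreateBufferedCopy(0x10000);
    // The reply body is part of the transcript as well.
    AppendNegotiationMessageXml(buffer.CreateMessage().GetReaderAtBodyContents(), tlsInfo);
    // Register only once the handshake state is fully built, so a failure
    // above never leaves a dangling entry behind.
    sessions[context] = tlsInfo;
    return buffer.CreateMessage();
}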
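// First leg of the WS-Trust TLS negotiation (TLSNego): reads the client's
// RequestSecurityToken, creates a server-side TLS session bound to the
// request's negotiation context, feeds it the ClientHello carried in
// BinaryExchange and replies with the ServerHello wrapped in an RSTR.
//
// request: the incoming RST. It comes from the client, so the context and the
//          BinaryExchange it carries are validated before they are used.
// Returns: the buffered reply. A copy of the reply body is appended to the
//          per-session transcript (presumably tlsInfo.Messages) that the key
//          exchange step later hashes into the session key.
// Throws SecurityNegotiationException when the context is missing or already
// in use, or when no ClientHello bytes were supplied.
// NOTE(review): entries added to `sessions` are only removed when the client
// finishes the handshake; abandoned negotiations accumulate unless something
// else expires them — confirm.
Message ProcessClientHello(Message request)
{
    // FIXME: use correct buffer size
    MessageBuffer buffer = request.CreateBufferedCopy(0x10000);
    WSTrustRequestSecurityTokenReader reader = new WSTrustRequestSecurityTokenReader(buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer);
    reader.Read();

    string context = reader.Value.Context;
    if (context == null) {
        // Without a context there is nothing to key the session on; the
        // dictionary would otherwise throw ArgumentNullException.
        throw new SecurityNegotiationException("The RequestSecurityToken does not carry a negotiation context");
    }
    if (sessions.ContainsKey(context)) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' already exists in this SSL negotiation manager", context));
    }
    // A missing BinaryExchange used to surface as a NullReferenceException
    // from the TLS layer; reject it up front with the negotiation error type
    // callers already handle.
    if (reader.Value.BinaryExchange == null || reader.Value.BinaryExchange.Value == null) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' does not carry a TLS ClientHello in BinaryExchange", context));
    }

    TlsServerSession tls = new TlsServerSession(owner.Manager.ServiceCredentials.ServiceCertificate.Certificate, owner.IsMutual);
    TlsServerSessionInfo tlsInfo = new TlsServerSessionInfo(context, tls);
    // The raw RST body is part of the negotiation transcript.
    AppendNegotiationMessageXml(buffer.CreateMessage().GetReaderAtBodyContents(), tlsInfo);
    tls.ProcessClientHello(reader.Value.BinaryExchange.Value);

    WstRequestSecurityTokenResponse rstr = new WstRequestSecurityTokenResponse(SecurityTokenSerializer);
    rstr.Context = context;
    rstr.BinaryExchange = new WstBinaryExchange(Constants.WstBinaryExchangeValueTls);
    rstr.BinaryExchange.Value = tls.ProcessServerHello();

    Message reply = Message.CreateMessage(request.Version, Constants.WstIssueReplyAction, rstr);
    reply.Headers.RelatesTo = request.Headers.MessageId;
    // FIXME: use correct buffer size
    buffer = reply.CreateBufferedCopy(0x10000);
    // The reply body is part of the transcript as well.
    AppendNegotiationMessageXml(buffer.CreateMessage().GetReaderAtBodyContents(), tlsInfo);
    // Register only once the handshake state is fully built, so a failure
    // above never leaves a dangling entry behind.
    sessions[context] = tlsInfo;
    return buffer.CreateMessage();
}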
// Bookkeeping for one in-flight TLS negotiation: the WS-Trust context id the
// client chose and the server-side TLS state machine bound to it.
//
// context: the negotiation context id (used as the key in the session table).
// tls:     the TLS server session created for this negotiation.
public TlsServerSessionInfo(string context, TlsServerSession tls)
{
    this.Tls = tls;
    this.ContextId = context;
}
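// First leg of the WS-Trust TLS negotiation (TLSNego): reads the client's
// RequestSecurityToken, creates a server-side TLS session bound to the
// request's negotiation context, feeds it the ClientHello carried in
// BinaryExchange and replies with the ServerHello wrapped in an RSTR.
//
// request: the incoming RST. It comes from the client, so the context and the
//          BinaryExchange it carries are validated before they are used.
// Returns: the buffered reply. A copy of the reply body is appended to the
//          per-session transcript (presumably tlsInfo.Messages) that the key
//          exchange step later hashes into the session key.
// Throws SecurityNegotiationException when the context is missing or already
// in use, or when no ClientHello bytes were supplied.
// NOTE(review): entries added to `sessions` are only removed when the client
// finishes the handshake; abandoned negotiations accumulate unless something
// else expires them — confirm.
Message ProcessClientHello (Message request)
{
	// FIXME: use correct buffer size
	MessageBuffer buffer = request.CreateBufferedCopy (0x10000);
	WSTrustRequestSecurityTokenReader reader = new WSTrustRequestSecurityTokenReader (buffer.CreateMessage ().GetReaderAtBodyContents (), SecurityTokenSerializer);
	reader.Read ();

	string context = reader.Value.Context;
	if (context == null)
		// Without a context there is nothing to key the session on; the
		// dictionary would otherwise throw ArgumentNullException.
		throw new SecurityNegotiationException ("The RequestSecurityToken does not carry a negotiation context");
	if (sessions.ContainsKey (context))
		throw new SecurityNegotiationException (String.Format ("The context '{0}' already exists in this SSL negotiation manager", context));
	// A missing BinaryExchange used to surface as a NullReferenceException
	// from the TLS layer; reject it up front with the negotiation error type
	// callers already handle.
	if (reader.Value.BinaryExchange == null || reader.Value.BinaryExchange.Value == null)
		throw new SecurityNegotiationException (String.Format ("The context '{0}' does not carry a TLS ClientHello in BinaryExchange", context));

	TlsServerSession tls = new TlsServerSession (owner.Manager.ServiceCredentials.ServiceCertificate.Certificate, owner.IsMutual);
	TlsServerSessionInfo tlsInfo = new TlsServerSessionInfo (context, tls);
	// The raw RST body is part of the negotiation transcript.
	AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
	tls.ProcessClientHello (reader.Value.BinaryExchange.Value);

	WstRequestSecurityTokenResponse rstr = new WstRequestSecurityTokenResponse (SecurityTokenSerializer);
	rstr.Context = context;
	rstr.BinaryExchange = new WstBinaryExchange (Constants.WstBinaryExchangeValueTls);
	rstr.BinaryExchange.Value = tls.ProcessServerHello ();

	Message reply = Message.CreateMessage (request.Version, Constants.WstIssueReplyAction, rstr);
	reply.Headers.RelatesTo = request.Headers.MessageId;
	// FIXME: use correct buffer size
	buffer = reply.CreateBufferedCopy (0x10000);
	// The reply body is part of the transcript as well.
	AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
	// Register only once the handshake state is fully built, so a failure
	// above never leaves a dangling entry behind.
	sessions [context] = tlsInfo;
	return buffer.CreateMessage ();
}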
// Bookkeeping for one in-flight TLS negotiation: the WS-Trust context id the
// client chose and the server-side TLS state machine bound to it.
//
// context: the negotiation context id (used as the key in the session table).
// tls:     the TLS server session created for this negotiation.
public TlsServerSessionInfo (string context, TlsServerSession tls)
{
	this.Tls = tls;
	this.ContextId = context;
}
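// Final leg of the WS-Trust TLS negotiation: consumes the client's key
// exchange / Finished bytes, derives the shared key from the TLS master
// secret and the negotiation transcript, and issues a cookie-mode
// SecurityContextToken together with the server Finished and an
// Authenticator.
//
// request: the RSTR from the client carrying ClientKeyExchange/Finished in
//          BinaryExchange. Untrusted; validated before use.
// Returns: the RSTR collection (token response followed by the authenticator
//          response) as a reply message.
// Throws SecurityNegotiationException when the context is unknown or no
// BinaryExchange is present. The negotiation state for the context is
// discarded whether or not the handshake succeeds.
Message ProcessClientKeyExchange(Message request)
{
    // FIXME: use correct buffer size
    MessageBuffer buffer = request.CreateBufferedCopy(0x10000);
    WSTrustRequestSecurityTokenResponseReader reader = new WSTrustRequestSecurityTokenResponseReader(Constants.WstTlsnegoProofTokenType, buffer.CreateMessage().GetReaderAtBodyContents(), SecurityTokenSerializer, null);
    reader.Read();

    string context = reader.Value.Context;
    TlsServerSessionInfo tlsInfo;
    if (context == null || !sessions.TryGetValue(context, out tlsInfo)) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' does not exist in this SSL negotiation manager", context));
    }
    // The negotiation state is single-use. Drop it before anything that can
    // fail, so a bad or forged key exchange cannot be retried against the
    // same half-open session (previously the entry was only removed on the
    // success path, leaving failed handshakes resumable and never expired).
    sessions.Remove(context);

    // A missing BinaryExchange used to surface as a NullReferenceException
    // from the TLS layer; reject it with the negotiation error type callers
    // already handle.
    if (reader.Value.BinaryExchange == null || reader.Value.BinaryExchange.Value == null) {
        throw new SecurityNegotiationException(String.Format("The context '{0}' does not carry a TLS key exchange in BinaryExchange", context));
    }

    TlsServerSession tls = tlsInfo.Tls;
    // The client's RSTR body completes the transcript that is hashed below.
    AppendNegotiationMessageXml(buffer.CreateMessage().GetReaderAtBodyContents(), tlsInfo);
    tls.ProcessClientKeyExchange(reader.Value.BinaryExchange.Value);
    byte[] serverFinished = tls.ProcessServerFinished();

    // The shared key is computed as recommended in WS-Trust:
    // P_SHA1(encrypted_key,SHA1(exc14n(RST..RSTRs))+"CK-HASH")
    byte[] hash;
    using (SHA1 sha1 = SHA1.Create()) {
        hash = sha1.ComputeHash(tlsInfo.Messages.ToArray());
    }
    byte[] key = tls.CreateHash(tls.MasterSecret, hash, "CK-HASH");
    // without this ProcessApplicationData(), .NET seems
    // to fail recovering the key.
    byte[] keyTlsApplied = tls.ProcessApplicationData(key);
    // NOTE(security): `hash` and `key` used to be written to the console at
    // this point. `key` is the session key handed to the client; it must
    // never be logged or otherwise emitted outside the protected channel.

    WstRequestSecurityTokenResponseCollection col = new WstRequestSecurityTokenResponseCollection();
    WstRequestSecurityTokenResponse rstr = new WstRequestSecurityTokenResponse(SecurityTokenSerializer);
    rstr.Context = context;
    rstr.TokenType = Constants.WsscContextToken;

    // NOTE(review): local time is used for the token validity window and the
    // advertised Lifetime; check against interoperating peers whether UTC is
    // expected before changing this.
    DateTime from = DateTime.Now;
    // The token's own validity window and the <Lifetime> advertised to the
    // client must agree. Previously the token was valid for a fixed 8 hours
    // while Lifetime reported IssuedCookieLifetime, so the two could diverge.
    DateTime expires = from.Add(SecurityBindingElement.LocalServiceSettings.IssuedCookieLifetime);

    // FIXME: not sure if arbitrary key is used here.
    SecurityContextSecurityToken sct = SecurityContextSecurityToken.CreateCookieSecurityContextToken(
        // Create a new context.
        // (do not use sslnego context here.)
        new UniqueId(),
        "uuid-" + Guid.NewGuid(),
        key,
        from,
        expires,
        null,
        owner.Manager.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder);
    rstr.RequestedSecurityToken = sct;
    rstr.RequestedProofToken = keyTlsApplied;
    rstr.RequestedAttachedReference = new LocalIdKeyIdentifierClause(sct.Id);
    rstr.RequestedUnattachedReference = new SecurityContextKeyIdentifierClause(sct.ContextId, null);

    WstLifetime lt = new WstLifetime();
    lt.Created = from;
    lt.Expires = expires;
    rstr.Lifetime = lt;

    rstr.BinaryExchange = new WstBinaryExchange(Constants.WstBinaryExchangeValueTls);
    rstr.BinaryExchange.Value = serverFinished;
    col.Responses.Add(rstr);

    // Authenticator is mandatory for MS sslnego.
    rstr = new WstRequestSecurityTokenResponse(SecurityTokenSerializer);
    rstr.Context = context;
    rstr.Authenticator = tls.CreateHash(key, hash, "AUTH-HASH");
    col.Responses.Add(rstr);

    // FIXME: get correct tokenRequestor address (probably identity authorized?)
    if (owner.IssuedSecurityTokenHandler != null) {
        owner.IssuedSecurityTokenHandler(sct, request.Headers.ReplyTo);
    }

    return Message.CreateMessage(request.Version, Constants.WstIssueReplyAction, col);
}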
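// FIXME: use timeout
// First leg of the WS-Trust TLS negotiation (TLSNego): reads the client's
// RequestSecurityToken, creates a server-side TLS session bound to the
// request's negotiation context, feeds it the ClientHello carried in
// BinaryExchange and replies with the ServerHello wrapped in an RSTR.
//
// request: the incoming RST. It comes from the client, so the context and the
//          BinaryExchange it carries are validated before they are used.
// timeout: negotiation timeout. NOTE(review): not applied here — an entry
//          added to `sessions` is only removed when the client completes the
//          handshake, so abandoned negotiations accumulate; confirm a sweep
//          exists elsewhere or add one keyed on this value.
// Returns: the buffered reply. A copy of the reply body is appended to the
//          per-session transcript (presumably tlsInfo.Messages) that the key
//          exchange step later hashes into the session key.
// Throws SecurityNegotiationException when the context is missing or already
// in use, or when no ClientHello bytes were supplied.
Message ProcessClientHello (Message request, TimeSpan timeout)
{
	// FIXME: use correct buffer size
	MessageBuffer buffer = request.CreateBufferedCopy (0x10000);
	WSTrustRequestSecurityTokenReader reader = new WSTrustRequestSecurityTokenReader (buffer.CreateMessage ().GetReaderAtBodyContents (), SecurityTokenSerializer);
	reader.Read ();

	string context = reader.Value.Context;
	if (context == null)
		// Without a context there is nothing to key the session on; the
		// dictionary would otherwise throw ArgumentNullException.
		throw new SecurityNegotiationException ("The RequestSecurityToken does not carry a negotiation context");
	if (sessions.ContainsKey (context))
		throw new SecurityNegotiationException (String.Format ("The context '{0}' already exists in this SSL negotiation manager", context));
	// A missing BinaryExchange used to surface as a NullReferenceException
	// from the TLS layer; reject it up front with the negotiation error type
	// callers already handle.
	if (reader.Value.BinaryExchange == null || reader.Value.BinaryExchange.Value == null)
		throw new SecurityNegotiationException (String.Format ("The context '{0}' does not carry a TLS ClientHello in BinaryExchange", context));

	// FIXME: it seems .NET retrieves X509 Certificate through CreateSecurityTokenProvider(somex509requirement).GetToken().SecurityKeys[0]
	// (should result in X509AsymmetricSecurityKey) and continues tlsstart.
	// That's not very required feature so I ignore it.
	TlsServerSession tls = new TlsServerSession (owner.Manager.ServiceCredentials.ServiceCertificate.Certificate, owner.IsMutual);
	TlsServerSessionInfo tlsInfo = new TlsServerSessionInfo (context, tls);
	// The raw RST body is part of the negotiation transcript.
	AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
	tls.ProcessClientHello (reader.Value.BinaryExchange.Value);

	WstRequestSecurityTokenResponse rstr = new WstRequestSecurityTokenResponse (SecurityTokenSerializer);
	rstr.Context = context;
	rstr.BinaryExchange = new WstBinaryExchange (Constants.WstBinaryExchangeValueTls);
	rstr.BinaryExchange.Value = tls.ProcessServerHello ();

	Message reply = Message.CreateMessage (request.Version, Constants.WstIssueReplyAction, rstr);
	reply.Headers.RelatesTo = request.Headers.MessageId;
	// FIXME: use correct buffer size
	buffer = reply.CreateBufferedCopy (0x10000);
	// The reply body is part of the transcript as well.
	AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
	// Register only once the handshake state is fully built, so a failure
	// above never leaves a dangling entry behind.
	sessions [context] = tlsInfo;
	return buffer.CreateMessage ();
}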