private static bool AreTokensEqual(SecurityToken outOfBandToken, SecurityToken replyToken) { if ((outOfBandToken is X509SecurityToken) && (replyToken is X509SecurityToken)) { byte[] certHash = ((X509SecurityToken)outOfBandToken).Certificate.GetCertHash(); byte[] b = ((X509SecurityToken)replyToken).Certificate.GetCertHash(); return(CryptoHelper.IsEqual(certHash, b)); } return(false); }
private bool IsMatch(DerivedKeySecurityTokenCache cachedToken, string id, int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, string derivationAlgorithm) { if ((((cachedToken.Generation != generation) || (cachedToken.Offset != offset)) || ((cachedToken.Length != length) || !(cachedToken.Label == label))) || !(cachedToken.KeyDerivationAlgorithm == derivationAlgorithm)) { return(false); } if (!cachedToken.IsSourceKeyEqual(tokenToDerive)) { return(false); } return(CryptoHelper.IsEqual(cachedToken.Nonce, nonce) && (cachedToken.SecurityKeys != null)); }
public bool IsSourceKeyEqual(SecurityToken token) { if (token.SecurityKeys.Count != 1) { return(false); } SymmetricSecurityKey key = token.SecurityKeys[0] as SymmetricSecurityKey; if (key == null) { return(false); } return(CryptoHelper.IsEqual(this.keyToDerive, key.GetSymmetricKey())); }
bool IsMatch(DerivedKeySecurityTokenCache cachedToken, string id, int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, string derivationAlgorithm) { if ((cachedToken.Generation == generation) && (cachedToken.Offset == offset) && (cachedToken.Length == length) && (cachedToken.Label == label) && (cachedToken.KeyDerivationAlgorithm == derivationAlgorithm)) { if (!cachedToken.IsSourceKeyEqual(tokenToDerive)) { return(false); } // since derived key token keys are delay initialized during security processing, it may be possible // that the cached derived key token does not have its keys initialized as yet. If so return false for // the match so that the framework doesnt try to reference a null key. return(CryptoHelper.IsEqual(cachedToken.Nonce, nonce) && (cachedToken.SecurityKeys != null)); } else { return(false); } }
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates) { SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations(); SignatureConfirmations sentSignatures = null; if (correlationStates != null) { for (int i = 0; i < correlationStates.Length; ++i) { if (correlationStates[i].SignatureConfirmations != null) { sentSignatures = correlationStates[i].SignatureConfirmations; break; } } } if (sentSignatures == null) { if (receivedConfirmations != null && receivedConfirmations.Count > 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations))); } return; } bool allSignaturesConfirmed = false; if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count) { bool[] matchingSigIndexes = new bool[sentSignatures.Count]; for (int i = 0; i < sentSignatures.Count; ++i) { byte[] sentSignature; bool wasSentSigEncrypted; sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted); for (int j = 0; j < receivedConfirmations.Count; ++j) { byte[] receivedSignature; bool wasReceivedSigEncrypted; if (matchingSigIndexes[j]) { continue; } receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted); if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature)) { matchingSigIndexes[j] = true; break; } } } int k; for (k = 0; k < matchingSigIndexes.Length; ++k) { if (!matchingSigIndexes[k]) { break; } } if (k == matchingSigIndexes.Length) { allSignaturesConfirmed = true; } } if (!allSignaturesConfirmed) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed))); } }
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } SecurityToken resolvedToken = null; for (int i = 0; i < this.tokenCount; i++) { if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External) { continue; } SecurityToken token = tokens[i].Token; if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle)) { resolvedToken = token; break; } else if (tokens[i].TokenParameters == null) { // match it according to the allowed reference style if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause)) { resolvedToken = token; break; } } } if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause)) { EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier; SecurityToken unwrappingToken; if (this.expectedWrapper != null && CheckExternalWrapperMatch(wrappingTokenReference)) { unwrappingToken = this.expectedWrapper; } else { unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause); } if (unwrappingToken != null) { resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken); } } if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause)) { resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData())); } byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce(); if ((resolvedToken != null) && (derivationNonce != null)) { // A Implicit Derived Key is specified. Create a derived key off of the resolve token. if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null) { // The resolved token contains no Symmetric Security key and thus we cannot create // a derived key off of it. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken))); } int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength; if (derivationLength > this.securityHeader.MaxDerivedKeyLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength))); } bool alreadyDerived = false; for (int i = 0; i < this.tokenCount; ++i) { DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken; if (derivedKeyToken != null) { if ((derivedKeyToken.Length == derivationLength) && (CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) && (derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause))) { // This is a implcit derived key for which we have already derived the // token. resolvedToken = this.tokens[i].Token; alreadyDerived = true; break; } } } if (!alreadyDerived) { string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion); resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId()); ((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength); Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null); this.securityHeader.EnsureDerivedKeyLimitNotReached(); } } return(resolvedToken); }
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates) { SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations(); SignatureConfirmations signatureConfirmations = null; if (correlationStates != null) { for (int i = 0; i < correlationStates.Length; i++) { if (correlationStates[i].SignatureConfirmations != null) { signatureConfirmations = correlationStates[i].SignatureConfirmations; break; } } } if (signatureConfirmations == null) { if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations"))); } } else { bool flag = false; if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count)) { bool[] flagArray = new bool[signatureConfirmations.Count]; for (int j = 0; j < signatureConfirmations.Count; j++) { byte[] buffer; bool flag2; signatureConfirmations.GetConfirmation(j, out buffer, out flag2); for (int k = 0; k < sentSignatureConfirmations.Count; k++) { if (!flagArray[k]) { byte[] buffer2; bool flag3; sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3); if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer)) { flagArray[k] = true; break; } } } } int index = 0; while (index < flagArray.Length) { if (!flagArray[index]) { break; } index++; } if (index == flagArray.Length) { flag = true; } } if (!flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed"))); } } }
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } SecurityToken token = null; for (int i = 0; i < this.tokenCount; i++) { if (!matchOnlyExternal || (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.External)) { SecurityToken token2 = this.tokens[i].Token; if ((this.tokens[i].TokenParameters != null) && this.tokens[i].TokenParameters.MatchesKeyIdentifierClause(token2, keyIdentifierClause, this.tokens[i].AllowedReferenceStyle)) { token = token2; break; } if (((this.tokens[i].TokenParameters == null) && (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal)) && this.MatchDirectReference(token2, keyIdentifierClause)) { token = token2; break; } } } if ((token == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause)) { SecurityToken expectedWrapper; EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier; if ((this.expectedWrapper != null) && this.CheckExternalWrapperMatch(encryptingKeyIdentifier)) { expectedWrapper = this.expectedWrapper; } else { expectedWrapper = this.ResolveToken(encryptingKeyIdentifier, true, resolveIntrinsicKeyClause); } if (expectedWrapper != null) { token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, expectedWrapper); } } if (((token == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause)) && (!matchOnlyExternal && resolveIntrinsicKeyClause)) { token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData())); } byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce(); if ((token != null) && (derivationNonce != null)) { if (System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token) == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToDeriveKeyFromKeyInfoClause", new object[] { keyIdentifierClause, token }))); } int length = (keyIdentifierClause.DerivationLength == 0) ? 0x20 : keyIdentifierClause.DerivationLength; if (length > this.securityHeader.MaxDerivedKeyLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong", new object[] { keyIdentifierClause.ToString(), length, this.securityHeader.MaxDerivedKeyLength }))); } bool flag = false; for (int j = 0; j < this.tokenCount; j++) { DerivedKeySecurityToken token4 = this.tokens[j].Token as DerivedKeySecurityToken; if (((token4 != null) && (token4.Length == length)) && (CryptoHelper.IsEqual(token4.Nonce, derivationNonce) && token4.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause))) { token = this.tokens[j].Token; flag = true; break; } } if (!flag) { string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion); token = new DerivedKeySecurityToken(-1, 0, length, null, derivationNonce, token, keyIdentifierClause, keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId()); ((DerivedKeySecurityToken)token).InitializeDerivedKey(length); this.Add(token, SecurityTokenReferenceStyle.Internal, null); this.securityHeader.EnsureDerivedKeyLimitNotReached(); } } return(token); }