public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader) : base(messageToProcess) { this.securityHeader = securityHeader; if (securityHeader.RequireMessageProtection) { XmlDictionaryReader messageReader; BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage; if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders) { messageReader = bufferedMessage.GetMessageReader(); } else { this.messageBuffer = new XmlBuffer(int.MaxValue); XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas); this.InnerMessage.WriteMessage(writer); this.messageBuffer.CloseSection(); this.messageBuffer.Close(); messageReader = this.messageBuffer.GetReader(0); } MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true); this.cachedReaderAtSecurityHeader = messageReader; this.state = BodyState.Buffered; } else { this.envelopeAttributes = XmlAttributeHolder.emptyArray; this.headerAttributes = XmlAttributeHolder.emptyArray; this.bodyAttributes = XmlAttributeHolder.emptyArray; this.canDelegateCreateBufferedCopyToInnerMessage = true; } }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { IList <SupportingTokenAuthenticatorSpecification> list; SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory; ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list); List <SecurityToken> incomingSessionTokens = this.GetIncomingSessionTokens(); securityHeader.ConfigureSymmetricBindingClientReceiveHeader(incomingSessionTokens, this.Factory.SecurityTokenParameters); securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value; base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates); SecurityToken signatureToken = securityHeader.SignatureToken; bool flag = false; for (int i = 0; i < incomingSessionTokens.Count; i++) { if (object.ReferenceEquals(signatureToken, incomingSessionTokens[i])) { flag = true; break; } } if (!flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage"))); } if (factory.RequireIntegrity) { ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signatureToken); base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies); } return(null); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory; IList <SupportingTokenAuthenticatorSpecification> dummyAuthenticators; ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out dummyAuthenticators); List <SecurityToken> sessionTokens = GetIncomingSessionTokens(); securityHeader.ConfigureSymmetricBindingClientReceiveHeader(sessionTokens, this.Factory.SecurityTokenParameters); // do not enforce the key derivation requirement for CancelResponse due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseResponseAction.Value); ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates); SecurityToken signingToken = securityHeader.SignatureToken; // verify that the signing token was one of the session tokens bool isSessionToken = false; for (int i = 0; i < sessionTokens.Count; ++i) { if (Object.ReferenceEquals(signingToken, sessionTokens[i])) { isSessionToken = true; break; } } if (!isSessionToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage))); } if (factory.RequireIntegrity) { ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.sessionTokenAuthenticator.ValidateToken(signingToken); DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies); } return(null); }
protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays; securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy); if (this.factory.AddTimestamp && securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader))); } if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message); } if (this.DoAutomaticEncryptionMatch) { SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message); } if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator) { CheckSignatureConfirmation(securityHeader, correlationStates); } message = securityHeader.ProcessedMessage; }
protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators) { System.ServiceModel.Security.MessageSecurityProtocolFactory messageSecurityProtocolFactory = this.MessageSecurityProtocolFactory; MessageDirection transferDirection = messageSecurityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input; ReceiveSecurityHeader securityHeader = this.CreateSecurityHeader(message, actor, transferDirection, standardsManager); string action = message.Headers.Action; supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader); if (messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens) { securityHeader.RequiredSignatureParts = messageSecurityProtocolFactory.GetIncomingSignatureParts(action); } if (messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens) { securityHeader.RequiredEncryptionParts = messageSecurityProtocolFactory.GetIncomingEncryptionParts(action); } securityHeader.ExpectEncryption = messageSecurityProtocolFactory.RequireConfidentiality || securityHeader.ExpectBasicTokens; securityHeader.ExpectSignature = messageSecurityProtocolFactory.RequireIntegrity || securityHeader.ExpectSignedTokens; securityHeader.SetRequiredProtectionOrder(messageSecurityProtocolFactory.MessageProtectionOrder); if ((messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation) && this.HasCorrelationState(correlationStates)) { securityHeader.MaintainSignatureConfirmationState = true; securityHeader.ExpectSignatureConfirmation = true; return(securityHeader); } if (!messageSecurityProtocolFactory.ActAsInitiator && messageSecurityProtocolFactory.DoRequestSignatureConfirmation) { securityHeader.MaintainSignatureConfirmationState = true; return(securityHeader); } securityHeader.MaintainSignatureConfirmationState = false; return(securityHeader); }
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader) { this.securityHeader = securityHeader; this.elements = new ReceiveSecurityHeaderEntry[8]; if (securityHeader.RequireMessageProtection) { this.headerIds = new string[securityHeader.ProcessedMessage.Headers.Count]; } }
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) { securityHeader.ExecuteReadingPass(reader); securityHeader.ExecuteDerivedKeyTokenStubPass(false); securityHeader.ExecuteSubheaderDecryptionPass(); securityHeader.ExecuteDerivedKeyTokenStubPass(true); this.MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection); securityHeader.ExecuteSignatureEncryptionProcessingPass(); }
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader) { _securityHeader = securityHeader; _elements = new ReceiveSecurityHeaderEntry[InitialCapacity]; if (securityHeader.RequireMessageProtection) { _headerIds = new string[securityHeader.ProcessedMessage.Headers.Count]; } }
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList); if (supportingAuthenticators != null && supportingAuthenticators.Count > 0) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = this.Factory.DetectReplays; securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew); // do not enforce key derivation requirement for Cancel messages due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader))); } bool didSessionSctEndorse = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i) { SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken); if (signingSct != null && signingSct.ContextId == this.sessionId) { didSessionSctEndorse = true; break; } } } if (!didSessionSctEndorse) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage))); } message = securityHeader.ProcessedMessage; AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); base.OnIncomingMessageVerified(message); }
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { string actor = string.Empty; ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> outOfBandResolvers = base.MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList); if ((supportingAuthenticators != null) && (supportingAuthenticators.Count > 0)) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(outOfBandResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper helper = new TimeoutHelper(timeout); securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew); securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value; securityHeader.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("RequiredTimestampMissingInSecurityHeader"))); } bool flag = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; i++) { SecurityContextSecurityToken token = securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken; if ((token != null) && (token.ContextId == this.sessionId)) { flag = true; break; } } } if (!flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage"))); } message = securityHeader.ProcessedMessage; base.AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); base.OnIncomingMessageVerified(message); }
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message, string actor, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction) { ReceiveSecurityHeader header = this.TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction); if (header != null) { return(header); } if (string.IsNullOrEmpty(actor)) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message); } throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message); }
protected ReceiveSecurityHeader CreateSecurityHeader(Message message, string actor, MessageDirection transferDirection, SecurityStandardsManager standardsManager) { standardsManager = standardsManager ?? this.factory.StandardsManager; ReceiveSecurityHeader header = standardsManager.CreateReceiveSecurityHeader(message, actor, this.factory.IncomingAlgorithmSuite, transferDirection); header.Layout = this.factory.SecurityHeaderLayout; header.MaxReceivedMessageSize = this.factory.SecurityBindingElement.MaxReceivedMessageSize; header.ReaderQuotas = this.factory.SecurityBindingElement.ReaderQuotas; if (this.factory.ExpectKeyDerivation) { header.DerivedTokenAuthenticator = this.factory.DerivedKeyTokenAuthenticator; } return(header); }
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { bool flag; bool flag2; bool flag3; TransportSecurityProtocolFactory securityProtocolFactory = (TransportSecurityProtocolFactory)base.SecurityProtocolFactory; string actor = string.Empty; ReceiveSecurityHeader header = securityProtocolFactory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, securityProtocolFactory.IncomingAlgorithmSuite, securityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input); IList <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = securityProtocolFactory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag3, out flag, out flag2); if (header == null) { bool flag4 = (flag2 || flag3) || flag; if ((securityProtocolFactory.ActAsInitiator && (!securityProtocolFactory.AddTimestamp || securityProtocolFactory.SecurityBindingElement.EnableUnsecuredResponse)) || ((!securityProtocolFactory.ActAsInitiator && !securityProtocolFactory.AddTimestamp) && !flag4)) { return; } if (string.IsNullOrEmpty(actor)) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message); } throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message); } header.RequireMessageProtection = false; header.ExpectBasicTokens = flag; header.ExpectSignedTokens = flag3; header.ExpectEndorsingTokens = flag2; header.MaxReceivedMessageSize = securityProtocolFactory.SecurityBindingElement.MaxReceivedMessageSize; header.ReaderQuotas = securityProtocolFactory.SecurityBindingElement.ReaderQuotas; TimeoutHelper helper = new TimeoutHelper(timeout); if (!securityProtocolFactory.ActAsInitiator) { header.ConfigureTransportBindingServerReceiveHeader(supportingTokenAuthenticators); header.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(supportingTokenAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (securityProtocolFactory.ExpectKeyDerivation) { header.DerivedTokenAuthenticator = securityProtocolFactory.DerivedKeyTokenAuthenticator; } } header.SetTimeParameters(securityProtocolFactory.NonceCache, securityProtocolFactory.ReplayWindow, securityProtocolFactory.MaxClockSkew); header.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), securityProtocolFactory.ExtendedProtectionPolicy); message = header.ProcessedMessage; if (!securityProtocolFactory.ActAsInitiator) { this.AttachRecipientSecurityProperty(message, header.BasicSupportingTokens, header.EndorsingSupportingTokens, header.SignedEndorsingSupportingTokens, header.SignedSupportingTokens, header.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(message); }
protected ReceiveSecurityHeader ConfigureReceiveSecurityHeader(Message message, string actor, SecurityProtocolCorrelationState[] correlationStates, SecurityStandardsManager standardsManager, out IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators) { MessageSecurityProtocolFactory factory = this.MessageSecurityProtocolFactory; MessageDirection direction = factory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input; ReceiveSecurityHeader securityHeader = CreateSecurityHeader(message, actor, direction, standardsManager); string action = message.Headers.Action; supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.factory, message, securityHeader); if (factory.RequireIntegrity || securityHeader.ExpectSignedTokens) { securityHeader.RequiredSignatureParts = factory.GetIncomingSignatureParts(action); } if (factory.RequireConfidentiality || securityHeader.ExpectBasicTokens) { securityHeader.RequiredEncryptionParts = factory.GetIncomingEncryptionParts(action); } securityHeader.ExpectEncryption = factory.RequireConfidentiality || securityHeader.ExpectBasicTokens; securityHeader.ExpectSignature = factory.RequireIntegrity || securityHeader.ExpectSignedTokens; securityHeader.SetRequiredProtectionOrder(factory.MessageProtectionOrder); // On the receiving side if protectTokens is enabled // 1. If we are service, we make sure that the client always signs the primary token( can be any token type)else we throw. // But currently the service can sign the primary token in reply only if the primary token is an issued token // 2. If we are client, we do not care if the service signs the primary token or not. Otherwise it will be impossible to have a wcf client /service talk to each other unless we // either use a symmetric binding with issued tokens or asymmetric bindings with both the intiator and recipient parameters being issued tokens( later one is rare). securityHeader.RequireSignedPrimaryToken = !factory.ActAsInitiator && factory.SecurityBindingElement.ProtectTokens; if (factory.ActAsInitiator && factory.DoRequestSignatureConfirmation && HasCorrelationState(correlationStates)) { securityHeader.MaintainSignatureConfirmationState = true; securityHeader.ExpectSignatureConfirmation = true; } else if (!factory.ActAsInitiator && factory.DoRequestSignatureConfirmation) { securityHeader.MaintainSignatureConfirmationState = true; } else { securityHeader.MaintainSignatureConfirmationState = false; } return(securityHeader); }
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) { // pass 1 securityHeader.ExecuteReadingPass(reader); // pass 1.5 securityHeader.ExecuteDerivedKeyTokenStubPass(false); // pass 2 securityHeader.ExecuteSubheaderDecryptionPass(); // pass 2.5 securityHeader.ExecuteDerivedKeyTokenStubPass(true); // layout-specific inferences MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection); // pass 3 securityHeader.ExecuteSignatureEncryptionProcessingPass(); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { IList <SupportingTokenAuthenticatorSpecification> list; SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory; ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, this.requireDerivedKeys ? this.sessionStandardsManager : null, out list); securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, list); securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.sessionResolverList)); securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value; base.ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates); SecurityToken signatureToken = securityHeader.SignatureToken; SecurityContextSecurityToken token2 = signatureToken as SecurityContextSecurityToken; if ((token2 == null) || (token2.ContextId != this.sessionId)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage"))); } base.AttachRecipientSecurityProperty(message, signatureToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); return(base.GetCorrelationState(null, securityHeader)); }
internal ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message, string actor, SecurityAlgorithmSuite algorithmSuite, MessageDirection direction) { ReceiveSecurityHeader header = TryCreateReceiveSecurityHeader(message, actor, algorithmSuite, direction); if (header == null) { if (String.IsNullOrEmpty(actor)) { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message); } else { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message); } } return(header); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { SessionSymmetricMessageSecurityProtocolFactory factory = this.Factory; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators; ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, (this.requireDerivedKeys) ? this.sessionStandardsManager : null, out supportingAuthenticators); securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.sessionTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.sessionResolverList)); // do not enforce key derivation requirement for Cancel messages due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != factory.StandardsManager.SecureConversationDriver.CloseAction.Value); ProcessSecurityHeader(securityHeader, ref message, null, timeout, correlationStates); SecurityToken signingToken = securityHeader.SignatureToken; SecurityContextSecurityToken signingSct = (signingToken as SecurityContextSecurityToken); if (signingSct == null || signingSct.ContextId != sessionId) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage))); } AttachRecipientSecurityProperty(message, signingToken, false, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); return(GetCorrelationState(null, securityHeader)); }
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) { securityHeader.ExecuteFullPass(reader); }
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates) { SignatureConfirmations receivedConfirmations = securityHeader.GetSentSignatureConfirmations(); SignatureConfirmations sentSignatures = null; if (correlationStates != null) { for (int i = 0; i < correlationStates.Length; ++i) { if (correlationStates[i].SignatureConfirmations != null) { sentSignatures = correlationStates[i].SignatureConfirmations; break; } } } if (sentSignatures == null) { if (receivedConfirmations != null && receivedConfirmations.Count > 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.FoundUnexpectedSignatureConfirmations))); } return; } bool allSignaturesConfirmed = false; if (receivedConfirmations != null && sentSignatures.Count == receivedConfirmations.Count) { bool[] matchingSigIndexes = new bool[sentSignatures.Count]; for (int i = 0; i < sentSignatures.Count; ++i) { byte[] sentSignature; bool wasSentSigEncrypted; sentSignatures.GetConfirmation(i, out sentSignature, out wasSentSigEncrypted); for (int j = 0; j < receivedConfirmations.Count; ++j) { byte[] receivedSignature; bool wasReceivedSigEncrypted; if (matchingSigIndexes[j]) { continue; } receivedConfirmations.GetConfirmation(j, out receivedSignature, out wasReceivedSigEncrypted); if ((wasReceivedSigEncrypted == wasSentSigEncrypted) && CryptoHelper.IsEqual(receivedSignature, sentSignature)) { matchingSigIndexes[j] = true; break; } } } int k; for (k = 0; k < matchingSigIndexes.Length; ++k) { if (!matchingSigIndexes[k]) { break; } } if (k == matchingSigIndexes.Length) { allSignaturesConfirmed = true; } } if (!allSignaturesConfirmed) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NotAllSignaturesConfirmed))); } }
protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader) { SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken); if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator) { result.SignatureConfirmations = securityHeader.GetSentSignatureValues(); } return result; }
protected SecurityProtocolCorrelationState GetCorrelationState(SecurityToken correlationToken, ReceiveSecurityHeader securityHeader) { SecurityProtocolCorrelationState result = new SecurityProtocolCorrelationState(correlationToken); if (securityHeader.MaintainSignatureConfirmationState && !this.factory.ActAsInitiator) { result.SignatureConfirmations = securityHeader.GetSentSignatureValues(); } return(result); }
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader) { this.tokens = new SecurityTokenEntry[10]; this.securityHeader = securityHeader; }
protected void CheckSignatureConfirmation(ReceiveSecurityHeader securityHeader, SecurityProtocolCorrelationState[] correlationStates) { SignatureConfirmations sentSignatureConfirmations = securityHeader.GetSentSignatureConfirmations(); SignatureConfirmations signatureConfirmations = null; if (correlationStates != null) { for (int i = 0; i < correlationStates.Length; i++) { if (correlationStates[i].SignatureConfirmations != null) { signatureConfirmations = correlationStates[i].SignatureConfirmations; break; } } } if (signatureConfirmations == null) { if ((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("FoundUnexpectedSignatureConfirmations"))); } } else { bool flag = false; if ((sentSignatureConfirmations != null) && (signatureConfirmations.Count == sentSignatureConfirmations.Count)) { bool[] flagArray = new bool[signatureConfirmations.Count]; for (int j = 0; j < signatureConfirmations.Count; j++) { byte[] buffer; bool flag2; signatureConfirmations.GetConfirmation(j, out buffer, out flag2); for (int k = 0; k < sentSignatureConfirmations.Count; k++) { if (!flagArray[k]) { byte[] buffer2; bool flag3; sentSignatureConfirmations.GetConfirmation(k, out buffer2, out flag3); if ((flag3 == flag2) && CryptoHelper.IsEqual(buffer2, buffer)) { flagArray[k] = true; break; } } } } int index = 0; while (index < flagArray.Length) { if (!flagArray[index]) { break; } index++; } if (index == flagArray.Length) { flag = true; } } if (!flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NotAllSignaturesConfirmed"))); } } }
public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(System.ServiceModel.Security.SecurityProtocolFactory factory, Message message, ReceiveSecurityHeader securityHeader) { bool flag; bool flag2; bool flag3; if (factory.ActAsInitiator) { return null; } if (message == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message"); } IList<SupportingTokenAuthenticatorSpecification> list = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag2, out flag, out flag3); securityHeader.ExpectBasicTokens = flag; securityHeader.ExpectEndorsingTokens = flag3; securityHeader.ExpectSignedTokens = flag2; return list; }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { AsymmetricSecurityProtocolFactory factory = this.Factory; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators); SecurityToken requiredReplySigningToken = null; if (factory.ActAsInitiator) { SecurityToken encryptionToken = null; SecurityToken receiverToken = null; if (factory.RequireIntegrity) { receiverToken = GetToken(this.initiatorAsymmetricTokenProvider, null, timeoutHelper.RemainingTime()); requiredReplySigningToken = receiverToken; } if (factory.RequireConfidentiality) { encryptionToken = GetCorrelationToken(correlationStates); if (!SecurityUtils.HasSymmetricSecurityKey(encryptionToken)) { securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; } } SecurityTokenAuthenticator primaryTokenAuthenticator; if (factory.AllowSerializedSigningTokenOnReply) { primaryTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator; requiredReplySigningToken = null; } else { primaryTokenAuthenticator = null; } securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(receiverToken, factory.AsymmetricTokenParameters, encryptionToken, factory.CryptoTokenParameters, primaryTokenAuthenticator); } else { SecurityToken wrappingToken; if (this.Factory.RecipientAsymmetricTokenProvider != null && this.Factory.RequireConfidentiality) { wrappingToken = GetToken(factory.RecipientAsymmetricTokenProvider, null, timeoutHelper.RemainingTime()); } else { wrappingToken = null; } securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, wrappingToken, this.Factory.AsymmetricTokenParameters, supportingAuthenticators); securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList)); } ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates); SecurityToken signingToken = securityHeader.SignatureToken; SecurityToken encryptingToken = securityHeader.EncryptionToken; if (factory.RequireIntegrity) { if (factory.ActAsInitiator) { ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signingToken); EnsureNonWrappedToken(signingToken, message); DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptingToken, signingToken, signingTokenPolicies); } else { EnsureNonWrappedToken(signingToken, message); AttachRecipientSecurityProperty(message, signingToken, encryptingToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } } return(GetCorrelationState(signingToken, securityHeader)); }
protected IList<SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(SecurityProtocolFactory factory, Message message, ReceiveSecurityHeader securityHeader) { if (factory.ActAsInitiator) { return null; } if (message == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message"); } bool expectBasicTokens; bool expectSignedTokens; bool expectEndorsingTokens; IList<SupportingTokenAuthenticatorSpecification> authenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens); securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; return authenticators; }
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)this.SecurityProtocolFactory; string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input); bool expectBasicTokens; bool expectEndorsingTokens; bool expectSignedTokens; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens); if (securityHeader == null) { bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens; if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) || (!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens)) { return; } else { if (String.IsNullOrEmpty(actor)) { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message); } else { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message); } } } securityHeader.RequireMessageProtection = false; securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize; securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); if (!factory.ActAsInitiator) { securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (factory.ExpectKeyDerivation) { securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator; } } securityHeader.ReplayDetectionEnabled = factory.DetectReplays; securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy); message = securityHeader.ProcessedMessage; if (!factory.ActAsInitiator) { AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(message); }
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader) { this.tokens = new SecurityTokenEntry[InitialTokenArraySize]; this.securityHeader = securityHeader; }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { IList <SupportingTokenAuthenticatorSpecification> list; AsymmetricSecurityProtocolFactory factory = this.Factory; TimeoutHelper helper = new TimeoutHelper(timeout); ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list); SecurityToken requiredSigningToken = null; if (factory.ActAsInitiator) { SecurityTokenAuthenticator initiatorAsymmetricTokenAuthenticator; SecurityToken token = null; SecurityToken primaryToken = null; if (factory.RequireIntegrity) { primaryToken = SecurityProtocol.GetToken(this.initiatorAsymmetricTokenProvider, null, helper.RemainingTime()); requiredSigningToken = primaryToken; } if (factory.RequireConfidentiality) { token = base.GetCorrelationToken(correlationStates); if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(token)) { securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; } } if (factory.AllowSerializedSigningTokenOnReply) { initiatorAsymmetricTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator; requiredSigningToken = null; } else { initiatorAsymmetricTokenAuthenticator = null; } securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(primaryToken, factory.AsymmetricTokenParameters, token, factory.CryptoTokenParameters, initiatorAsymmetricTokenAuthenticator); } else { SecurityToken token4; if ((this.Factory.RecipientAsymmetricTokenProvider != null) && this.Factory.RequireConfidentiality) { token4 = SecurityProtocol.GetToken(factory.RecipientAsymmetricTokenProvider, null, helper.RemainingTime()); } else { token4 = null; } securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, token4, this.Factory.AsymmetricTokenParameters, list); securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList)); } base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates); SecurityToken signatureToken = securityHeader.SignatureToken; SecurityToken encryptionToken = securityHeader.EncryptionToken; if (factory.RequireIntegrity) { if (factory.ActAsInitiator) { ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signatureToken); MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message); this.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptionToken, signatureToken, recipientTokenPolicies); } else { MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message); this.AttachRecipientSecurityProperty(message, signatureToken, encryptionToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } } return(base.GetCorrelationState(signatureToken, securityHeader)); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { SymmetricSecurityProtocolFactory factory = this.Factory; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); ReceiveSecurityHeader securityHeader = ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out supportingAuthenticators); SecurityToken requiredReplySigningToken = null; if (this.Factory.ActAsInitiator) { // set the outofband protection token SecurityTokenParameters outOfBandTokenParameters; SecurityToken outOfBandToken = GetCorrelationToken(correlationStates, out outOfBandTokenParameters); securityHeader.ConfigureSymmetricBindingClientReceiveHeader(outOfBandToken, outOfBandTokenParameters); requiredReplySigningToken = outOfBandToken; } else { if (factory.RecipientSymmetricTokenAuthenticator != null) { securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, supportingAuthenticators); } else { securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(timeoutHelper.RemainingTime()), this.Factory.SecurityTokenParameters, supportingAuthenticators); securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; } securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, this.Factory.RecipientOutOfBandTokenResolverList)); } ProcessSecurityHeader(securityHeader, ref message, requiredReplySigningToken, timeoutHelper.RemainingTime(), correlationStates); SecurityToken signingToken = securityHeader.SignatureToken; if (factory.RequireIntegrity) { if (factory.SecurityTokenParameters.HasAsymmetricKey) { // enforce that the signing token is a wrapped key token EnsureWrappedToken(signingToken, message); } else { EnsureNonWrappedToken(signingToken, message); } if (factory.ActAsInitiator) { if (!factory.SecurityTokenParameters.HasAsymmetricKey) { ReadOnlyCollection <IAuthorizationPolicy> signingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signingToken); DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, signingTokenPolicies); } else { SecurityToken wrappingToken = (signingToken as WrappedKeySecurityToken).WrappingToken; ReadOnlyCollection <IAuthorizationPolicy> wrappingTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken); DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signingToken, wrappingTokenPolicies); } } else { AttachRecipientSecurityProperty(message, signingToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } } return(GetCorrelationState(signingToken, securityHeader)); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { IList <SupportingTokenAuthenticatorSpecification> list; SymmetricSecurityProtocolFactory factory = this.Factory; TimeoutHelper helper = new TimeoutHelper(timeout); ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list); SecurityToken requiredSigningToken = null; if (this.Factory.ActAsInitiator) { SecurityTokenParameters parameters; SecurityToken correlationToken = this.GetCorrelationToken(correlationStates, out parameters); securityHeader.ConfigureSymmetricBindingClientReceiveHeader(correlationToken, parameters); requiredSigningToken = correlationToken; } else { if (factory.RecipientSymmetricTokenAuthenticator != null) { securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientSymmetricTokenAuthenticator, this.Factory.SecurityTokenParameters, list); } else { securityHeader.ConfigureSymmetricBindingServerReceiveHeader(this.Factory.RecipientAsymmetricTokenProvider.GetToken(helper.RemainingTime()), this.Factory.SecurityTokenParameters, list); securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; } securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList)); } base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates); SecurityToken signatureToken = securityHeader.SignatureToken; if (factory.RequireIntegrity) { if (factory.SecurityTokenParameters.HasAsymmetricKey) { this.EnsureWrappedToken(signatureToken, message); } else { MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message); } if (factory.ActAsInitiator) { if (!factory.SecurityTokenParameters.HasAsymmetricKey) { ReadOnlyCollection <IAuthorizationPolicy> protectionTokenPolicies = this.initiatorTokenAuthenticator.ValidateToken(signatureToken); base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, protectionTokenPolicies); } else { SecurityToken wrappingToken = (signatureToken as WrappedKeySecurityToken).WrappingToken; ReadOnlyCollection <IAuthorizationPolicy> onlys2 = this.initiatorTokenAuthenticator.ValidateToken(wrappingToken); base.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, signatureToken, onlys2); } } else { base.AttachRecipientSecurityProperty(message, signatureToken, this.Factory.SecurityTokenParameters.HasAsymmetricKey, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } } return(base.GetCorrelationState(signatureToken, securityHeader)); }