internal override void WriteTimestampCanonicalForm(Stream stream, SecurityTimestamp timestamp, byte[] workBuffer) { TimestampCanonicalFormWriter.Instance.WriteCanonicalForm( stream, timestamp.Id, timestamp.GetCreationTimeChars(), timestamp.GetExpiryTimeChars(), workBuffer); }
public void AddTimestamp(SecurityTimestamp timestamp) { ThrowIfProcessingStarted(); if (ElementContainer.Timestamp != null) { throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.TimestampAlreadySetForSecurityHeader), Message); } ElementContainer.Timestamp = timestamp ?? throw TraceUtility.ThrowHelperArgumentNull(nameof(timestamp), Message); }
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens) { ISignatureValueSecurityElement signedXml; if (this.signedXml == null) { return(null); } SecurityTimestamp timestamp = base.Timestamp; if (timestamp != null) { if (timestamp.Id == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TimestampToSignHasNoId"))); } HashStream stream = this.TakeHashStream(); base.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(stream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer()); this.signedInfo.AddReference(timestamp.Id, stream.FlushHashAndGetValue()); } if ((base.ShouldSignToHeader && (this.signatureKey is AsymmetricSecurityKey)) && (base.Version.Addressing != AddressingVersion.None)) { if (this.toHeaderHash == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TransportSecurityRequireToHeader"))); } this.signedInfo.AddReference(this.toHeaderId, this.toHeaderHash); } this.AddSignatureReference(signatureConfirmations); if (base.RequireMessageProtection) { this.AddSignatureReference(signedEndorsingTokens); this.AddSignatureReference(signedTokens); this.AddSignatureReference(basicTokens); } if (this.signedInfo.ReferenceCount == 0) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoPartsOfMessageMatchedPartsToSign")), base.Message); } try { this.signedXml.ComputeSignature(this.signatureKey); signedXml = this.signedXml; } finally { this.hashStream = null; this.signedInfo = null; this.signedXml = null; this.signatureKey = null; this.effectiveSignatureParts = null; } return(signedXml); }
public void AddTimestamp(SecurityTimestamp timestamp) { base.ThrowIfProcessingStarted(); if (this.elementContainer.Timestamp != null) { throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TimestampAlreadySetForSecurityHeader")), base.Message); } if (timestamp == null) { throw TraceUtility.ThrowHelperArgumentNull("timestamp", base.Message); } this.elementContainer.Timestamp = timestamp; }
private void ReadTimestamp(XmlDictionaryReader reader) { if (_timestamp != null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.DuplicateTimestampInSecurityHeader), Message); } bool expectTimestampToBeSigned = RequireMessageProtection || _hasEndorsingOrSignedEndorsingSupportingTokens; string expectedDigestAlgorithm = expectTimestampToBeSigned ? AlgorithmSuite.DefaultDigestAlgorithm : null; SignatureResourcePool resourcePool = expectTimestampToBeSigned ? ResourcePool : null; _timestamp = StandardsManager.WSUtilitySpecificationVersion.ReadTimestamp(reader, expectedDigestAlgorithm, resourcePool); _timestamp.ValidateRangeAndFreshness(_replayWindow, _clockSkew); ElementManager.AppendTimestamp(_timestamp); }
internal override void WriteTimestamp(XmlDictionaryWriter writer, SecurityTimestamp timestamp) { writer.WriteStartElement(System.ServiceModel.XD.UtilityDictionary.Prefix.Value, System.ServiceModel.XD.UtilityDictionary.Timestamp, System.ServiceModel.XD.UtilityDictionary.Namespace); writer.WriteAttributeString(System.ServiceModel.XD.UtilityDictionary.IdAttribute, System.ServiceModel.XD.UtilityDictionary.Namespace, timestamp.Id); writer.WriteStartElement(System.ServiceModel.XD.UtilityDictionary.CreatedElement, System.ServiceModel.XD.UtilityDictionary.Namespace); char[] creationTimeChars = timestamp.GetCreationTimeChars(); writer.WriteChars(creationTimeChars, 0, creationTimeChars.Length); writer.WriteEndElement(); writer.WriteStartElement(System.ServiceModel.XD.UtilityDictionary.ExpiresElement, System.ServiceModel.XD.UtilityDictionary.Namespace); char[] expiryTimeChars = timestamp.GetExpiryTimeChars(); writer.WriteChars(expiryTimeChars, 0, expiryTimeChars.Length); writer.WriteEndElement(); writer.WriteEndElement(); }
internal override void WriteTimestamp(XmlDictionaryWriter writer, SecurityTimestamp timestamp) { writer.WriteStartElement(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.Timestamp, XD.UtilityDictionary.Namespace); writer.WriteAttributeString(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, timestamp.Id); writer.WriteStartElement(XD.UtilityDictionary.CreatedElement, XD.UtilityDictionary.Namespace); char[] creationTime = timestamp.GetCreationTimeChars(); writer.WriteChars(creationTime, 0, creationTime.Length); writer.WriteEndElement(); // wsu:Created writer.WriteStartElement(XD.UtilityDictionary.ExpiresElement, XD.UtilityDictionary.Namespace); char[] expiryTime = timestamp.GetExpiryTimeChars(); writer.WriteChars(expiryTime, 0, expiryTime.Length); writer.WriteEndElement(); // wsu:Expires writer.WriteEndElement(); }
internal abstract void WriteTimestampCanonicalForm(Stream stream, SecurityTimestamp timestamp, byte[] buffer);
internal abstract void WriteTimestamp(XmlDictionaryWriter writer, SecurityTimestamp timestamp);
void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id) { Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references."); for (int i = 0; i < signedInfo.ReferenceCount; i++) { Reference reference = signedInfo[i]; this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod); string referredId = reference.ExtractReferredId(); if (isPrimarySignature || (id == referredId)) { if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext && timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null) { reference.EnsureDigestValidity(referredId, timestamp.GetDigest()); this.ElementManager.SetTimestampSigned(referredId); } else { if (signatureTarget != null) { reference.EnsureDigestValidity(id, signatureTarget); } else { int tokenIndex = -1; XmlDictionaryReader reader = null; if (reference.IsStrTranform()) { if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex)) { ReceiveSecurityHeaderEntry entry; this.ElementManager.GetElementEntry(tokenIndex, out entry); bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed) || (entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing); // This means it is a protected(signed)primary token. if (!this.ElementManager.IsPrimaryTokenSigned) { this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary && entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token; } this.ElementManager.SetSigned(tokenIndex); // We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token. reader = this.ElementManager.GetReader(tokenIndex, isSignedToken); } } else { reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode); } if (reader != null) { reference.EnsureDigestValidity(referredId, reader); reader.Close(); } } } if (!isPrimarySignature) { // We were given an id to verify and we have verified it. So just break out // of the loop. break; } } } // This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message // should have the primary signature over the primary(signing)token. if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters()))); } // NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe. // To change this behaviour add another check below and throw appropriate exception message. }
internal override void WriteTimestampCanonicalForm(Stream stream, SecurityTimestamp timestamp, byte[] workBuffer) { WSUtilitySpecificationVersion.TimestampCanonicalFormWriter.Instance.WriteCanonicalForm(stream, timestamp.Id, timestamp.GetCreationTimeChars(), timestamp.GetExpiryTimeChars(), workBuffer); }
public void AppendTimestamp(SecurityTimestamp timestamp) { AppendElement(ReceiveSecurityHeaderElementCategory.Timestamp, timestamp, ReceiveSecurityHeaderBindingModes.Unknown, timestamp.Id, null); }
private void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id) { for (int i = 0; i < signedInfo.ReferenceCount; i++) { Reference reference = signedInfo[i]; base.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod); string str = reference.ExtractReferredId(); if (isPrimarySignature || (id == str)) { if ((((timestamp != null) && (timestamp.Id == str)) && (!reference.TransformChain.NeedsInclusiveContext && (timestamp.DigestAlgorithm == reference.DigestMethod))) && (timestamp.GetDigest() != null)) { reference.EnsureDigestValidity(str, timestamp.GetDigest()); base.ElementManager.SetTimestampSigned(str); } else if (signatureTarget != null) { reference.EnsureDigestValidity(id, signatureTarget); } else { XmlDictionaryReader signatureVerificationReader = base.ElementManager.GetSignatureVerificationReader(str, base.EncryptBeforeSignMode); if (signatureVerificationReader != null) { reference.EnsureDigestValidity(str, signatureVerificationReader); signatureVerificationReader.Close(); } } if (!isPrimarySignature) { return; } } } }
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore( SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, bool isPrimarySignature) { if (this.signedXml == null) { return(null); } SecurityTimestamp timestamp = this.Timestamp; if (timestamp != null) { if (timestamp.Id == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TimestampToSignHasNoId))); } HashStream hashStream = TakeHashStream(); this.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm( hashStream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer()); signedInfo.AddReference(timestamp.Id, hashStream.FlushHashAndGetValue()); } if ((this.ShouldSignToHeader) && (this.signatureKey is AsymmetricSecurityKey) && (this.Version.Addressing != AddressingVersion.None)) { if (this.toHeaderHash != null) { signedInfo.AddReference(this.toHeaderId, this.toHeaderHash); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TransportSecurityRequireToHeader))); } } AddSignatureReference(signatureConfirmations); if (isPrimarySignature && this.ShouldProtectTokens) { AddPrimaryTokenSignatureReference(this.ElementContainer.SourceSigningToken, this.SigningTokenParameters); } if (this.RequireMessageProtection) { AddSignatureReference(signedEndorsingTokens, SecurityTokenAttachmentMode.SignedEndorsing); AddSignatureReference(signedTokens, SecurityTokenAttachmentMode.Signed); AddSignatureReference(basicTokens); } if (this.signedInfo.ReferenceCount == 0) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoPartsOfMessageMatchedPartsToSign)), this.Message); } try { this.signedXml.ComputeSignature(this.signatureKey); return(this.signedXml); } finally { this.hashStream = null; this.signedInfo = null; this.signedXml = null; this.signatureKey = null; this.effectiveSignatureParts = null; } }
void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id) { Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references."); for (int i = 0; i < signedInfo.ReferenceCount; i++) { Reference reference = signedInfo[i]; this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod); string referredId = reference.ExtractReferredId(); if (isPrimarySignature || (id == referredId)) { if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext && timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null) { reference.EnsureDigestValidity(referredId, timestamp.GetDigest()); this.ElementManager.SetTimestampSigned(referredId); } else { if (signatureTarget != null) reference.EnsureDigestValidity(id, signatureTarget); else { int tokenIndex = -1; XmlDictionaryReader reader = null; if (reference.IsStrTranform()) { if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex)) { ReceiveSecurityHeaderEntry entry; this.ElementManager.GetElementEntry(tokenIndex, out entry); bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed) || (entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing); // This means it is a protected(signed)primary token. if (!this.ElementManager.IsPrimaryTokenSigned) { this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary && entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token; } this.ElementManager.SetSigned(tokenIndex); // We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token. reader = this.ElementManager.GetReader(tokenIndex, isSignedToken); } } else reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode); if (reader != null) { reference.EnsureDigestValidity(referredId, reader); reader.Close(); } } } if (!isPrimarySignature) { // We were given an id to verify and we have verified it. So just break out // of the loop. break; } } } // This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message // should have the primary signature over the primary(signing)token. if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters()))); } // NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe. // To change this behaviour add another check below and throw appropriate exception message. }
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore( SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, bool isPrimarySignature) { if (_signedXml == null) { return(null); } SecurityTimestamp timestamp = Timestamp; if (timestamp != null) { if (timestamp.Id == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.TimestampToSignHasNoId)); } var buffer = new byte[64]; var ms = new MemoryStream(); StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm( ms, timestamp, buffer); ms.Position = 0; AddReference("#" + timestamp.Id, ms); var reference = new Reference(ms); } if ((ShouldSignToHeader) && (_signingKey != null || _signedXml.SigningKey != null) && (Version.Addressing != AddressingVersion.None)) { if (_toHeaderStream != null) { AddReference("#" + _toHeaderId, _toHeaderStream); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.TransportSecurityRequireToHeader)); } } AddSignatureReference(signatureConfirmations); if (isPrimarySignature && ShouldProtectTokens) { AddPrimaryTokenSignatureReference(ElementContainer.SourceSigningToken, SigningTokenParameters); } if (RequireMessageProtection) { throw new PlatformNotSupportedException(nameof(RequireMessageProtection)); } if (_signedXml.SignedInfo.References.Count == 0) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.NoPartsOfMessageMatchedPartsToSign), Message); } try { if (_signingKey != null) { _signedXml.ComputeSignature(_signingKey); } else { _signedXml.ComputeSignature(); } return(new SignatureValue(_signedXml.Signature)); } finally { _hashStream = null; _signingKey = null; _signedXml = null; _effectiveSignatureParts = null; } }