/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) {
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel);
var checkSignatureResponse = this.Channel.Request<CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid) {
Logger.Bindings.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) {
if (this.rpAssociations != null) {
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
// When we're in dumb mode we can't provide our own replay protection,
// but for OpenID 2.0 Providers we can rely on them providing it as part
// of signature verification.
if (message.Version.Major >= 2) {
protectionsApplied |= MessageProtections.ReplayProtection;
}
return protectionsApplied;
}
/// <summary>
/// Gets the association to use to sign or verify a message.
/// </summary>
/// <param name="signedMessage">The message to sign or verify.</param>
/// <returns>
/// The association to use to sign or verify the message.
/// </returns>
protected override Association GetAssociation(ITamperResistantOpenIdMessage signedMessage) {
// We're on a Relying Party verifying a signature.
IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage;
if (this.rpAssociations != null) {
return this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle);
} else {
return null;
}
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>
/// The referenced association; or <c>null</c> if such an association cannot be found.
/// </returns>
protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) {
Association association = null;
if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) {
IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse;
if (this.rpAssociations != null) { // if on a smart RP
Uri providerEndpoint = indirectSignedMessage.ProviderEndpoint;
association = this.rpAssociations.GetAssociation(providerEndpoint, signedMessage.AssociationHandle);
}
}
return association;
}
/// <summary>
/// Ensures that all message parameters that must be signed are in fact included
/// in the signature.
/// </summary>
/// <param name="signedMessage">The signed message.</param>
private static void EnsureParametersRequiringSignatureAreSigned(ITamperResistantOpenIdMessage signedMessage)
{
// Verify that the signed parameter order includes the mandated fields.
// We do this in such a way that derived classes that add mandated fields automatically
// get included in the list of checked parameters.
Protocol protocol = Protocol.Lookup(signedMessage.Version);
var partsRequiringProtection = from part in MessageDescription.Get(signedMessage.GetType(), signedMessage.Version).Mapping.Values
where part.RequiredProtection != ProtectionLevel.None
select part.Name;
ErrorUtilities.VerifyInternal(partsRequiringProtection.All(name => name.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)), "Signing only works when the parameters start with the 'openid.' prefix.");
string[] signedParts = signedMessage.SignedParameterOrder.Split(',');
var unsignedParts = from partName in partsRequiringProtection
where !signedParts.Contains(partName.Substring(protocol.openid.Prefix.Length))
select partName;
ErrorUtilities.VerifyProtocol(!unsignedParts.Any(), OpenIdStrings.SignatureDoesNotIncludeMandatoryParts, string.Join(", ", unsignedParts.ToArray()));
}
/// <summary>
/// Gets a dictionary of all the message part names and values
/// that are included in the message signature.
/// </summary>
/// <param name="channel">The channel.</param>
/// <returns>
/// A dictionary of the signed message parts.
/// </returns>
internal IDictionary<string, string> GetSignedMessageParts(Channel channel) {
Requires.NotNull(channel, "channel");
ITamperResistantOpenIdMessage signedSelf = this;
if (signedSelf.SignedParameterOrder == null) {
return EmptyDictionary<string, string>.Instance;
}
MessageDictionary messageDictionary = channel.MessageDescriptions.GetAccessor(this);
string[] signedPartNamesWithoutPrefix = signedSelf.SignedParameterOrder.Split(',');
Dictionary<string, string> signedParts = new Dictionary<string, string>(signedPartNamesWithoutPrefix.Length);
var signedPartNames = signedPartNamesWithoutPrefix.Select(part => Protocol.openid.Prefix + part);
foreach (string partName in signedPartNames) {
signedParts[partName] = messageDictionary[partName];
}
return signedParts;
}
public void ExtensionResponsesAreSigned()
{
Protocol protocol = Protocol.Default;
var op = this.CreateProvider();
IndirectSignedResponse response = this.CreateResponseWithExtensions(protocol);
op.Channel.PrepareResponse(response);
ITamperResistantOpenIdMessage signedResponse = (ITamperResistantOpenIdMessage)response;
string extensionAliasKey = signedResponse.ExtraData.Single(kv => kv.Value == MockOpenIdExtension.MockTypeUri).Key;
Assert.IsTrue(extensionAliasKey.StartsWith("openid.ns."));
string extensionAlias = extensionAliasKey.Substring("openid.ns.".Length);
// Make sure that the extension members and the alias=namespace declaration are all signed.
Assert.IsNotNull(signedResponse.SignedParameterOrder);
string[] signedParameters = signedResponse.SignedParameterOrder.Split(',');
Assert.IsTrue(signedParameters.Contains(extensionAlias + ".Part"));
Assert.IsTrue(signedParameters.Contains(extensionAlias + ".data"));
Assert.IsTrue(signedParameters.Contains("ns." + extensionAlias));
}
/// <summary>
/// Gets the association to use to sign or verify a message.
/// </summary>
/// <param name="signedMessage">The message to sign or verify.</param>
/// <returns>The association to use to sign or verify the message.</returns>
private Association GetAssociation(ITamperResistantOpenIdMessage signedMessage)
{
if (this.IsOnProvider)
{
// We're on a Provider to either sign (smart/dumb) or verify a dumb signature.
return(this.GetSpecificAssociation(signedMessage) ?? this.GetDumbAssociationForSigning());
}
else
{
// We're on a Relying Party verifying a signature.
IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage;
if (this.rpAssociations != null)
{
return(this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle));
}
else
{
return(null);
}
}
}
/// <summary>
/// Gets the value to use for the openid.signed parameter.
/// </summary>
/// <param name="signedMessage">The signable message.</param>
/// <returns>
/// A comma-delimited list of parameter names, omitting the 'openid.' prefix, that determines
/// the inclusion and order of message parts that will be signed.
/// </returns>
private string GetSignedParameterOrder(ITamperResistantOpenIdMessage signedMessage)
{
RequiresEx.ValidState(this.Channel != null);
Requires.NotNull(signedMessage, "signedMessage");
Protocol protocol = Protocol.Lookup(signedMessage.Version);
MessageDescription description = this.Channel.MessageDescriptions.Get(signedMessage);
var signedParts =
from part in description.Mapping.Values
where (part.RequiredProtection & System.Net.Security.ProtectionLevel.Sign) != 0 &&
part.GetValue(signedMessage) != null
select part.Name;
string prefix = Protocol.V20.openid.Prefix;
ErrorUtilities.VerifyInternal(signedParts.All(name => name.StartsWith(prefix, StringComparison.Ordinal)), "All signed message parts must start with 'openid.'.");
if (this.opSecuritySettings.SignOutgoingExtensions)
{
// Tack on any ExtraData parameters that start with 'openid.'.
List <string> extraSignedParameters = new List <string>(signedMessage.ExtraData.Count);
foreach (string key in signedMessage.ExtraData.Keys)
{
if (key.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal))
{
extraSignedParameters.Add(key);
}
else
{
Logger.Signatures.DebugFormat("The extra parameter '{0}' will not be signed because it does not start with 'openid.'.", key);
}
}
signedParts = signedParts.Concat(extraSignedParameters);
}
int skipLength = prefix.Length;
string signedFields = string.Join(",", signedParts.Select(name => name.Substring(skipLength)).ToArray());
return(signedFields);
}
/// <summary>
/// Gets a dictionary of all the message part names and values
/// that are included in the message signature.
/// </summary>
/// <returns>A dictionary of the signed message parts.</returns>
internal IDictionary <string, string> GetSignedMessageParts()
{
ITamperResistantOpenIdMessage signedSelf = this;
if (signedSelf.SignedParameterOrder == null)
{
return(EmptyDictionary <string, string> .Instance);
}
MessageDictionary messageDictionary = new MessageDictionary(this);
string[] signedPartNamesWithoutPrefix = signedSelf.SignedParameterOrder.Split(',');
Dictionary <string, string> signedParts = new Dictionary <string, string>(signedPartNamesWithoutPrefix.Length);
var signedPartNames = signedPartNamesWithoutPrefix.Select(part => Protocol.openid.Prefix + part);
foreach (string partName in signedPartNames)
{
signedParts[partName] = messageDictionary[partName];
}
return(signedParts);
}
public void SignaturesMatchKnownGood()
{
Protocol protocol = Protocol.V20;
var settings = new ProviderSecuritySettings();
var store = new AssociationMemoryStore <AssociationRelyingPartyType>();
byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
Association association = HmacShaAssociation.Create("mock", associationSecret, TimeSpan.FromDays(1));
store.StoreAssociation(AssociationRelyingPartyType.Smart, association);
SigningBindingElement signer = new SigningBindingElement(store, settings);
signer.Channel = new TestChannel(this.MessageDescriptions);
IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp"));
ITamperResistantOpenIdMessage signedMessage = message;
message.ProviderEndpoint = new Uri("http://provider");
signedMessage.UtcCreationDate = DateTime.Parse("1/1/2009");
signedMessage.AssociationHandle = association.Handle;
Assert.IsNotNull(signer.ProcessOutgoingMessage(message));
Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature);
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>
/// The referenced association; or <c>null</c> if such an association cannot be found.
/// </returns>
protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage)
{
Association association = null;
if (!string.IsNullOrEmpty(signedMessage.AssociationHandle))
{
IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse;
// Since we have an association handle, we're either signing with a smart association,
// or verifying a dumb one.
bool signing = string.IsNullOrEmpty(signedMessage.Signature);
bool isPrivateAssociation = !signing;
association = this.opAssociations.Deserialize(signedMessage, isPrivateAssociation, signedMessage.AssociationHandle);
if (association == null)
{
// There was no valid association with the requested handle.
// Let's tell the RP to forget about that association.
signedMessage.InvalidateHandle = signedMessage.AssociationHandle;
signedMessage.AssociationHandle = null;
}
}
return(association);
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>The referenced association; or <c>null</c> if such an association cannot be found.</returns>
/// <remarks>
/// If the association handle set in the message does not match any valid association,
/// the association handle property is cleared, and the
/// <see cref="ITamperResistantOpenIdMessage.InvalidateHandle"/> property is set to the
/// handle that could not be found.
/// </remarks>
private Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) {
Association association = null;
if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) {
IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse;
if (this.IsOnProvider) {
// Since we have an association handle, we're either signing with a smart association,
// or verifying a dumb one.
bool signing = string.IsNullOrEmpty(signedMessage.Signature);
AssociationRelyingPartyType type = signing ? AssociationRelyingPartyType.Smart : AssociationRelyingPartyType.Dumb;
association = this.opAssociations.GetAssociation(type, signedMessage.AssociationHandle);
if (association == null) {
// There was no valid association with the requested handle.
// Let's tell the RP to forget about that association.
signedMessage.InvalidateHandle = signedMessage.AssociationHandle;
signedMessage.AssociationHandle = null;
}
} else if (this.rpAssociations != null) { // if on a smart RP
Uri providerEndpoint = indirectSignedMessage.ProviderEndpoint;
association = this.rpAssociations.GetAssociation(providerEndpoint, signedMessage.AssociationHandle);
}
}
return association;
}
/// <summary>
/// Gets the association to use to sign or verify a message.
/// </summary>
/// <param name="signedMessage">The message to sign or verify.</param>
/// <returns>The association to use to sign or verify the message.</returns>
private Association GetAssociation(ITamperResistantOpenIdMessage signedMessage) {
Contract.Requires<ArgumentNullException>(signedMessage != null);
if (this.IsOnProvider) {
// We're on a Provider to either sign (smart/dumb) or verify a dumb signature.
bool signing = string.IsNullOrEmpty(signedMessage.Signature);
if (signing) {
// If the RP has no replay protection, coerce use of a private association
// instead of a shared one (if security settings indicate)
// to protect the authenticating user from replay attacks.
bool forcePrivateAssociation = this.opSecuritySettings.ProtectDownlevelReplayAttacks
&& IsRelyingPartyVulnerableToReplays(null, (IndirectSignedResponse)signedMessage);
if (forcePrivateAssociation) {
if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) {
Logger.Signatures.Info("An OpenID 1.x authentication request with a shared association handle will be responded to with a private association in order to provide OP-side replay protection.");
}
return this.GetDumbAssociationForSigning();
} else {
return this.GetSpecificAssociation(signedMessage) ?? this.GetDumbAssociationForSigning();
}
} else {
return this.GetSpecificAssociation(signedMessage);
}
} else {
// We're on a Relying Party verifying a signature.
IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage;
if (this.rpAssociations != null) {
return this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle);
} else {
return null;
}
}
}
/// <summary>
/// Gets the value to use for the openid.signed parameter.
/// </summary>
/// <param name="signedMessage">The signable message.</param>
/// <returns>
/// A comma-delimited list of parameter names, omitting the 'openid.' prefix, that determines
/// the inclusion and order of message parts that will be signed.
/// </returns>
private string GetSignedParameterOrder(ITamperResistantOpenIdMessage signedMessage) {
Contract.Requires<InvalidOperationException>(this.Channel != null);
Contract.Requires<ArgumentNullException>(signedMessage != null);
Protocol protocol = Protocol.Lookup(signedMessage.Version);
MessageDescription description = this.Channel.MessageDescriptions.Get(signedMessage);
var signedParts = from part in description.Mapping.Values
where (part.RequiredProtection & System.Net.Security.ProtectionLevel.Sign) != 0
&& part.GetValue(signedMessage) != null
select part.Name;
string prefix = Protocol.V20.openid.Prefix;
ErrorUtilities.VerifyInternal(signedParts.All(name => name.StartsWith(prefix, StringComparison.Ordinal)), "All signed message parts must start with 'openid.'.");
if (this.opSecuritySettings.SignOutgoingExtensions) {
// Tack on any ExtraData parameters that start with 'openid.'.
List<string> extraSignedParameters = new List<string>(signedMessage.ExtraData.Count);
foreach (string key in signedMessage.ExtraData.Keys) {
if (key.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)) {
extraSignedParameters.Add(key);
} else {
Logger.Signatures.DebugFormat("The extra parameter '{0}' will not be signed because it does not start with 'openid.'.", key);
}
}
signedParts = signedParts.Concat(extraSignedParameters);
}
int skipLength = prefix.Length;
string signedFields = string.Join(",", signedParts.Select(name => name.Substring(skipLength)).ToArray());
return signedFields;
}
/// <summary>
/// Calculates the signature for a given message.
/// </summary>
/// <param name="signedMessage">The message to sign or verify.</param>
/// <param name="association">The association to use to sign the message.</param>
/// <returns>The calculated signature of the method.</returns>
private string GetSignature(ITamperResistantOpenIdMessage signedMessage, Association association) {
Contract.Requires<ArgumentNullException>(signedMessage != null);
Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(signedMessage.SignedParameterOrder));
Contract.Requires<ArgumentNullException>(association != null);
// Prepare the parts to sign, taking care to replace an openid.mode value
// of check_authentication with its original id_res so the signature matches.
MessageDictionary dictionary = this.Channel.MessageDescriptions.GetAccessor(signedMessage);
var parametersToSign = from name in signedMessage.SignedParameterOrder.Split(',')
let prefixedName = Protocol.V20.openid.Prefix + name
select new KeyValuePair<string, string>(name, dictionary[prefixedName]);
byte[] dataToSign = KeyValueFormEncoding.GetBytes(parametersToSign);
string signature = Convert.ToBase64String(association.Sign(dataToSign));
if (Logger.Signatures.IsDebugEnabled) {
Logger.Signatures.DebugFormat(
"Signing these message parts: {0}{1}{0}Base64 representation of signed data: {2}{0}Signature: {3}",
Environment.NewLine,
parametersToSign.ToStringDeferred(),
Convert.ToBase64String(dataToSign),
signature);
}
return signature;
}
/// <summary>
/// Ensures that all message parameters that must be signed are in fact included
/// in the signature.
/// </summary>
/// <param name="signedMessage">The signed message.</param>
private void EnsureParametersRequiringSignatureAreSigned(ITamperResistantOpenIdMessage signedMessage) {
// Verify that the signed parameter order includes the mandated fields.
// We do this in such a way that derived classes that add mandated fields automatically
// get included in the list of checked parameters.
Protocol protocol = Protocol.Lookup(signedMessage.Version);
var partsRequiringProtection = from part in this.Channel.MessageDescriptions.Get(signedMessage).Mapping.Values
where part.RequiredProtection != ProtectionLevel.None
where part.IsRequired || part.IsNondefaultValueSet(signedMessage)
select part.Name;
ErrorUtilities.VerifyInternal(partsRequiringProtection.All(name => name.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)), "Signing only works when the parameters start with the 'openid.' prefix.");
string[] signedParts = signedMessage.SignedParameterOrder.Split(',');
var unsignedParts = from partName in partsRequiringProtection
where !signedParts.Contains(partName.Substring(protocol.openid.Prefix.Length))
select partName;
ErrorUtilities.VerifyProtocol(!unsignedParts.Any(), OpenIdStrings.SignatureDoesNotIncludeMandatoryParts, string.Join(", ", unsignedParts.ToArray()));
}
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns>The referenced association; or <c>null</c> if such an association cannot be found.</returns> /// <remarks> /// If the association handle set in the message does not match any valid association, /// the association handle property is cleared, and the /// <see cref="ITamperResistantOpenIdMessage.InvalidateHandle"/> property is set to the /// handle that could not be found. /// </remarks> protected abstract Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage);
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied)
{
throw new NotImplementedException();
}
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) {
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
throw new InvalidSignatureException(message);
}
/// <summary>
/// Calculates the signature for a given message.
/// </summary>
/// <param name="signedMessage">The message to sign or verify.</param>
/// <param name="association">The association to use to sign the message.</param>
/// <returns>The calculated signature of the method.</returns>
private string GetSignature(ITamperResistantOpenIdMessage signedMessage, Association association)
{
ErrorUtilities.VerifyArgumentNotNull(signedMessage, "signedMessage");
ErrorUtilities.VerifyNonZeroLength(signedMessage.SignedParameterOrder, "signedMessage.SignedParameterOrder");
ErrorUtilities.VerifyArgumentNotNull(association, "association");
// Prepare the parts to sign, taking care to replace an openid.mode value
// of check_authentication with its original id_res so the signature matches.
MessageDictionary dictionary = this.Channel.MessageDescriptions.GetAccessor(signedMessage);
var parametersToSign = from name in signedMessage.SignedParameterOrder.Split(',')
let prefixedName = Protocol.V20.openid.Prefix + name
select new KeyValuePair<string, string>(name, dictionary[prefixedName]);
byte[] dataToSign = KeyValueFormEncoding.GetBytes(parametersToSign);
string signature = Convert.ToBase64String(association.Sign(dataToSign));
if (Logger.Signatures.IsDebugEnabled) {
Logger.Signatures.DebugFormat(
CultureInfo.InvariantCulture,
"Signing these message parts: {0}{1}{0}Base64 representation of signed data: {2}{0}Signature: {3}",
Environment.NewLine,
parametersToSign.ToStringDeferred(),
Convert.ToBase64String(dataToSign),
signature);
}
return signature;
}
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns>The applied protections.</returns> protected abstract Task <MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken);
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied)
{
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel);
var checkSignatureResponse = this.Channel.Request <CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid)
{
Logger.Bindings.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle))
{
if (this.rpAssociations != null)
{
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
// When we're in dumb mode we can't provide our own replay protection,
// but for OpenID 2.0 Providers we can rely on them providing it as part
// of signature verification.
if (message.Version.Major >= 2)
{
protectionsApplied |= MessageProtections.ReplayProtection;
}
return(protectionsApplied);
}
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken) {
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
var tcs = new TaskCompletionSource<MessageProtections>();
tcs.SetException(new InvalidSignatureException(message));
return tcs.Task;
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>
/// The referenced association; or <c>null</c> if such an association cannot be found.
/// </returns>
protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) {
Association association = null;
if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) {
IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse;
// Since we have an association handle, we're either signing with a smart association,
// or verifying a dumb one.
bool signing = string.IsNullOrEmpty(signedMessage.Signature);
bool isPrivateAssociation = !signing;
association = this.opAssociations.Deserialize(signedMessage, isPrivateAssociation, signedMessage.AssociationHandle);
if (association == null) {
// There was no valid association with the requested handle.
// Let's tell the RP to forget about that association.
signedMessage.InvalidateHandle = signedMessage.AssociationHandle;
signedMessage.AssociationHandle = null;
}
}
return association;
}
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override Task <MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken)
{
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
var tcs = new TaskCompletionSource <MessageProtections>();
tcs.SetException(new InvalidSignatureException(message));
return(tcs.Task);
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>
/// The referenced association; or <c>null</c> if such an association cannot be found.
/// </returns>
protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage)
{
Requires.NotNull(signedMessage, "signedMessage");
throw new NotImplementedException();
}
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) {
throw new NotImplementedException();
}
/// <summary>
/// Gets a specific association referenced in a given message's association handle.
/// </summary>
/// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param>
/// <returns>
/// The referenced association; or <c>null</c> if such an association cannot be found.
/// </returns>
protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) {
Requires.NotNull(signedMessage, "signedMessage");
throw new NotImplementedException();
}
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns>The applied protections.</returns> protected abstract MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied);
/// <summary>
/// Verifies the signature by unrecognized handle.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="signedMessage">The signed message.</param>
/// <param name="protectionsApplied">The protections applied.</param>
/// <returns>
/// The applied protections.
/// </returns>
protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied)
{
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
throw new InvalidSignatureException(message);
}
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns>The applied protections.</returns> protected abstract MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied);
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns>The referenced association; or <c>null</c> if such an association cannot be found.</returns> /// <remarks> /// If the association handle set in the message does not match any valid association, /// the association handle property is cleared, and the /// <see cref="ITamperResistantOpenIdMessage.InvalidateHandle"/> property is set to the /// handle that could not be found. /// </remarks> protected abstract Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage);
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns>The applied protections.</returns> protected abstract Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken);
