/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns> /// The applied protections. /// </returns> protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) { // We did not recognize the association the provider used to sign the message. // Ask the provider to check the signature then. var indirectSignedResponse = (IndirectSignedResponse)signedMessage; var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel); var checkSignatureResponse = this.Channel.Request<CheckAuthenticationResponse>(checkSignatureRequest); if (!checkSignatureResponse.IsValid) { Logger.Bindings.Error("Provider reports signature verification failed."); throw new InvalidSignatureException(message); } // If the OP confirms that a handle should be invalidated as well, do that. if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) { if (this.rpAssociations != null) { this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle); } } // When we're in dumb mode we can't provide our own replay protection, // but for OpenID 2.0 Providers we can rely on them providing it as part // of signature verification. if (message.Version.Major >= 2) { protectionsApplied |= MessageProtections.ReplayProtection; } return protectionsApplied; }
/// <summary> /// Gets the association to use to sign or verify a message. /// </summary> /// <param name="signedMessage">The message to sign or verify.</param> /// <returns> /// The association to use to sign or verify the message. /// </returns> protected override Association GetAssociation(ITamperResistantOpenIdMessage signedMessage) { // We're on a Relying Party verifying a signature. IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage; if (this.rpAssociations != null) { return this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle); } else { return null; } }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns> /// The referenced association; or <c>null</c> if such an association cannot be found. /// </returns> protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) { Association association = null; if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) { IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse; if (this.rpAssociations != null) { // if on a smart RP Uri providerEndpoint = indirectSignedMessage.ProviderEndpoint; association = this.rpAssociations.GetAssociation(providerEndpoint, signedMessage.AssociationHandle); } } return association; }
/// <summary> /// Ensures that all message parameters that must be signed are in fact included /// in the signature. /// </summary> /// <param name="signedMessage">The signed message.</param> private static void EnsureParametersRequiringSignatureAreSigned(ITamperResistantOpenIdMessage signedMessage) { // Verify that the signed parameter order includes the mandated fields. // We do this in such a way that derived classes that add mandated fields automatically // get included in the list of checked parameters. Protocol protocol = Protocol.Lookup(signedMessage.Version); var partsRequiringProtection = from part in MessageDescription.Get(signedMessage.GetType(), signedMessage.Version).Mapping.Values where part.RequiredProtection != ProtectionLevel.None select part.Name; ErrorUtilities.VerifyInternal(partsRequiringProtection.All(name => name.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)), "Signing only works when the parameters start with the 'openid.' prefix."); string[] signedParts = signedMessage.SignedParameterOrder.Split(','); var unsignedParts = from partName in partsRequiringProtection where !signedParts.Contains(partName.Substring(protocol.openid.Prefix.Length)) select partName; ErrorUtilities.VerifyProtocol(!unsignedParts.Any(), OpenIdStrings.SignatureDoesNotIncludeMandatoryParts, string.Join(", ", unsignedParts.ToArray())); }
/// <summary> /// Gets a dictionary of all the message part names and values /// that are included in the message signature. /// </summary> /// <param name="channel">The channel.</param> /// <returns> /// A dictionary of the signed message parts. /// </returns> internal IDictionary<string, string> GetSignedMessageParts(Channel channel) { Requires.NotNull(channel, "channel"); ITamperResistantOpenIdMessage signedSelf = this; if (signedSelf.SignedParameterOrder == null) { return EmptyDictionary<string, string>.Instance; } MessageDictionary messageDictionary = channel.MessageDescriptions.GetAccessor(this); string[] signedPartNamesWithoutPrefix = signedSelf.SignedParameterOrder.Split(','); Dictionary<string, string> signedParts = new Dictionary<string, string>(signedPartNamesWithoutPrefix.Length); var signedPartNames = signedPartNamesWithoutPrefix.Select(part => Protocol.openid.Prefix + part); foreach (string partName in signedPartNames) { signedParts[partName] = messageDictionary[partName]; } return signedParts; }
public void ExtensionResponsesAreSigned() { Protocol protocol = Protocol.Default; var op = this.CreateProvider(); IndirectSignedResponse response = this.CreateResponseWithExtensions(protocol); op.Channel.PrepareResponse(response); ITamperResistantOpenIdMessage signedResponse = (ITamperResistantOpenIdMessage)response; string extensionAliasKey = signedResponse.ExtraData.Single(kv => kv.Value == MockOpenIdExtension.MockTypeUri).Key; Assert.IsTrue(extensionAliasKey.StartsWith("openid.ns.")); string extensionAlias = extensionAliasKey.Substring("openid.ns.".Length); // Make sure that the extension members and the alias=namespace declaration are all signed. Assert.IsNotNull(signedResponse.SignedParameterOrder); string[] signedParameters = signedResponse.SignedParameterOrder.Split(','); Assert.IsTrue(signedParameters.Contains(extensionAlias + ".Part")); Assert.IsTrue(signedParameters.Contains(extensionAlias + ".data")); Assert.IsTrue(signedParameters.Contains("ns." + extensionAlias)); }
/// <summary> /// Gets the association to use to sign or verify a message. /// </summary> /// <param name="signedMessage">The message to sign or verify.</param> /// <returns>The association to use to sign or verify the message.</returns> private Association GetAssociation(ITamperResistantOpenIdMessage signedMessage) { if (this.IsOnProvider) { // We're on a Provider to either sign (smart/dumb) or verify a dumb signature. return(this.GetSpecificAssociation(signedMessage) ?? this.GetDumbAssociationForSigning()); } else { // We're on a Relying Party verifying a signature. IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage; if (this.rpAssociations != null) { return(this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle)); } else { return(null); } } }
/// <summary> /// Gets the value to use for the openid.signed parameter. /// </summary> /// <param name="signedMessage">The signable message.</param> /// <returns> /// A comma-delimited list of parameter names, omitting the 'openid.' prefix, that determines /// the inclusion and order of message parts that will be signed. /// </returns> private string GetSignedParameterOrder(ITamperResistantOpenIdMessage signedMessage) { RequiresEx.ValidState(this.Channel != null); Requires.NotNull(signedMessage, "signedMessage"); Protocol protocol = Protocol.Lookup(signedMessage.Version); MessageDescription description = this.Channel.MessageDescriptions.Get(signedMessage); var signedParts = from part in description.Mapping.Values where (part.RequiredProtection & System.Net.Security.ProtectionLevel.Sign) != 0 && part.GetValue(signedMessage) != null select part.Name; string prefix = Protocol.V20.openid.Prefix; ErrorUtilities.VerifyInternal(signedParts.All(name => name.StartsWith(prefix, StringComparison.Ordinal)), "All signed message parts must start with 'openid.'."); if (this.opSecuritySettings.SignOutgoingExtensions) { // Tack on any ExtraData parameters that start with 'openid.'. List <string> extraSignedParameters = new List <string>(signedMessage.ExtraData.Count); foreach (string key in signedMessage.ExtraData.Keys) { if (key.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)) { extraSignedParameters.Add(key); } else { Logger.Signatures.DebugFormat("The extra parameter '{0}' will not be signed because it does not start with 'openid.'.", key); } } signedParts = signedParts.Concat(extraSignedParameters); } int skipLength = prefix.Length; string signedFields = string.Join(",", signedParts.Select(name => name.Substring(skipLength)).ToArray()); return(signedFields); }
/// <summary> /// Gets a dictionary of all the message part names and values /// that are included in the message signature. /// </summary> /// <returns>A dictionary of the signed message parts.</returns> internal IDictionary <string, string> GetSignedMessageParts() { ITamperResistantOpenIdMessage signedSelf = this; if (signedSelf.SignedParameterOrder == null) { return(EmptyDictionary <string, string> .Instance); } MessageDictionary messageDictionary = new MessageDictionary(this); string[] signedPartNamesWithoutPrefix = signedSelf.SignedParameterOrder.Split(','); Dictionary <string, string> signedParts = new Dictionary <string, string>(signedPartNamesWithoutPrefix.Length); var signedPartNames = signedPartNamesWithoutPrefix.Select(part => Protocol.openid.Prefix + part); foreach (string partName in signedPartNames) { signedParts[partName] = messageDictionary[partName]; } return(signedParts); }
public void SignaturesMatchKnownGood() { Protocol protocol = Protocol.V20; var settings = new ProviderSecuritySettings(); var store = new AssociationMemoryStore <AssociationRelyingPartyType>(); byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M="); Association association = HmacShaAssociation.Create("mock", associationSecret, TimeSpan.FromDays(1)); store.StoreAssociation(AssociationRelyingPartyType.Smart, association); SigningBindingElement signer = new SigningBindingElement(store, settings); signer.Channel = new TestChannel(this.MessageDescriptions); IndirectSignedResponse message = new IndirectSignedResponse(protocol.Version, new Uri("http://rp")); ITamperResistantOpenIdMessage signedMessage = message; message.ProviderEndpoint = new Uri("http://provider"); signedMessage.UtcCreationDate = DateTime.Parse("1/1/2009"); signedMessage.AssociationHandle = association.Handle; Assert.IsNotNull(signer.ProcessOutgoingMessage(message)); Assert.AreEqual("o9+uN7qTaUS9v0otbHTuNAtbkpBm14+es9QnNo6IHD4=", signedMessage.Signature); }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns> /// The referenced association; or <c>null</c> if such an association cannot be found. /// </returns> protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) { Association association = null; if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) { IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse; // Since we have an association handle, we're either signing with a smart association, // or verifying a dumb one. bool signing = string.IsNullOrEmpty(signedMessage.Signature); bool isPrivateAssociation = !signing; association = this.opAssociations.Deserialize(signedMessage, isPrivateAssociation, signedMessage.AssociationHandle); if (association == null) { // There was no valid association with the requested handle. // Let's tell the RP to forget about that association. signedMessage.InvalidateHandle = signedMessage.AssociationHandle; signedMessage.AssociationHandle = null; } } return(association); }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns>The referenced association; or <c>null</c> if such an association cannot be found.</returns> /// <remarks> /// If the association handle set in the message does not match any valid association, /// the association handle property is cleared, and the /// <see cref="ITamperResistantOpenIdMessage.InvalidateHandle"/> property is set to the /// handle that could not be found. /// </remarks> private Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) { Association association = null; if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) { IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse; if (this.IsOnProvider) { // Since we have an association handle, we're either signing with a smart association, // or verifying a dumb one. bool signing = string.IsNullOrEmpty(signedMessage.Signature); AssociationRelyingPartyType type = signing ? AssociationRelyingPartyType.Smart : AssociationRelyingPartyType.Dumb; association = this.opAssociations.GetAssociation(type, signedMessage.AssociationHandle); if (association == null) { // There was no valid association with the requested handle. // Let's tell the RP to forget about that association. signedMessage.InvalidateHandle = signedMessage.AssociationHandle; signedMessage.AssociationHandle = null; } } else if (this.rpAssociations != null) { // if on a smart RP Uri providerEndpoint = indirectSignedMessage.ProviderEndpoint; association = this.rpAssociations.GetAssociation(providerEndpoint, signedMessage.AssociationHandle); } } return association; }
/// <summary> /// Gets the association to use to sign or verify a message. /// </summary> /// <param name="signedMessage">The message to sign or verify.</param> /// <returns>The association to use to sign or verify the message.</returns> private Association GetAssociation(ITamperResistantOpenIdMessage signedMessage) { Contract.Requires<ArgumentNullException>(signedMessage != null); if (this.IsOnProvider) { // We're on a Provider to either sign (smart/dumb) or verify a dumb signature. bool signing = string.IsNullOrEmpty(signedMessage.Signature); if (signing) { // If the RP has no replay protection, coerce use of a private association // instead of a shared one (if security settings indicate) // to protect the authenticating user from replay attacks. bool forcePrivateAssociation = this.opSecuritySettings.ProtectDownlevelReplayAttacks && IsRelyingPartyVulnerableToReplays(null, (IndirectSignedResponse)signedMessage); if (forcePrivateAssociation) { if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) { Logger.Signatures.Info("An OpenID 1.x authentication request with a shared association handle will be responded to with a private association in order to provide OP-side replay protection."); } return this.GetDumbAssociationForSigning(); } else { return this.GetSpecificAssociation(signedMessage) ?? this.GetDumbAssociationForSigning(); } } else { return this.GetSpecificAssociation(signedMessage); } } else { // We're on a Relying Party verifying a signature. IDirectedProtocolMessage directedMessage = (IDirectedProtocolMessage)signedMessage; if (this.rpAssociations != null) { return this.rpAssociations.GetAssociation(directedMessage.Recipient, signedMessage.AssociationHandle); } else { return null; } } }
/// <summary> /// Gets the value to use for the openid.signed parameter. /// </summary> /// <param name="signedMessage">The signable message.</param> /// <returns> /// A comma-delimited list of parameter names, omitting the 'openid.' prefix, that determines /// the inclusion and order of message parts that will be signed. /// </returns> private string GetSignedParameterOrder(ITamperResistantOpenIdMessage signedMessage) { Contract.Requires<InvalidOperationException>(this.Channel != null); Contract.Requires<ArgumentNullException>(signedMessage != null); Protocol protocol = Protocol.Lookup(signedMessage.Version); MessageDescription description = this.Channel.MessageDescriptions.Get(signedMessage); var signedParts = from part in description.Mapping.Values where (part.RequiredProtection & System.Net.Security.ProtectionLevel.Sign) != 0 && part.GetValue(signedMessage) != null select part.Name; string prefix = Protocol.V20.openid.Prefix; ErrorUtilities.VerifyInternal(signedParts.All(name => name.StartsWith(prefix, StringComparison.Ordinal)), "All signed message parts must start with 'openid.'."); if (this.opSecuritySettings.SignOutgoingExtensions) { // Tack on any ExtraData parameters that start with 'openid.'. List<string> extraSignedParameters = new List<string>(signedMessage.ExtraData.Count); foreach (string key in signedMessage.ExtraData.Keys) { if (key.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)) { extraSignedParameters.Add(key); } else { Logger.Signatures.DebugFormat("The extra parameter '{0}' will not be signed because it does not start with 'openid.'.", key); } } signedParts = signedParts.Concat(extraSignedParameters); } int skipLength = prefix.Length; string signedFields = string.Join(",", signedParts.Select(name => name.Substring(skipLength)).ToArray()); return signedFields; }
/// <summary> /// Calculates the signature for a given message. /// </summary> /// <param name="signedMessage">The message to sign or verify.</param> /// <param name="association">The association to use to sign the message.</param> /// <returns>The calculated signature of the method.</returns> private string GetSignature(ITamperResistantOpenIdMessage signedMessage, Association association) { Contract.Requires<ArgumentNullException>(signedMessage != null); Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(signedMessage.SignedParameterOrder)); Contract.Requires<ArgumentNullException>(association != null); // Prepare the parts to sign, taking care to replace an openid.mode value // of check_authentication with its original id_res so the signature matches. MessageDictionary dictionary = this.Channel.MessageDescriptions.GetAccessor(signedMessage); var parametersToSign = from name in signedMessage.SignedParameterOrder.Split(',') let prefixedName = Protocol.V20.openid.Prefix + name select new KeyValuePair<string, string>(name, dictionary[prefixedName]); byte[] dataToSign = KeyValueFormEncoding.GetBytes(parametersToSign); string signature = Convert.ToBase64String(association.Sign(dataToSign)); if (Logger.Signatures.IsDebugEnabled) { Logger.Signatures.DebugFormat( "Signing these message parts: {0}{1}{0}Base64 representation of signed data: {2}{0}Signature: {3}", Environment.NewLine, parametersToSign.ToStringDeferred(), Convert.ToBase64String(dataToSign), signature); } return signature; }
/// <summary> /// Ensures that all message parameters that must be signed are in fact included /// in the signature. /// </summary> /// <param name="signedMessage">The signed message.</param> private void EnsureParametersRequiringSignatureAreSigned(ITamperResistantOpenIdMessage signedMessage) { // Verify that the signed parameter order includes the mandated fields. // We do this in such a way that derived classes that add mandated fields automatically // get included in the list of checked parameters. Protocol protocol = Protocol.Lookup(signedMessage.Version); var partsRequiringProtection = from part in this.Channel.MessageDescriptions.Get(signedMessage).Mapping.Values where part.RequiredProtection != ProtectionLevel.None where part.IsRequired || part.IsNondefaultValueSet(signedMessage) select part.Name; ErrorUtilities.VerifyInternal(partsRequiringProtection.All(name => name.StartsWith(protocol.openid.Prefix, StringComparison.Ordinal)), "Signing only works when the parameters start with the 'openid.' prefix."); string[] signedParts = signedMessage.SignedParameterOrder.Split(','); var unsignedParts = from partName in partsRequiringProtection where !signedParts.Contains(partName.Substring(protocol.openid.Prefix.Length)) select partName; ErrorUtilities.VerifyProtocol(!unsignedParts.Any(), OpenIdStrings.SignatureDoesNotIncludeMandatoryParts, string.Join(", ", unsignedParts.ToArray())); }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns>The referenced association; or <c>null</c> if such an association cannot be found.</returns> /// <remarks> /// If the association handle set in the message does not match any valid association, /// the association handle property is cleared, and the /// <see cref="ITamperResistantOpenIdMessage.InvalidateHandle"/> property is set to the /// handle that could not be found. /// </remarks> protected abstract Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage);
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns> /// The applied protections. /// </returns> protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) { throw new NotImplementedException(); }
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns> /// The applied protections. /// </returns> protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) { // If we're on the Provider, then the RP sent us a check_auth with a signature // we don't have an association for. (It may have expired, or it may be a faulty RP). throw new InvalidSignatureException(message); }
/// <summary> /// Calculates the signature for a given message. /// </summary> /// <param name="signedMessage">The message to sign or verify.</param> /// <param name="association">The association to use to sign the message.</param> /// <returns>The calculated signature of the method.</returns> private string GetSignature(ITamperResistantOpenIdMessage signedMessage, Association association) { ErrorUtilities.VerifyArgumentNotNull(signedMessage, "signedMessage"); ErrorUtilities.VerifyNonZeroLength(signedMessage.SignedParameterOrder, "signedMessage.SignedParameterOrder"); ErrorUtilities.VerifyArgumentNotNull(association, "association"); // Prepare the parts to sign, taking care to replace an openid.mode value // of check_authentication with its original id_res so the signature matches. MessageDictionary dictionary = this.Channel.MessageDescriptions.GetAccessor(signedMessage); var parametersToSign = from name in signedMessage.SignedParameterOrder.Split(',') let prefixedName = Protocol.V20.openid.Prefix + name select new KeyValuePair<string, string>(name, dictionary[prefixedName]); byte[] dataToSign = KeyValueFormEncoding.GetBytes(parametersToSign); string signature = Convert.ToBase64String(association.Sign(dataToSign)); if (Logger.Signatures.IsDebugEnabled) { Logger.Signatures.DebugFormat( CultureInfo.InvariantCulture, "Signing these message parts: {0}{1}{0}Base64 representation of signed data: {2}{0}Signature: {3}", Environment.NewLine, parametersToSign.ToStringDeferred(), Convert.ToBase64String(dataToSign), signature); } return signature; }
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns>The applied protections.</returns> protected abstract Task <MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken);
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns> /// The applied protections. /// </returns> protected override MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) { // We did not recognize the association the provider used to sign the message. // Ask the provider to check the signature then. var indirectSignedResponse = (IndirectSignedResponse)signedMessage; var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel); var checkSignatureResponse = this.Channel.Request <CheckAuthenticationResponse>(checkSignatureRequest); if (!checkSignatureResponse.IsValid) { Logger.Bindings.Error("Provider reports signature verification failed."); throw new InvalidSignatureException(message); } // If the OP confirms that a handle should be invalidated as well, do that. if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) { if (this.rpAssociations != null) { this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle); } } // When we're in dumb mode we can't provide our own replay protection, // but for OpenID 2.0 Providers we can rely on them providing it as part // of signature verification. if (message.Version.Major >= 2) { protectionsApplied |= MessageProtections.ReplayProtection; } return(protectionsApplied); }
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns> /// The applied protections. /// </returns> protected override Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken) { // If we're on the Provider, then the RP sent us a check_auth with a signature // we don't have an association for. (It may have expired, or it may be a faulty RP). var tcs = new TaskCompletionSource<MessageProtections>(); tcs.SetException(new InvalidSignatureException(message)); return tcs.Task; }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns> /// The referenced association; or <c>null</c> if such an association cannot be found. /// </returns> protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) { Association association = null; if (!string.IsNullOrEmpty(signedMessage.AssociationHandle)) { IndirectSignedResponse indirectSignedMessage = signedMessage as IndirectSignedResponse; // Since we have an association handle, we're either signing with a smart association, // or verifying a dumb one. bool signing = string.IsNullOrEmpty(signedMessage.Signature); bool isPrivateAssociation = !signing; association = this.opAssociations.Deserialize(signedMessage, isPrivateAssociation, signedMessage.AssociationHandle); if (association == null) { // There was no valid association with the requested handle. // Let's tell the RP to forget about that association. signedMessage.InvalidateHandle = signedMessage.AssociationHandle; signedMessage.AssociationHandle = null; } } return association; }
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns> /// The applied protections. /// </returns> protected override Task <MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken) { // If we're on the Provider, then the RP sent us a check_auth with a signature // we don't have an association for. (It may have expired, or it may be a faulty RP). var tcs = new TaskCompletionSource <MessageProtections>(); tcs.SetException(new InvalidSignatureException(message)); return(tcs.Task); }
/// <summary> /// Gets a specific association referenced in a given message's association handle. /// </summary> /// <param name="signedMessage">The signed message whose association handle should be used to lookup the association to return.</param> /// <returns> /// The referenced association; or <c>null</c> if such an association cannot be found. /// </returns> protected override Association GetSpecificAssociation(ITamperResistantOpenIdMessage signedMessage) { Requires.NotNull(signedMessage, "signedMessage"); throw new NotImplementedException(); }
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <returns>The applied protections.</returns> protected abstract MessageProtections VerifySignatureByUnrecognizedHandle(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied);
/// <summary> /// Verifies the signature by unrecognized handle. /// </summary> /// <param name="message">The message.</param> /// <param name="signedMessage">The signed message.</param> /// <param name="protectionsApplied">The protections applied.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns>The applied protections.</returns> protected abstract Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken);