public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : base(token, tokenPolicies) { SecurityTokenAttachmentModeHelper.Validate(attachmentMode); _tokenAttachmentMode = attachmentMode; _tokenParameters = tokenParameters; }
internal static bool IsDefined(SecurityTokenAttachmentMode value) { return value == SecurityTokenAttachmentMode.Endorsing || value == SecurityTokenAttachmentMode.Signed || value == SecurityTokenAttachmentMode.SignedEncrypted || value == SecurityTokenAttachmentMode.SignedEndorsing; }
internal static void Validate(SecurityTokenAttachmentMode value) { if (!IsDefined(value)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("value", (int)value, typeof(SecurityTokenAttachmentMode))); } }
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) { SecurityTokenAttachmentModeHelper.Validate(attachmentMode); TokenProvider = tokenProvider ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenProvider)); SecurityTokenAttachmentMode = attachmentMode; TokenParameters = tokenParameters ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenParameters)); }
internal static void Categorize(SecurityTokenAttachmentMode value, out bool isBasic, out bool isSignedButNotBasic, out ReceiveSecurityHeaderBindingModes mode) { Validate(value); switch (value) { case SecurityTokenAttachmentMode.Signed: isBasic = false; isSignedButNotBasic = true; mode = ReceiveSecurityHeaderBindingModes.Signed; return; case SecurityTokenAttachmentMode.Endorsing: isBasic = false; isSignedButNotBasic = false; mode = ReceiveSecurityHeaderBindingModes.Endorsing; return; case SecurityTokenAttachmentMode.SignedEndorsing: isBasic = false; isSignedButNotBasic = true; mode = ReceiveSecurityHeaderBindingModes.SignedEndorsing; return; case SecurityTokenAttachmentMode.SignedEncrypted: isBasic = true; isSignedButNotBasic = false; mode = ReceiveSecurityHeaderBindingModes.Basic; return; } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value")); }
private void AddSignatureReference(SecurityToken token, int position, SecurityTokenAttachmentMode mode) { SecurityKeyIdentifierClause keyIdentifierClause = null; bool strTransformEnabled = ShouldUseStrTransformForToken(token, position, mode, out keyIdentifierClause); AddTokenSignatureReference(token, keyIdentifierClause, strTransformEnabled); }
internal static void Categorize(SecurityTokenAttachmentMode value, out bool isBasic, out bool isSignedButNotBasic, out ReceiveSecurityHeaderBindingModes mode) { SecurityTokenAttachmentModeHelper.Validate(value); switch (value) { case SecurityTokenAttachmentMode.Endorsing: isBasic = false; isSignedButNotBasic = false; mode = ReceiveSecurityHeaderBindingModes.Endorsing; break; case SecurityTokenAttachmentMode.Signed: isBasic = false; isSignedButNotBasic = true; mode = ReceiveSecurityHeaderBindingModes.Signed; break; case SecurityTokenAttachmentMode.SignedEncrypted: isBasic = true; isSignedButNotBasic = false; mode = ReceiveSecurityHeaderBindingModes.Basic; break; case SecurityTokenAttachmentMode.SignedEndorsing: isBasic = false; isSignedButNotBasic = true; mode = ReceiveSecurityHeaderBindingModes.SignedEndorsing; break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value")); } }
internal static bool IsDefined(SecurityTokenAttachmentMode value) { return(value == SecurityTokenAttachmentMode.Endorsing || value == SecurityTokenAttachmentMode.Signed || value == SecurityTokenAttachmentMode.SignedEncrypted || value == SecurityTokenAttachmentMode.SignedEndorsing); }
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude) { // fast path if (!this.HasIncomingSupportingTokens) { if (_transportToken != null && _initiatorToken == null && _protectionToken == null) { if (includeTransportToken && _transportToken.SecurityTokenPolicies != null) { return(_transportToken.SecurityTokenPolicies); } else { return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } } else if (_transportToken == null && _initiatorToken != null && _protectionToken == null) { return(_initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } else if (_transportToken == null && _initiatorToken == null && _protectionToken != null) { return(_protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } } Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>(); if (includeTransportToken) { AddAuthorizationPolicies(_transportToken, policies); } AddAuthorizationPolicies(_initiatorToken, policies); AddAuthorizationPolicies(_protectionToken, policies); if (this.HasIncomingSupportingTokens) { for (int i = 0; i < _incomingSupportingTokens.Count; ++i) { if (supportingSessionTokenToExclude != null) { SecurityContextSecurityToken sct = _incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken; if (sct != null && sct.ContextId == supportingSessionTokenToExclude.ContextId) { continue; } } SecurityTokenAttachmentMode attachmentMode = _incomingSupportingTokens[i].SecurityTokenAttachmentMode; // a safety net in case more attachment modes get added to the product without // reviewing this code. if (attachmentMode == SecurityTokenAttachmentMode.Endorsing || attachmentMode == SecurityTokenAttachmentMode.Signed || attachmentMode == SecurityTokenAttachmentMode.SignedEncrypted || attachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { AddAuthorizationPolicies(_incomingSupportingTokens[i], policies); } } } return(new ReadOnlyCollection <IAuthorizationPolicy>(policies)); }
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : base(token, tokenPolicies) { SecurityTokenAttachmentModeHelper.Validate(attachmentMode); this.tokenAttachmentMode = attachmentMode; this.tokenParameters = tokenParameters; }
public SupportingTokenInfo(SecurityToken token, SecurityTokenAttachmentMode mode, bool isOptional) { Token = token; Mode = mode; IsOptional = isOptional; }
internal static bool IsDefined(SecurityTokenAttachmentMode value) { if (((value != SecurityTokenAttachmentMode.Endorsing) && (value != SecurityTokenAttachmentMode.Signed)) && (value != SecurityTokenAttachmentMode.SignedEncrypted)) { return(value == SecurityTokenAttachmentMode.SignedEndorsing); } return(true); }
public SupportingTokenSpecification ( SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode) : base (token, tokenPolicies) { mode = attachmentMode; }
public SupportingTokenSpecification( SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode) : base(token, tokenPolicies) { mode = attachmentMode; }
internal static void Validate(SecurityTokenAttachmentMode value) { if (!IsDefined(value)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("value", (int)value, typeof(SecurityTokenAttachmentMode))); } }
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional) { SecurityTokenAttachmentModeHelper.Validate(attachmentMode); TokenAuthenticator = tokenAuthenticator ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenAuthenticator)); TokenResolver = securityTokenResolver; SecurityTokenAttachmentMode = attachmentMode; TokenParameters = tokenParameters ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenParameters)); IsTokenOptional = isTokenOptional; }
private void AddSignatureReference(SecurityToken[] tokens, SecurityTokenAttachmentMode mode) { if (tokens != null) { for (int i = 0; i < tokens.Length; ++i) { AddSignatureReference(tokens[i], i, mode); } } }
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) { if (tokenProvider == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenProvider"); } SecurityTokenAttachmentModeHelper.Validate(attachmentMode); if (tokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters"); } _tokenProvider = tokenProvider; _tokenAttachmentMode = attachmentMode; _tokenParameters = tokenParameters; }
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) { if (tokenProvider == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenProvider"); } SecurityTokenAttachmentModeHelper.Validate(attachmentMode); if (tokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters"); } _tokenProvider = tokenProvider; _tokenAttachmentMode = attachmentMode; _tokenParameters = tokenParameters; }
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional) { if (tokenAuthenticator == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenAuthenticator"); } SecurityTokenAttachmentModeHelper.Validate(attachmentMode); if (tokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters"); } this.tokenAuthenticator = tokenAuthenticator; this.tokenResolver = securityTokenResolver; this.tokenAttachmentMode = attachmentMode; this.tokenParameters = tokenParameters; this.isTokenOptional = isTokenOptional; }
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional) { if (tokenAuthenticator == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenAuthenticator"); } SecurityTokenAttachmentModeHelper.Validate(attachmentMode); if (tokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters"); } _tokenAuthenticator = tokenAuthenticator; _tokenResolver = securityTokenResolver; _tokenAttachmentMode = attachmentMode; _tokenParameters = tokenParameters; _isTokenOptional = isTokenOptional; }
public SupportingTokenSpecification(System.IdentityModel.Tokens.SecurityToken token, System.Collections.ObjectModel.ReadOnlyCollection<System.IdentityModel.Policy.IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, System.ServiceModel.Security.Tokens.SecurityTokenParameters tokenParameters) : base (default(System.IdentityModel.Tokens.SecurityToken), default(System.Collections.ObjectModel.ReadOnlyCollection<System.IdentityModel.Policy.IAuthorizationPolicy>)) { }
private void AddSupportingTokenSpecification(SecurityMessageProperty security, IList<SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary<SecurityToken, ReadOnlyCollection<IAuthorizationPolicy>> tokenPoliciesMapping) { if ((tokens != null) && (tokens.Count != 0)) { for (int i = 0; i < tokens.Count; i++) { security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode)); } } }
void AddSupportingTokenSpecification(SecurityMessageProperty security, IList<SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary<SecurityToken, ReadOnlyCollection<IAuthorizationPolicy>> tokenPoliciesMapping) { if (tokens == null || tokens.Count == 0) { return; } for (int i = 0; i < tokens.Count; ++i) { security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode)); } }
void ValidateTokensByParameters (IEnumerable<SecurityTokenParameters> plist, List<SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode) { foreach (SecurityTokenParameters p in plist) { SecurityTokenResolver r; SecurityTokenAuthenticator a = security.CreateTokenAuthenticator (p, out r); SupportingTokenSpecification spec = ValidateTokensByParameters (a, r, tokens); if (spec == null) { if (optional) continue; else throw new MessageSecurityException (String.Format ("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode)); } else { // For endorsing tokens, verify corresponding signatures. switch (attachMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: WSSignedXml esxml = GetSignatureForToken (spec.SecurityToken); if (esxml == null) throw new MessageSecurityException (String.Format ("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode)); bool confirmed; SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) { SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause (kic.Clause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = esxml.CheckSignature (symkey.GetKeyedHashAlgorithm (suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey) signKey).GetAsymmetricAlgorithm (suite.DefaultAsymmetricSignatureAlgorithm, false); confirmed = esxml.CheckSignature (alg); } if (!confirmed) throw new MessageSecurityException (String.Format ("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode)); break; } sec_prop.ConfirmedSignatures.Insert (0, Convert.ToBase64String (esxml.SignatureValue)); break; } } sec_prop.IncomingSupportingTokens.Add (spec); } }
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode) : this(token, tokenPolicies, attachmentMode, null) { }
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause) { IssuedSecurityTokenParameters tokenParams = null; keyIdentifierClause = null; switch (mode) { case SecurityTokenAttachmentMode.SignedEndorsing: tokenParams = this.signedEndorsingTokenParameters[position] as IssuedSecurityTokenParameters; break; case SecurityTokenAttachmentMode.Signed: tokenParams = this.signedTokenParameters[position] as IssuedSecurityTokenParameters; break; case SecurityTokenAttachmentMode.SignedEncrypted: tokenParams = this.basicSupportingTokenParameters[position] as IssuedSecurityTokenParameters; break; default: return false; } if (tokenParams != null && tokenParams.UseStrTransform) { keyIdentifierClause = tokenParams.CreateKeyIdentifierClause(securityToken, GetTokenReferenceStyle(tokenParams)); if (keyIdentifierClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TokenManagerCannotCreateTokenReference)), this.Message); } return true; } return false; }
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode) { foreach (SecurityTokenParameters p in plist) { SecurityTokenResolver r; SecurityTokenAuthenticator a = security.CreateTokenAuthenticator(p, out r); SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens); if (spec == null) { if (optional) { continue; } else { throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode)); } } else { // For endorsing tokens, verify corresponding signatures. switch (attachMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken); if (esxml == null) { throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode)); } bool confirmed; SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) { SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false); confirmed = esxml.CheckSignature(alg); } if (!confirmed) { throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode)); } break; } sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue)); break; } } sec_prop.IncomingSupportingTokens.Add(spec); } }
void AddSignatureReference(SecurityToken token, int position, SecurityTokenAttachmentMode mode) { SecurityKeyIdentifierClause keyIdentifierClause = null; bool strTransformEnabled = this.ShouldUseStrTransformForToken(token, position, mode, out keyIdentifierClause); AddTokenSignatureReference(token, keyIdentifierClause, strTransformEnabled); }
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false) { }
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause) { keyIdentifierClause = null; return(false); }
public SupportingTokenSpecification(System.IdentityModel.Tokens.SecurityToken token, System.Collections.ObjectModel.ReadOnlyCollection <System.IdentityModel.Policy.IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, System.ServiceModel.Security.Tokens.SecurityTokenParameters tokenParameters) : base(default(System.IdentityModel.Tokens.SecurityToken), default(System.Collections.ObjectModel.ReadOnlyCollection <System.IdentityModel.Policy.IAuthorizationPolicy>)) { }
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause) { keyIdentifierClause = null; IssuedSecurityTokenParameters tokenParams; switch (mode) { case SecurityTokenAttachmentMode.SignedEndorsing: tokenParams = _signedEndorsingTokenParameters[position] as IssuedSecurityTokenParameters; break; case SecurityTokenAttachmentMode.Signed: tokenParams = _signedTokenParameters[position] as IssuedSecurityTokenParameters; break; case SecurityTokenAttachmentMode.SignedEncrypted: tokenParams = _basicSupportingTokenParameters[position] as IssuedSecurityTokenParameters; break; default: return(false); } if (tokenParams != null && tokenParams.UseStrTransform) { keyIdentifierClause = tokenParams.CreateKeyIdentifierClause(securityToken, GetTokenReferenceStyle(tokenParams)); if (keyIdentifierClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message); } return(true); } return(false); }
private InitiatorServiceModelSecurityTokenRequirement CreateInitiatorSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode) { InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(); parameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output; requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode; return(requirement); }
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false) { }
InitiatorServiceModelSecurityTokenRequirement CreateInitiatorSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode) { InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(); parameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output; requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode; return requirement; }
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode) : this(token, tokenPolicies, attachmentMode, null) { }
private void AddSupportingTokenSpecification(SecurityMessageProperty security, IList <SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping) { if (tokens == null || tokens.Count == 0) { return; } for (int i = 0; i < tokens.Count; ++i) { security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode)); } }
void AddSignatureReference(SecurityToken[] tokens, SecurityTokenAttachmentMode mode) { if (tokens != null) { for (int i = 0; i < tokens.Length; ++i) { AddSignatureReference(tokens[i], i, mode); } } }
private RecipientServiceModelSecurityTokenRequirement CreateRecipientSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode) { RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement(); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input; requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode; requirement.Properties[ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy] = _extendedProtectionPolicy; return(requirement); }
// authenticate and map supporting tokens to proper SupportingTokenSpecification list. void ProcessSupportingTokens(SignedXml sxml) { List <SupportingTokenInfo> tokens = new List <SupportingTokenInfo> (); // First, categorize those tokens in the Security // header: // - Endorsing signing // - Signed signed // - SignedEncrypted signed encrypted // - SignedEndorsing signing signed foreach (object obj in wss_header.Contents) { SecurityToken token = obj as SecurityToken; if (token == null) { continue; } bool signed = false, endorsing = false, encrypted = false; // signed foreach (Reference r in sxml.SignedInfo.References) { if (r.Uri.Substring(1) == token.Id) { signed = true; break; } } // FIXME: how to get 'encrypted' state? // FIXME: endorsing SecurityTokenAttachmentMode mode = signed ? encrypted ? SecurityTokenAttachmentMode.SignedEncrypted : endorsing ? SecurityTokenAttachmentMode.SignedEndorsing : SecurityTokenAttachmentMode.Signed : SecurityTokenAttachmentMode.Endorsing; tokens.Add(new SupportingTokenInfo(token, mode, false)); } // then, // 1. validate every mandatory supporting token // parameters (Endpoint-, Operation-). To do that, // iterate all tokens in the header against every // parameter in the mandatory list. // 2. validate every token that is not validated. // To do that, iterate all supporting token parameters // and check if any of them can validate it. SupportingTokenParameters supp; string action = GetAction(); ValidateTokensByParameters(security.Element.EndpointSupportingTokenParameters, tokens, false); if (security.Element.OperationSupportingTokenParameters.TryGetValue(action, out supp)) { ValidateTokensByParameters(supp, tokens, false); } ValidateTokensByParameters(security.Element.OptionalEndpointSupportingTokenParameters, tokens, true); if (security.Element.OptionalOperationSupportingTokenParameters.TryGetValue(action, out supp)) { ValidateTokensByParameters(supp, tokens, true); } }
private void MergeSupportingTokenAuthenticators(TimeSpan timeout) { if (this.scopedSupportingTokenAuthenticatorSpecification.Count == 0) { this.mergedSupportingTokenAuthenticatorsMap = null; } else { TimeoutHelper helper = new TimeoutHelper(timeout); this.expectSupportingTokens = true; this.mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>(); foreach (string str in this.scopedSupportingTokenAuthenticatorSpecification.Keys) { ICollection <SupportingTokenAuthenticatorSpecification> is2 = this.scopedSupportingTokenAuthenticatorSpecification[str]; if ((is2 != null) && (is2.Count != 0)) { Collection <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = new Collection <SupportingTokenAuthenticatorSpecification>(); bool expectChannelSignedTokens = this.expectChannelSignedTokens; bool expectChannelBasicTokens = this.expectChannelBasicTokens; bool expectChannelEndorsingTokens = this.expectChannelEndorsingTokens; foreach (SupportingTokenAuthenticatorSpecification specification in this.channelSupportingTokenAuthenticatorSpecification) { supportingTokenAuthenticators.Add(specification); } foreach (SupportingTokenAuthenticatorSpecification specification2 in is2) { System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(specification2.TokenAuthenticator, helper.RemainingTime()); supportingTokenAuthenticators.Add(specification2); if (((specification2.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (specification2.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) && (specification2.TokenParameters.RequireDerivedKeys && !specification2.TokenParameters.HasAsymmetricKey)) { this.expectKeyDerivation = true; } SecurityTokenAttachmentMode securityTokenAttachmentMode = specification2.SecurityTokenAttachmentMode; switch (securityTokenAttachmentMode) { case SecurityTokenAttachmentMode.SignedEncrypted: case SecurityTokenAttachmentMode.Signed: case SecurityTokenAttachmentMode.SignedEndorsing: expectChannelSignedTokens = true; if (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted) { expectChannelBasicTokens = true; } break; } if ((securityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) { expectChannelEndorsingTokens = true; } } this.VerifyTypeUniqueness(supportingTokenAuthenticators); MergedSupportingTokenAuthenticatorSpecification specification3 = new MergedSupportingTokenAuthenticatorSpecification { SupportingTokenAuthenticators = supportingTokenAuthenticators, ExpectBasicTokens = expectChannelBasicTokens, ExpectEndorsingTokens = expectChannelEndorsingTokens, ExpectSignedTokens = expectChannelSignedTokens }; this.mergedSupportingTokenAuthenticatorsMap.Add(str, specification3); } } } }
private void MergeSupportingTokenAuthenticators(TimeSpan timeout) { if (_scopedSupportingTokenAuthenticatorSpecification.Count == 0) { _mergedSupportingTokenAuthenticatorsMap = null; } else { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); _expectSupportingTokens = true; _mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>(); foreach (string action in _scopedSupportingTokenAuthenticatorSpecification.Keys) { ICollection <SupportingTokenAuthenticatorSpecification> scopedAuthenticators = _scopedSupportingTokenAuthenticatorSpecification[action]; if (scopedAuthenticators == null || scopedAuthenticators.Count == 0) { continue; } Collection <SupportingTokenAuthenticatorSpecification> mergedAuthenticators = new Collection <SupportingTokenAuthenticatorSpecification>(); bool expectSignedTokens = _expectChannelSignedTokens; bool expectBasicTokens = _expectChannelBasicTokens; bool expectEndorsingTokens = _expectChannelEndorsingTokens; foreach (SupportingTokenAuthenticatorSpecification spec in _channelSupportingTokenAuthenticatorSpecification) { mergedAuthenticators.Add(spec); } foreach (SupportingTokenAuthenticatorSpecification spec in scopedAuthenticators) { SecurityUtils.OpenTokenAuthenticatorIfRequired(spec.TokenAuthenticator, timeoutHelper.RemainingTime()); mergedAuthenticators.Add(spec); if (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey) { _expectKeyDerivation = true; } } SecurityTokenAttachmentMode mode = spec.SecurityTokenAttachmentMode; if (mode == SecurityTokenAttachmentMode.SignedEncrypted || mode == SecurityTokenAttachmentMode.Signed || mode == SecurityTokenAttachmentMode.SignedEndorsing) { expectSignedTokens = true; if (mode == SecurityTokenAttachmentMode.SignedEncrypted) { expectBasicTokens = true; } } if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing) { expectEndorsingTokens = true; } } VerifyTypeUniqueness(mergedAuthenticators); MergedSupportingTokenAuthenticatorSpecification mergedSpec = new MergedSupportingTokenAuthenticatorSpecification(); mergedSpec.SupportingTokenAuthenticators = mergedAuthenticators; mergedSpec.ExpectBasicTokens = expectBasicTokens; mergedSpec.ExpectEndorsingTokens = expectEndorsingTokens; mergedSpec.ExpectSignedTokens = expectSignedTokens; _mergedSupportingTokenAuthenticatorsMap.Add(action, mergedSpec); } } }
public virtual void OnOpen(TimeSpan timeout) { if (this.SecurityBindingElement == null) { this.OnPropertySettingsError("SecurityBindingElement", true); } if (this.SecurityTokenManager == null) { this.OnPropertySettingsError("SecurityTokenManager", true); } this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion; TimeoutHelper helper = new TimeoutHelper(timeout); this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply; this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply; if (!this.actAsInitiator) { this.AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); foreach (string str in this.securityBindingElement.OperationSupportingTokenParameters.Keys) { Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>(); this.AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[str], false, authenticatorSpecList); this.scopedSupportingTokenAuthenticatorSpecification.Add(str, authenticatorSpecList); } foreach (string str2 in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys) { Collection <SupportingTokenAuthenticatorSpecification> collection2; ICollection <SupportingTokenAuthenticatorSpecification> is2; if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(str2, out is2)) { collection2 = (Collection <SupportingTokenAuthenticatorSpecification>)is2; } else { collection2 = new Collection <SupportingTokenAuthenticatorSpecification>(); this.scopedSupportingTokenAuthenticatorSpecification.Add(str2, collection2); } this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[str2], true, collection2); } if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly) { if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0) { this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators; } else { this.expectSupportingTokens = true; foreach (SupportingTokenAuthenticatorSpecification specification in this.channelSupportingTokenAuthenticatorSpecification) { System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(specification.TokenAuthenticator, helper.RemainingTime()); if (((specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) && (specification.TokenParameters.RequireDerivedKeys && !specification.TokenParameters.HasAsymmetricKey)) { this.expectKeyDerivation = true; } SecurityTokenAttachmentMode securityTokenAttachmentMode = specification.SecurityTokenAttachmentMode; switch (securityTokenAttachmentMode) { case SecurityTokenAttachmentMode.SignedEncrypted: case SecurityTokenAttachmentMode.Signed: case SecurityTokenAttachmentMode.SignedEndorsing: this.expectChannelSignedTokens = true; if (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted) { this.expectChannelBasicTokens = true; } break; } if ((securityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) { this.expectChannelEndorsingTokens = true; } } this.channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); } } this.VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification); this.MergeSupportingTokenAuthenticators(helper.RemainingTime()); } if (this.DetectReplays) { if (!this.SupportsReplayDetection) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", System.ServiceModel.SR.GetString("SecurityProtocolCannotDoReplayDetection", new object[] { this })); } if ((this.MaxClockSkew == TimeSpan.MaxValue) || (this.ReplayWindow == TimeSpan.MaxValue)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("NoncesCachedInfinitely"))); } this.nonceCache = new System.ServiceModel.Security.NonceCache((this.ReplayWindow + this.MaxClockSkew) + this.MaxClockSkew, this.MaxCachedNonces); } this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>(); }
public virtual void OnOpen(TimeSpan timeout) { if (this.SecurityBindingElement == null) { this.OnPropertySettingsError("SecurityBindingElement", true); } if (this.SecurityTokenManager == null) { this.OnPropertySettingsError("SecurityTokenManager", true); } _messageSecurityVersion = _standardsManager.MessageSecurityVersion; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); _expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply; _expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply; if (!_actAsInitiator) { AddSupportingTokenAuthenticators(_securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification); // validate the token authenticator types and create a merged map if needed. if (!_channelSupportingTokenAuthenticatorSpecification.IsReadOnly) { if (_channelSupportingTokenAuthenticatorSpecification.Count == 0) { _channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators; } else { _expectSupportingTokens = true; foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in _channelSupportingTokenAuthenticatorSpecification) { SecurityUtils.OpenTokenAuthenticatorIfRequired(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.RemainingTime()); if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey) { _expectKeyDerivation = true; } } SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode; if (mode == SecurityTokenAttachmentMode.SignedEncrypted || mode == SecurityTokenAttachmentMode.Signed || mode == SecurityTokenAttachmentMode.SignedEndorsing) { _expectChannelSignedTokens = true; if (mode == SecurityTokenAttachmentMode.SignedEncrypted) { _expectChannelBasicTokens = true; } } if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing) { _expectChannelEndorsingTokens = true; } } _channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification); } } VerifyTypeUniqueness(_channelSupportingTokenAuthenticatorSpecification); MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime()); } if (this.DetectReplays) { if (!this.SupportsReplayDetection) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this)); } if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely)); } // If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache. if (_nonceCache == null) { // The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays _nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces); } } _derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>(); }
public virtual Task OnOpenAsync(TimeSpan timeout) { if (this.SecurityBindingElement == null) { this.OnPropertySettingsError("SecurityBindingElement", true); } if (this.SecurityTokenManager == null) { this.OnPropertySettingsError("SecurityTokenManager", true); } this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply; this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply; if (!this.actAsInitiator) { AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); foreach (string action in this.securityBindingElement.OperationSupportingTokenParameters.Keys) { Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>(); AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[action], false, authenticatorSpecList); this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList); } foreach (string action in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys) { Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList; ICollection <SupportingTokenAuthenticatorSpecification> existingList; if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(action, out existingList)) { authenticatorSpecList = ((Collection <SupportingTokenAuthenticatorSpecification>)existingList); } else { authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>(); this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList); } this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[action], true, authenticatorSpecList); } // validate the token authenticator types and create a merged map if needed. if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly) { if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0) { this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators; } else { this.expectSupportingTokens = true; foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in this.channelSupportingTokenAuthenticatorSpecification) { SecurityUtils.OpenTokenAuthenticatorIfRequiredAsync(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.GetCancellationToken()); if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey) { expectKeyDerivation = true; } } SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode; if (mode == SecurityTokenAttachmentMode.SignedEncrypted || mode == SecurityTokenAttachmentMode.Signed || mode == SecurityTokenAttachmentMode.SignedEndorsing) { this.expectChannelSignedTokens = true; if (mode == SecurityTokenAttachmentMode.SignedEncrypted) { this.expectChannelBasicTokens = true; } } if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing) { this.expectChannelEndorsingTokens = true; } } this.channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification); } } VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification); MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime()); } if (this.DetectReplays) { if (!this.SupportsReplayDetection) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this)); } if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely)); } // If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache. if (this.nonceCache == null) { //TODO below (InMemoryNonceCache) is coming along with WindowsAuth, so uncomment // The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays // this.nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces); } } //this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator<DerivedKeySecurityToken>(); return(Task.CompletedTask); }