private BodyWriter ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
{
ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;
byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(),
SecurityUtils.GetChannelBindingFromMessage(incomingMessage),
ExtendedProtectionPolicy);
if (sspiNegotiation.IsValidContext == false)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidSspiNegotiation)), incomingMessage);
}
// if there is no blob to send back the nego must be complete from the server side
if (outgoingBlob == null && sspiNegotiation.IsCompleted == false)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.NoBinaryNegoToSend)), incomingMessage);
}
BinaryNegotiation outgoingBinaryNegotiation;
if (outgoingBlob != null)
{
outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
}
else
{
outgoingBinaryNegotiation = null;
}
BodyWriter replyBody;
if (sspiNegotiation.IsCompleted)
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = ValidateSspiNegotiation(sspiNegotiation);
SecurityContextSecurityToken serviceToken;
WrappedKeySecurityToken proofToken;
int issuedKeySize;
IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize);
negotiationState.SetServiceToken(serviceToken);
SecurityKeyIdentifierClause externalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
SecurityKeyIdentifierClause internalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);
RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context,
KeySize = issuedKeySize,
TokenType = SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
dummyRstr.RequestedUnattachedReference = externalTokenReference;
dummyRstr.RequestedAttachedReference = internalTokenReference;
dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo);
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
{
dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(
negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(
negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
}
}
dummyRstr.MakeReadOnly();
AddToDigest(negotiationState, dummyRstr, false);
RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(StandardsManager)
{
RequestedSecurityToken = serviceToken,
RequestedProofToken = proofToken,
Context = negotiationState.Context,
KeySize = issuedKeySize,
TokenType = SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
negotiationRstr.RequestedAttachedReference = internalTokenReference;
negotiationRstr.RequestedUnattachedReference = externalTokenReference;
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
{
negotiationRstr.SetAppliesTo <EndpointAddress10>(
EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>(
EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
}
}
negotiationRstr.MakeReadOnly();
byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes());
RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context
};
authenticatorRstr.SetAuthenticator(authenticator);
authenticatorRstr.MakeReadOnly();
List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2)
{
negotiationRstr,
authenticatorRstr
};
replyBody = new RequestSecurityTokenResponseCollection(rstrList, StandardsManager);
}
else
{
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context
};
rstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
rstr.MakeReadOnly();
AddToDigest(negotiationState, rstr, false);
replyBody = rstr;
}
return(replyBody);
}
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, (object)recipientRequirement));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable <EndpointAddress> propertyOrDefault = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, (IMessageFilterTable <EndpointAddress>)null);
if (!flag)
{
sctResolver = (SecurityTokenResolver) new SecurityContextSecurityTokenResolver(int.MaxValue, false);
return((SecurityTokenAuthenticator) new SecuritySessionSecurityTokenAuthenticator()
{
BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement),
IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver,
IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
KeyEntropyMode = securityBindingElement.KeyEntropyMode,
ListenUri = recipientRequirement.ListenUri,
SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
SessionTokenLifetime = TimeSpan.MaxValue,
KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval,
StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this),
EndpointFilterTable = propertyOrDefault,
MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations,
NegotiationTimeout = localServiceSettings.NegotiationTimeout,
PreserveBootstrapTokens = preserveBootstrapTokens
});
}
throw new NotImplementedException();
/*
* sctResolver = (SecurityTokenResolver)new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
* AcceleratedTokenAuthenticator tokenAuthenticator = new AcceleratedTokenAuthenticator();
* tokenAuthenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement);
* tokenAuthenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
* tokenAuthenticator.EncryptStateInServiceToken = true;
* tokenAuthenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
* tokenAuthenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
* tokenAuthenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
* tokenAuthenticator.ListenUri = recipientRequirement.ListenUri;
* tokenAuthenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
* tokenAuthenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this);
* tokenAuthenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
* tokenAuthenticator.KnownTypes = (IList<System.Type>)this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
* tokenAuthenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
* tokenAuthenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
* tokenAuthenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
* tokenAuthenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
* tokenAuthenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
* // tokenAuthenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
* // tokenAuthenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
* // tokenAuthenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
* tokenAuthenticator.EndpointFilterTable = propertyOrDefault;
* return (SecurityTokenAuthenticator)tokenAuthenticator;*/
}
internal static WindowsIdentity CloneWindowsIdentityIfNecessary(WindowsIdentity wid)
{
return(SecurityUtils.CloneWindowsIdentityIfNecessary(wid, null));
}
private void SignWithSupportingTokens()
{
SecurityToken[] endorsingTokens = this.elementContainer.GetEndorsingSupportingTokens();
if (endorsingTokens != null)
{
for (int i = 0; i < endorsingTokens.Length; ++i)
{
SecurityToken source = endorsingTokens[i];
SecurityKeyIdentifierClause sourceKeyClause = endorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(endorsingTokenParameters[i]));
if (sourceKeyClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyClause;
if (endorsingTokenParameters[i].RequireDerivedKeys && !endorsingTokenParameters[i].HasAsymmetricKey)
{
string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0,
this.AlgorithmSuite.GetSignatureKeyDerivationLength(source, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId());
signingToken = dkt;
signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType());
this.elementContainer.AddEndorsingDerivedSupportingToken(dkt);
}
else
{
signingToken = source;
signingKeyClause = sourceKeyClause;
}
SignWithSupportingToken(signingToken, signingKeyClause);
}
}
SecurityToken[] signedEndorsingSupportingTokens = this.elementContainer.GetSignedEndorsingSupportingTokens();
if (signedEndorsingSupportingTokens != null)
{
for (int i = 0; i < signedEndorsingSupportingTokens.Length; ++i)
{
SecurityToken source = signedEndorsingSupportingTokens[i];
SecurityKeyIdentifierClause sourceKeyClause = signedEndorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(signedEndorsingTokenParameters[i]));
if (sourceKeyClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyClause;
if (signedEndorsingTokenParameters[i].RequireDerivedKeys && !signedEndorsingTokenParameters[i].HasAsymmetricKey)
{
string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0,
this.AlgorithmSuite.GetSignatureKeyDerivationLength(source, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId());
signingToken = dkt;
signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType());
this.elementContainer.AddSignedEndorsingDerivedSupportingToken(dkt);
}
else
{
signingToken = source;
signingKeyClause = sourceKeyClause;
}
SignWithSupportingToken(signingToken, signingKeyClause);
}
}
}
private void StartEncryption()
{
if (this.elementContainer.SourceEncryptionToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceEncryptingKeyReferenceStyle = GetTokenReferenceStyle(this.encryptingTokenParameters);
bool encryptionTokenSerialized = sourceEncryptingKeyReferenceStyle == SecurityTokenReferenceStyle.Internal;
SecurityKeyIdentifierClause sourceEncryptingKeyIdentifierClause = this.encryptingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceEncryptionToken, sourceEncryptingKeyReferenceStyle);
if (sourceEncryptingKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), this.Message);
}
SecurityToken sourceToken;
SecurityKeyIdentifierClause sourceTokenIdentifierClause;
// if the source token cannot do symmetric crypto, create a wrapped key
if (!SecurityUtils.HasSymmetricSecurityKey(elementContainer.SourceEncryptionToken))
{
int keyLength = Math.Max(128, this.AlgorithmSuite.DefaultSymmetricKeyLength);
CryptoHelper.ValidateSymmetricKeyLength(keyLength, this.AlgorithmSuite);
byte[] key = new byte[keyLength / 8];
CryptoHelper.FillRandomBytes(key);
string keyWrapAlgorithm;
XmlDictionaryString keyWrapAlgorithmDictionaryString;
this.AlgorithmSuite.GetKeyWrapAlgorithm(elementContainer.SourceEncryptionToken, out keyWrapAlgorithm, out keyWrapAlgorithmDictionaryString);
WrappedKeySecurityToken wrappedKey = new WrappedKeySecurityToken(GenerateId(), key, keyWrapAlgorithm, keyWrapAlgorithmDictionaryString,
elementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(sourceEncryptingKeyIdentifierClause));
elementContainer.WrappedEncryptionToken = wrappedKey;
sourceToken = wrappedKey;
sourceTokenIdentifierClause = new LocalIdKeyIdentifierClause(wrappedKey.Id, wrappedKey.GetType());
encryptionTokenSerialized = true;
}
else
{
sourceToken = elementContainer.SourceEncryptionToken;
sourceTokenIdentifierClause = sourceEncryptingKeyIdentifierClause;
}
// determine if a key needs to be derived
SecurityKeyIdentifierClause encryptingKeyIdentifierClause;
// determine if a token needs to be derived
if (this.encryptingTokenParameters.RequireDerivedKeys)
{
string derivationAlgorithm = this.AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (derivationAlgorithm == expectedDerivationAlgorithm)
{
DerivedKeySecurityToken derivedEncryptingToken = new DerivedKeySecurityToken(-1, 0,
this.AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, sourceToken, sourceTokenIdentifierClause, derivationAlgorithm, GenerateId());
this.encryptingToken = this.elementContainer.DerivedEncryptionToken = derivedEncryptingToken;
encryptingKeyIdentifierClause = new LocalIdKeyIdentifierClause(derivedEncryptingToken.Id, derivedEncryptingToken.GetType());
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm)));
}
}
else
{
this.encryptingToken = sourceToken;
encryptingKeyIdentifierClause = sourceTokenIdentifierClause;
}
this.skipKeyInfoForEncryption = encryptionTokenSerialized && this.EncryptedKeyContainsReferenceList && (this.encryptingToken is WrappedKeySecurityToken) && this.signThenEncrypt;
SecurityKeyIdentifier identifier;
if (this.skipKeyInfoForEncryption)
{
identifier = null;
}
else
{
identifier = new SecurityKeyIdentifier(encryptingKeyIdentifierClause);
}
StartEncryptionCore(this.encryptingToken, identifier);
}
protected override void ReadCipherData(XmlDictionaryReader reader, long maxBufferSize)
{
this.cipherText = SecurityUtils.ReadContentAsBase64(reader, maxBufferSize);
}
