protected void ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, ref Message message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = this.factory.DetectReplays; securityHeader.SetTimeParameters(this.factory.NonceCache, this.factory.ReplayWindow, this.factory.MaxClockSkew); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.factory.ExtendedProtectionPolicy); if (this.factory.AddTimestamp && securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader))); } if (requiredSigningToken != null && requiredSigningToken != securityHeader.SignatureToken) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ReplyWasNotSignedWithRequiredSigningToken)), message); } if (this.DoAutomaticEncryptionMatch) { SecurityUtils.EnsureExpectedSymmetricMatch(securityHeader.SignatureToken, securityHeader.EncryptionToken, message); } if (securityHeader.MaintainSignatureConfirmationState && this.factory.ActAsInitiator) { CheckSignatureConfirmation(securityHeader, correlationStates); } message = securityHeader.ProcessedMessage; }
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList); if (supportingAuthenticators != null && supportingAuthenticators.Count > 0) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = this.Factory.DetectReplays; securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew); // do not enforce key derivation requirement for Cancel messages due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.RequiredTimestampMissingInSecurityHeader))); } bool didSessionSctEndorse = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i) { SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken); if (signingSct != null && signingSct.ContextId == this.sessionId) { didSessionSctEndorse = true; break; } } } if (!didSessionSctEndorse) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.NoSessionTokenPresentInMessage))); } message = securityHeader.ProcessedMessage; AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); base.OnIncomingMessageVerified(message); }
protected override void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { string actor = string.Empty; ReceiveSecurityHeader securityHeader = this.Factory.StandardsManager.CreateReceiveSecurityHeader(message, actor, this.Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = this.Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = base.GetSupportingTokenAuthenticatorsAndSetExpectationFlags(this.Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> outOfBandResolvers = base.MergeOutOfBandResolvers(supportingAuthenticators, this.sessionTokenResolverList); if ((supportingAuthenticators != null) && (supportingAuthenticators.Count > 0)) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, this.sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = this.sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(outOfBandResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper helper = new TimeoutHelper(timeout); securityHeader.SetTimeParameters(this.Factory.NonceCache, this.Factory.ReplayWindow, this.Factory.MaxClockSkew); securityHeader.EnforceDerivedKeyRequirement = message.Headers.Action != this.Factory.StandardsManager.SecureConversationDriver.CloseAction.Value; securityHeader.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), this.Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("RequiredTimestampMissingInSecurityHeader"))); } bool flag = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; i++) { SecurityContextSecurityToken token = securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken; if ((token != null) && (token.ContextId == this.sessionId)) { flag = true; break; } } } if (!flag) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSessionTokenPresentInMessage"))); } message = securityHeader.ProcessedMessage; base.AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); base.OnIncomingMessageVerified(message); }
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { bool flag; bool flag2; bool flag3; TransportSecurityProtocolFactory securityProtocolFactory = (TransportSecurityProtocolFactory)base.SecurityProtocolFactory; string actor = string.Empty; ReceiveSecurityHeader header = securityProtocolFactory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, securityProtocolFactory.IncomingAlgorithmSuite, securityProtocolFactory.ActAsInitiator ? MessageDirection.Output : MessageDirection.Input); IList <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = securityProtocolFactory.GetSupportingTokenAuthenticators(message.Headers.Action, out flag3, out flag, out flag2); if (header == null) { bool flag4 = (flag2 || flag3) || flag; if ((securityProtocolFactory.ActAsInitiator && (!securityProtocolFactory.AddTimestamp || securityProtocolFactory.SecurityBindingElement.EnableUnsecuredResponse)) || ((!securityProtocolFactory.ActAsInitiator && !securityProtocolFactory.AddTimestamp) && !flag4)) { return; } if (string.IsNullOrEmpty(actor)) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessageNoActor")), message); } throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToFindSecurityHeaderInMessage", new object[] { actor })), message); } header.RequireMessageProtection = false; header.ExpectBasicTokens = flag; header.ExpectSignedTokens = flag3; header.ExpectEndorsingTokens = flag2; header.MaxReceivedMessageSize = securityProtocolFactory.SecurityBindingElement.MaxReceivedMessageSize; header.ReaderQuotas = securityProtocolFactory.SecurityBindingElement.ReaderQuotas; TimeoutHelper helper = new TimeoutHelper(timeout); if (!securityProtocolFactory.ActAsInitiator) { header.ConfigureTransportBindingServerReceiveHeader(supportingTokenAuthenticators); header.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(supportingTokenAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (securityProtocolFactory.ExpectKeyDerivation) { header.DerivedTokenAuthenticator = securityProtocolFactory.DerivedKeyTokenAuthenticator; } } header.SetTimeParameters(securityProtocolFactory.NonceCache, securityProtocolFactory.ReplayWindow, securityProtocolFactory.MaxClockSkew); header.Process(helper.RemainingTime(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(message), securityProtocolFactory.ExtendedProtectionPolicy); message = header.ProcessedMessage; if (!securityProtocolFactory.ActAsInitiator) { this.AttachRecipientSecurityProperty(message, header.BasicSupportingTokens, header.EndorsingSupportingTokens, header.SignedEndorsingSupportingTokens, header.SignedSupportingTokens, header.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(message); }
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout) { TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)this.SecurityProtocolFactory; string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input); bool expectBasicTokens; bool expectEndorsingTokens; bool expectSignedTokens; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action, out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens); if (securityHeader == null) { bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens; if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) || (!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens)) { return; } else { if (String.IsNullOrEmpty(actor)) { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessageNoActor)), message); } else { throw System.ServiceModel.Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToFindSecurityHeaderInMessage, actor)), message); } } } securityHeader.RequireMessageProtection = false; securityHeader.ExpectBasicTokens = expectBasicTokens; securityHeader.ExpectSignedTokens = expectSignedTokens; securityHeader.ExpectEndorsingTokens = expectEndorsingTokens; securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize; securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); if (!factory.ActAsInitiator) { securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance)); if (factory.ExpectKeyDerivation) { securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator; } } securityHeader.ReplayDetectionEnabled = factory.DetectReplays; securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew); securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy); message = securityHeader.ProcessedMessage; if (!factory.ActAsInitiator) { AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } base.OnIncomingMessageVerified(message); }