public override void OnOpen(TimeSpan timeout) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); base.OnOpen(timeoutHelper.RemainingTime()); if (this.Factory.ActAsInitiator) { // 1. Create a token requirement for the provider InitiatorServiceModelSecurityTokenRequirement tokenProviderRequirement = CreateInitiatorTokenRequirement(); // 2. Create a provider SecurityTokenProvider tokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(tokenProviderRequirement); SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, timeoutHelper.RemainingTime()); if (this.Factory.SecurityTokenParameters.HasAsymmetricKey) { this.initiatorAsymmetricTokenProvider = tokenProvider; } else { this.initiatorSymmetricTokenProvider = tokenProvider; } // 3. Create a token requirement for authenticator InitiatorServiceModelSecurityTokenRequirement tokenAuthenticatorRequirement = CreateInitiatorTokenRequirement(); // 4. Create authenticator (we dont support out of band resolvers on the client side SecurityTokenResolver outOfBandTokenResolver; this.initiatorTokenAuthenticator = this.Factory.SecurityTokenManager.CreateSecurityTokenAuthenticator(tokenAuthenticatorRequirement, out outOfBandTokenResolver); SecurityUtils.OpenTokenAuthenticatorIfRequired(this.initiatorTokenAuthenticator, timeoutHelper.RemainingTime()); } }
internal void Open(string propertyName, bool requiredForForwardDirection, SecurityTokenAuthenticator authenticator, TimeSpan timeout) { if (authenticator != null) { SecurityUtils.OpenTokenAuthenticatorIfRequired(authenticator, timeout); } else { OnPropertySettingsError(propertyName, requiredForForwardDirection); } }
public override void OnOpen(TimeSpan timeout) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); if (this.ClientTokenProvider != null) { SecurityUtils.OpenTokenProviderIfRequired(this.ClientTokenProvider, timeoutHelper.RemainingTime()); } if (this.ServerTokenAuthenticator != null) { SecurityUtils.OpenTokenAuthenticatorIfRequired(this.ServerTokenAuthenticator, timeoutHelper.RemainingTime()); } base.OnOpen(timeoutHelper.RemainingTime()); }
public override void OnOpen(TimeSpan timeout) { if (this.serverTokenProvider == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.NoServerX509TokenProvider))); } TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); SecurityUtils.OpenTokenProviderIfRequired(this.serverTokenProvider, timeoutHelper.RemainingTime()); if (this.clientTokenAuthenticator != null) { SecurityUtils.OpenTokenAuthenticatorIfRequired(this.clientTokenAuthenticator, timeoutHelper.RemainingTime()); } SecurityToken token = this.serverTokenProvider.GetToken(timeoutHelper.RemainingTime()); this.serverToken = ValidateX509Token(token); base.OnOpen(timeoutHelper.RemainingTime()); }
public override void OnOpen(TimeSpan timeout) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); base.OnOpen(timeoutHelper.RemainingTime()); if (this.Factory.ActAsInitiator) { if (this.Factory.ApplyIntegrity) { InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement(); this.Factory.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output; this.initiatorCryptoTokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(requirement); SecurityUtils.OpenTokenProviderIfRequired(this.initiatorCryptoTokenProvider, timeoutHelper.RemainingTime()); } if (this.Factory.RequireIntegrity || this.Factory.ApplyConfidentiality) { InitiatorServiceModelSecurityTokenRequirement providerRequirement = CreateInitiatorSecurityTokenRequirement(); this.Factory.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(providerRequirement); providerRequirement.KeyUsage = SecurityKeyUsage.Exchange; providerRequirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.Factory.ApplyConfidentiality) ? MessageDirection.Output : MessageDirection.Input; this.initiatorAsymmetricTokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(providerRequirement); SecurityUtils.OpenTokenProviderIfRequired(this.initiatorAsymmetricTokenProvider, timeoutHelper.RemainingTime()); InitiatorServiceModelSecurityTokenRequirement authenticatorRequirement = CreateInitiatorSecurityTokenRequirement(); this.Factory.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(authenticatorRequirement); authenticatorRequirement.IsOutOfBandToken = !this.Factory.AllowSerializedSigningTokenOnReply; authenticatorRequirement.KeyUsage = SecurityKeyUsage.Exchange; authenticatorRequirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.Factory.ApplyConfidentiality) ? MessageDirection.Output : MessageDirection.Input; // Create authenticator (we dont support out of band resolvers on the client side SecurityTokenResolver outOfBandTokenResolver; this.initiatorAsymmetricTokenAuthenticator = this.Factory.SecurityTokenManager.CreateSecurityTokenAuthenticator(authenticatorRequirement, out outOfBandTokenResolver); SecurityUtils.OpenTokenAuthenticatorIfRequired(this.initiatorAsymmetricTokenAuthenticator, timeoutHelper.RemainingTime()); } } }
public virtual void OnOpen(TimeSpan timeout) { if (this.SecurityBindingElement == null) { this.OnPropertySettingsError("SecurityBindingElement", true); } if (this.SecurityTokenManager == null) { this.OnPropertySettingsError("SecurityTokenManager", true); } _messageSecurityVersion = _standardsManager.MessageSecurityVersion; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); _expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply; _expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply; if (!_actAsInitiator) { AddSupportingTokenAuthenticators(_securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification); // validate the token authenticator types and create a merged map if needed. if (!_channelSupportingTokenAuthenticatorSpecification.IsReadOnly) { if (_channelSupportingTokenAuthenticatorSpecification.Count == 0) { _channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators; } else { _expectSupportingTokens = true; foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in _channelSupportingTokenAuthenticatorSpecification) { SecurityUtils.OpenTokenAuthenticatorIfRequired(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.RemainingTime()); if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey) { _expectKeyDerivation = true; } } SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode; if (mode == SecurityTokenAttachmentMode.SignedEncrypted || mode == SecurityTokenAttachmentMode.Signed || mode == SecurityTokenAttachmentMode.SignedEndorsing) { _expectChannelSignedTokens = true; if (mode == SecurityTokenAttachmentMode.SignedEncrypted) { _expectChannelBasicTokens = true; } } if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing) { _expectChannelEndorsingTokens = true; } } _channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification); } } VerifyTypeUniqueness(_channelSupportingTokenAuthenticatorSpecification); MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime()); } if (this.DetectReplays) { if (!this.SupportsReplayDetection) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this)); } if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely)); } // If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache. if (_nonceCache == null) { // The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays _nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces); } } _derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>(); }
private void MergeSupportingTokenAuthenticators(TimeSpan timeout) { if (_scopedSupportingTokenAuthenticatorSpecification.Count == 0) { _mergedSupportingTokenAuthenticatorsMap = null; } else { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); _expectSupportingTokens = true; _mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>(); foreach (string action in _scopedSupportingTokenAuthenticatorSpecification.Keys) { ICollection <SupportingTokenAuthenticatorSpecification> scopedAuthenticators = _scopedSupportingTokenAuthenticatorSpecification[action]; if (scopedAuthenticators == null || scopedAuthenticators.Count == 0) { continue; } Collection <SupportingTokenAuthenticatorSpecification> mergedAuthenticators = new Collection <SupportingTokenAuthenticatorSpecification>(); bool expectSignedTokens = _expectChannelSignedTokens; bool expectBasicTokens = _expectChannelBasicTokens; bool expectEndorsingTokens = _expectChannelEndorsingTokens; foreach (SupportingTokenAuthenticatorSpecification spec in _channelSupportingTokenAuthenticatorSpecification) { mergedAuthenticators.Add(spec); } foreach (SupportingTokenAuthenticatorSpecification spec in scopedAuthenticators) { SecurityUtils.OpenTokenAuthenticatorIfRequired(spec.TokenAuthenticator, timeoutHelper.RemainingTime()); mergedAuthenticators.Add(spec); if (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey) { _expectKeyDerivation = true; } } SecurityTokenAttachmentMode mode = spec.SecurityTokenAttachmentMode; if (mode == SecurityTokenAttachmentMode.SignedEncrypted || mode == SecurityTokenAttachmentMode.Signed || mode == SecurityTokenAttachmentMode.SignedEndorsing) { expectSignedTokens = true; if (mode == SecurityTokenAttachmentMode.SignedEncrypted) { expectBasicTokens = true; } } if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing) { expectEndorsingTokens = true; } } VerifyTypeUniqueness(mergedAuthenticators); MergedSupportingTokenAuthenticatorSpecification mergedSpec = new MergedSupportingTokenAuthenticatorSpecification(); mergedSpec.SupportingTokenAuthenticators = mergedAuthenticators; mergedSpec.ExpectBasicTokens = expectBasicTokens; mergedSpec.ExpectEndorsingTokens = expectEndorsingTokens; mergedSpec.ExpectSignedTokens = expectSignedTokens; _mergedSupportingTokenAuthenticatorsMap.Add(action, mergedSpec); } } }