public override Type GetTokenType(SecurityKeyIdentifierClause clause) { return(null); }
/// <summary> /// <see cref="Saml2SecurityToken.MatchesKeyIdentifierClause"/> /// </summary> /// <param name="keyIdentifierClause"></param> /// <returns>Returns true if there is a normal match or if the id is <see cref="EncryptedAssertionId"/></returns> public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause) { return(base.MatchesKeyIdentifierClause(keyIdentifierClause) || OioWsTrust.EncryptedAssertionId == keyIdentifierClause.Id); }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { key = ResolveSecurityKeyCore(keyIdentifierClause, true); return(key != null); }
// This method returns a security key identifier that can be used to refer to the provided security token when // the provided token does not appear in the message private SecurityKeyIdentifier GetExternalSecurityKeyIdentifier(SecurityToken t) { // If t is null, we're toast if (t == null) { throw new ArgumentNullException("t"); } // Set skiClause to null SecurityKeyIdentifierClause skiClause = null; // Try for an encrypted key reference first... if (t.CanCreateKeyIdentifierClause <EncryptedKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using EncryptedKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <EncryptedKeyIdentifierClause>(); } // ... kerb token reference next... else if (t.CanCreateKeyIdentifierClause <KerberosTicketHashKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using KerberosTicketHashKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <KerberosTicketHashKeyIdentifierClause>(); } // ... X509 thumbprint next... else if (t.CanCreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using X509ThumbprintKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } // ... X509 raw reference next... else if (t.CanCreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using X509RawDataKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>(); } // ... X509 SKI next... else if (t.CanCreateKeyIdentifierClause <X509SubjectKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using X509SubjectKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause>(); } // ... try for a binary secret... else if (t.CanCreateKeyIdentifierClause <BinarySecretKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using BinarySecretKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <BinarySecretKeyIdentifierClause>(); } // ... then a X509IssuerSerial reference ... else if (t.CanCreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using X509IssuerSerialKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } // ... then a SAML assertion reference... else if (t.CanCreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using SamlAssertionKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>(); } // ... then an RSA key reference... else if (t.CanCreateKeyIdentifierClause <RsaKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using RsaKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <RsaKeyIdentifierClause>(); } // ... then a key name reference... else if (t.CanCreateKeyIdentifierClause <KeyNameIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using KeyNameIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <KeyNameIdentifierClause>(); } // ... and finally an SCT reference... else if (t.CanCreateKeyIdentifierClause <SecurityContextKeyIdentifierClause>()) { Console.WriteLine("GetExternalSecurityKeyIdentifier using SecurityContextKeyIdentifierClause"); skiClause = t.CreateKeyIdentifierClause <SecurityContextKeyIdentifierClause>(); } // return a SecurityKeyIdentifier return(new SecurityKeyIdentifier(skiClause)); }
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause result = null; switch (this.x509ReferenceStyle) { default: case X509KeyIdentifierClauseType.Any: if (referenceStyle == SecurityTokenReferenceStyle.External) { X509SecurityToken x509Token = token as X509SecurityToken; if (x509Token != null) { X509SubjectKeyIdentifierClause x509KeyIdentifierClause; if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } else { X509WindowsSecurityToken windowsX509Token = token as X509WindowsSecurityToken; if (windowsX509Token != null) { X509SubjectKeyIdentifierClause x509KeyIdentifierClause; if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } } if (result == null) { result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } if (result == null) { result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } } else { result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>(); } break; case X509KeyIdentifierClauseType.Thumbprint: result = this.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.SubjectKeyIdentifier: result = this.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.IssuerSerial: result = this.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.RawDataKeyIdentifier: result = this.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; } return(result); }
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { token = ResolveToken(keyIdentifierClause, false, true); return(token != null); }
BodyWriter ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego) { ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation; byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(), SecurityUtils.GetChannelBindingFromMessage(incomingMessage), this.extendedProtectionPolicy); if (sspiNegotiation.IsValidContext == false) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)), incomingMessage); } // if there is no blob to send back the nego must be complete from the server side if (outgoingBlob == null && sspiNegotiation.IsCompleted == false) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoBinaryNegoToSend)), incomingMessage); } BinaryNegotiation outgoingBinaryNegotiation; if (outgoingBlob != null) { outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob); } else { outgoingBinaryNegotiation = null; } BodyWriter replyBody; if (sspiNegotiation.IsCompleted) { ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = ValidateSspiNegotiation(sspiNegotiation); SecurityContextSecurityToken serviceToken; WrappedKeySecurityToken proofToken; int issuedKeySize; IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize); negotiationState.SetServiceToken(serviceToken); SecurityKeyIdentifierClause externalTokenReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External); SecurityKeyIdentifierClause internalTokenReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal); RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(this.StandardsManager); dummyRstr.Context = negotiationState.Context; dummyRstr.KeySize = issuedKeySize; dummyRstr.TokenType = this.SecurityContextTokenUri; if (outgoingBinaryNegotiation != null) { dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation); } dummyRstr.RequestedUnattachedReference = externalTokenReference; dummyRstr.RequestedAttachedReference = internalTokenReference; dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo); if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10) { dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress( negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004) { dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress( negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing))); } } dummyRstr.MakeReadOnly(); AddToDigest(negotiationState, dummyRstr, false); RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(this.StandardsManager); negotiationRstr.RequestedSecurityToken = serviceToken; negotiationRstr.RequestedProofToken = proofToken; negotiationRstr.Context = negotiationState.Context; negotiationRstr.KeySize = issuedKeySize; negotiationRstr.TokenType = this.SecurityContextTokenUri; if (outgoingBinaryNegotiation != null) { negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation); } negotiationRstr.RequestedAttachedReference = internalTokenReference; negotiationRstr.RequestedUnattachedReference = externalTokenReference; if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10) { negotiationRstr.SetAppliesTo <EndpointAddress10>( EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004) { negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>( EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing))); } } negotiationRstr.MakeReadOnly(); byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes()); RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(this.StandardsManager); authenticatorRstr.Context = negotiationState.Context; authenticatorRstr.SetAuthenticator(authenticator); authenticatorRstr.MakeReadOnly(); List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2); rstrList.Add(negotiationRstr); rstrList.Add(authenticatorRstr); replyBody = new RequestSecurityTokenResponseCollection(rstrList, this.StandardsManager); } else { RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(this.StandardsManager); rstr.Context = negotiationState.Context; rstr.SetBinaryNegotiation(outgoingBinaryNegotiation); rstr.MakeReadOnly(); AddToDigest(negotiationState, rstr, false); replyBody = rstr; } return(replyBody); }
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token) { token = null; key = null; CertMatcher certMatcher = null; // for SAML tokens the highest probability are certs, with RawData first X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause; if (rawCertKeyIdentifierClause != null) { certMatcher = rawCertKeyIdentifierClause.Matches; } else { X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause; if (subjectKeyIdentifierClause != null) { certMatcher = subjectKeyIdentifierClause.Matches; } else { X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause; if (thumbprintKeyIdentifierClause != null) { certMatcher = thumbprintKeyIdentifierClause.Matches; } else { X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause; if (issuerKeyIdentifierClause != null) { certMatcher = issuerKeyIdentifierClause.Matches; } } } } if (_validationParameters.IssuerSigningKeyResolver != null) { key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters); if (key != null) { this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningKey != null) { if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token)) { key = _validationParameters.IssuerSigningKey; this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningKeys != null) { foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys) { if (Matches(keyIdentifierClause, securityKey, certMatcher, out token)) { key = securityKey; this.IsKeyMatched = true; break; } } } if (_validationParameters.IssuerSigningToken != null) { if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause)) { token = _validationParameters.IssuerSigningToken; key = token.SecurityKeys[0]; this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningTokens != null) { foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens) { if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause)) { token = issuerToken; key = token.SecurityKeys[0]; this.IsKeyMatched = true; break; } } } return(this.IsKeyMatched); }
protected override bool CanWriteKeyIdentifierClauseCore(SecurityKeyIdentifierClause keyIdentifierClause) { throw new NotImplementedException(); }
protected override void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause) { throw new NotImplementedException(); }
internal bool TryCreateKeyIdentifierClauseFromTokenXml(XmlElement element, SecurityTokenReferenceStyle tokenReferenceStyle, out SecurityKeyIdentifierClause securityKeyIdentifierClause) { return(this.WSSecurityTokenSerializer.TryCreateKeyIdentifierClauseFromTokenXml(element, tokenReferenceStyle, out securityKeyIdentifierClause)); }
internal protected virtual bool MatchesKeyIdentifierClause(SecurityToken token, SecurityKeyIdentifierClause keyIdentifierClause, SecurityTokenReferenceStyle referenceStyle) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(token)); } if (token is GenericXmlSecurityToken) { return(MatchesGenericXmlTokenKeyIdentifierClause(token, keyIdentifierClause, referenceStyle)); } bool result; switch (referenceStyle) { default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException( SR.Format(SR.TokenDoesNotSupportKeyIdentifierClauseCreation, token.GetType().Name, referenceStyle))); case SecurityTokenReferenceStyle.External: if (keyIdentifierClause is LocalIdKeyIdentifierClause) { result = false; } else { result = token.MatchesKeyIdentifierClause(keyIdentifierClause); } break; case SecurityTokenReferenceStyle.Internal: result = token.MatchesKeyIdentifierClause(keyIdentifierClause); break; } return(result); }
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause) { BinarySecretKeyIdentifierClause objB = keyIdentifierClause as BinarySecretKeyIdentifierClause; return(object.ReferenceEquals(this, objB) || ((objB != null) && objB.Matches(base.GetRawBuffer()))); }
public virtual SecurityToken CreateDerivedKeyToken(string id, string derivationAlgorithm, string label, int length, byte[] nonce, int offset, int generation, SecurityKeyIdentifierClause tokenToDeriveIdentifier, SecurityToken tokenToDerive) { return(this.derivedKeyEntry.CreateDerivedKeyToken(id, derivationAlgorithm, label, length, nonce, offset, generation, tokenToDeriveIdentifier, tokenToDerive)); }
public RequestSecurityTokenResponse(XmlElement requestSecurityTokenResponseXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed) : this(SecurityStandardsManager.DefaultInstance, requestSecurityTokenResponseXml, context, tokenType, keySize, requestedAttachedReference, requestedUnattachedReference, computeKey, validFrom, validTo, isRequestedTokenClosed, null) { }
public abstract void WriteContent(XmlDictionaryWriter writer, SecurityKeyIdentifierClause clause);
public RequestSecurityTokenResponse(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer securityTokenSerializer, XmlElement requestSecurityTokenResponseXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed) : this(System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(messageSecurityVersion, securityTokenSerializer), requestSecurityTokenResponseXml, context, tokenType, keySize, requestedAttachedReference, requestedUnattachedReference, computeKey, validFrom, validTo, isRequestedTokenClosed, null) { }
/// <summary> /// Returns a <see cref="SecurityKey"/> that matches the <see cref="SecurityKeyIdentifierClause"/> /// </summary> /// <param name="keyIdentifierClause">clause to match.</param> /// <param name="key">key to assign.</param> /// <returns>true if matched.</returns> protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { SecurityToken token = null; return(ResolvesToSigningToken(keyIdentifierClause, out key, out token)); }
internal RequestSecurityTokenResponse(SecurityStandardsManager standardsManager, XmlElement rstrXml, string context, string tokenType, int keySize, SecurityKeyIdentifierClause requestedAttachedReference, SecurityKeyIdentifierClause requestedUnattachedReference, bool computeKey, DateTime validFrom, DateTime validTo, bool isRequestedTokenClosed, XmlBuffer issuedTokenBuffer) : base(true) { this.thisLock = new object(); if (standardsManager == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("standardsManager")); } this.standardsManager = standardsManager; if (rstrXml == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstrXml"); } this.rstrXml = rstrXml; this.context = context; this.tokenType = tokenType; this.keySize = keySize; this.requestedAttachedReference = requestedAttachedReference; this.requestedUnattachedReference = requestedUnattachedReference; this.computeKey = computeKey; this.effectiveTime = validFrom.ToUniversalTime(); this.expirationTime = validTo.ToUniversalTime(); this.isLifetimeSet = true; this.isRequestedTokenClosed = isRequestedTokenClosed; this.issuedTokenBuffer = issuedTokenBuffer; this.isReceiver = true; this.isReadOnly = true; }
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } SecurityToken resolvedToken = null; for (int i = 0; i < this.tokenCount; i++) { if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External) { continue; } SecurityToken token = tokens[i].Token; if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle)) { resolvedToken = token; break; } else if (tokens[i].TokenParameters == null) { // match it according to the allowed reference style if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause)) { resolvedToken = token; break; } } } if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause)) { EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier; SecurityToken unwrappingToken; if (this.expectedWrapper != null && CheckExternalWrapperMatch(wrappingTokenReference)) { unwrappingToken = this.expectedWrapper; } else { unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause); } if (unwrappingToken != null) { resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken); } } if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause)) { resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData())); } byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce(); if ((resolvedToken != null) && (derivationNonce != null)) { // A Implicit Derived Key is specified. Create a derived key off of the resolve token. if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null) { // The resolved token contains no Symmetric Security key and thus we cannot create // a derived key off of it. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken))); } int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength; if (derivationLength > this.securityHeader.MaxDerivedKeyLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength))); } bool alreadyDerived = false; for (int i = 0; i < this.tokenCount; ++i) { DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken; if (derivedKeyToken != null) { if ((derivedKeyToken.Length == derivationLength) && (CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) && (derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause))) { // This is a implcit derived key for which we have already derived the // token. resolvedToken = this.tokens[i].Token; alreadyDerived = true; break; } } } if (!alreadyDerived) { string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion); resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId()); ((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength); Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null); this.securityHeader.EnsureDerivedKeyLimitNotReached(); } } return(resolvedToken); }
protected abstract bool CanWriteKeyIdentifierClauseCore(SecurityKeyIdentifierClause keyIdentifierClause);
internal bool TryResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternalTokens, bool resolveIntrinsicKeyClause, out SecurityToken token) { token = ResolveToken(keyIdentifierClause, matchOnlyExternalTokens, resolveIntrinsicKeyClause); return(token != null); }
protected abstract void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause);
void ExtractSecurity() { if (security.MessageProtectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature && wss_header.Find <SignedXml> () != null) { throw new MessageSecurityException("The security binding element expects that the message signature is encrypted, while it isn't."); } WrappedKeySecurityToken wk = wss_header.Find <WrappedKeySecurityToken> (); DerivedKeySecurityToken dk = wss_header.Find <DerivedKeySecurityToken> (); if (wk != null) { if (Parameters.RequireDerivedKeys && dk == null) { throw new MessageSecurityException("DerivedKeyToken is required in this contract, but was not found in the message"); } } else { // FIXME: this is kind of hack for symmetric reply processing. wk = RequestSecurity.ProtectionToken != null ? RequestSecurity.ProtectionToken.SecurityToken as WrappedKeySecurityToken : null; } SymmetricSecurityKey wkkey = wk != null ? wk.SecurityKeys [0] as SymmetricSecurityKey : null; wss_header_reader.DecryptSecurity(this, wkkey, RequestSecurity != null ? RequestSecurity.EncryptionKey : null); // signature confirmation WSSignedXml sxml = wss_header.Find <WSSignedXml> (); if (sxml == null) { throw new MessageSecurityException("The the message signature is expected but not found."); } bool confirmed = false; SecurityKeyIdentifierClause sigClause = null; foreach (KeyInfoClause kic in sxml.KeyInfo) { SecurityTokenReferenceKeyInfo r = kic as SecurityTokenReferenceKeyInfo; if (r != null) { sigClause = r.Clause; } } if (sigClause == null) { throw new MessageSecurityException("SecurityTokenReference was not found in dsig:Signature KeyInfo."); } SecurityToken signToken; SecurityKey signKey; signToken = TokenResolver.ResolveToken(sigClause); signKey = signToken.ResolveKeyIdentifierClause(sigClause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = sxml.CheckSignature(new HMACSHA1(symkey.GetSymmetricKey())); if (wk != null) { // FIXME: authenticate token sec_prop.ProtectionToken = new SecurityTokenSpecification(wk, null); } } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, false); confirmed = sxml.CheckSignature(alg); sec_prop.InitiatorToken = new SecurityTokenSpecification( signToken, security.TokenAuthenticator.ValidateToken(signToken)); } if (!confirmed) { throw new MessageSecurityException("Message signature is invalid."); } // token authentication // FIXME: it might not be limited to recipient if (Direction == MessageDirection.Input) { ProcessSupportingTokens(sxml); } sec_prop.EncryptionKey = ((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey(); sec_prop.ConfirmedSignatures.Add(Convert.ToBase64String(sxml.SignatureValue)); }
public abstract void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause);
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { throw new NotImplementedException(); }
public abstract Type GetTokenType(SecurityKeyIdentifierClause clause);
public override bool SupportsCore(SecurityKeyIdentifierClause clause) { return(clause is SecurityContextKeyIdentifierClause); }
public abstract bool SupportsCore(SecurityKeyIdentifierClause clause);
public virtual bool Matches(SecurityKeyIdentifierClause keyIdentifierClause) { return ReferenceEquals(this, keyIdentifierClause); }
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive) { this.derivedKeyEntry.ReadDerivedKeyTokenParameters(reader, tokenResolver, out id, out derivationAlgorithm, out label, out length, out nonce, out offset, out generation, out tokenToDeriveIdentifier, out tokenToDerive); }