internal static bool IsMutualCertificateBinding(System.ServiceModel.Channels.SecurityBindingElement sbe, bool p) { Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement); object[] objArray = new object[] { sbe, p }; return((bool)InvokeHelper.InvokeStaticMethod(type, "IsMutualCertificateBinding", objArray)); }
internal static bool IsSslNegotiationBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p, bool p_3) { Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement); object[] objArray = new object[] { bootstrapSecurity, p, p_3 }; return((bool)InvokeHelper.InvokeStaticMethod(type, "IsSslNegotiationBinding", objArray)); }
internal static bool AreBindingsMatching(System.ServiceModel.Channels.SecurityBindingElement securityBindingElement, System.ServiceModel.Channels.SecurityBindingElement sbe) { Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement); object[] objArray = new object[] { securityBindingElement, sbe }; return((bool)InvokeHelper.InvokeStaticMethod(type, "AreBindingsMatching", objArray)); }
internal static bool IsUserNameForSslBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p) { Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement); object[] objArray = new object[] { bootstrapSecurity, p }; return((bool)InvokeHelper.InvokeStaticMethod(type, "IsUserNameForSslBinding", objArray)); }
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this() { if (factory == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory"); } this.actAsInitiator = factory.actAsInitiator; this.addTimestamp = factory.addTimestamp; this.detectReplays = factory.detectReplays; this.incomingAlgorithmSuite = factory.incomingAlgorithmSuite; this.maxCachedNonces = factory.maxCachedNonces; this.maxClockSkew = factory.maxClockSkew; this.outgoingAlgorithmSuite = factory.outgoingAlgorithmSuite; this.replayWindow = factory.replayWindow; this.channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory.channelSupportingTokenAuthenticatorSpecification)); this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory.scopedSupportingTokenAuthenticatorSpecification); this.standardsManager = factory.standardsManager; this.timestampValidityDuration = factory.timestampValidityDuration; this.auditLogLocation = factory.auditLogLocation; this.suppressAuditFailure = factory.suppressAuditFailure; this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel; this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel; if (factory.securityBindingElement != null) { this.securityBindingElement = (System.ServiceModel.Channels.SecurityBindingElement)factory.securityBindingElement.Clone(); } this.securityTokenManager = factory.securityTokenManager; this.privacyNoticeUri = factory.privacyNoticeUri; this.privacyNoticeVersion = factory.privacyNoticeVersion; this.endpointFilterTable = factory.endpointFilterTable; this.extendedProtectionPolicy = factory.extendedProtectionPolicy; }
internal static bool IsCertificateOverTransportBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity) { Type type = typeof(System.ServiceModel.Channels.SecurityBindingElement); object[] objArray = new object[] { bootstrapSecurity }; return((bool)InvokeHelper.InvokeStaticMethod(type, "IsCertificateOverTransportBinding", objArray)); }
internal static bool IsSecureConversationBinding(System.ServiceModel.Channels.SecurityBindingElement sbe, bool requireCancellation, out System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity) { object[] objArray = new object[] { sbe, requireCancellation, null }; bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Channels.SecurityBindingElement), "IsSecureConversationBinding", objArray); bootstrapSecurity = objArray[2] as System.ServiceModel.Channels.SecurityBindingElement; return(flag); }
internal static bool IsIssuedTokenForSslBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p, out System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters infocardParameters) { object[] objArray = new object[] { bootstrapSecurity, p, null }; bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Channels.SecurityBindingElement), "IsIssuedTokenForSslBinding", objArray); infocardParameters = objArray[2] as System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters; return(flag); }
internal SecurityBindingElement(SecurityBindingElement elementToBeCloned) : base(elementToBeCloned) { if (elementToBeCloned == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elementToBeCloned"); } _includeTimestamp = elementToBeCloned._includeTimestamp; _messageSecurityVersion = elementToBeCloned._messageSecurityVersion; _securityHeaderLayout = elementToBeCloned._securityHeaderLayout; _endpointSupportingTokenParameters = elementToBeCloned._endpointSupportingTokenParameters.Clone(); _localClientSettings = elementToBeCloned._localClientSettings.Clone(); _maxReceivedMessageSize = elementToBeCloned._maxReceivedMessageSize; _readerQuotas = elementToBeCloned._readerQuotas; }
void IPolicyImportExtension.ImportPolicy(MetadataImporter importer, PolicyConversionContext policyContext) { if (importer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("importer"); } if (policyContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext"); } WSSecurityPolicy securityPolicy; if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy)) { if ((importer.State != null) && (!importer.State.ContainsKey(MaxPolicyRedirectionsKey))) { importer.State.Add(MaxPolicyRedirectionsKey, this.MaxPolicyRedirections); } SecurityBindingElement sbe = null; bool success = this.TryImportSymmetricSecurityBindingElement(importer, policyContext, out sbe); if (!success) { success = this.TryImportAsymmetricSecurityBindingElement(importer, policyContext, out sbe); } if (!success) { success = this.TryImportTransportSecurityBindingElement(importer, policyContext, out sbe, false); } else { // We already have found and imported the message security binding element above. Hence this could be the dual mode security. // Now let us see if there is HttpsTransportBinding assertion also below it .This is to avoid the // warning messages while importing wsdl representing the message security over Https transport security scenario. See Bug:136416. SecurityBindingElement tbe = null; this.TryImportTransportSecurityBindingElement(importer, policyContext, out tbe, true); } } }
// this method reverses CreateMutualCertificateBindingElement() logic internal static bool IsCertificateOverTransportBinding(SecurityBindingElement sbe) { // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings if (!sbe.IncludeTimestamp) { return(false); } if (!(sbe is TransportSecurityBindingElement)) { return(false); } SupportingTokenParameters parameters = sbe.EndpointSupportingTokenParameters; if (parameters.Signed.Count != 0 || parameters.SignedEncrypted.Count != 0 || parameters.Endorsing.Count != 1 || parameters.SignedEndorsing.Count != 0) { return(false); } throw ExceptionHelper.PlatformNotSupported("SecurityBindingElement.IsCertificateOverTransportBinding is not supported."); }
void IPolicyImportExtension.ImportPolicy(MetadataImporter importer, PolicyConversionContext policyContext) { WSSecurityPolicy policy; if (importer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("importer"); } if (policyContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext"); } if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out policy)) { if ((importer.State != null) && !importer.State.ContainsKey("MaxPolicyRedirections")) { importer.State.Add("MaxPolicyRedirections", this.MaxPolicyRedirections); } SecurityBindingElement sbe = null; bool flag = this.TryImportSymmetricSecurityBindingElement(importer, policyContext, out sbe); if (!flag) { flag = this.TryImportTransportSecurityBindingElement(importer, policyContext, out sbe); } if (!flag) { this.TryImportAsymmetricSecurityBindingElement(importer, policyContext, out sbe); } if (sbe != null) { SecurityElement element2 = new SecurityElement(); element2.InitializeFrom(sbe, false); if (element2.HasImportFailed) { importer.Errors.Add(new MetadataConversionError(System.ServiceModel.SR.GetString("SecurityBindingElementCannotBeExpressedInConfig"), true)); } } } }
internal SecurityBindingElement(SecurityBindingElement other) { alg_suite = other.alg_suite; include_timestamp = other.include_timestamp; key_entropy_mode = other.key_entropy_mode; security_header_layout = other.security_header_layout; msg_security_version = other.msg_security_version; endpoint = other.endpoint.Clone(); opt_endpoint = other.opt_endpoint.Clone(); operation = new Dictionary <string, SupportingTokenParameters> (); foreach (KeyValuePair <string, SupportingTokenParameters> p in other.operation) { operation.Add(p.Key, p.Value.Clone()); } opt_operation = new Dictionary <string, SupportingTokenParameters> (); foreach (KeyValuePair <string, SupportingTokenParameters> p in other.opt_operation) { opt_operation.Add(p.Key, p.Value.Clone()); } client_settings = other.client_settings.Clone(); service_settings = other.service_settings.Clone(); }
/* * /// <summary>Sets a value that indicates whether derived keys are required.</summary> * /// <param name="requireDerivedKeys">true to indicate that derived keys are required; otherwise, false.</param> * public override void SetKeyDerivation(bool requireDerivedKeys) * { * base.SetKeyDerivation(requireDerivedKeys); * if (this.protectionTokenParameters == null) * return; * this.protectionTokenParameters.RequireDerivedKeys = requireDerivedKeys; * } * * internal override bool IsSetKeyDerivation(bool requireDerivedKeys) * { * return base.IsSetKeyDerivation(requireDerivedKeys) && (this.protectionTokenParameters == null || this.protectionTokenParameters.RequireDerivedKeys == requireDerivedKeys); * }*/ // Nothing to override internal override SecurityProtocolFactory CreateSecurityProtocolFactory <TChannel>(BindingContext context, SecurityCredentialsManager credentialsManager, bool isForService, BindingContext issuerBindingContext) { if (context == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("context"); } if (credentialsManager == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("credentialsManager"); } if (this.ProtectionTokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new InvalidOperationException(SR.GetString("SymmetricSecurityBindingElementNeedsProtectionTokenParameters", new object[1] { (object)this.ToString() }))); } #if FEATURE_CORECLR throw new NotImplementedException("SymmetricSecurityProtocolFactory not supported in .NET Core"); #else SymmetricSecurityProtocolFactory securityProtocolFactory = new SymmetricSecurityProtocolFactory(); if (isForService) { this.ApplyAuditBehaviorSettings(context, (SecurityProtocolFactory)securityProtocolFactory); } securityProtocolFactory.SecurityTokenParameters = this.ProtectionTokenParameters.Clone(); SecurityBindingElement.SetIssuerBindingContextIfRequired(securityProtocolFactory.SecurityTokenParameters, issuerBindingContext); securityProtocolFactory.ApplyConfidentiality = true; securityProtocolFactory.RequireConfidentiality = true; securityProtocolFactory.ApplyIntegrity = true; securityProtocolFactory.RequireIntegrity = true; securityProtocolFactory.IdentityVerifier = this.LocalClientSettings.IdentityVerifier; securityProtocolFactory.DoRequestSignatureConfirmation = this.RequireSignatureConfirmation; securityProtocolFactory.MessageProtectionOrder = this.MessageProtectionOrder; securityProtocolFactory.ProtectionRequirements.Add(SecurityBindingElement.ComputeProtectionRequirements((SecurityBindingElement)this, context.BindingParameters, context.Binding.Elements, isForService)); this.ConfigureProtocolFactory((SecurityProtocolFactory)securityProtocolFactory, credentialsManager, isForService, issuerBindingContext, (Binding)context.Binding); return((SecurityProtocolFactory)securityProtocolFactory); #endif }
private static bool HasSupportingTokens(SecurityBindingElement binding) { if (binding.EndpointSupportingTokenParameters.Endorsing.Count > 0 || binding.EndpointSupportingTokenParameters.SignedEndorsing.Count > 0 || binding.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0 || binding.EndpointSupportingTokenParameters.Signed.Count > 0) { return(true); } foreach (SupportingTokenParameters r in binding.OperationSupportingTokenParameters.Values) { if (r.Endorsing.Count > 0 || r.SignedEndorsing.Count > 0 || r.SignedEncrypted.Count > 0 || r.Signed.Count > 0) { return(true); } } return(false); }
internal SecurityBindingElement(SecurityBindingElement other) { security_header_layout = other.security_header_layout; msg_security_version = other.msg_security_version; endpoint = other.endpoint.Clone(); #if !MOBILE && !XAMMAC_4_5 alg_suite = other.alg_suite; key_entropy_mode = other.key_entropy_mode; opt_endpoint = other.opt_endpoint.Clone(); operation = new Dictionary <string, SupportingTokenParameters> (); foreach (KeyValuePair <string, SupportingTokenParameters> p in other.operation) { operation.Add(p.Key, p.Value.Clone()); } opt_operation = new Dictionary <string, SupportingTokenParameters> (); foreach (KeyValuePair <string, SupportingTokenParameters> p in other.opt_operation) { opt_operation.Add(p.Key, p.Value.Clone()); } service_settings = other.service_settings.Clone(); #endif IncludeTimestamp = other.IncludeTimestamp; LocalClientSettings = other.LocalClientSettings.Clone(); }
void IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext) { if (exporter == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("exporter"); } if (policyContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext"); } if (policyContext.BindingElements.Find <ITransportTokenAssertionProvider>() == null) { if (!this.AllowInsecureTransport) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ExportOfBindingWithTransportSecurityBindingElementAndNoTransportSecurityNotSupported))); } // In AllowInsecureTransport mode there is no assertion provider to export the endpoint supporting tokens. Hence we explicitly call into ExportPolicyForTransportTokenAssertionProviders. SecurityBindingElement.ExportPolicyForTransportTokenAssertionProviders(exporter, policyContext); } // the ITransportTokenAssertionProvider will perform the acutal export steps. }
internal override SecurityProtocolFactory CreateSecurityProtocolFactory <TChannel>(BindingContext context, SecurityCredentialsManager credentialsManager, bool isForService, BindingContext issuerBindingContext) { if (context == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("context"); } if (credentialsManager == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("credentialsManager"); } if (this.ProtectionTokenParameters == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SymmetricSecurityBindingElementNeedsProtectionTokenParameters, this.ToString()))); } SymmetricSecurityProtocolFactory protocolFactory = new SymmetricSecurityProtocolFactory(); if (isForService) { base.ApplyAuditBehaviorSettings(context, protocolFactory); } protocolFactory.SecurityTokenParameters = (SecurityTokenParameters)this.ProtectionTokenParameters.Clone(); SetIssuerBindingContextIfRequired(protocolFactory.SecurityTokenParameters, issuerBindingContext); protocolFactory.ApplyConfidentiality = true; protocolFactory.RequireConfidentiality = true; protocolFactory.ApplyIntegrity = true; protocolFactory.RequireIntegrity = true; protocolFactory.IdentityVerifier = this.LocalClientSettings.IdentityVerifier; protocolFactory.DoRequestSignatureConfirmation = this.RequireSignatureConfirmation; protocolFactory.MessageProtectionOrder = this.MessageProtectionOrder; protocolFactory.ProtectionRequirements.Add(SecurityBindingElement.ComputeProtectionRequirements(this, context.BindingParameters, context.Binding.Elements, isForService)); base.ConfigureProtocolFactory(protocolFactory, credentialsManager, isForService, issuerBindingContext, context.Binding); return(protocolFactory); }
CreateSecureConversationBindingElement(SecurityBindingElement binding) { return(CreateSecureConversationBindingElement(binding, false)); }
CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity) { return(CreateSecureConversationBindingElement(bootstrapSecurity, false)); }
// isDualSecurityModeOnly is true if the binding has both message security and https security enabled. private bool TryImportTransportSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe, bool isDualSecurityModeOnly) { TransportSecurityBindingElement binding = null; XmlElement assertion; sbe = null; WSSecurityPolicy securityPolicy; if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy)) { if (securityPolicy.TryImportWsspTransportBindingAssertion(importer, policyContext.GetBindingAssertions(), out binding, out assertion)) { this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding); // If it is not DualSecurityMode then it is Mixed mode. So we need to look for supporting tokens in the binding. if (!isDualSecurityModeOnly) { this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding); if (importer.State.ContainsKey(InSecureConversationBootstrapBindingImportMode)) { this.ImportMessageScopeProtectionPolicy(importer, policyContext); } if (HasSupportingTokens(binding) || binding.IncludeTimestamp) { sbe = binding; policyContext.BindingElements.Add(binding); } } } else if (assertion != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); } } return(binding != null); }
private bool TryImportAsymmetricSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe) { AsymmetricSecurityBindingElement binding = null; XmlElement assertion; WSSecurityPolicy securityPolicy; if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy)) { if (securityPolicy.TryImportWsspAsymmetricBindingAssertion(importer, policyContext, policyContext.GetBindingAssertions(), out binding, out assertion)) { this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding); this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding); this.ImportMessageScopeProtectionPolicy(importer, policyContext); policyContext.BindingElements.Add(binding); } else if (assertion != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); } } sbe = binding; return(binding != null); }
private void ImportEndpointScopeMessageBindingAssertions(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding) { XmlElement assertion = null; this.ImportSupportingTokenAssertions(importer, policyContext, policyContext.GetBindingAssertions(), binding.EndpointSupportingTokenParameters, binding.OptionalEndpointSupportingTokenParameters); WSSecurityPolicy securityPolicy; if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy)) { if (!securityPolicy.TryImportWsspWssAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) && assertion != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); } if (!securityPolicy.TryImportWsspTrustAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) && assertion != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); } } // // We don't have WSTrust assertion => it is possible we are a BasicHttpBinding // Set the flag here so that later when we tried to compare binding element with basic http binding // we can have an exact match. // if (assertion == null) { binding.DoNotEmitTrust = true; } }
private void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding) { foreach (OperationDescription operation in policyContext.Contract.Operations) { string requestAction = null; foreach (MessageDescription message in operation.Messages) { if (message.Direction == MessageDirection.Input) { requestAction = message.Action; break; } } SupportingTokenParameters requirements = new SupportingTokenParameters(); SupportingTokenParameters optionalRequirements = new SupportingTokenParameters(); ICollection <XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation); this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements); if (requirements.Endorsing.Count > 0 || requirements.Signed.Count > 0 || requirements.SignedEncrypted.Count > 0 || requirements.SignedEndorsing.Count > 0) { if (requestAction != null) { binding.OperationSupportingTokenParameters[requestAction] = requirements; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction)); } } if (optionalRequirements.Endorsing.Count > 0 || optionalRequirements.Signed.Count > 0 || optionalRequirements.SignedEncrypted.Count > 0 || optionalRequirements.SignedEndorsing.Count > 0) { if (requestAction != null) { binding.OptionalOperationSupportingTokenParameters[requestAction] = optionalRequirements; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction))); } } } }
void CreateSecurityProtocolFactory() { SecurityProtocolFactory incomingProtocolFactory; SecurityProtocolFactory outgoingProtocolFactory; ChannelProtectionRequirements protectionRequirements; lock (ThisLock) { if (null != securityProtocolFactory) { return; } TimeoutHelper timeoutHelper = new TimeoutHelper(ServiceDefaults.SendTimeout); if (!enableSigning) { outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } else { X509Certificate2 cert = credManager.Certificate; if (cert != null) { SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement(); securityBindingElement.ReaderQuotas = this.readerQuotas; BindingParameterCollection bpc = new BindingParameterCollection(); if (protection == null) { protectionRequirements = new ChannelProtectionRequirements(); } else { protectionRequirements = new ChannelProtectionRequirements(protection); } ApplySigningRequirements(protectionRequirements.IncomingSignatureParts); ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts); bpc.Add(protectionRequirements); bpc.Add(this.auditBehavior); bpc.Add(credManager); BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc); outgoingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, false, null); } else { outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } SecurityTokenResolver resolver; X509SecurityTokenAuthenticator auth = tokenManager.CreateSecurityTokenAuthenticator(PeerSecurityCredentialsManager.PeerClientSecurityTokenManager.CreateRequirement(SecurityTokenTypes.X509Certificate, true), out resolver) as X509SecurityTokenAuthenticator; if (auth != null) { SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement(); securityBindingElement.ReaderQuotas = this.readerQuotas; BindingParameterCollection bpc = new BindingParameterCollection(); if (protection == null) { protectionRequirements = new ChannelProtectionRequirements(); } else { protectionRequirements = new ChannelProtectionRequirements(protection); } ApplySigningRequirements(protectionRequirements.IncomingSignatureParts); ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts); bpc.Add(protectionRequirements); bpc.Add(this.auditBehavior); bpc.Add(credManager); BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc); incomingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, true, null); } else { incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } } DuplexSecurityProtocolFactory tempFactory = new DuplexSecurityProtocolFactory(outgoingProtocolFactory, incomingProtocolFactory); tempFactory.Open(true, timeoutHelper.RemainingTime()); securityProtocolFactory = tempFactory; } }
CreateSecureConversationBindingElement( SecurityBindingElement binding, bool requireCancellation) { return(CreateSecureConversationBindingElement(binding, requireCancellation, null)); }
public static SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity) { Contract.Ensures(Contract.Result <System.ServiceModel.Channels.SecurityBindingElement>() != null); return(default(SecurityBindingElement)); }
public Message SecureMessage() { secprop = Message.Properties.Security ?? new SecurityMessageProperty(); SecurityToken encToken = secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken; // FIXME: it might be still incorrect. SecurityToken signToken = Parameters == CounterParameters ? null : security.SigningToken; MessageProtectionOrder protectionOrder = security.MessageProtectionOrder; SecurityTokenSerializer serializer = security.TokenSerializer; SecurityBindingElement element = security.Element; SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite; // FIXME: remove this hack if (!ShouldOutputEncryptedKey) { encToken = new BinarySecretSecurityToken(secprop.EncryptionKey); } string messageId = "uuid-" + Guid.NewGuid(); int identForMessageId = 1; XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; UniqueId relatesTo = RelatesTo; if (relatesTo != null) { msg.Headers.RelatesTo = relatesTo; } else // FIXME: probably it is always added when it is stateful ? { msg.Headers.MessageId = new UniqueId("urn:" + messageId); } // FIXME: get correct ReplyTo value if (Direction == MessageDirection.Input) { msg.Headers.Add(MessageHeader.CreateHeader("ReplyTo", msg.Version.Addressing.Namespace, EndpointAddress10.FromEndpointAddress(new EndpointAddress(Constants.WsaAnonymousUri)))); } if (MessageTo != null) { msg.Headers.Add(MessageHeader.CreateHeader("To", msg.Version.Addressing.Namespace, MessageTo.Uri.AbsoluteUri, true)); } // wss:Security WSSecurityMessageHeader header = new WSSecurityMessageHeader(serializer); msg.Headers.Add(header); // 1. [Timestamp] if (element.IncludeTimestamp) { WsuTimestamp timestamp = new WsuTimestamp(); timestamp.Id = messageId + "-" + identForMessageId++; timestamp.Created = DateTime.Now; // FIXME: on service side, use element.LocalServiceSettings.TimestampValidityDuration timestamp.Expires = timestamp.Created.Add(element.LocalClientSettings.TimestampValidityDuration); header.AddContent(timestamp); } XmlNamespaceManager nsmgr = new XmlNamespaceManager(doc.NameTable); nsmgr.AddNamespace("s", msg.Version.Envelope.Namespace); nsmgr.AddNamespace("o", Constants.WssNamespace); nsmgr.AddNamespace("u", Constants.WsuNamespace); nsmgr.AddNamespace("o11", Constants.Wss11Namespace); /*WrappedKey*/ SecurityToken primaryToken = null; DerivedKeySecurityToken dkeyToken = null; SecurityToken actualToken = null; SecurityKeyIdentifierClause actualClause = null; Signature sig = null; List <DerivedKeySecurityToken> derivedKeys = new List <DerivedKeySecurityToken> (); SymmetricAlgorithm masterKey = new RijndaelManaged(); masterKey.KeySize = suite.DefaultSymmetricKeyLength; masterKey.Mode = CipherMode.CBC; masterKey.Padding = PaddingMode.ISO10126; SymmetricAlgorithm actualKey = masterKey; // 2. [Encryption Token] // SecurityTokenInclusionMode // - Initiator or Recipient // - done or notyet. FIXME: not implemented yet // It also affects on key reference output bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false : ShouldIncludeToken( Security.RecipientParameters.InclusionMode, false); bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false : ShouldIncludeToken( Security.InitiatorParameters.InclusionMode, false); SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ? CounterParameters.CallCreateKeyIdentifierClause(encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null; MessagePartSpecification sigSpec = SignaturePart; MessagePartSpecification encSpec = EncryptionPart; // encryption key (possibly also used for signing) // FIXME: get correct SymmetricAlgorithm according to the algorithm suite if (secprop.EncryptionKey != null) { actualKey.Key = secprop.EncryptionKey; } // FIXME: remove thid hack if (!ShouldOutputEncryptedKey) { primaryToken = RequestContext.RequestMessage.Properties.Security.ProtectionToken.SecurityToken as WrappedKeySecurityToken; } else { primaryToken = // FIXME: remove this hack? encToken is SecurityContextSecurityToken ? encToken : new WrappedKeySecurityToken(messageId + "-" + identForMessageId++, actualKey.Key, // security.DefaultKeyWrapAlgorithm, Parameters.InternalHasAsymmetricKey ? suite.DefaultAsymmetricKeyWrapAlgorithm : suite.DefaultSymmetricKeyWrapAlgorithm, encToken, encClause != null ? new SecurityKeyIdentifier(encClause) : null); } // If it reuses request's encryption key, do not output. if (ShouldOutputEncryptedKey) { header.AddContent(primaryToken); } actualToken = primaryToken; // FIXME: I doubt it is correct... WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken; actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause) new LocalIdKeyIdentifierClause(actualToken.Id, typeof(WrappedKeySecurityToken)) : new InternalEncryptedKeyIdentifierClause(SHA1.Create().ComputeHash(requestEncKey.GetWrappedKey())); // generate derived key if needed if (CounterParameters.RequireDerivedKeys) { RijndaelManaged deriv = new RijndaelManaged(); deriv.KeySize = suite.DefaultEncryptionKeyDerivationLength; deriv.Mode = CipherMode.CBC; deriv.Padding = PaddingMode.ISO10126; deriv.GenerateKey(); dkeyToken = new DerivedKeySecurityToken( GenerateId(doc), null, // algorithm actualClause, new InMemorySymmetricSecurityKey(actualKey.Key), null, // name null, // generation null, // offset deriv.Key.Length, null, // label deriv.Key); derivedKeys.Add(dkeyToken); actualToken = dkeyToken; actualKey.Key = ((SymmetricSecurityKey)dkeyToken.SecurityKeys [0]).GetSymmetricKey(); actualClause = new LocalIdKeyIdentifierClause(dkeyToken.Id); header.AddContent(dkeyToken); } ReferenceList refList = new ReferenceList(); // When encrypted with DerivedKeyToken, put references // immediately after the derived token (not inside the // primary token). // Similarly, when we do not output EncryptedKey, // output ReferenceList in the same way. if (CounterParameters.RequireDerivedKeys || !ShouldOutputEncryptedKey) { header.AddContent(refList); } else { ((WrappedKeySecurityToken)primaryToken).ReferenceList = refList; } // [Signature Confirmation] if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0) { foreach (string value in secprop.ConfirmedSignatures) { header.AddContent(new Wss11SignatureConfirmation(GenerateId(doc), value)); } } SupportingTokenInfoCollection tokenInfos = Direction == MessageDirection.Input ? security.CollectSupportingTokens(GetAction()) : new SupportingTokenInfoCollection(); // empty foreach (SupportingTokenInfo tinfo in tokenInfos) { header.AddContent(tinfo.Token); } // populate DOM to sign. XPathNavigator nav = doc.CreateNavigator(); using (XmlWriter w = nav.AppendChild()) { msg.WriteMessage(w); } XmlElement body = doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement; string bodyId = null; XmlElement secElem = null; Collection <WSSignedXml> endorsedSignatures = new Collection <WSSignedXml> (); bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature); // Below are o:Security contents that are not signed... if (includeSigToken && signToken != null) { header.AddContent(signToken); } switch (protectionOrder) { case MessageProtectionOrder.EncryptBeforeSign: // FIXME: implement throw new NotImplementedException(); case MessageProtectionOrder.SignBeforeEncrypt: case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature: // sign // see clause 8 of WS-SecurityPolicy C.2.2 WSSignedXml sxml = new WSSignedXml(doc); SecurityTokenReferenceKeyInfo sigKeyInfo; sig = sxml.Signature; sig.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm; foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/u:Timestamp", nsmgr)) { CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace)); } foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) { CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace)); } foreach (SupportingTokenInfo tinfo in tokenInfos) { if (tinfo.Mode != SecurityTokenAttachmentMode.Endorsing) { XmlElement el = sxml.GetIdElement(doc, tinfo.Token.Id); CreateReference(sig, el, el.GetAttribute("Id", Constants.WsuNamespace)); } } XmlNodeList nodes = doc.SelectNodes("/s:Envelope/s:Header/*", nsmgr); for (int i = 0; i < msg.Headers.Count; i++) { MessageHeaderInfo h = msg.Headers [i]; if (h.Name == "Security" && h.Namespace == Constants.WssNamespace) { secElem = nodes [i] as XmlElement; } else if (sigSpec.HeaderTypes.Count == 0 || sigSpec.HeaderTypes.Contains(new XmlQualifiedName(h.Name, h.Namespace))) { string id = GenerateId(doc); h.Id = id; CreateReference(sig, nodes [i] as XmlElement, id); } } if (sigSpec.IsBodyIncluded) { bodyId = GenerateId(doc); CreateReference(sig, body.ParentNode as XmlElement, bodyId); } if (security.DefaultSignatureAlgorithm == SignedXml.XmlDsigHMACSHA1Url) { // FIXME: use appropriate hash algorithm sxml.ComputeSignature(new HMACSHA1(actualKey.Key)); sigKeyInfo = new SecurityTokenReferenceKeyInfo(actualClause, serializer, doc); } else { SecurityKeyIdentifierClause signClause = CounterParameters.CallCreateKeyIdentifierClause(signToken, includeSigToken ? CounterParameters.ReferenceStyle : SecurityTokenReferenceStyle.External); AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)signToken.ResolveKeyIdentifierClause(signClause); sxml.SigningKey = signKey.GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, true); sxml.ComputeSignature(); sigKeyInfo = new SecurityTokenReferenceKeyInfo(signClause, serializer, doc); } sxml.KeyInfo = new KeyInfo(); sxml.KeyInfo.AddClause(sigKeyInfo); if (!signatureProtection) { header.AddContent(sig); } // endorse the signature with (signed)endorsing // supporting tokens. foreach (SupportingTokenInfo tinfo in tokenInfos) { switch (tinfo.Mode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: if (sxml.Signature.Id == null) { sig.Id = GenerateId(doc); secElem.AppendChild(sxml.GetXml()); } WSSignedXml ssxml = new WSSignedXml(doc); ssxml.Signature.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm; CreateReference(ssxml.Signature, doc, sig.Id); SecurityToken sst = tinfo.Token; SecurityKey ssk = sst.SecurityKeys [0]; // FIXME: could be different? SecurityKeyIdentifierClause tclause = new LocalIdKeyIdentifierClause(sst.Id); // FIXME: could be different? if (ssk is SymmetricSecurityKey) { SymmetricSecurityKey signKey = (SymmetricSecurityKey)ssk; ssxml.ComputeSignature(signKey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)ssk; ssxml.SigningKey = signKey.GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, true); ssxml.ComputeSignature(); } ssxml.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(tclause, serializer, doc)); if (!signatureProtection) { header.AddContent(ssxml.Signature); } endorsedSignatures.Add(ssxml); break; } } // encrypt WSEncryptedXml exml = new WSEncryptedXml(doc); EncryptedData edata = Encrypt(body, actualKey, actualToken.Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(body, edata, false); // encrypt signature if (signatureProtection) { XmlElement sigxml = sig.GetXml(); edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc); header.AddContent(edata); foreach (WSSignedXml ssxml in endorsedSignatures) { sigxml = ssxml.GetXml(); edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc); header.AddContent(edata); } if (security.RequireSignatureConfirmation) { Collection <Wss11SignatureConfirmation> confs = header.FindAll <Wss11SignatureConfirmation> (); int count = 0; foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) { edata = Encrypt(elem, actualKey, confs [count].Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(elem, edata, false); header.Contents.Insert(header.Contents.IndexOf(confs [count]), edata); header.Contents.Remove(confs [count++]); } } } // encrypt Encrypted supporting tokens foreach (SupportingTokenInfo tinfo in tokenInfos) { if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted) { XmlElement el = exml.GetIdElement(doc, tinfo.Token.Id); tinfo.Encrypted = Encrypt(el, actualKey, actualToken.Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(el, tinfo.Encrypted, false); header.Contents.Insert(header.Contents.IndexOf(tinfo.Token), tinfo.Encrypted); header.Contents.Remove(tinfo.Token); } } break; } Message ret = Message.CreateMessage(msg.Version, msg.Headers.Action, new XmlNodeReader(doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement)); ret.Properties.Security = (SecurityMessageProperty)secprop.CreateCopy(); ret.Properties.Security.EncryptionKey = masterKey.Key; ret.BodyId = bodyId; // FIXME: can we support TransportToken here? if (element is AsymmetricSecurityBindingElement) { ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(encToken, null); // FIXME: second argument ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(signToken, null); // FIXME: second argument } else { ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification(primaryToken, null); } ret.Headers.Clear(); ret.Headers.CopyHeadersFrom(msg); // Header contents are: // - Timestamp // - SignatureConfirmation if required // - EncryptionToken if included // - derived key token for EncryptionToken // - ReferenceList for encrypted items // - signed supporting tokens // - signed endorsing supporting tokens // (i.e. Signed/SignedEncrypted/SignedEndorsing) // - Signature Token if different from enc token. // - derived key token for sig token if different // - Signature for: // - Timestamp // - supporting tokens (regardless of // its inclusion) // - message parts in SignedParts // - SignatureToken if TokenProtection // (regardless of its inclusion) // - Signatures for the main signature (above), // for every endorsing token and signed // endorsing token. // //MessageBuffer zzz = ret.CreateBufferedCopy (100000); //ret = zzz.CreateMessage (); //Console.WriteLine (zzz.CreateMessage ()); return(ret); }
static public SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity) { return(CreateSecureConversationBindingElement(bootstrapSecurity, SecureConversationSecurityTokenParameters.defaultRequireCancellation, null)); }
static public SecurityBindingElement CreateSecureConversationBindingElement(SecurityBindingElement bootstrapSecurity, bool requireCancellation) { return(CreateSecureConversationBindingElement(bootstrapSecurity, requireCancellation, null)); }