public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver) { this.CommunicationObject.ThrowIfDisposedOrImmutable(); this.sessionId = sessionId; this.sessionTokenResolver = sessionTokenResolver; Collection<SecurityTokenResolver> tmp = new Collection<SecurityTokenResolver>(); tmp.Add(this.sessionTokenResolver); this.sessionTokenResolverList = new ReadOnlyCollection<SecurityTokenResolver>(tmp); this.sessionTokenAuthenticator = sessionTokenAuthenticator; SupportingTokenAuthenticatorSpecification spec = new SupportingTokenAuthenticatorSpecification(this.sessionTokenAuthenticator, this.sessionTokenResolver, SecurityTokenAttachmentMode.Endorsing, this.Factory.SecurityTokenParameters); this.sessionTokenAuthenticatorSpecificationList = new Collection<SupportingTokenAuthenticatorSpecification>(); this.sessionTokenAuthenticatorSpecificationList.Add(spec); }
public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver) { this.CommunicationObject.ThrowIfDisposedOrImmutable(); this.sessionId = sessionId; this.sessionTokenResolver = sessionTokenResolver; Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>(); tmp.Add(this.sessionTokenResolver); this.sessionTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(tmp); this.sessionTokenAuthenticator = sessionTokenAuthenticator; SupportingTokenAuthenticatorSpecification spec = new SupportingTokenAuthenticatorSpecification(this.sessionTokenAuthenticator, this.sessionTokenResolver, SecurityTokenAttachmentMode.Endorsing, this.Factory.SecurityTokenParameters); this.sessionTokenAuthenticatorSpecificationList = new Collection <SupportingTokenAuthenticatorSpecification>(); this.sessionTokenAuthenticatorSpecificationList.Add(spec); }
private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList) { for (int i = 0; i < supportingTokenParameters.Endorsing.Count; ++i) { SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing); try { System.IdentityModel.Selectors.SecurityTokenResolver resolver; System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver); SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional); authenticatorSpecList.Add(authenticatorSpec); } catch (Exception e) { if (!isOptional || Fx.IsFatal(e)) { throw; } } } for (int i = 0; i < supportingTokenParameters.SignedEndorsing.Count; ++i) { SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[i], SecurityTokenAttachmentMode.SignedEndorsing); try { System.IdentityModel.Selectors.SecurityTokenResolver resolver; System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver); SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[i], isOptional); authenticatorSpecList.Add(authenticatorSpec); } catch (Exception e) { if (!isOptional || Fx.IsFatal(e)) { throw; } } } for (int i = 0; i < supportingTokenParameters.SignedEncrypted.Count; ++i) { SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[i], SecurityTokenAttachmentMode.SignedEncrypted); try { System.IdentityModel.Selectors.SecurityTokenResolver resolver; System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver); SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[i], isOptional); authenticatorSpecList.Add(authenticatorSpec); } catch (Exception e) { if (!isOptional || Fx.IsFatal(e)) { throw; } } } for (int i = 0; i < supportingTokenParameters.Signed.Count; ++i) { SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[i], SecurityTokenAttachmentMode.Signed); try { System.IdentityModel.Selectors.SecurityTokenResolver resolver; System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver); SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[i], isOptional); authenticatorSpecList.Add(authenticatorSpec); } catch (Exception e) { if (!isOptional || Fx.IsFatal(e)) { throw; } } } }
public void Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy) { Fx.Assert(ReaderQuotas != null, "Reader quotas must be set before processing"); MessageProtectionOrder actualProtectionOrder = _protectionOrder; bool wasProtectionOrderDowngraded = false; if (_protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature) { throw ExceptionHelper.PlatformNotSupported(); // No support for message encryption } _channelBinding = channelBinding; _extendedProtectionPolicy = extendedProtectionPolicy; _orderTracker.SetRequiredProtectionOrder(actualProtectionOrder); SetProcessingStarted(); _timeoutHelper = new TimeoutHelper(timeout); Message = SecurityVerifiedMessage = new SecurityVerifiedMessage(Message, this); XmlDictionaryReader reader = CreateSecurityHeaderReader(); reader.MoveToStartElement(); if (reader.IsEmptyElement) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.SecurityHeaderIsEmpty), Message); } if (RequireMessageProtection) { _securityElementAttributes = XmlAttributeHolder.ReadAttributes(reader); } else { _securityElementAttributes = XmlAttributeHolder.emptyArray; } reader.ReadStartElement(); if (_primaryTokenParameters != null) { _primaryTokenTracker = new TokenTracker(null, _outOfBandPrimaryToken, _allowFirstTokenMismatch); } // universalTokenResolver is used for resolving tokens _universalTokenResolver = new SecurityHeaderTokenResolver(this); // primary token resolver is used for resolving primary signature and decryption _primaryTokenResolver = new SecurityHeaderTokenResolver(this); if (_outOfBandPrimaryToken != null) { _universalTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters); _primaryTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters); } else if (_outOfBandPrimaryTokenCollection != null) { for (int i = 0; i < _outOfBandPrimaryTokenCollection.Count; ++i) { _universalTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters); _primaryTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters); } } if (_wrappingToken != null) { _universalTokenResolver.ExpectedWrapper = _wrappingToken; _universalTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters; _primaryTokenResolver.ExpectedWrapper = _wrappingToken; _primaryTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters; } if (_outOfBandTokenResolver == null) { CombinedUniversalTokenResolver = _universalTokenResolver; _combinedPrimaryTokenResolver = _primaryTokenResolver; } else { CombinedUniversalTokenResolver = new AggregateSecurityHeaderTokenResolver(_universalTokenResolver, _outOfBandTokenResolver); _combinedPrimaryTokenResolver = new AggregateSecurityHeaderTokenResolver(_primaryTokenResolver, _outOfBandTokenResolver); } _allowedAuthenticators = new List <SecurityTokenAuthenticator>(); if (_primaryTokenAuthenticator != null) { _allowedAuthenticators.Add(_primaryTokenAuthenticator); } if (DerivedTokenAuthenticator != null) { _allowedAuthenticators.Add(DerivedTokenAuthenticator); } _pendingSupportingTokenAuthenticator = null; int numSupportingTokensRequiringDerivation = 0; if (_supportingTokenAuthenticators != null && _supportingTokenAuthenticators.Count > 0) { _supportingTokenTrackers = new List <TokenTracker>(_supportingTokenAuthenticators.Count); for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i) { SupportingTokenAuthenticatorSpecification spec = _supportingTokenAuthenticators[i]; switch (spec.SecurityTokenAttachmentMode) { case SecurityTokenAttachmentMode.Endorsing: _hasEndorsingOrSignedEndorsingSupportingTokens = true; break; case SecurityTokenAttachmentMode.Signed: break; case SecurityTokenAttachmentMode.SignedEndorsing: _hasEndorsingOrSignedEndorsingSupportingTokens = true; break; case SecurityTokenAttachmentMode.SignedEncrypted: break; } if ((_primaryTokenAuthenticator != null) && (_primaryTokenAuthenticator.GetType().Equals(spec.TokenAuthenticator.GetType()))) { _pendingSupportingTokenAuthenticator = spec.TokenAuthenticator; } else { _allowedAuthenticators.Add(spec.TokenAuthenticator); } if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey && (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) { ++numSupportingTokensRequiringDerivation; } _supportingTokenTrackers.Add(new TokenTracker(spec)); } } if (DerivedTokenAuthenticator != null) { // we expect key derivation. Compute quotas for derived keys int maxKeyDerivationLengthInBits = AlgorithmSuite.DefaultEncryptionKeyDerivationLength >= AlgorithmSuite.DefaultSignatureKeyDerivationLength ? AlgorithmSuite.DefaultEncryptionKeyDerivationLength : AlgorithmSuite.DefaultSignatureKeyDerivationLength; MaxDerivedKeyLength = maxKeyDerivationLengthInBits / 8; // the upper bound of derived keys is (1 for primary signature + 1 for encryption + supporting token signatures requiring derivation)*2 // the multiplication by 2 is to take care of interop scenarios that may arise that require more derived keys than the lower bound. _maxDerivedKeys = (1 + 1 + numSupportingTokensRequiringDerivation) * 2; } SecurityHeaderElementInferenceEngine engine = SecurityHeaderElementInferenceEngine.GetInferenceEngine(Layout); engine.ExecuteProcessingPasses(this, reader); if (RequireMessageProtection) { throw ExceptionHelper.PlatformNotSupported(); } EnsureDecryptionComplete(); _signatureTracker.SetDerivationSourceIfRequired(); _encryptionTracker.SetDerivationSourceIfRequired(); if (EncryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } // ensure that the primary signature was signed with derived keys if required if (EnforceDerivedKeyRequirement) { if (SignatureToken != null) { if (_primaryTokenParameters != null) { if (_primaryTokenParameters.RequireDerivedKeys && !_primaryTokenParameters.HasAsymmetricKey && !_primaryTokenTracker.IsDerivedFrom) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedKey, _primaryTokenParameters))); } } else if (_wrappingTokenParameters != null && _wrappingTokenParameters.RequireDerivedKeys) { if (!_signatureTracker.IsDerivedToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedWrappedKey, _wrappingTokenParameters))); } } } // verify that the encryption is using key derivation if (EncryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } } if (wasProtectionOrderDowngraded && (BasicSupportingTokens != null) && (BasicSupportingTokens.Count > 0)) { throw ExceptionHelper.PlatformNotSupported(); } // verify all supporting token parameters have their requirements met if (_supportingTokenTrackers != null && _supportingTokenTrackers.Count > 0) { throw ExceptionHelper.PlatformNotSupported(); } if (_replayDetectionEnabled) { throw ExceptionHelper.PlatformNotSupported(); } if (ExpectSignatureConfirmation) { throw ExceptionHelper.PlatformNotSupported(); } MarkHeaderAsUnderstood(); }
protected TokenTracker GetSupportingTokenTracker(SecurityTokenAuthenticator tokenAuthenticator, out SupportingTokenAuthenticatorSpecification spec) { spec = null; if (_supportingTokenAuthenticators == null) { return(null); } for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i) { if (_supportingTokenAuthenticators[i].TokenAuthenticator == tokenAuthenticator) { spec = _supportingTokenAuthenticators[i]; return(_supportingTokenTrackers[i]); } } return(null); }
public TokenTracker(SupportingTokenAuthenticatorSpecification spec, SecurityToken token, bool allowFirstTokenMismatch) { this.spec = spec; Token = token; _allowFirstTokenMismatch = allowFirstTokenMismatch; }
public TokenTracker(SupportingTokenAuthenticatorSpecification spec) : this(spec, null, false) { }
private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList) { for (int i = 0; i < supportingTokenParameters.Endorsing.Count; i++) { SecurityTokenRequirement tokenRequirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing); try { SecurityTokenResolver resolver; SupportingTokenAuthenticatorSpecification item = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver), resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional); authenticatorSpecList.Add(item); } catch (Exception exception) { if (!isOptional || Fx.IsFatal(exception)) { throw; } } } for (int j = 0; j < supportingTokenParameters.SignedEndorsing.Count; j++) { SecurityTokenRequirement requirement2 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[j], SecurityTokenAttachmentMode.SignedEndorsing); try { SecurityTokenResolver resolver2; SupportingTokenAuthenticatorSpecification specification2 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement2, out resolver2), resolver2, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[j], isOptional); authenticatorSpecList.Add(specification2); } catch (Exception exception2) { if (!isOptional || Fx.IsFatal(exception2)) { throw; } } } for (int k = 0; k < supportingTokenParameters.SignedEncrypted.Count; k++) { SecurityTokenRequirement requirement3 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[k], SecurityTokenAttachmentMode.SignedEncrypted); try { SecurityTokenResolver resolver3; SupportingTokenAuthenticatorSpecification specification3 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement3, out resolver3), resolver3, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[k], isOptional); authenticatorSpecList.Add(specification3); } catch (Exception exception3) { if (!isOptional || Fx.IsFatal(exception3)) { throw; } } } for (int m = 0; m < supportingTokenParameters.Signed.Count; m++) { SecurityTokenRequirement requirement4 = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[m], SecurityTokenAttachmentMode.Signed); try { SecurityTokenResolver resolver4; SupportingTokenAuthenticatorSpecification specification4 = new SupportingTokenAuthenticatorSpecification(this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement4, out resolver4), resolver4, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[m], isOptional); authenticatorSpecList.Add(specification4); } catch (Exception exception4) { if (!isOptional || Fx.IsFatal(exception4)) { throw; } } } }
public TokenTracker(SupportingTokenAuthenticatorSpecification spec, SecurityToken token, bool allowFirstTokenMismatch) { this.spec = spec; this.token = token; this.allowFirstTokenMismatch = allowFirstTokenMismatch; }
public TokenTracker(SupportingTokenAuthenticatorSpecification spec) : this(spec, null, false) { }