void WriteDerivedKeySecurityToken(XmlWriter w, DerivedKeySecurityToken token) { string ns = Constants.WsscNamespace; w.WriteStartElement("c", "DerivedKeyToken", ns); w.WriteAttributeString("u", "Id", Constants.WsuNamespace, token.Id); WriteKeyIdentifierClause(w, token.TokenReference); if (token.Name != null) { w.WriteStartElement("Properties", ns); w.WriteElementString("Name", ns, token.Name); w.WriteEndElement(); } if (token.Offset != null) { w.WriteElementString("Offset", ns, Convert.ToString(token.Offset)); } if (token.Length != null) { w.WriteElementString("Length", ns, Convert.ToString(token.Length)); } if (token.Label != null) { w.WriteElementString("Label", ns, token.Label); } w.WriteElementString("Nonce", ns, Convert.ToBase64String(token.Nonce)); w.WriteEndElement(); }
private void StartSignature() { if (this.elementContainer.SourceSigningToken == null) { return; } // determine the key identifier clause to use for the source SecurityTokenReferenceStyle sourceSigningKeyReferenceStyle = GetTokenReferenceStyle(this.signingTokenParameters); SecurityKeyIdentifierClause sourceSigningKeyIdentifierClause = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, sourceSigningKeyReferenceStyle); if (sourceSigningKeyIdentifierClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), this.Message); } SecurityToken signingToken; SecurityKeyIdentifierClause signingKeyIdentifierClause; // determine if a token needs to be derived if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey) { string derivationAlgorithm = this.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion); string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion); if (derivationAlgorithm == expectedDerivationAlgorithm) { DerivedKeySecurityToken derivedSigningToken = new DerivedKeySecurityToken(-1, 0, this.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, this.elementContainer.SourceSigningToken, sourceSigningKeyIdentifierClause, derivationAlgorithm, GenerateId()); signingToken = this.elementContainer.DerivedSigningToken = derivedSigningToken; signingKeyIdentifierClause = new LocalIdKeyIdentifierClause(signingToken.Id, signingToken.GetType()); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm))); } } else { signingToken = elementContainer.SourceSigningToken; signingKeyIdentifierClause = sourceSigningKeyIdentifierClause; } SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(signingKeyIdentifierClause); if (signatureConfirmationsToSend != null && signatureConfirmationsToSend.Count > 0) { ISecurityElement[] signatureConfirmationElements; signatureConfirmationElements = CreateSignatureConfirmationElements(signatureConfirmationsToSend); for (int i = 0; i < signatureConfirmationElements.Length; ++i) { SendSecurityHeaderElement sigConfElement = new SendSecurityHeaderElement(signatureConfirmationElements[i].Id, signatureConfirmationElements[i]); sigConfElement.MarkedForEncryption = signatureConfirmationsToSend.IsMarkedForEncryption; this.elementContainer.AddSignatureConfirmation(sigConfElement); } } bool generateTargettablePrimarySignature = ((this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null)); this.StartPrimarySignatureCore(signingToken, signingKeyIdentifier, this.signatureParts, generateTargettablePrimarySignature); }
public void ReadContents(XmlReader reader) { DerivedKeySecurityToken currentToken = null; reader.MoveToContent(); reader.ReadStartElement("Security", Constants.WssNamespace); do { reader.MoveToContent(); if (reader.NodeType == XmlNodeType.EndElement) { break; } object o = ReadContent(reader); if (o is EncryptedData) { EncryptedData ed = (EncryptedData)o; encryptedDataList [ed.Id] = ed; } else if (o is ReferenceList && currentToken != null) { currentToken.ReferenceList = (ReferenceList)o; } else if (o is SecurityToken) { if (o is DerivedKeySecurityToken) { currentToken = o as DerivedKeySecurityToken; } tokens.Add((SecurityToken)o); } header.Contents.Add(o); } while (true); reader.ReadEndElement(); }
// Ensure acceptable decrypting symmetric key. // 1) if derived key, validate derived key against DefaultEncryptionKeyDerivationLength and validate // source key against DefaultSymmetricKeyLength // 2) if not derived key, validate key against DefaultSymmetricKeyLength internal void EnsureAcceptableDecryptionSymmetricKeySize(SymmetricSecurityKey securityKey, SecurityToken token) { int keySize; DerivedKeySecurityToken dkt = token as DerivedKeySecurityToken; if (dkt != null) { token = dkt.TokenToDerive; keySize = ((SymmetricSecurityKey)token.SecurityKeys[0]).KeySize; // doing special case for derived key token signing length since // the sending side doesn't honor the algorithm suite. It used the DefaultSignatureKeyDerivationLength instead if (dkt.SecurityKeys[0].KeySize < this.DefaultEncryptionKeyDerivationLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.TokenDoesNotMeetKeySizeRequirements, this, dkt, dkt.SecurityKeys[0].KeySize))); } } else { keySize = securityKey.KeySize; } if (!IsSymmetricKeyLengthSupported(keySize)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.TokenDoesNotMeetKeySizeRequirements, this, token, keySize))); } }
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token) { DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken; string serializerPrefix = parent.SerializerDictionary.Prefix.Value; writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.DerivedKeyToken, parent.SerializerDictionary.Namespace); if (derivedKeyToken.Id != null) { writer.WriteAttributeString(CoreWCF.XD.UtilityDictionary.Prefix.Value, CoreWCF.XD.UtilityDictionary.IdAttribute, CoreWCF.XD.UtilityDictionary.Namespace, derivedKeyToken.Id); } if (derivedKeyToken.KeyDerivationAlgorithm != parent.DerivationAlgorithm) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.UnsupportedKeyDerivationAlgorithm, derivedKeyToken.KeyDerivationAlgorithm))); } parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause(writer, derivedKeyToken.TokenToDeriveIdentifier); // Don't support Properties element if (derivedKeyToken.Generation > 0 || derivedKeyToken.Offset > 0 || derivedKeyToken.Length != 32) { // this means they're both specified (offset must be gen * length) - we'll write generation if (derivedKeyToken.Generation >= 0 && derivedKeyToken.Offset >= 0) { writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace); writer.WriteValue(derivedKeyToken.Generation); writer.WriteEndElement(); } else if (derivedKeyToken.Generation != -1) { writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace); writer.WriteValue(derivedKeyToken.Generation); writer.WriteEndElement(); } else if (derivedKeyToken.Offset != -1) { writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Offset, parent.SerializerDictionary.Namespace); writer.WriteValue(derivedKeyToken.Offset); writer.WriteEndElement(); } if (derivedKeyToken.Length != 32) { writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Length, parent.SerializerDictionary.Namespace); writer.WriteValue(derivedKeyToken.Length); writer.WriteEndElement(); } } if (derivedKeyToken.Label != null) { writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace); writer.WriteString(derivedKeyToken.Label); writer.WriteEndElement(); } writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Nonce, parent.SerializerDictionary.Namespace); writer.WriteBase64(derivedKeyToken.Nonce, 0, derivedKeyToken.Nonce.Length); writer.WriteEndElement(); writer.WriteEndElement(); }
public void SetDerivationSourceIfRequired() { DerivedKeySecurityToken derivedKeyToken = Token as DerivedKeySecurityToken; if (derivedKeyToken != null) { Token = derivedKeyToken.TokenToDerive; _isDerivedToken = true; } }
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token) { DerivedKeySecurityToken keySecurityToken = token as DerivedKeySecurityToken; string prefix = this.parent.SerializerDictionary.Prefix.Value; writer.WriteStartElement(prefix, this.parent.SerializerDictionary.DerivedKeyToken, this.parent.SerializerDictionary.Namespace); if (keySecurityToken.Id != null) { writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, keySecurityToken.Id); } if (keySecurityToken.KeyDerivationAlgorithm != this.parent.DerivationAlgorithm) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("UnsupportedKeyDerivationAlgorithm", new object[1] { (object)keySecurityToken.KeyDerivationAlgorithm }))); } this.parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause((XmlWriter)writer, keySecurityToken.TokenToDeriveIdentifier); if (keySecurityToken.Generation > 0 || keySecurityToken.Offset > 0 || keySecurityToken.Length != 32) { if (keySecurityToken.Generation >= 0 && keySecurityToken.Offset >= 0) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteValue(keySecurityToken.Generation); writer.WriteEndElement(); } else if (keySecurityToken.Generation != -1) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteValue(keySecurityToken.Generation); writer.WriteEndElement(); } else if (keySecurityToken.Offset != -1) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace); writer.WriteValue(keySecurityToken.Offset); writer.WriteEndElement(); } if (keySecurityToken.Length != 32) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace); writer.WriteValue(keySecurityToken.Length); writer.WriteEndElement(); } } if (keySecurityToken.Label != null) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteString(keySecurityToken.Label); writer.WriteEndElement(); } writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace); writer.WriteBase64(keySecurityToken.Nonce, 0, keySecurityToken.Nonce.Length); writer.WriteEndElement(); writer.WriteEndElement(); }
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver) { XmlDictionaryReader dictionaryReader = XmlDictionaryReader.CreateDictionaryReader(reader); if (this.secureConversation.IsAtDerivedKeyToken(dictionaryReader)) { string id; string derivationAlgorithm; string label; int length; byte[] nonce; int offset; int generation; SecurityKeyIdentifierClause tokenToDeriveIdentifier; SecurityToken tokenToDerive; this.secureConversation.ReadDerivedKeyTokenParameters(dictionaryReader, tokenResolver, out id, out derivationAlgorithm, out label, out length, out nonce, out offset, out generation, out tokenToDeriveIdentifier, out tokenToDerive); DerivedKeySecurityToken cachedToken = GetCachedToken(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm); if (cachedToken != null) { return(cachedToken); } lock (this.thisLock) { cachedToken = GetCachedToken(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm); if (cachedToken != null) { return(cachedToken); } SecurityToken result = this.secureConversation.CreateDerivedKeyToken(id, derivationAlgorithm, label, length, nonce, offset, generation, tokenToDeriveIdentifier, tokenToDerive); DerivedKeySecurityToken newToken = result as DerivedKeySecurityToken; if (newToken != null) { int pos = this.indexToCache; if (this.indexToCache == int.MaxValue) { this.indexToCache = 0; } else { this.indexToCache = (++this.indexToCache) % this.cachedTokens.Length; } this.cachedTokens[pos] = new DerivedKeySecurityTokenCache(newToken); } return(result); } } else { return(this.innerTokenSerializer.ReadToken(reader, tokenResolver)); } }
public DerivedKeySecurityTokenCache(DerivedKeySecurityToken cachedToken) { this.keyToDerive = ((SymmetricSecurityKey)cachedToken.TokenToDerive.SecurityKeys[0]).GetSymmetricKey(); this.generation = cachedToken.Generation; this.offset = cachedToken.Offset; this.length = cachedToken.Length; this.label = cachedToken.Label; this.keyDerivationAlgorithm = cachedToken.KeyDerivationAlgorithm; this.nonce = cachedToken.Nonce; this.cachedToken = cachedToken; }
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token) { DerivedKeySecurityToken token2 = token as DerivedKeySecurityToken; string prefix = this.parent.SerializerDictionary.Prefix.Value; writer.WriteStartElement(prefix, this.parent.SerializerDictionary.DerivedKeyToken, this.parent.SerializerDictionary.Namespace); if (token2.Id != null) { writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, token2.Id); } if (token2.KeyDerivationAlgorithm != this.parent.DerivationAlgorithm) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnsupportedKeyDerivationAlgorithm", new object[] { token2.KeyDerivationAlgorithm }))); } this.parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause(writer, token2.TokenToDeriveIdentifier); if (((token2.Generation > 0) || (token2.Offset > 0)) || (token2.Length != 0x20)) { if ((token2.Generation >= 0) && (token2.Offset >= 0)) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteValue(token2.Generation); writer.WriteEndElement(); } else if (token2.Generation != -1) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteValue(token2.Generation); writer.WriteEndElement(); } else if (token2.Offset != -1) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace); writer.WriteValue(token2.Offset); writer.WriteEndElement(); } if (token2.Length != 0x20) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace); writer.WriteValue(token2.Length); writer.WriteEndElement(); } } if (token2.Label != null) { writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace); writer.WriteString(token2.Label); writer.WriteEndElement(); } writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace); writer.WriteBase64(token2.Nonce, 0, token2.Nonce.Length); writer.WriteEndElement(); writer.WriteEndElement(); }
private DerivedKeySecurityToken GetCachedToken(string id, int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, SecurityKeyIdentifierClause tokenToDeriveIdentifier, string derivationAlgorithm) { for (int i = 0; i < this.cachedTokens.Length; i++) { DerivedKeySecurityTokenCache cachedToken = this.cachedTokens[i]; if ((cachedToken != null) && this.IsMatch(cachedToken, id, generation, offset, length, label, nonce, tokenToDerive, derivationAlgorithm)) { DerivedKeySecurityToken token = new DerivedKeySecurityToken(generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm, id); token.InitializeDerivedKey(cachedToken.SecurityKeys); return(token); } } return(null); }
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver) { XmlDictionaryReader reader2 = XmlDictionaryReader.CreateDictionaryReader(reader); if (this.secureConversation.IsAtDerivedKeyToken(reader2)) { string str; string str2; string str3; int num; byte[] buffer; int num2; int num3; SecurityKeyIdentifierClause clause; SecurityToken token; this.secureConversation.ReadDerivedKeyTokenParameters(reader2, tokenResolver, out str, out str2, out str3, out num, out buffer, out num2, out num3, out clause, out token); DerivedKeySecurityToken token2 = this.GetCachedToken(str, num3, num2, num, str3, buffer, token, clause, str2); if (token2 != null) { return(token2); } lock (this.thisLock) { token2 = this.GetCachedToken(str, num3, num2, num, str3, buffer, token, clause, str2); if (token2 != null) { return(token2); } SecurityToken token3 = this.secureConversation.CreateDerivedKeyToken(str, str2, str3, num, buffer, num2, num3, clause, token); DerivedKeySecurityToken cachedToken = token3 as DerivedKeySecurityToken; if (cachedToken != null) { int indexToCache = this.indexToCache; if (this.indexToCache == 0x7fffffff) { this.indexToCache = 0; } else { this.indexToCache = ++this.indexToCache % this.cachedTokens.Length; } this.cachedTokens[indexToCache] = new DerivedKeySecurityTokenCache(cachedToken); } return(token3); } } return(this.innerTokenSerializer.ReadToken(reader, tokenResolver)); }
public void SetOutgoingSessionToken(SecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } lock (this.ThisLock) { this.outgoingSessionToken = token; if (this.requireDerivedKeys) { string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.Factory.MessageSecurityVersion.SecureConversationVersion); this.derivedSignatureToken = new DerivedKeySecurityToken(-1, 0, this.Factory.OutgoingAlgorithmSuite.GetSignatureKeyDerivationLength(token, this.Factory.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal), keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId()); } } }
private void StartSignature() { if (this.elementContainer.SourceSigningToken != null) { SecurityToken sourceSigningToken; SecurityKeyIdentifierClause clause2; SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.signingTokenParameters); SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, tokenReferenceStyle); if (tokenToDeriveIdentifier == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message); } if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey) { string signatureKeyDerivationAlgorithm = base.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); if (signatureKeyDerivationAlgorithm != keyDerivationAlgorithm) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { signatureKeyDerivationAlgorithm }))); } DerivedKeySecurityToken token2 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, this.elementContainer.SourceSigningToken, tokenToDeriveIdentifier, signatureKeyDerivationAlgorithm, this.GenerateId()); sourceSigningToken = this.elementContainer.DerivedSigningToken = token2; clause2 = new LocalIdKeyIdentifierClause(sourceSigningToken.Id, sourceSigningToken.GetType()); } else { sourceSigningToken = this.elementContainer.SourceSigningToken; clause2 = tokenToDeriveIdentifier; } SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause2 }); if ((this.signatureConfirmationsToSend != null) && (this.signatureConfirmationsToSend.Count > 0)) { ISecurityElement[] elementArray = this.CreateSignatureConfirmationElements(this.signatureConfirmationsToSend); for (int i = 0; i < elementArray.Length; i++) { SendSecurityHeaderElement confirmation = new SendSecurityHeaderElement(elementArray[i].Id, elementArray[i]) { MarkedForEncryption = this.signatureConfirmationsToSend.IsMarkedForEncryption }; this.elementContainer.AddSignatureConfirmation(confirmation); } } bool generateTargettablePrimarySignature = (this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null); this.StartPrimarySignatureCore(sourceSigningToken, identifier, this.signatureParts, generateTargettablePrimarySignature); } }
public void SetOutgoingSessionToken(SecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } lock (ThisLock) { this.outgoingSessionToken = token; if (this.requireDerivedKeys) { string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion); this.derivedSignatureToken = new DerivedKeySecurityToken(-1, 0, this.Factory.OutgoingAlgorithmSuite.GetSignatureKeyDerivationLength(token, this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External), derivationAlgorithm, SecurityUtils.GenerateId()); this.derivedEncryptionToken = new DerivedKeySecurityToken(-1, 0, this.Factory.OutgoingAlgorithmSuite.GetEncryptionKeyDerivationLength(token, this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External), derivationAlgorithm, SecurityUtils.GenerateId()); } } }
internal void EnsureAcceptableDecryptionSymmetricKeySize(SymmetricSecurityKey securityKey, SecurityToken token) { int keySize; DerivedKeySecurityToken token2 = token as DerivedKeySecurityToken; if (token2 != null) { token = token2.TokenToDerive; keySize = ((SymmetricSecurityKey)token.SecurityKeys[0]).KeySize; if (token2.SecurityKeys[0].KeySize < this.DefaultEncryptionKeyDerivationLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenDoesNotMeetKeySizeRequirements", new object[] { this, token2, token2.SecurityKeys[0].KeySize }))); } } else { keySize = securityKey.KeySize; } if (!this.IsSymmetricKeyLengthSupported(keySize)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenDoesNotMeetKeySizeRequirements", new object[] { this, token, keySize }))); } }
DerivedKeySecurityToken CreateDerivedKey(string id, SecurityKeyIdentifierClause actualClause, SymmetricAlgorithm actualKey) { RijndaelManaged deriv = new RijndaelManaged(); deriv.KeySize = security.Element.DefaultAlgorithmSuite.DefaultEncryptionKeyDerivationLength; deriv.Mode = CipherMode.CBC; deriv.Padding = PaddingMode.ISO10126; deriv.GenerateKey(); var dkeyToken = new DerivedKeySecurityToken( id, null, // algorithm actualClause, new InMemorySymmetricSecurityKey(actualKey.Key), null, // name null, // generation null, // offset deriv.Key.Length, null, // label deriv.Key); return(dkeyToken); }
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } SecurityToken resolvedToken = null; for (int i = 0; i < this.tokenCount; i++) { if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External) { continue; } SecurityToken token = tokens[i].Token; if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle)) { resolvedToken = token; break; } else if (tokens[i].TokenParameters == null) { // match it according to the allowed reference style if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause)) { resolvedToken = token; break; } } } if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause)) { EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier; SecurityToken unwrappingToken; if (this.expectedWrapper != null && CheckExternalWrapperMatch(wrappingTokenReference)) { unwrappingToken = this.expectedWrapper; } else { unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause); } if (unwrappingToken != null) { resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken); } } if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause)) { resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData())); } byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce(); if ((resolvedToken != null) && (derivationNonce != null)) { // A Implicit Derived Key is specified. Create a derived key off of the resolve token. if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null) { // The resolved token contains no Symmetric Security key and thus we cannot create // a derived key off of it. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken))); } int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength; if (derivationLength > this.securityHeader.MaxDerivedKeyLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength))); } bool alreadyDerived = false; for (int i = 0; i < this.tokenCount; ++i) { DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken; if (derivedKeyToken != null) { if ((derivedKeyToken.Length == derivationLength) && (CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) && (derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause))) { // This is a implcit derived key for which we have already derived the // token. resolvedToken = this.tokens[i].Token; alreadyDerived = true; break; } } } if (!alreadyDerived) { string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion); resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId()); ((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength); Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null); this.securityHeader.EnsureDerivedKeyLimitNotReached(); } } return(resolvedToken); }
// xml format //<DerivedKeyToken wsu:Id="..." wsse:Algorithm="..."> id required, alg optional (curr disallowed) // <SecurityTokenReference>...</SecurityTokenReference> - required // <Properties>...</Properties> - disallowed (optional in spec, but we disallow it) // choice begin - (schema requires a choice - we allow neither on read - we always write one) // <Generation>...</Generation> - optional // <Offset>...</Offset> - optional // choice end // <Length>...</Length> - optional - default 32 on read (default specified in spec, not in schema - we always write it) // <Label>...</Label> - optional // <Nonce>...</Nonce> - required (optional in spec, but we require it) //</DerivedKeyToken> public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive) { if (tokenResolver == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver"); } id = reader.GetAttribute(CoreWCF.XD.UtilityDictionary.IdAttribute, CoreWCF.XD.UtilityDictionary.Namespace); derivationAlgorithm = reader.GetAttribute(CoreWCF.XD.XmlSignatureDictionary.Algorithm, null); if (derivationAlgorithm == null) { derivationAlgorithm = parent.DerivationAlgorithm; } reader.ReadStartElement(); tokenToDeriveIdentifier = null; tokenToDerive = null; if (reader.IsStartElement(CoreWCF.XD.SecurityJan2004Dictionary.SecurityTokenReference, CoreWCF.XD.SecurityJan2004Dictionary.Namespace)) { tokenToDeriveIdentifier = parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause(reader); tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyTokenRequiresTokenReference))); } // no support for properties generation = -1; if (reader.IsStartElement(parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); generation = reader.ReadContentAsInt(); reader.ReadEndElement(); if (generation < 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidGenerationSpecified, generation))); } } offset = -1; if (reader.IsStartElement(parent.SerializerDictionary.Offset, parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); offset = reader.ReadContentAsInt(); reader.ReadEndElement(); if (offset < 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidOffsetSpecified, offset))); } } length = DerivedKeySecurityToken.DefaultDerivedKeyLength; if (reader.IsStartElement(parent.SerializerDictionary.Length, parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); length = reader.ReadContentAsInt(); reader.ReadEndElement(); } if ((offset == -1) && (generation == -1)) { offset = 0; } // verify that the offset is not larger than the max allowed DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset); label = null; if (reader.IsStartElement(parent.SerializerDictionary.Label, parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); label = reader.ReadString(); reader.ReadEndElement(); } if (label != null && label.Length > this.maxKeyDerivationLabelLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenLabelTooLong, label.Length, this.maxKeyDerivationLabelLength))); } nonce = null; reader.ReadStartElement(parent.SerializerDictionary.Nonce, parent.SerializerDictionary.Namespace); nonce = reader.ReadContentAsBase64(); reader.ReadEndElement(); if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenNonceTooLong, nonce.Length, this.maxKeyDerivationNonceLength))); } reader.ReadEndElement(); }
private void SignWithSupportingTokens() { SecurityToken[] endorsingTokens = ElementContainer.GetEndorsingSupportingTokens(); if (endorsingTokens != null) { for (int i = 0; i < endorsingTokens.Length; ++i) { SecurityToken source = endorsingTokens[i]; SecurityKeyIdentifierClause sourceKeyClause = _endorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(_endorsingTokenParameters[i])); if (sourceKeyClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message); } SecurityToken signingToken; SecurityKeyIdentifierClause signingKeyClause; if (_endorsingTokenParameters[i].RequireDerivedKeys && !_endorsingTokenParameters[i].HasAsymmetricKey) { string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion); DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0, AlgorithmSuite.GetSignatureKeyDerivationLength(source, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId()); signingToken = dkt; signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType()); ElementContainer.AddEndorsingDerivedSupportingToken(dkt); } else { signingToken = source; signingKeyClause = sourceKeyClause; } SignWithSupportingToken(signingToken, signingKeyClause); } } SecurityToken[] signedEndorsingSupportingTokens = ElementContainer.GetSignedEndorsingSupportingTokens(); if (signedEndorsingSupportingTokens != null) { for (int i = 0; i < signedEndorsingSupportingTokens.Length; ++i) { SecurityToken source = signedEndorsingSupportingTokens[i]; SecurityKeyIdentifierClause sourceKeyClause = _signedEndorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(_signedEndorsingTokenParameters[i])); if (sourceKeyClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message); } SecurityToken signingToken; SecurityKeyIdentifierClause signingKeyClause; if (_signedEndorsingTokenParameters[i].RequireDerivedKeys && !_signedEndorsingTokenParameters[i].HasAsymmetricKey) { string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion); DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0, AlgorithmSuite.GetSignatureKeyDerivationLength(source, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId()); signingToken = dkt; signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType()); ElementContainer.AddSignedEndorsingDerivedSupportingToken(dkt); } else { signingToken = source; signingKeyClause = sourceKeyClause; } SignWithSupportingToken(signingToken, signingKeyClause); } } }
private void StartEncryption() { if (ElementContainer.SourceEncryptionToken == null) { return; } // determine the key identifier clause to use for the source SecurityTokenReferenceStyle sourceEncryptingKeyReferenceStyle = GetTokenReferenceStyle(_encryptingTokenParameters); bool encryptionTokenSerialized = sourceEncryptingKeyReferenceStyle == SecurityTokenReferenceStyle.Internal; SecurityKeyIdentifierClause sourceEncryptingKeyIdentifierClause = _encryptingTokenParameters.CreateKeyIdentifierClause(ElementContainer.SourceEncryptionToken, sourceEncryptingKeyReferenceStyle); if (sourceEncryptingKeyIdentifierClause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message); } SecurityToken sourceToken; SecurityKeyIdentifierClause sourceTokenIdentifierClause; // if the source token cannot do symmetric crypto, create a wrapped key if (!SecurityUtils.HasSymmetricSecurityKey(ElementContainer.SourceEncryptionToken)) { int keyLength = Math.Max(128, AlgorithmSuite.DefaultSymmetricKeyLength); CryptoHelper.ValidateSymmetricKeyLength(keyLength, AlgorithmSuite); byte[] key = new byte[keyLength / 8]; CryptoHelper.FillRandomBytes(key); AlgorithmSuite.GetKeyWrapAlgorithm(ElementContainer.SourceEncryptionToken, out string keyWrapAlgorithm, out XmlDictionaryString keyWrapAlgorithmDictionaryString); WrappedKeySecurityToken wrappedKey = new WrappedKeySecurityToken(GenerateId(), key, keyWrapAlgorithm, keyWrapAlgorithmDictionaryString, ElementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(sourceEncryptingKeyIdentifierClause)); ElementContainer.WrappedEncryptionToken = wrappedKey; sourceToken = wrappedKey; sourceTokenIdentifierClause = new LocalIdKeyIdentifierClause(wrappedKey.Id, wrappedKey.GetType()); encryptionTokenSerialized = true; } else { sourceToken = ElementContainer.SourceEncryptionToken; sourceTokenIdentifierClause = sourceEncryptingKeyIdentifierClause; } // determine if a key needs to be derived SecurityKeyIdentifierClause encryptingKeyIdentifierClause; // determine if a token needs to be derived if (_encryptingTokenParameters.RequireDerivedKeys) { string derivationAlgorithm = AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion); string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion); if (derivationAlgorithm == expectedDerivationAlgorithm) { DerivedKeySecurityToken derivedEncryptingToken = new DerivedKeySecurityToken(-1, 0, AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, sourceToken, sourceTokenIdentifierClause, derivationAlgorithm, GenerateId()); _encryptingToken = ElementContainer.DerivedEncryptionToken = derivedEncryptingToken; encryptingKeyIdentifierClause = new LocalIdKeyIdentifierClause(derivedEncryptingToken.Id, derivedEncryptingToken.GetType()); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm))); } } else { _encryptingToken = sourceToken; encryptingKeyIdentifierClause = sourceTokenIdentifierClause; } _skipKeyInfoForEncryption = encryptionTokenSerialized && EncryptedKeyContainsReferenceList && (_encryptingToken is WrappedKeySecurityToken) && _signThenEncrypt; SecurityKeyIdentifier identifier; if (_skipKeyInfoForEncryption) { identifier = null; } else { identifier = new SecurityKeyIdentifier(encryptingKeyIdentifierClause); } StartEncryptionCore(_encryptingToken, identifier); }
private void SignWithSupportingTokens() { SecurityToken[] endorsingSupportingTokens = this.elementContainer.GetEndorsingSupportingTokens(); if (endorsingSupportingTokens != null) { for (int i = 0; i < endorsingSupportingTokens.Length; i++) { SecurityToken token2; SecurityKeyIdentifierClause clause2; SecurityToken token = endorsingSupportingTokens[i]; SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.endorsingTokenParameters[i].CreateKeyIdentifierClause(token, this.GetTokenReferenceStyle(this.endorsingTokenParameters[i])); if (tokenToDeriveIdentifier == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message); } if (this.endorsingTokenParameters[i].RequireDerivedKeys && !this.endorsingTokenParameters[i].HasAsymmetricKey) { string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); DerivedKeySecurityToken token3 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(token, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token, tokenToDeriveIdentifier, keyDerivationAlgorithm, this.GenerateId()); token2 = token3; clause2 = new LocalIdKeyIdentifierClause(token3.Id, token3.GetType()); this.elementContainer.AddEndorsingDerivedSupportingToken(token3); } else { token2 = token; clause2 = tokenToDeriveIdentifier; } this.SignWithSupportingToken(token2, clause2); } } SecurityToken[] signedEndorsingSupportingTokens = this.elementContainer.GetSignedEndorsingSupportingTokens(); if (signedEndorsingSupportingTokens != null) { for (int j = 0; j < signedEndorsingSupportingTokens.Length; j++) { SecurityToken token5; SecurityKeyIdentifierClause clause4; SecurityToken token4 = signedEndorsingSupportingTokens[j]; SecurityKeyIdentifierClause clause3 = this.signedEndorsingTokenParameters[j].CreateKeyIdentifierClause(token4, this.GetTokenReferenceStyle(this.signedEndorsingTokenParameters[j])); if (clause3 == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message); } if (this.signedEndorsingTokenParameters[j].RequireDerivedKeys && !this.signedEndorsingTokenParameters[j].HasAsymmetricKey) { string derivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); DerivedKeySecurityToken token6 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(token4, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token4, clause3, derivationAlgorithm, this.GenerateId()); token5 = token6; clause4 = new LocalIdKeyIdentifierClause(token6.Id, token6.GetType()); this.elementContainer.AddSignedEndorsingDerivedSupportingToken(token6); } else { token5 = token4; clause4 = clause3; } this.SignWithSupportingToken(token5, clause4); } } }
public Message SecureMessage() { secprop = Message.Properties.Security ?? new SecurityMessageProperty(); SecurityToken encToken = secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken; // FIXME: it might be still incorrect. SecurityToken signToken = Parameters == CounterParameters ? null : security.SigningToken; MessageProtectionOrder protectionOrder = security.MessageProtectionOrder; SecurityTokenSerializer serializer = security.TokenSerializer; SecurityBindingElement element = security.Element; SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite; string messageId = "uuid-" + Guid.NewGuid(); int identForMessageId = 1; XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; // FIXME: get correct ReplyTo value if (Direction == MessageDirection.Input) { msg.Headers.ReplyTo = new EndpointAddress(Constants.WsaAnonymousUri); } if (MessageTo != null) { msg.Headers.To = MessageTo.Uri; } // wss:Security WSSecurityMessageHeader header = new WSSecurityMessageHeader(serializer); msg.Headers.Add(header); // 1. [Timestamp] if (element.IncludeTimestamp) { WsuTimestamp timestamp = new WsuTimestamp(); timestamp.Id = messageId + "-" + identForMessageId++; timestamp.Created = DateTime.Now; // FIXME: on service side, use element.LocalServiceSettings.TimestampValidityDuration timestamp.Expires = timestamp.Created.Add(element.LocalClientSettings.TimestampValidityDuration); header.AddContent(timestamp); } XmlNamespaceManager nsmgr = new XmlNamespaceManager(doc.NameTable); nsmgr.AddNamespace("s", msg.Version.Envelope.Namespace); nsmgr.AddNamespace("o", Constants.WssNamespace); nsmgr.AddNamespace("u", Constants.WsuNamespace); nsmgr.AddNamespace("o11", Constants.Wss11Namespace); /*WrappedKey*/ SecurityToken primaryToken = null; DerivedKeySecurityToken dkeyToken = null; SecurityToken actualToken = null; SecurityKeyIdentifierClause actualClause = null; Signature sig = null; List <DerivedKeySecurityToken> derivedKeys = new List <DerivedKeySecurityToken> (); SymmetricAlgorithm masterKey = new RijndaelManaged(); masterKey.KeySize = suite.DefaultSymmetricKeyLength; masterKey.Mode = CipherMode.CBC; masterKey.Padding = PaddingMode.ISO10126; SymmetricAlgorithm actualKey = masterKey; // 2. [Encryption Token] // SecurityTokenInclusionMode // - Initiator or Recipient // - done or notyet. FIXME: not implemented yet // It also affects on key reference output bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false : ShouldIncludeToken( Security.RecipientParameters.InclusionMode, false); bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false : ShouldIncludeToken( Security.InitiatorParameters.InclusionMode, false); SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ? CounterParameters.CallCreateKeyIdentifierClause(encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null; MessagePartSpecification sigSpec = SignaturePart; MessagePartSpecification encSpec = EncryptionPart; // encryption key (possibly also used for signing) // FIXME: get correct SymmetricAlgorithm according to the algorithm suite if (secprop.EncryptionKey != null) { actualKey.Key = secprop.EncryptionKey; } // FIXME: remove thid hack if (!ShouldOutputEncryptedKey) { primaryToken = secprop.ProtectionToken.SecurityToken as WrappedKeySecurityToken; } else { primaryToken = // FIXME: remove this hack? encToken is SecurityContextSecurityToken ? encToken : new WrappedKeySecurityToken(messageId + "-" + identForMessageId++, actualKey.Key, // security.DefaultKeyWrapAlgorithm, Parameters.InternalHasAsymmetricKey ? suite.DefaultAsymmetricKeyWrapAlgorithm : suite.DefaultSymmetricKeyWrapAlgorithm, encToken, encClause != null ? new SecurityKeyIdentifier(encClause) : null); } // If it reuses request's encryption key, do not output. if (ShouldOutputEncryptedKey) { header.AddContent(primaryToken); } actualToken = primaryToken; // FIXME: I doubt it is correct... WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken; actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause) new LocalIdKeyIdentifierClause(actualToken.Id, typeof(WrappedKeySecurityToken)) : new InternalEncryptedKeyIdentifierClause(SHA1.Create().ComputeHash(requestEncKey.GetWrappedKey())); // generate derived key if needed if (CounterParameters.RequireDerivedKeys) { RijndaelManaged deriv = new RijndaelManaged(); deriv.KeySize = suite.DefaultEncryptionKeyDerivationLength; deriv.Mode = CipherMode.CBC; deriv.Padding = PaddingMode.ISO10126; deriv.GenerateKey(); dkeyToken = new DerivedKeySecurityToken( GenerateId(doc), null, // algorithm actualClause, new InMemorySymmetricSecurityKey(actualKey.Key), null, // name null, // generation null, // offset deriv.Key.Length, null, // label deriv.Key); derivedKeys.Add(dkeyToken); actualToken = dkeyToken; actualKey.Key = ((SymmetricSecurityKey)dkeyToken.SecurityKeys [0]).GetSymmetricKey(); actualClause = new LocalIdKeyIdentifierClause(dkeyToken.Id); header.AddContent(dkeyToken); } ReferenceList refList = new ReferenceList(); // When encrypted with DerivedKeyToken, put references // immediately after the derived token (not inside the // primary token). // Similarly, when we do not output EncryptedKey, // output ReferenceList in the same way. if (CounterParameters.RequireDerivedKeys || !ShouldOutputEncryptedKey) { header.AddContent(refList); } else { ((WrappedKeySecurityToken)primaryToken).ReferenceList = refList; } // [Signature Confirmation] if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0) { foreach (string value in secprop.ConfirmedSignatures) { header.AddContent(new Wss11SignatureConfirmation(GenerateId(doc), value)); } } SupportingTokenInfoCollection tokenInfos = Direction == MessageDirection.Input ? security.CollectSupportingTokens(GetAction()) : new SupportingTokenInfoCollection(); // empty foreach (SupportingTokenInfo tinfo in tokenInfos) { header.AddContent(tinfo.Token); } // populate DOM to sign. XPathNavigator nav = doc.CreateNavigator(); using (XmlWriter w = nav.AppendChild()) { msg.WriteMessage(w); } XmlElement body = doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement; string bodyId = null; XmlElement secElem = null; Collection <WSSignedXml> endorsedSignatures = new Collection <WSSignedXml> (); bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature); // Below are o:Security contents that are not signed... if (includeSigToken && signToken != null) { header.AddContent(signToken); } switch (protectionOrder) { case MessageProtectionOrder.EncryptBeforeSign: // FIXME: implement throw new NotImplementedException(); case MessageProtectionOrder.SignBeforeEncrypt: case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature: // sign // see clause 8 of WS-SecurityPolicy C.2.2 WSSignedXml sxml = new WSSignedXml(doc); SecurityTokenReferenceKeyInfo sigKeyInfo; sig = sxml.Signature; sig.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm; foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/u:Timestamp", nsmgr)) { CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace)); } foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) { CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace)); } foreach (SupportingTokenInfo tinfo in tokenInfos) { if (tinfo.Mode != SecurityTokenAttachmentMode.Endorsing) { XmlElement el = sxml.GetIdElement(doc, tinfo.Token.Id); CreateReference(sig, el, el.GetAttribute("Id", Constants.WsuNamespace)); } } XmlNodeList nodes = doc.SelectNodes("/s:Envelope/s:Header/*", nsmgr); for (int i = 0; i < msg.Headers.Count; i++) { MessageHeaderInfo h = msg.Headers [i]; if (h.Name == "Security" && h.Namespace == Constants.WssNamespace) { secElem = nodes [i] as XmlElement; } else if (sigSpec.HeaderTypes.Count == 0 || sigSpec.HeaderTypes.Contains(new XmlQualifiedName(h.Name, h.Namespace))) { string id = GenerateId(doc); h.Id = id; CreateReference(sig, nodes [i] as XmlElement, id); } } if (sigSpec.IsBodyIncluded) { bodyId = GenerateId(doc); CreateReference(sig, body.ParentNode as XmlElement, bodyId); } if (security.DefaultSignatureAlgorithm == SignedXml.XmlDsigHMACSHA1Url) { // FIXME: use appropriate hash algorithm sxml.ComputeSignature(new HMACSHA1(actualKey.Key)); sigKeyInfo = new SecurityTokenReferenceKeyInfo(actualClause, serializer, doc); } else { SecurityKeyIdentifierClause signClause = CounterParameters.CallCreateKeyIdentifierClause(signToken, includeSigToken ? CounterParameters.ReferenceStyle : SecurityTokenReferenceStyle.External); AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)signToken.ResolveKeyIdentifierClause(signClause); sxml.SigningKey = signKey.GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, true); sxml.ComputeSignature(); sigKeyInfo = new SecurityTokenReferenceKeyInfo(signClause, serializer, doc); } sxml.KeyInfo = new KeyInfo(); sxml.KeyInfo.AddClause(sigKeyInfo); if (!signatureProtection) { header.AddContent(sig); } // endorse the signature with (signed)endorsing // supporting tokens. foreach (SupportingTokenInfo tinfo in tokenInfos) { switch (tinfo.Mode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: if (sxml.Signature.Id == null) { sig.Id = GenerateId(doc); secElem.AppendChild(sxml.GetXml()); } WSSignedXml ssxml = new WSSignedXml(doc); ssxml.Signature.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm; CreateReference(ssxml.Signature, doc, sig.Id); SecurityToken sst = tinfo.Token; SecurityKey ssk = sst.SecurityKeys [0]; // FIXME: could be different? SecurityKeyIdentifierClause tclause = new LocalIdKeyIdentifierClause(sst.Id); // FIXME: could be different? if (ssk is SymmetricSecurityKey) { SymmetricSecurityKey signKey = (SymmetricSecurityKey)ssk; ssxml.ComputeSignature(signKey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)ssk; ssxml.SigningKey = signKey.GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, true); ssxml.ComputeSignature(); } ssxml.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(tclause, serializer, doc)); if (!signatureProtection) { header.AddContent(ssxml.Signature); } endorsedSignatures.Add(ssxml); break; } } // encrypt WSEncryptedXml exml = new WSEncryptedXml(doc); EncryptedData edata = Encrypt(body, actualKey, actualToken.Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(body, edata, false); // encrypt signature if (signatureProtection) { XmlElement sigxml = sig.GetXml(); edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc); header.AddContent(edata); foreach (WSSignedXml ssxml in endorsedSignatures) { sigxml = ssxml.GetXml(); edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc); header.AddContent(edata); } if (security.RequireSignatureConfirmation) { Collection <Wss11SignatureConfirmation> confs = header.FindAll <Wss11SignatureConfirmation> (); int count = 0; foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr)) { edata = Encrypt(elem, actualKey, confs [count].Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(elem, edata, false); header.Contents.Insert(header.Contents.IndexOf(confs [count]), edata); header.Contents.Remove(confs [count++]); } } } // encrypt Encrypted supporting tokens foreach (SupportingTokenInfo tinfo in tokenInfos) { if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted) { XmlElement el = exml.GetIdElement(doc, tinfo.Token.Id); tinfo.Encrypted = Encrypt(el, actualKey, actualToken.Id, refList, actualClause, exml, doc); EncryptedXml.ReplaceElement(el, tinfo.Encrypted, false); header.Contents.Insert(header.Contents.IndexOf(tinfo.Token), tinfo.Encrypted); header.Contents.Remove(tinfo.Token); } } break; } Message ret = new WSSecurityMessage(Message.CreateMessage(msg.Version, msg.Headers.Action, new XmlNodeReader(doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement)), bodyId); ret.Properties.Security = (SecurityMessageProperty)secprop.CreateCopy(); ret.Properties.Security.EncryptionKey = masterKey.Key; // FIXME: can we support TransportToken here? if (element is AsymmetricSecurityBindingElement) { ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(encToken, null); // FIXME: second argument ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(signToken, null); // FIXME: second argument } else { ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification(primaryToken, null); } ret.Headers.Clear(); ret.Headers.CopyHeadersFrom(msg); // Header contents are: // - Timestamp // - SignatureConfirmation if required // - EncryptionToken if included // - derived key token for EncryptionToken // - ReferenceList for encrypted items // - signed supporting tokens // - signed endorsing supporting tokens // (i.e. Signed/SignedEncrypted/SignedEndorsing) // - Signature Token if different from enc token. // - derived key token for sig token if different // - Signature for: // - Timestamp // - supporting tokens (regardless of // its inclusion) // - message parts in SignedParts // - SignatureToken if TokenProtection // (regardless of its inclusion) // - Signatures for the main signature (above), // for every endorsing token and signed // endorsing token. // //MessageBuffer zzz = ret.CreateBufferedCopy (100000); //ret = zzz.CreateMessage (); //Console.WriteLine (zzz.CreateMessage ()); return(ret); }
private void StartEncryption() { if (this.elementContainer.SourceEncryptionToken != null) { SecurityToken sourceEncryptionToken; SecurityKeyIdentifierClause clause2; SecurityKeyIdentifierClause clause3; SecurityKeyIdentifier identifier; SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.encryptingTokenParameters); bool flag = tokenReferenceStyle == SecurityTokenReferenceStyle.Internal; SecurityKeyIdentifierClause clause = this.encryptingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceEncryptionToken, tokenReferenceStyle); if (clause == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message); } if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(this.elementContainer.SourceEncryptionToken)) { string str; XmlDictionaryString str2; int keyLength = Math.Max(0x80, base.AlgorithmSuite.DefaultSymmetricKeyLength); System.ServiceModel.Security.CryptoHelper.ValidateSymmetricKeyLength(keyLength, base.AlgorithmSuite); byte[] buffer = new byte[keyLength / 8]; System.ServiceModel.Security.CryptoHelper.FillRandomBytes(buffer); base.AlgorithmSuite.GetKeyWrapAlgorithm(this.elementContainer.SourceEncryptionToken, out str, out str2); WrappedKeySecurityToken token2 = new WrappedKeySecurityToken(this.GenerateId(), buffer, str, str2, this.elementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause })); this.elementContainer.WrappedEncryptionToken = token2; sourceEncryptionToken = token2; clause2 = new LocalIdKeyIdentifierClause(token2.Id, token2.GetType()); flag = true; } else { sourceEncryptionToken = this.elementContainer.SourceEncryptionToken; clause2 = clause; } if (this.encryptingTokenParameters.RequireDerivedKeys) { string encryptionKeyDerivationAlgorithm = base.AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceEncryptionToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion); if (encryptionKeyDerivationAlgorithm != keyDerivationAlgorithm) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { encryptionKeyDerivationAlgorithm }))); } DerivedKeySecurityToken token3 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceEncryptionToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, sourceEncryptionToken, clause2, encryptionKeyDerivationAlgorithm, this.GenerateId()); this.encryptingToken = this.elementContainer.DerivedEncryptionToken = token3; clause3 = new LocalIdKeyIdentifierClause(token3.Id, token3.GetType()); } else { this.encryptingToken = sourceEncryptionToken; clause3 = clause2; } this.skipKeyInfoForEncryption = ((flag && base.EncryptedKeyContainsReferenceList) && (this.encryptingToken is WrappedKeySecurityToken)) && this.signThenEncrypt; if (this.skipKeyInfoForEncryption) { identifier = null; } else { identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause3 }); } this.StartEncryptionCore(this.encryptingToken, identifier); } }
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive) { if (tokenResolver == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver"); } id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace); derivationAlgorithm = reader.GetAttribute(XD.XmlSignatureDictionary.Algorithm, (XmlDictionaryString)null); if (derivationAlgorithm == null) { derivationAlgorithm = this.parent.DerivationAlgorithm; } reader.ReadStartElement(); tokenToDeriveIdentifier = (SecurityKeyIdentifierClause)null; tokenToDerive = (SecurityToken)null; if (!reader.IsStartElement(XD.SecurityJan2004Dictionary.SecurityTokenReference, XD.SecurityJan2004Dictionary.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyTokenRequiresTokenReference"))); } tokenToDeriveIdentifier = this.parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause((XmlReader)reader); tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive); generation = -1; if (reader.IsStartElement(this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); generation = reader.ReadContentAsInt(); reader.ReadEndElement(); if (generation < 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidGenerationSpecified", new object[1] { (object)generation }))); } } offset = -1; if (reader.IsStartElement(this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); offset = reader.ReadContentAsInt(); reader.ReadEndElement(); if (offset < 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidOffsetSpecified", new object[1] { (object)offset }))); } } length = 32; if (reader.IsStartElement(this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); length = reader.ReadContentAsInt(); reader.ReadEndElement(); } if (offset == -1 && generation == -1) { offset = 0; } DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset); label = (string)null; if (reader.IsStartElement(this.parent.SerializerDictionary.Label, this.parent.SerializerDictionary.Namespace)) { reader.ReadStartElement(); label = reader.ReadString(); reader.ReadEndElement(); } if (label != null && label.Length > this.maxKeyDerivationLabelLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenLabelTooLong", (object)label.Length, (object)this.maxKeyDerivationLabelLength))); } nonce = (byte[])null; reader.ReadStartElement(this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace); nonce = reader.ReadContentAsBase64(); reader.ReadEndElement(); if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenNonceTooLong", (object)nonce.Length, (object)this.maxKeyDerivationNonceLength))); } reader.ReadEndElement(); }
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause) { if (keyIdentifierClause == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause"); } SecurityToken token = null; for (int i = 0; i < this.tokenCount; i++) { if (!matchOnlyExternal || (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.External)) { SecurityToken token2 = this.tokens[i].Token; if ((this.tokens[i].TokenParameters != null) && this.tokens[i].TokenParameters.MatchesKeyIdentifierClause(token2, keyIdentifierClause, this.tokens[i].AllowedReferenceStyle)) { token = token2; break; } if (((this.tokens[i].TokenParameters == null) && (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal)) && this.MatchDirectReference(token2, keyIdentifierClause)) { token = token2; break; } } } if ((token == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause)) { SecurityToken expectedWrapper; EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause; SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier; if ((this.expectedWrapper != null) && this.CheckExternalWrapperMatch(encryptingKeyIdentifier)) { expectedWrapper = this.expectedWrapper; } else { expectedWrapper = this.ResolveToken(encryptingKeyIdentifier, true, resolveIntrinsicKeyClause); } if (expectedWrapper != null) { token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, expectedWrapper); } } if (((token == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause)) && (!matchOnlyExternal && resolveIntrinsicKeyClause)) { token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData())); } byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce(); if ((token != null) && (derivationNonce != null)) { if (System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token) == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToDeriveKeyFromKeyInfoClause", new object[] { keyIdentifierClause, token }))); } int length = (keyIdentifierClause.DerivationLength == 0) ? 0x20 : keyIdentifierClause.DerivationLength; if (length > this.securityHeader.MaxDerivedKeyLength) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong", new object[] { keyIdentifierClause.ToString(), length, this.securityHeader.MaxDerivedKeyLength }))); } bool flag = false; for (int j = 0; j < this.tokenCount; j++) { DerivedKeySecurityToken token4 = this.tokens[j].Token as DerivedKeySecurityToken; if (((token4 != null) && (token4.Length == length)) && (CryptoHelper.IsEqual(token4.Nonce, derivationNonce) && token4.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause))) { token = this.tokens[j].Token; flag = true; break; } } if (!flag) { string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion); token = new DerivedKeySecurityToken(-1, 0, length, null, derivationNonce, token, keyIdentifierClause, keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId()); ((DerivedKeySecurityToken)token).InitializeDerivedKey(length); this.Add(token, SecurityTokenReferenceStyle.Internal, null); this.securityHeader.EnsureDerivedKeyLimitNotReached(); } } return(token); }
void ExtractSecurity() { if (security.MessageProtectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature && wss_header.Find <SignedXml> () != null) { throw new MessageSecurityException("The security binding element expects that the message signature is encrypted, while it isn't."); } WrappedKeySecurityToken wk = wss_header.Find <WrappedKeySecurityToken> (); DerivedKeySecurityToken dk = wss_header.Find <DerivedKeySecurityToken> (); if (wk != null) { if (Parameters.RequireDerivedKeys && dk == null) { throw new MessageSecurityException("DerivedKeyToken is required in this contract, but was not found in the message"); } } else { // FIXME: this is kind of hack for symmetric reply processing. wk = RequestSecurity.ProtectionToken != null ? RequestSecurity.ProtectionToken.SecurityToken as WrappedKeySecurityToken : null; } SymmetricSecurityKey wkkey = wk != null ? wk.SecurityKeys [0] as SymmetricSecurityKey : null; wss_header_reader.DecryptSecurity(this, wkkey, RequestSecurity != null ? RequestSecurity.EncryptionKey : null); // signature confirmation WSSignedXml sxml = wss_header.Find <WSSignedXml> (); if (sxml == null) { throw new MessageSecurityException("The the message signature is expected but not found."); } bool confirmed = false; SecurityKeyIdentifierClause sigClause = null; foreach (KeyInfoClause kic in sxml.KeyInfo) { SecurityTokenReferenceKeyInfo r = kic as SecurityTokenReferenceKeyInfo; if (r != null) { sigClause = r.Clause; } } if (sigClause == null) { throw new MessageSecurityException("SecurityTokenReference was not found in dsig:Signature KeyInfo."); } SecurityToken signToken; SecurityKey signKey; signToken = TokenResolver.ResolveToken(sigClause); signKey = signToken.ResolveKeyIdentifierClause(sigClause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = sxml.CheckSignature(new HMACSHA1(symkey.GetSymmetricKey())); if (wk != null) { // FIXME: authenticate token sec_prop.ProtectionToken = new SecurityTokenSpecification(wk, null); } } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, false); confirmed = sxml.CheckSignature(alg); sec_prop.InitiatorToken = new SecurityTokenSpecification( signToken, security.TokenAuthenticator.ValidateToken(signToken)); } if (!confirmed) { throw new MessageSecurityException("Message signature is invalid."); } // token authentication // FIXME: it might not be limited to recipient if (Direction == MessageDirection.Input) { ProcessSupportingTokens(sxml); } sec_prop.EncryptionKey = ((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey(); sec_prop.ConfirmedSignatures.Add(Convert.ToBase64String(sxml.SignatureValue)); }
private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer, SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout) { Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters"); Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters"); string localName = reader.LocalName; string namespaceUri = reader.NamespaceURI; string valueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null); SecurityTokenAuthenticator usedTokenAuthenticator; SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out usedTokenAuthenticator); if (token == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, localName, namespaceUri, valueType)), Message); } DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken; if (derivedKeyToken != null) { EnsureDerivedKeyLimitNotReached(); derivedKeyToken.InitializeDerivedKey(MaxDerivedKeyLength); } if (usedTokenAuthenticator == _primaryTokenAuthenticator) { _allowedAuthenticators.Remove(usedTokenAuthenticator); } ReceiveSecurityHeaderBindingModes mode; TokenTracker supportingTokenTracker = null; if (usedTokenAuthenticator == _primaryTokenAuthenticator) { // this is the primary token. Add to resolver as such _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters); _primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters); if (_pendingSupportingTokenAuthenticator != null) { _allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator); _pendingSupportingTokenAuthenticator = null; } _primaryTokenTracker.RecordToken(token); mode = ReceiveSecurityHeaderBindingModes.Primary; } else if (usedTokenAuthenticator == DerivedTokenAuthenticator) { if (token is DerivedKeySecurityTokenStub) { if (Layout == SecurityHeaderLayout.Strict) { DerivedKeySecurityTokenStub tmpToken = (DerivedKeySecurityTokenStub)token; throw TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, tmpToken.TokenToDeriveIdentifier)), Message); } } else { AddDerivedKeyTokenToResolvers(token); } mode = ReceiveSecurityHeaderBindingModes.Unknown; } else { SupportingTokenAuthenticatorSpecification supportingTokenSpec; supportingTokenTracker = GetSupportingTokenTracker(usedTokenAuthenticator, out supportingTokenSpec); if (supportingTokenTracker == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, usedTokenAuthenticator))); } if (supportingTokenTracker.Token != null) { supportingTokenTracker = new TokenTracker(supportingTokenSpec); _supportingTokenTrackers.Add(supportingTokenTracker); } supportingTokenTracker.RecordToken(token); if (encryptionToken != null) { supportingTokenTracker.IsEncrypted = true; } bool isBasic; bool isSignedButNotBasic; SecurityTokenAttachmentModeHelper.Categorize(supportingTokenSpec.SecurityTokenAttachmentMode, out isBasic, out isSignedButNotBasic, out mode); if (isBasic) { if (!ExpectBasicTokens) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected)); } // only basic tokens have to be part of the reference list. Encrypted Saml tokens dont for example if (RequireMessageProtection && encryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } } if (isSignedButNotBasic && !ExpectSignedTokens) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected)); } _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingTokenSpec.TokenParameters); } if (position == AppendPosition) { ElementManager.AppendToken(token, mode, supportingTokenTracker); } else { ElementManager.SetTokenAfterDecryption(position, token, mode, decryptedBuffer, supportingTokenTracker); } }