void WriteDerivedKeySecurityToken(XmlWriter w, DerivedKeySecurityToken token)
{
string ns = Constants.WsscNamespace;
w.WriteStartElement("c", "DerivedKeyToken", ns);
w.WriteAttributeString("u", "Id", Constants.WsuNamespace, token.Id);
WriteKeyIdentifierClause(w, token.TokenReference);
if (token.Name != null)
{
w.WriteStartElement("Properties", ns);
w.WriteElementString("Name", ns, token.Name);
w.WriteEndElement();
}
if (token.Offset != null)
{
w.WriteElementString("Offset", ns, Convert.ToString(token.Offset));
}
if (token.Length != null)
{
w.WriteElementString("Length", ns, Convert.ToString(token.Length));
}
if (token.Label != null)
{
w.WriteElementString("Label", ns, token.Label);
}
w.WriteElementString("Nonce", ns, Convert.ToBase64String(token.Nonce));
w.WriteEndElement();
}
private void StartSignature()
{
if (this.elementContainer.SourceSigningToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceSigningKeyReferenceStyle = GetTokenReferenceStyle(this.signingTokenParameters);
SecurityKeyIdentifierClause sourceSigningKeyIdentifierClause = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, sourceSigningKeyReferenceStyle);
if (sourceSigningKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), this.Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyIdentifierClause;
// determine if a token needs to be derived
if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey)
{
string derivationAlgorithm = this.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (derivationAlgorithm == expectedDerivationAlgorithm)
{
DerivedKeySecurityToken derivedSigningToken = new DerivedKeySecurityToken(-1, 0, this.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, this.elementContainer.SourceSigningToken,
sourceSigningKeyIdentifierClause, derivationAlgorithm, GenerateId());
signingToken = this.elementContainer.DerivedSigningToken = derivedSigningToken;
signingKeyIdentifierClause = new LocalIdKeyIdentifierClause(signingToken.Id, signingToken.GetType());
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm)));
}
}
else
{
signingToken = elementContainer.SourceSigningToken;
signingKeyIdentifierClause = sourceSigningKeyIdentifierClause;
}
SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(signingKeyIdentifierClause);
if (signatureConfirmationsToSend != null && signatureConfirmationsToSend.Count > 0)
{
ISecurityElement[] signatureConfirmationElements;
signatureConfirmationElements = CreateSignatureConfirmationElements(signatureConfirmationsToSend);
for (int i = 0; i < signatureConfirmationElements.Length; ++i)
{
SendSecurityHeaderElement sigConfElement = new SendSecurityHeaderElement(signatureConfirmationElements[i].Id, signatureConfirmationElements[i]);
sigConfElement.MarkedForEncryption = signatureConfirmationsToSend.IsMarkedForEncryption;
this.elementContainer.AddSignatureConfirmation(sigConfElement);
}
}
bool generateTargettablePrimarySignature = ((this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null));
this.StartPrimarySignatureCore(signingToken, signingKeyIdentifier, this.signatureParts, generateTargettablePrimarySignature);
}
public void ReadContents(XmlReader reader)
{
DerivedKeySecurityToken currentToken = null;
reader.MoveToContent();
reader.ReadStartElement("Security", Constants.WssNamespace);
do
{
reader.MoveToContent();
if (reader.NodeType == XmlNodeType.EndElement)
{
break;
}
object o = ReadContent(reader);
if (o is EncryptedData)
{
EncryptedData ed = (EncryptedData)o;
encryptedDataList [ed.Id] = ed;
}
else if (o is ReferenceList && currentToken != null)
{
currentToken.ReferenceList = (ReferenceList)o;
}
else if (o is SecurityToken)
{
if (o is DerivedKeySecurityToken)
{
currentToken = o as DerivedKeySecurityToken;
}
tokens.Add((SecurityToken)o);
}
header.Contents.Add(o);
} while (true);
reader.ReadEndElement();
}
// Ensure acceptable decrypting symmetric key.
// 1) if derived key, validate derived key against DefaultEncryptionKeyDerivationLength and validate
// source key against DefaultSymmetricKeyLength
// 2) if not derived key, validate key against DefaultSymmetricKeyLength
internal void EnsureAcceptableDecryptionSymmetricKeySize(SymmetricSecurityKey securityKey, SecurityToken token)
{
int keySize;
DerivedKeySecurityToken dkt = token as DerivedKeySecurityToken;
if (dkt != null)
{
token = dkt.TokenToDerive;
keySize = ((SymmetricSecurityKey)token.SecurityKeys[0]).KeySize;
// doing special case for derived key token signing length since
// the sending side doesn't honor the algorithm suite. It used the DefaultSignatureKeyDerivationLength instead
if (dkt.SecurityKeys[0].KeySize < this.DefaultEncryptionKeyDerivationLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.TokenDoesNotMeetKeySizeRequirements, this, dkt, dkt.SecurityKeys[0].KeySize)));
}
}
else
{
keySize = securityKey.KeySize;
}
if (!IsSymmetricKeyLengthSupported(keySize))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.TokenDoesNotMeetKeySizeRequirements, this, token, keySize)));
}
}
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
{
DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken;
string serializerPrefix = parent.SerializerDictionary.Prefix.Value;
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.DerivedKeyToken, parent.SerializerDictionary.Namespace);
if (derivedKeyToken.Id != null)
{
writer.WriteAttributeString(CoreWCF.XD.UtilityDictionary.Prefix.Value, CoreWCF.XD.UtilityDictionary.IdAttribute, CoreWCF.XD.UtilityDictionary.Namespace, derivedKeyToken.Id);
}
if (derivedKeyToken.KeyDerivationAlgorithm != parent.DerivationAlgorithm)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.UnsupportedKeyDerivationAlgorithm, derivedKeyToken.KeyDerivationAlgorithm)));
}
parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause(writer, derivedKeyToken.TokenToDeriveIdentifier);
// Don't support Properties element
if (derivedKeyToken.Generation > 0 || derivedKeyToken.Offset > 0 || derivedKeyToken.Length != 32)
{
// this means they're both specified (offset must be gen * length) - we'll write generation
if (derivedKeyToken.Generation >= 0 && derivedKeyToken.Offset >= 0)
{
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace);
writer.WriteValue(derivedKeyToken.Generation);
writer.WriteEndElement();
}
else if (derivedKeyToken.Generation != -1)
{
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace);
writer.WriteValue(derivedKeyToken.Generation);
writer.WriteEndElement();
}
else if (derivedKeyToken.Offset != -1)
{
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Offset, parent.SerializerDictionary.Namespace);
writer.WriteValue(derivedKeyToken.Offset);
writer.WriteEndElement();
}
if (derivedKeyToken.Length != 32)
{
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Length, parent.SerializerDictionary.Namespace);
writer.WriteValue(derivedKeyToken.Length);
writer.WriteEndElement();
}
}
if (derivedKeyToken.Label != null)
{
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace);
writer.WriteString(derivedKeyToken.Label);
writer.WriteEndElement();
}
writer.WriteStartElement(serializerPrefix, parent.SerializerDictionary.Nonce, parent.SerializerDictionary.Namespace);
writer.WriteBase64(derivedKeyToken.Nonce, 0, derivedKeyToken.Nonce.Length);
writer.WriteEndElement();
writer.WriteEndElement();
}
public void SetDerivationSourceIfRequired()
{
DerivedKeySecurityToken derivedKeyToken = Token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
Token = derivedKeyToken.TokenToDerive;
_isDerivedToken = true;
}
}
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
{
DerivedKeySecurityToken keySecurityToken = token as DerivedKeySecurityToken;
string prefix = this.parent.SerializerDictionary.Prefix.Value;
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.DerivedKeyToken, this.parent.SerializerDictionary.Namespace);
if (keySecurityToken.Id != null)
{
writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, keySecurityToken.Id);
}
if (keySecurityToken.KeyDerivationAlgorithm != this.parent.DerivationAlgorithm)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("UnsupportedKeyDerivationAlgorithm", new object[1] {
(object)keySecurityToken.KeyDerivationAlgorithm
})));
}
this.parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause((XmlWriter)writer, keySecurityToken.TokenToDeriveIdentifier);
if (keySecurityToken.Generation > 0 || keySecurityToken.Offset > 0 || keySecurityToken.Length != 32)
{
if (keySecurityToken.Generation >= 0 && keySecurityToken.Offset >= 0)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(keySecurityToken.Generation);
writer.WriteEndElement();
}
else if (keySecurityToken.Generation != -1)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(keySecurityToken.Generation);
writer.WriteEndElement();
}
else if (keySecurityToken.Offset != -1)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(keySecurityToken.Offset);
writer.WriteEndElement();
}
if (keySecurityToken.Length != 32)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(keySecurityToken.Length);
writer.WriteEndElement();
}
}
if (keySecurityToken.Label != null)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteString(keySecurityToken.Label);
writer.WriteEndElement();
}
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace);
writer.WriteBase64(keySecurityToken.Nonce, 0, keySecurityToken.Nonce.Length);
writer.WriteEndElement();
writer.WriteEndElement();
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
XmlDictionaryReader dictionaryReader = XmlDictionaryReader.CreateDictionaryReader(reader);
if (this.secureConversation.IsAtDerivedKeyToken(dictionaryReader))
{
string id;
string derivationAlgorithm;
string label;
int length;
byte[] nonce;
int offset;
int generation;
SecurityKeyIdentifierClause tokenToDeriveIdentifier;
SecurityToken tokenToDerive;
this.secureConversation.ReadDerivedKeyTokenParameters(dictionaryReader, tokenResolver, out id, out derivationAlgorithm, out label,
out length, out nonce, out offset, out generation, out tokenToDeriveIdentifier, out tokenToDerive);
DerivedKeySecurityToken cachedToken = GetCachedToken(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm);
if (cachedToken != null)
{
return(cachedToken);
}
lock (this.thisLock)
{
cachedToken = GetCachedToken(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm);
if (cachedToken != null)
{
return(cachedToken);
}
SecurityToken result = this.secureConversation.CreateDerivedKeyToken(id, derivationAlgorithm, label, length, nonce, offset, generation, tokenToDeriveIdentifier, tokenToDerive);
DerivedKeySecurityToken newToken = result as DerivedKeySecurityToken;
if (newToken != null)
{
int pos = this.indexToCache;
if (this.indexToCache == int.MaxValue)
{
this.indexToCache = 0;
}
else
{
this.indexToCache = (++this.indexToCache) % this.cachedTokens.Length;
}
this.cachedTokens[pos] = new DerivedKeySecurityTokenCache(newToken);
}
return(result);
}
}
else
{
return(this.innerTokenSerializer.ReadToken(reader, tokenResolver));
}
}
public DerivedKeySecurityTokenCache(DerivedKeySecurityToken cachedToken)
{
this.keyToDerive = ((SymmetricSecurityKey)cachedToken.TokenToDerive.SecurityKeys[0]).GetSymmetricKey();
this.generation = cachedToken.Generation;
this.offset = cachedToken.Offset;
this.length = cachedToken.Length;
this.label = cachedToken.Label;
this.keyDerivationAlgorithm = cachedToken.KeyDerivationAlgorithm;
this.nonce = cachedToken.Nonce;
this.cachedToken = cachedToken;
}
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
{
DerivedKeySecurityToken token2 = token as DerivedKeySecurityToken;
string prefix = this.parent.SerializerDictionary.Prefix.Value;
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.DerivedKeyToken, this.parent.SerializerDictionary.Namespace);
if (token2.Id != null)
{
writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, token2.Id);
}
if (token2.KeyDerivationAlgorithm != this.parent.DerivationAlgorithm)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnsupportedKeyDerivationAlgorithm", new object[] { token2.KeyDerivationAlgorithm })));
}
this.parent.WSSecurityTokenSerializer.WriteKeyIdentifierClause(writer, token2.TokenToDeriveIdentifier);
if (((token2.Generation > 0) || (token2.Offset > 0)) || (token2.Length != 0x20))
{
if ((token2.Generation >= 0) && (token2.Offset >= 0))
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(token2.Generation);
writer.WriteEndElement();
}
else if (token2.Generation != -1)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(token2.Generation);
writer.WriteEndElement();
}
else if (token2.Offset != -1)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(token2.Offset);
writer.WriteEndElement();
}
if (token2.Length != 0x20)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace);
writer.WriteValue(token2.Length);
writer.WriteEndElement();
}
}
if (token2.Label != null)
{
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace);
writer.WriteString(token2.Label);
writer.WriteEndElement();
}
writer.WriteStartElement(prefix, this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace);
writer.WriteBase64(token2.Nonce, 0, token2.Nonce.Length);
writer.WriteEndElement();
writer.WriteEndElement();
}
private DerivedKeySecurityToken GetCachedToken(string id, int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, SecurityKeyIdentifierClause tokenToDeriveIdentifier, string derivationAlgorithm)
{
for (int i = 0; i < this.cachedTokens.Length; i++)
{
DerivedKeySecurityTokenCache cachedToken = this.cachedTokens[i];
if ((cachedToken != null) && this.IsMatch(cachedToken, id, generation, offset, length, label, nonce, tokenToDerive, derivationAlgorithm))
{
DerivedKeySecurityToken token = new DerivedKeySecurityToken(generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm, id);
token.InitializeDerivedKey(cachedToken.SecurityKeys);
return(token);
}
}
return(null);
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
XmlDictionaryReader reader2 = XmlDictionaryReader.CreateDictionaryReader(reader);
if (this.secureConversation.IsAtDerivedKeyToken(reader2))
{
string str;
string str2;
string str3;
int num;
byte[] buffer;
int num2;
int num3;
SecurityKeyIdentifierClause clause;
SecurityToken token;
this.secureConversation.ReadDerivedKeyTokenParameters(reader2, tokenResolver, out str, out str2, out str3, out num, out buffer, out num2, out num3, out clause, out token);
DerivedKeySecurityToken token2 = this.GetCachedToken(str, num3, num2, num, str3, buffer, token, clause, str2);
if (token2 != null)
{
return(token2);
}
lock (this.thisLock)
{
token2 = this.GetCachedToken(str, num3, num2, num, str3, buffer, token, clause, str2);
if (token2 != null)
{
return(token2);
}
SecurityToken token3 = this.secureConversation.CreateDerivedKeyToken(str, str2, str3, num, buffer, num2, num3, clause, token);
DerivedKeySecurityToken cachedToken = token3 as DerivedKeySecurityToken;
if (cachedToken != null)
{
int indexToCache = this.indexToCache;
if (this.indexToCache == 0x7fffffff)
{
this.indexToCache = 0;
}
else
{
this.indexToCache = ++this.indexToCache % this.cachedTokens.Length;
}
this.cachedTokens[indexToCache] = new DerivedKeySecurityTokenCache(cachedToken);
}
return(token3);
}
}
return(this.innerTokenSerializer.ReadToken(reader, tokenResolver));
}
public void SetOutgoingSessionToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
lock (this.ThisLock)
{
this.outgoingSessionToken = token;
if (this.requireDerivedKeys)
{
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.Factory.MessageSecurityVersion.SecureConversationVersion);
this.derivedSignatureToken = new DerivedKeySecurityToken(-1, 0, this.Factory.OutgoingAlgorithmSuite.GetSignatureKeyDerivationLength(token, this.Factory.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal), keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId());
}
}
}
private void StartSignature()
{
if (this.elementContainer.SourceSigningToken != null)
{
SecurityToken sourceSigningToken;
SecurityKeyIdentifierClause clause2;
SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.signingTokenParameters);
SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, tokenReferenceStyle);
if (tokenToDeriveIdentifier == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey)
{
string signatureKeyDerivationAlgorithm = base.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (signatureKeyDerivationAlgorithm != keyDerivationAlgorithm)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { signatureKeyDerivationAlgorithm })));
}
DerivedKeySecurityToken token2 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, this.elementContainer.SourceSigningToken, tokenToDeriveIdentifier, signatureKeyDerivationAlgorithm, this.GenerateId());
sourceSigningToken = this.elementContainer.DerivedSigningToken = token2;
clause2 = new LocalIdKeyIdentifierClause(sourceSigningToken.Id, sourceSigningToken.GetType());
}
else
{
sourceSigningToken = this.elementContainer.SourceSigningToken;
clause2 = tokenToDeriveIdentifier;
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause2 });
if ((this.signatureConfirmationsToSend != null) && (this.signatureConfirmationsToSend.Count > 0))
{
ISecurityElement[] elementArray = this.CreateSignatureConfirmationElements(this.signatureConfirmationsToSend);
for (int i = 0; i < elementArray.Length; i++)
{
SendSecurityHeaderElement confirmation = new SendSecurityHeaderElement(elementArray[i].Id, elementArray[i])
{
MarkedForEncryption = this.signatureConfirmationsToSend.IsMarkedForEncryption
};
this.elementContainer.AddSignatureConfirmation(confirmation);
}
}
bool generateTargettablePrimarySignature = (this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null);
this.StartPrimarySignatureCore(sourceSigningToken, identifier, this.signatureParts, generateTargettablePrimarySignature);
}
}
public void SetOutgoingSessionToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
lock (ThisLock)
{
this.outgoingSessionToken = token;
if (this.requireDerivedKeys)
{
string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion);
this.derivedSignatureToken = new DerivedKeySecurityToken(-1, 0,
this.Factory.OutgoingAlgorithmSuite.GetSignatureKeyDerivationLength(token, this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External), derivationAlgorithm, SecurityUtils.GenerateId());
this.derivedEncryptionToken = new DerivedKeySecurityToken(-1, 0,
this.Factory.OutgoingAlgorithmSuite.GetEncryptionKeyDerivationLength(token, this.sessionStandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, token, this.Factory.SecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External), derivationAlgorithm, SecurityUtils.GenerateId());
}
}
}
internal void EnsureAcceptableDecryptionSymmetricKeySize(SymmetricSecurityKey securityKey, SecurityToken token)
{
int keySize;
DerivedKeySecurityToken token2 = token as DerivedKeySecurityToken;
if (token2 != null)
{
token = token2.TokenToDerive;
keySize = ((SymmetricSecurityKey)token.SecurityKeys[0]).KeySize;
if (token2.SecurityKeys[0].KeySize < this.DefaultEncryptionKeyDerivationLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenDoesNotMeetKeySizeRequirements", new object[] { this, token2, token2.SecurityKeys[0].KeySize })));
}
}
else
{
keySize = securityKey.KeySize;
}
if (!this.IsSymmetricKeyLengthSupported(keySize))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenDoesNotMeetKeySizeRequirements", new object[] { this, token, keySize })));
}
}
DerivedKeySecurityToken CreateDerivedKey(string id,
SecurityKeyIdentifierClause actualClause,
SymmetricAlgorithm actualKey)
{
RijndaelManaged deriv = new RijndaelManaged();
deriv.KeySize = security.Element.DefaultAlgorithmSuite.DefaultEncryptionKeyDerivationLength;
deriv.Mode = CipherMode.CBC;
deriv.Padding = PaddingMode.ISO10126;
deriv.GenerateKey();
var dkeyToken = new DerivedKeySecurityToken(
id,
null, // algorithm
actualClause,
new InMemorySymmetricSecurityKey(actualKey.Key),
null, // name
null, // generation
null, // offset
deriv.Key.Length,
null, // label
deriv.Key);
return(dkeyToken);
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
SecurityToken resolvedToken = null;
for (int i = 0; i < this.tokenCount; i++)
{
if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
{
continue;
}
SecurityToken token = tokens[i].Token;
if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle))
{
resolvedToken = token;
break;
}
else if (tokens[i].TokenParameters == null)
{
// match it according to the allowed reference style
if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
{
resolvedToken = token;
break;
}
}
}
if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
{
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier;
SecurityToken unwrappingToken;
if (this.expectedWrapper != null &&
CheckExternalWrapperMatch(wrappingTokenReference))
{
unwrappingToken = this.expectedWrapper;
}
else
{
unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause);
}
if (unwrappingToken != null)
{
resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken);
}
}
if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
{
resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((resolvedToken != null) && (derivationNonce != null))
{
// A Implicit Derived Key is specified. Create a derived key off of the resolve token.
if (SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(resolvedToken) == null)
{
// The resolved token contains no Symmetric Security key and thus we cannot create
// a derived key off of it.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
}
int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
if (derivationLength > this.securityHeader.MaxDerivedKeyLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength)));
}
bool alreadyDerived = false;
for (int i = 0; i < this.tokenCount; ++i)
{
DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
if ((derivedKeyToken.Length == derivationLength) &&
(CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) &&
(derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
// This is a implcit derived key for which we have already derived the
// token.
resolvedToken = this.tokens[i].Token;
alreadyDerived = true;
break;
}
}
}
if (!alreadyDerived)
{
string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
this.securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return(resolvedToken);
}
// xml format
//<DerivedKeyToken wsu:Id="..." wsse:Algorithm="..."> id required, alg optional (curr disallowed)
// <SecurityTokenReference>...</SecurityTokenReference> - required
// <Properties>...</Properties> - disallowed (optional in spec, but we disallow it)
// choice begin - (schema requires a choice - we allow neither on read - we always write one)
// <Generation>...</Generation> - optional
// <Offset>...</Offset> - optional
// choice end
// <Length>...</Length> - optional - default 32 on read (default specified in spec, not in schema - we always write it)
// <Label>...</Label> - optional
// <Nonce>...</Nonce> - required (optional in spec, but we require it)
//</DerivedKeyToken>
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive)
{
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
}
id = reader.GetAttribute(CoreWCF.XD.UtilityDictionary.IdAttribute, CoreWCF.XD.UtilityDictionary.Namespace);
derivationAlgorithm = reader.GetAttribute(CoreWCF.XD.XmlSignatureDictionary.Algorithm, null);
if (derivationAlgorithm == null)
{
derivationAlgorithm = parent.DerivationAlgorithm;
}
reader.ReadStartElement();
tokenToDeriveIdentifier = null;
tokenToDerive = null;
if (reader.IsStartElement(CoreWCF.XD.SecurityJan2004Dictionary.SecurityTokenReference, CoreWCF.XD.SecurityJan2004Dictionary.Namespace))
{
tokenToDeriveIdentifier = parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause(reader);
tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyTokenRequiresTokenReference)));
}
// no support for properties
generation = -1;
if (reader.IsStartElement(parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
generation = reader.ReadContentAsInt();
reader.ReadEndElement();
if (generation < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidGenerationSpecified, generation)));
}
}
offset = -1;
if (reader.IsStartElement(parent.SerializerDictionary.Offset, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
offset = reader.ReadContentAsInt();
reader.ReadEndElement();
if (offset < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidOffsetSpecified, offset)));
}
}
length = DerivedKeySecurityToken.DefaultDerivedKeyLength;
if (reader.IsStartElement(parent.SerializerDictionary.Length, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
length = reader.ReadContentAsInt();
reader.ReadEndElement();
}
if ((offset == -1) && (generation == -1))
{
offset = 0;
}
// verify that the offset is not larger than the max allowed
DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset);
label = null;
if (reader.IsStartElement(parent.SerializerDictionary.Label, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
label = reader.ReadString();
reader.ReadEndElement();
}
if (label != null && label.Length > this.maxKeyDerivationLabelLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenLabelTooLong, label.Length, this.maxKeyDerivationLabelLength)));
}
nonce = null;
reader.ReadStartElement(parent.SerializerDictionary.Nonce, parent.SerializerDictionary.Namespace);
nonce = reader.ReadContentAsBase64();
reader.ReadEndElement();
if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenNonceTooLong, nonce.Length, this.maxKeyDerivationNonceLength)));
}
reader.ReadEndElement();
}
private void SignWithSupportingTokens()
{
SecurityToken[] endorsingTokens = ElementContainer.GetEndorsingSupportingTokens();
if (endorsingTokens != null)
{
for (int i = 0; i < endorsingTokens.Length; ++i)
{
SecurityToken source = endorsingTokens[i];
SecurityKeyIdentifierClause sourceKeyClause = _endorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(_endorsingTokenParameters[i]));
if (sourceKeyClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyClause;
if (_endorsingTokenParameters[i].RequireDerivedKeys && !_endorsingTokenParameters[i].HasAsymmetricKey)
{
string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0,
AlgorithmSuite.GetSignatureKeyDerivationLength(source, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId());
signingToken = dkt;
signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType());
ElementContainer.AddEndorsingDerivedSupportingToken(dkt);
}
else
{
signingToken = source;
signingKeyClause = sourceKeyClause;
}
SignWithSupportingToken(signingToken, signingKeyClause);
}
}
SecurityToken[] signedEndorsingSupportingTokens = ElementContainer.GetSignedEndorsingSupportingTokens();
if (signedEndorsingSupportingTokens != null)
{
for (int i = 0; i < signedEndorsingSupportingTokens.Length; ++i)
{
SecurityToken source = signedEndorsingSupportingTokens[i];
SecurityKeyIdentifierClause sourceKeyClause = _signedEndorsingTokenParameters[i].CreateKeyIdentifierClause(source, GetTokenReferenceStyle(_signedEndorsingTokenParameters[i]));
if (sourceKeyClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyClause;
if (_signedEndorsingTokenParameters[i].RequireDerivedKeys && !_signedEndorsingTokenParameters[i].HasAsymmetricKey)
{
string derivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken dkt = new DerivedKeySecurityToken(-1, 0,
AlgorithmSuite.GetSignatureKeyDerivationLength(source, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null,
DerivedKeySecurityToken.DefaultNonceLength, source, sourceKeyClause, derivationAlgorithm, GenerateId());
signingToken = dkt;
signingKeyClause = new LocalIdKeyIdentifierClause(dkt.Id, dkt.GetType());
ElementContainer.AddSignedEndorsingDerivedSupportingToken(dkt);
}
else
{
signingToken = source;
signingKeyClause = sourceKeyClause;
}
SignWithSupportingToken(signingToken, signingKeyClause);
}
}
}
private void StartEncryption()
{
if (ElementContainer.SourceEncryptionToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceEncryptingKeyReferenceStyle = GetTokenReferenceStyle(_encryptingTokenParameters);
bool encryptionTokenSerialized = sourceEncryptingKeyReferenceStyle == SecurityTokenReferenceStyle.Internal;
SecurityKeyIdentifierClause sourceEncryptingKeyIdentifierClause = _encryptingTokenParameters.CreateKeyIdentifierClause(ElementContainer.SourceEncryptionToken, sourceEncryptingKeyReferenceStyle);
if (sourceEncryptingKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
}
SecurityToken sourceToken;
SecurityKeyIdentifierClause sourceTokenIdentifierClause;
// if the source token cannot do symmetric crypto, create a wrapped key
if (!SecurityUtils.HasSymmetricSecurityKey(ElementContainer.SourceEncryptionToken))
{
int keyLength = Math.Max(128, AlgorithmSuite.DefaultSymmetricKeyLength);
CryptoHelper.ValidateSymmetricKeyLength(keyLength, AlgorithmSuite);
byte[] key = new byte[keyLength / 8];
CryptoHelper.FillRandomBytes(key);
AlgorithmSuite.GetKeyWrapAlgorithm(ElementContainer.SourceEncryptionToken, out string keyWrapAlgorithm, out XmlDictionaryString keyWrapAlgorithmDictionaryString);
WrappedKeySecurityToken wrappedKey = new WrappedKeySecurityToken(GenerateId(), key, keyWrapAlgorithm, keyWrapAlgorithmDictionaryString,
ElementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(sourceEncryptingKeyIdentifierClause));
ElementContainer.WrappedEncryptionToken = wrappedKey;
sourceToken = wrappedKey;
sourceTokenIdentifierClause = new LocalIdKeyIdentifierClause(wrappedKey.Id, wrappedKey.GetType());
encryptionTokenSerialized = true;
}
else
{
sourceToken = ElementContainer.SourceEncryptionToken;
sourceTokenIdentifierClause = sourceEncryptingKeyIdentifierClause;
}
// determine if a key needs to be derived
SecurityKeyIdentifierClause encryptingKeyIdentifierClause;
// determine if a token needs to be derived
if (_encryptingTokenParameters.RequireDerivedKeys)
{
string derivationAlgorithm = AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (derivationAlgorithm == expectedDerivationAlgorithm)
{
DerivedKeySecurityToken derivedEncryptingToken = new DerivedKeySecurityToken(-1, 0,
AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, sourceToken, sourceTokenIdentifierClause, derivationAlgorithm, GenerateId());
_encryptingToken = ElementContainer.DerivedEncryptionToken = derivedEncryptingToken;
encryptingKeyIdentifierClause = new LocalIdKeyIdentifierClause(derivedEncryptingToken.Id, derivedEncryptingToken.GetType());
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm)));
}
}
else
{
_encryptingToken = sourceToken;
encryptingKeyIdentifierClause = sourceTokenIdentifierClause;
}
_skipKeyInfoForEncryption = encryptionTokenSerialized && EncryptedKeyContainsReferenceList && (_encryptingToken is WrappedKeySecurityToken) && _signThenEncrypt;
SecurityKeyIdentifier identifier;
if (_skipKeyInfoForEncryption)
{
identifier = null;
}
else
{
identifier = new SecurityKeyIdentifier(encryptingKeyIdentifierClause);
}
StartEncryptionCore(_encryptingToken, identifier);
}
private void SignWithSupportingTokens()
{
SecurityToken[] endorsingSupportingTokens = this.elementContainer.GetEndorsingSupportingTokens();
if (endorsingSupportingTokens != null)
{
for (int i = 0; i < endorsingSupportingTokens.Length; i++)
{
SecurityToken token2;
SecurityKeyIdentifierClause clause2;
SecurityToken token = endorsingSupportingTokens[i];
SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.endorsingTokenParameters[i].CreateKeyIdentifierClause(token, this.GetTokenReferenceStyle(this.endorsingTokenParameters[i]));
if (tokenToDeriveIdentifier == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (this.endorsingTokenParameters[i].RequireDerivedKeys && !this.endorsingTokenParameters[i].HasAsymmetricKey)
{
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken token3 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(token, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token, tokenToDeriveIdentifier, keyDerivationAlgorithm, this.GenerateId());
token2 = token3;
clause2 = new LocalIdKeyIdentifierClause(token3.Id, token3.GetType());
this.elementContainer.AddEndorsingDerivedSupportingToken(token3);
}
else
{
token2 = token;
clause2 = tokenToDeriveIdentifier;
}
this.SignWithSupportingToken(token2, clause2);
}
}
SecurityToken[] signedEndorsingSupportingTokens = this.elementContainer.GetSignedEndorsingSupportingTokens();
if (signedEndorsingSupportingTokens != null)
{
for (int j = 0; j < signedEndorsingSupportingTokens.Length; j++)
{
SecurityToken token5;
SecurityKeyIdentifierClause clause4;
SecurityToken token4 = signedEndorsingSupportingTokens[j];
SecurityKeyIdentifierClause clause3 = this.signedEndorsingTokenParameters[j].CreateKeyIdentifierClause(token4, this.GetTokenReferenceStyle(this.signedEndorsingTokenParameters[j]));
if (clause3 == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (this.signedEndorsingTokenParameters[j].RequireDerivedKeys && !this.signedEndorsingTokenParameters[j].HasAsymmetricKey)
{
string derivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
DerivedKeySecurityToken token6 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(token4, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, token4, clause3, derivationAlgorithm, this.GenerateId());
token5 = token6;
clause4 = new LocalIdKeyIdentifierClause(token6.Id, token6.GetType());
this.elementContainer.AddSignedEndorsingDerivedSupportingToken(token6);
}
else
{
token5 = token4;
clause4 = clause3;
}
this.SignWithSupportingToken(token5, clause4);
}
}
}
public Message SecureMessage()
{
secprop = Message.Properties.Security ?? new SecurityMessageProperty();
SecurityToken encToken =
secprop.InitiatorToken != null ? secprop.InitiatorToken.SecurityToken : security.EncryptionToken;
// FIXME: it might be still incorrect.
SecurityToken signToken =
Parameters == CounterParameters ? null :
security.SigningToken;
MessageProtectionOrder protectionOrder =
security.MessageProtectionOrder;
SecurityTokenSerializer serializer =
security.TokenSerializer;
SecurityBindingElement element =
security.Element;
SecurityAlgorithmSuite suite = element.DefaultAlgorithmSuite;
string messageId = "uuid-" + Guid.NewGuid();
int identForMessageId = 1;
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = true;
// FIXME: get correct ReplyTo value
if (Direction == MessageDirection.Input)
{
msg.Headers.ReplyTo = new EndpointAddress(Constants.WsaAnonymousUri);
}
if (MessageTo != null)
{
msg.Headers.To = MessageTo.Uri;
}
// wss:Security
WSSecurityMessageHeader header =
new WSSecurityMessageHeader(serializer);
msg.Headers.Add(header);
// 1. [Timestamp]
if (element.IncludeTimestamp)
{
WsuTimestamp timestamp = new WsuTimestamp();
timestamp.Id = messageId + "-" + identForMessageId++;
timestamp.Created = DateTime.Now;
// FIXME: on service side, use element.LocalServiceSettings.TimestampValidityDuration
timestamp.Expires = timestamp.Created.Add(element.LocalClientSettings.TimestampValidityDuration);
header.AddContent(timestamp);
}
XmlNamespaceManager nsmgr = new XmlNamespaceManager(doc.NameTable);
nsmgr.AddNamespace("s", msg.Version.Envelope.Namespace);
nsmgr.AddNamespace("o", Constants.WssNamespace);
nsmgr.AddNamespace("u", Constants.WsuNamespace);
nsmgr.AddNamespace("o11", Constants.Wss11Namespace);
/*WrappedKey*/ SecurityToken primaryToken = null;
DerivedKeySecurityToken dkeyToken = null;
SecurityToken actualToken = null;
SecurityKeyIdentifierClause actualClause = null;
Signature sig = null;
List <DerivedKeySecurityToken> derivedKeys =
new List <DerivedKeySecurityToken> ();
SymmetricAlgorithm masterKey = new RijndaelManaged();
masterKey.KeySize = suite.DefaultSymmetricKeyLength;
masterKey.Mode = CipherMode.CBC;
masterKey.Padding = PaddingMode.ISO10126;
SymmetricAlgorithm actualKey = masterKey;
// 2. [Encryption Token]
// SecurityTokenInclusionMode
// - Initiator or Recipient
// - done or notyet. FIXME: not implemented yet
// It also affects on key reference output
bool includeEncToken = // /* FIXME: remove this hack */Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken(
Security.RecipientParameters.InclusionMode, false);
bool includeSigToken = // /* FIXME: remove this hack */ Parameters is SslSecurityTokenParameters ? false :
ShouldIncludeToken(
Security.InitiatorParameters.InclusionMode, false);
SecurityKeyIdentifierClause encClause = ShouldOutputEncryptedKey ?
CounterParameters.CallCreateKeyIdentifierClause(encToken, !ShouldOutputEncryptedKey ? SecurityTokenReferenceStyle.Internal : includeEncToken ? Parameters.ReferenceStyle : SecurityTokenReferenceStyle.External) : null;
MessagePartSpecification sigSpec = SignaturePart;
MessagePartSpecification encSpec = EncryptionPart;
// encryption key (possibly also used for signing)
// FIXME: get correct SymmetricAlgorithm according to the algorithm suite
if (secprop.EncryptionKey != null)
{
actualKey.Key = secprop.EncryptionKey;
}
// FIXME: remove thid hack
if (!ShouldOutputEncryptedKey)
{
primaryToken = secprop.ProtectionToken.SecurityToken as WrappedKeySecurityToken;
}
else
{
primaryToken =
// FIXME: remove this hack?
encToken is SecurityContextSecurityToken ? encToken :
new WrappedKeySecurityToken(messageId + "-" + identForMessageId++,
actualKey.Key,
// security.DefaultKeyWrapAlgorithm,
Parameters.InternalHasAsymmetricKey ?
suite.DefaultAsymmetricKeyWrapAlgorithm :
suite.DefaultSymmetricKeyWrapAlgorithm,
encToken,
encClause != null ? new SecurityKeyIdentifier(encClause) : null);
}
// If it reuses request's encryption key, do not output.
if (ShouldOutputEncryptedKey)
{
header.AddContent(primaryToken);
}
actualToken = primaryToken;
// FIXME: I doubt it is correct...
WrappedKeySecurityToken requestEncKey = ShouldOutputEncryptedKey ? null : primaryToken as WrappedKeySecurityToken;
actualClause = requestEncKey == null ? (SecurityKeyIdentifierClause)
new LocalIdKeyIdentifierClause(actualToken.Id, typeof(WrappedKeySecurityToken)) :
new InternalEncryptedKeyIdentifierClause(SHA1.Create().ComputeHash(requestEncKey.GetWrappedKey()));
// generate derived key if needed
if (CounterParameters.RequireDerivedKeys)
{
RijndaelManaged deriv = new RijndaelManaged();
deriv.KeySize = suite.DefaultEncryptionKeyDerivationLength;
deriv.Mode = CipherMode.CBC;
deriv.Padding = PaddingMode.ISO10126;
deriv.GenerateKey();
dkeyToken = new DerivedKeySecurityToken(
GenerateId(doc),
null, // algorithm
actualClause,
new InMemorySymmetricSecurityKey(actualKey.Key),
null, // name
null, // generation
null, // offset
deriv.Key.Length,
null, // label
deriv.Key);
derivedKeys.Add(dkeyToken);
actualToken = dkeyToken;
actualKey.Key = ((SymmetricSecurityKey)dkeyToken.SecurityKeys [0]).GetSymmetricKey();
actualClause = new LocalIdKeyIdentifierClause(dkeyToken.Id);
header.AddContent(dkeyToken);
}
ReferenceList refList = new ReferenceList();
// When encrypted with DerivedKeyToken, put references
// immediately after the derived token (not inside the
// primary token).
// Similarly, when we do not output EncryptedKey,
// output ReferenceList in the same way.
if (CounterParameters.RequireDerivedKeys ||
!ShouldOutputEncryptedKey)
{
header.AddContent(refList);
}
else
{
((WrappedKeySecurityToken)primaryToken).ReferenceList = refList;
}
// [Signature Confirmation]
if (security.RequireSignatureConfirmation && secprop.ConfirmedSignatures.Count > 0)
{
foreach (string value in secprop.ConfirmedSignatures)
{
header.AddContent(new Wss11SignatureConfirmation(GenerateId(doc), value));
}
}
SupportingTokenInfoCollection tokenInfos =
Direction == MessageDirection.Input ?
security.CollectSupportingTokens(GetAction()) :
new SupportingTokenInfoCollection(); // empty
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
header.AddContent(tinfo.Token);
}
// populate DOM to sign.
XPathNavigator nav = doc.CreateNavigator();
using (XmlWriter w = nav.AppendChild()) {
msg.WriteMessage(w);
}
XmlElement body = doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement;
string bodyId = null;
XmlElement secElem = null;
Collection <WSSignedXml> endorsedSignatures =
new Collection <WSSignedXml> ();
bool signatureProtection = (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature);
// Below are o:Security contents that are not signed...
if (includeSigToken && signToken != null)
{
header.AddContent(signToken);
}
switch (protectionOrder)
{
case MessageProtectionOrder.EncryptBeforeSign:
// FIXME: implement
throw new NotImplementedException();
case MessageProtectionOrder.SignBeforeEncrypt:
case MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature:
// sign
// see clause 8 of WS-SecurityPolicy C.2.2
WSSignedXml sxml = new WSSignedXml(doc);
SecurityTokenReferenceKeyInfo sigKeyInfo;
sig = sxml.Signature;
sig.SignedInfo.CanonicalizationMethod =
suite.DefaultCanonicalizationAlgorithm;
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/u:Timestamp", nsmgr))
{
CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace));
}
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr))
{
CreateReference(sig, elem, elem.GetAttribute("Id", Constants.WsuNamespace));
}
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
if (tinfo.Mode != SecurityTokenAttachmentMode.Endorsing)
{
XmlElement el = sxml.GetIdElement(doc, tinfo.Token.Id);
CreateReference(sig, el, el.GetAttribute("Id", Constants.WsuNamespace));
}
}
XmlNodeList nodes = doc.SelectNodes("/s:Envelope/s:Header/*", nsmgr);
for (int i = 0; i < msg.Headers.Count; i++)
{
MessageHeaderInfo h = msg.Headers [i];
if (h.Name == "Security" && h.Namespace == Constants.WssNamespace)
{
secElem = nodes [i] as XmlElement;
}
else if (sigSpec.HeaderTypes.Count == 0 ||
sigSpec.HeaderTypes.Contains(new XmlQualifiedName(h.Name, h.Namespace)))
{
string id = GenerateId(doc);
h.Id = id;
CreateReference(sig, nodes [i] as XmlElement, id);
}
}
if (sigSpec.IsBodyIncluded)
{
bodyId = GenerateId(doc);
CreateReference(sig, body.ParentNode as XmlElement, bodyId);
}
if (security.DefaultSignatureAlgorithm == SignedXml.XmlDsigHMACSHA1Url)
{
// FIXME: use appropriate hash algorithm
sxml.ComputeSignature(new HMACSHA1(actualKey.Key));
sigKeyInfo = new SecurityTokenReferenceKeyInfo(actualClause, serializer, doc);
}
else
{
SecurityKeyIdentifierClause signClause =
CounterParameters.CallCreateKeyIdentifierClause(signToken, includeSigToken ? CounterParameters.ReferenceStyle : SecurityTokenReferenceStyle.External);
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)signToken.ResolveKeyIdentifierClause(signClause);
sxml.SigningKey = signKey.GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, true);
sxml.ComputeSignature();
sigKeyInfo = new SecurityTokenReferenceKeyInfo(signClause, serializer, doc);
}
sxml.KeyInfo = new KeyInfo();
sxml.KeyInfo.AddClause(sigKeyInfo);
if (!signatureProtection)
{
header.AddContent(sig);
}
// endorse the signature with (signed)endorsing
// supporting tokens.
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
switch (tinfo.Mode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
if (sxml.Signature.Id == null)
{
sig.Id = GenerateId(doc);
secElem.AppendChild(sxml.GetXml());
}
WSSignedXml ssxml = new WSSignedXml(doc);
ssxml.Signature.SignedInfo.CanonicalizationMethod = suite.DefaultCanonicalizationAlgorithm;
CreateReference(ssxml.Signature, doc, sig.Id);
SecurityToken sst = tinfo.Token;
SecurityKey ssk = sst.SecurityKeys [0]; // FIXME: could be different?
SecurityKeyIdentifierClause tclause = new LocalIdKeyIdentifierClause(sst.Id); // FIXME: could be different?
if (ssk is SymmetricSecurityKey)
{
SymmetricSecurityKey signKey = (SymmetricSecurityKey)ssk;
ssxml.ComputeSignature(signKey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
}
else
{
AsymmetricSecurityKey signKey = (AsymmetricSecurityKey)ssk;
ssxml.SigningKey = signKey.GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, true);
ssxml.ComputeSignature();
}
ssxml.KeyInfo.AddClause(new SecurityTokenReferenceKeyInfo(tclause, serializer, doc));
if (!signatureProtection)
{
header.AddContent(ssxml.Signature);
}
endorsedSignatures.Add(ssxml);
break;
}
}
// encrypt
WSEncryptedXml exml = new WSEncryptedXml(doc);
EncryptedData edata = Encrypt(body, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(body, edata, false);
// encrypt signature
if (signatureProtection)
{
XmlElement sigxml = sig.GetXml();
edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent(edata);
foreach (WSSignedXml ssxml in endorsedSignatures)
{
sigxml = ssxml.GetXml();
edata = Encrypt(sigxml, actualKey, actualToken.Id, refList, actualClause, exml, doc);
header.AddContent(edata);
}
if (security.RequireSignatureConfirmation)
{
Collection <Wss11SignatureConfirmation> confs = header.FindAll <Wss11SignatureConfirmation> ();
int count = 0;
foreach (XmlElement elem in doc.SelectNodes("/s:Envelope/s:Header/o:Security/o11:SignatureConfirmation", nsmgr))
{
edata = Encrypt(elem, actualKey, confs [count].Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(elem, edata, false);
header.Contents.Insert(header.Contents.IndexOf(confs [count]), edata);
header.Contents.Remove(confs [count++]);
}
}
}
// encrypt Encrypted supporting tokens
foreach (SupportingTokenInfo tinfo in tokenInfos)
{
if (tinfo.Mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
XmlElement el = exml.GetIdElement(doc, tinfo.Token.Id);
tinfo.Encrypted = Encrypt(el, actualKey, actualToken.Id, refList, actualClause, exml, doc);
EncryptedXml.ReplaceElement(el, tinfo.Encrypted, false);
header.Contents.Insert(header.Contents.IndexOf(tinfo.Token), tinfo.Encrypted);
header.Contents.Remove(tinfo.Token);
}
}
break;
}
Message ret = new WSSecurityMessage(Message.CreateMessage(msg.Version, msg.Headers.Action, new XmlNodeReader(doc.SelectSingleNode("/s:Envelope/s:Body/*", nsmgr) as XmlElement)), bodyId);
ret.Properties.Security = (SecurityMessageProperty)secprop.CreateCopy();
ret.Properties.Security.EncryptionKey = masterKey.Key;
// FIXME: can we support TransportToken here?
if (element is AsymmetricSecurityBindingElement)
{
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(encToken, null); // FIXME: second argument
ret.Properties.Security.InitiatorToken = new SecurityTokenSpecification(signToken, null); // FIXME: second argument
}
else
{
ret.Properties.Security.ProtectionToken = new SecurityTokenSpecification(primaryToken, null);
}
ret.Headers.Clear();
ret.Headers.CopyHeadersFrom(msg);
// Header contents are:
// - Timestamp
// - SignatureConfirmation if required
// - EncryptionToken if included
// - derived key token for EncryptionToken
// - ReferenceList for encrypted items
// - signed supporting tokens
// - signed endorsing supporting tokens
// (i.e. Signed/SignedEncrypted/SignedEndorsing)
// - Signature Token if different from enc token.
// - derived key token for sig token if different
// - Signature for:
// - Timestamp
// - supporting tokens (regardless of
// its inclusion)
// - message parts in SignedParts
// - SignatureToken if TokenProtection
// (regardless of its inclusion)
// - Signatures for the main signature (above),
// for every endorsing token and signed
// endorsing token.
//
//MessageBuffer zzz = ret.CreateBufferedCopy (100000);
//ret = zzz.CreateMessage ();
//Console.WriteLine (zzz.CreateMessage ());
return(ret);
}
private void StartEncryption()
{
if (this.elementContainer.SourceEncryptionToken != null)
{
SecurityToken sourceEncryptionToken;
SecurityKeyIdentifierClause clause2;
SecurityKeyIdentifierClause clause3;
SecurityKeyIdentifier identifier;
SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.encryptingTokenParameters);
bool flag = tokenReferenceStyle == SecurityTokenReferenceStyle.Internal;
SecurityKeyIdentifierClause clause = this.encryptingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceEncryptionToken, tokenReferenceStyle);
if (clause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(this.elementContainer.SourceEncryptionToken))
{
string str;
XmlDictionaryString str2;
int keyLength = Math.Max(0x80, base.AlgorithmSuite.DefaultSymmetricKeyLength);
System.ServiceModel.Security.CryptoHelper.ValidateSymmetricKeyLength(keyLength, base.AlgorithmSuite);
byte[] buffer = new byte[keyLength / 8];
System.ServiceModel.Security.CryptoHelper.FillRandomBytes(buffer);
base.AlgorithmSuite.GetKeyWrapAlgorithm(this.elementContainer.SourceEncryptionToken, out str, out str2);
WrappedKeySecurityToken token2 = new WrappedKeySecurityToken(this.GenerateId(), buffer, str, str2, this.elementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause }));
this.elementContainer.WrappedEncryptionToken = token2;
sourceEncryptionToken = token2;
clause2 = new LocalIdKeyIdentifierClause(token2.Id, token2.GetType());
flag = true;
}
else
{
sourceEncryptionToken = this.elementContainer.SourceEncryptionToken;
clause2 = clause;
}
if (this.encryptingTokenParameters.RequireDerivedKeys)
{
string encryptionKeyDerivationAlgorithm = base.AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceEncryptionToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (encryptionKeyDerivationAlgorithm != keyDerivationAlgorithm)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { encryptionKeyDerivationAlgorithm })));
}
DerivedKeySecurityToken token3 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceEncryptionToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, sourceEncryptionToken, clause2, encryptionKeyDerivationAlgorithm, this.GenerateId());
this.encryptingToken = this.elementContainer.DerivedEncryptionToken = token3;
clause3 = new LocalIdKeyIdentifierClause(token3.Id, token3.GetType());
}
else
{
this.encryptingToken = sourceEncryptionToken;
clause3 = clause2;
}
this.skipKeyInfoForEncryption = ((flag && base.EncryptedKeyContainsReferenceList) && (this.encryptingToken is WrappedKeySecurityToken)) && this.signThenEncrypt;
if (this.skipKeyInfoForEncryption)
{
identifier = null;
}
else
{
identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause3 });
}
this.StartEncryptionCore(this.encryptingToken, identifier);
}
}
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive)
{
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
}
id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
derivationAlgorithm = reader.GetAttribute(XD.XmlSignatureDictionary.Algorithm, (XmlDictionaryString)null);
if (derivationAlgorithm == null)
{
derivationAlgorithm = this.parent.DerivationAlgorithm;
}
reader.ReadStartElement();
tokenToDeriveIdentifier = (SecurityKeyIdentifierClause)null;
tokenToDerive = (SecurityToken)null;
if (!reader.IsStartElement(XD.SecurityJan2004Dictionary.SecurityTokenReference, XD.SecurityJan2004Dictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyTokenRequiresTokenReference")));
}
tokenToDeriveIdentifier = this.parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause((XmlReader)reader);
tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive);
generation = -1;
if (reader.IsStartElement(this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
generation = reader.ReadContentAsInt();
reader.ReadEndElement();
if (generation < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidGenerationSpecified", new object[1] {
(object)generation
})));
}
}
offset = -1;
if (reader.IsStartElement(this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
offset = reader.ReadContentAsInt();
reader.ReadEndElement();
if (offset < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidOffsetSpecified", new object[1] {
(object)offset
})));
}
}
length = 32;
if (reader.IsStartElement(this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
length = reader.ReadContentAsInt();
reader.ReadEndElement();
}
if (offset == -1 && generation == -1)
{
offset = 0;
}
DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset);
label = (string)null;
if (reader.IsStartElement(this.parent.SerializerDictionary.Label, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
label = reader.ReadString();
reader.ReadEndElement();
}
if (label != null && label.Length > this.maxKeyDerivationLabelLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenLabelTooLong", (object)label.Length, (object)this.maxKeyDerivationLabelLength)));
}
nonce = (byte[])null;
reader.ReadStartElement(this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace);
nonce = reader.ReadContentAsBase64();
reader.ReadEndElement();
if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenNonceTooLong", (object)nonce.Length, (object)this.maxKeyDerivationNonceLength)));
}
reader.ReadEndElement();
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
SecurityToken token = null;
for (int i = 0; i < this.tokenCount; i++)
{
if (!matchOnlyExternal || (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.External))
{
SecurityToken token2 = this.tokens[i].Token;
if ((this.tokens[i].TokenParameters != null) && this.tokens[i].TokenParameters.MatchesKeyIdentifierClause(token2, keyIdentifierClause, this.tokens[i].AllowedReferenceStyle))
{
token = token2;
break;
}
if (((this.tokens[i].TokenParameters == null) && (this.tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal)) && this.MatchDirectReference(token2, keyIdentifierClause))
{
token = token2;
break;
}
}
}
if ((token == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
{
SecurityToken expectedWrapper;
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier;
if ((this.expectedWrapper != null) && this.CheckExternalWrapperMatch(encryptingKeyIdentifier))
{
expectedWrapper = this.expectedWrapper;
}
else
{
expectedWrapper = this.ResolveToken(encryptingKeyIdentifier, true, resolveIntrinsicKeyClause);
}
if (expectedWrapper != null)
{
token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, expectedWrapper);
}
}
if (((token == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause)) && (!matchOnlyExternal && resolveIntrinsicKeyClause))
{
token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((token != null) && (derivationNonce != null))
{
if (System.ServiceModel.Security.SecurityUtils.GetSecurityKey <SymmetricSecurityKey>(token) == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToDeriveKeyFromKeyInfoClause", new object[] { keyIdentifierClause, token })));
}
int length = (keyIdentifierClause.DerivationLength == 0) ? 0x20 : keyIdentifierClause.DerivationLength;
if (length > this.securityHeader.MaxDerivedKeyLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong", new object[] { keyIdentifierClause.ToString(), length, this.securityHeader.MaxDerivedKeyLength })));
}
bool flag = false;
for (int j = 0; j < this.tokenCount; j++)
{
DerivedKeySecurityToken token4 = this.tokens[j].Token as DerivedKeySecurityToken;
if (((token4 != null) && (token4.Length == length)) && (CryptoHelper.IsEqual(token4.Nonce, derivationNonce) && token4.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
token = this.tokens[j].Token;
flag = true;
break;
}
}
if (!flag)
{
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
token = new DerivedKeySecurityToken(-1, 0, length, null, derivationNonce, token, keyIdentifierClause, keyDerivationAlgorithm, System.ServiceModel.Security.SecurityUtils.GenerateId());
((DerivedKeySecurityToken)token).InitializeDerivedKey(length);
this.Add(token, SecurityTokenReferenceStyle.Internal, null);
this.securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return(token);
}
void ExtractSecurity()
{
if (security.MessageProtectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature &&
wss_header.Find <SignedXml> () != null)
{
throw new MessageSecurityException("The security binding element expects that the message signature is encrypted, while it isn't.");
}
WrappedKeySecurityToken wk = wss_header.Find <WrappedKeySecurityToken> ();
DerivedKeySecurityToken dk = wss_header.Find <DerivedKeySecurityToken> ();
if (wk != null)
{
if (Parameters.RequireDerivedKeys && dk == null)
{
throw new MessageSecurityException("DerivedKeyToken is required in this contract, but was not found in the message");
}
}
else
{
// FIXME: this is kind of hack for symmetric reply processing.
wk = RequestSecurity.ProtectionToken != null ? RequestSecurity.ProtectionToken.SecurityToken as WrappedKeySecurityToken : null;
}
SymmetricSecurityKey wkkey = wk != null ? wk.SecurityKeys [0] as SymmetricSecurityKey : null;
wss_header_reader.DecryptSecurity(this, wkkey, RequestSecurity != null ? RequestSecurity.EncryptionKey : null);
// signature confirmation
WSSignedXml sxml = wss_header.Find <WSSignedXml> ();
if (sxml == null)
{
throw new MessageSecurityException("The the message signature is expected but not found.");
}
bool confirmed = false;
SecurityKeyIdentifierClause sigClause = null;
foreach (KeyInfoClause kic in sxml.KeyInfo)
{
SecurityTokenReferenceKeyInfo r = kic as SecurityTokenReferenceKeyInfo;
if (r != null)
{
sigClause = r.Clause;
}
}
if (sigClause == null)
{
throw new MessageSecurityException("SecurityTokenReference was not found in dsig:Signature KeyInfo.");
}
SecurityToken signToken;
SecurityKey signKey;
signToken = TokenResolver.ResolveToken(sigClause);
signKey = signToken.ResolveKeyIdentifierClause(sigClause);
SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;
if (symkey != null)
{
confirmed = sxml.CheckSignature(new HMACSHA1(symkey.GetSymmetricKey()));
if (wk != null)
{
// FIXME: authenticate token
sec_prop.ProtectionToken = new SecurityTokenSpecification(wk, null);
}
}
else
{
AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(security.DefaultSignatureAlgorithm, false);
confirmed = sxml.CheckSignature(alg);
sec_prop.InitiatorToken = new SecurityTokenSpecification(
signToken,
security.TokenAuthenticator.ValidateToken(signToken));
}
if (!confirmed)
{
throw new MessageSecurityException("Message signature is invalid.");
}
// token authentication
// FIXME: it might not be limited to recipient
if (Direction == MessageDirection.Input)
{
ProcessSupportingTokens(sxml);
}
sec_prop.EncryptionKey = ((SymmetricSecurityKey)wk.SecurityKeys [0]).GetSymmetricKey();
sec_prop.ConfirmedSignatures.Add(Convert.ToBase64String(sxml.SignatureValue));
}
private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer,
SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout)
{
Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters");
Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters");
string localName = reader.LocalName;
string namespaceUri = reader.NamespaceURI;
string valueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null);
SecurityTokenAuthenticator usedTokenAuthenticator;
SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out usedTokenAuthenticator);
if (token == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, localName, namespaceUri, valueType)), Message);
}
DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
EnsureDerivedKeyLimitNotReached();
derivedKeyToken.InitializeDerivedKey(MaxDerivedKeyLength);
}
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
_allowedAuthenticators.Remove(usedTokenAuthenticator);
}
ReceiveSecurityHeaderBindingModes mode;
TokenTracker supportingTokenTracker = null;
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
// this is the primary token. Add to resolver as such
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
_primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
if (_pendingSupportingTokenAuthenticator != null)
{
_allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator);
_pendingSupportingTokenAuthenticator = null;
}
_primaryTokenTracker.RecordToken(token);
mode = ReceiveSecurityHeaderBindingModes.Primary;
}
else if (usedTokenAuthenticator == DerivedTokenAuthenticator)
{
if (token is DerivedKeySecurityTokenStub)
{
if (Layout == SecurityHeaderLayout.Strict)
{
DerivedKeySecurityTokenStub tmpToken = (DerivedKeySecurityTokenStub)token;
throw TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, tmpToken.TokenToDeriveIdentifier)), Message);
}
}
else
{
AddDerivedKeyTokenToResolvers(token);
}
mode = ReceiveSecurityHeaderBindingModes.Unknown;
}
else
{
SupportingTokenAuthenticatorSpecification supportingTokenSpec;
supportingTokenTracker = GetSupportingTokenTracker(usedTokenAuthenticator, out supportingTokenSpec);
if (supportingTokenTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, usedTokenAuthenticator)));
}
if (supportingTokenTracker.Token != null)
{
supportingTokenTracker = new TokenTracker(supportingTokenSpec);
_supportingTokenTrackers.Add(supportingTokenTracker);
}
supportingTokenTracker.RecordToken(token);
if (encryptionToken != null)
{
supportingTokenTracker.IsEncrypted = true;
}
bool isBasic;
bool isSignedButNotBasic;
SecurityTokenAttachmentModeHelper.Categorize(supportingTokenSpec.SecurityTokenAttachmentMode, out isBasic, out isSignedButNotBasic, out mode);
if (isBasic)
{
if (!ExpectBasicTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected));
}
// only basic tokens have to be part of the reference list. Encrypted Saml tokens dont for example
if (RequireMessageProtection && encryptionToken != null)
{
throw ExceptionHelper.PlatformNotSupported();
}
}
if (isSignedButNotBasic && !ExpectSignedTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected));
}
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingTokenSpec.TokenParameters);
}
if (position == AppendPosition)
{
ElementManager.AppendToken(token, mode, supportingTokenTracker);
}
else
{
ElementManager.SetTokenAfterDecryption(position, token, mode, decryptedBuffer, supportingTokenTracker);
}
}
