public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
: base(messageToProcess)
{
this.securityHeader = securityHeader;
if (securityHeader.RequireMessageProtection)
{
XmlDictionaryReader messageReader;
BufferedMessage bufferedMessage = this.InnerMessage as BufferedMessage;
if (bufferedMessage != null && this.Headers.ContainsOnlyBufferedMessageHeaders)
{
messageReader = bufferedMessage.GetMessageReader();
}
else
{
this.messageBuffer = new XmlBuffer(int.MaxValue);
XmlDictionaryWriter writer = this.messageBuffer.OpenSection(this.securityHeader.ReaderQuotas);
this.InnerMessage.WriteMessage(writer);
this.messageBuffer.CloseSection();
this.messageBuffer.Close();
messageReader = this.messageBuffer.GetReader(0);
}
MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
this.cachedReaderAtSecurityHeader = messageReader;
this.state = BodyState.Buffered;
}
else
{
this.envelopeAttributes = XmlAttributeHolder.emptyArray;
this.headerAttributes = XmlAttributeHolder.emptyArray;
this.bodyAttributes = XmlAttributeHolder.emptyArray;
this.canDelegateCreateBufferedCopyToInnerMessage = true;
}
}
private void WriteHeader(XmlDictionaryWriter dictionaryWriter)
{
dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Header, this.message.Version.Envelope.DictionaryNamespace);
MessageHeaders headers = this.message.Headers;
ReceiveSecurityHeader receivedSecurityHeader = null;
if (this.message is SecurityVerifiedMessage)
{
SecurityVerifiedMessage message = this.message as SecurityVerifiedMessage;
receivedSecurityHeader = message.ReceivedSecurityHeader;
}
for (int i = 0; i < headers.Count; i++)
{
if (((receivedSecurityHeader != null) && receivedSecurityHeader.HasAtLeastOneItemInsideSecurityHeaderEncrypted) && (receivedSecurityHeader.HeaderIndex == i))
{
receivedSecurityHeader.WriteStartHeader(dictionaryWriter, headers.MessageVersion);
receivedSecurityHeader.WriteHeaderContents(dictionaryWriter, headers.MessageVersion);
dictionaryWriter.WriteEndElement();
}
else
{
headers.WriteHeader(i, dictionaryWriter);
}
}
dictionaryWriter.WriteEndElement();
}
protected override async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout)
{
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = Factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
Factory.IncomingAlgorithmSuite, MessageDirection.Input);
securityHeader.RequireMessageProtection = false;
securityHeader.ReaderQuotas = Factory.SecurityBindingElement.ReaderQuotas;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(Factory, message, securityHeader);
ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, _sessionTokenResolverList);
if (supportingAuthenticators != null && supportingAuthenticators.Count > 0)
{
supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
supportingAuthenticators.Insert(0, _sessionTokenAuthenticatorSpecificationList[0]);
}
else
{
supportingAuthenticators = _sessionTokenAuthenticatorSpecificationList;
}
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers);
securityHeader.ExpectEndorsingTokens = true;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
securityHeader.ReplayDetectionEnabled = Factory.DetectReplays;
securityHeader.SetTimeParameters(Factory.NonceCache, Factory.ReplayWindow, Factory.MaxClockSkew);
// do not enforce key derivation requirement for Cancel messages due to WSE interop
securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != Factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), Factory.ExtendedProtectionPolicy);
if (securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.RequiredTimestampMissingInSecurityHeader)));
}
bool didSessionSctEndorse = false;
if (securityHeader.EndorsingSupportingTokens != null)
{
for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i)
{
SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken);
if (signingSct != null && signingSct.ContextId == _sessionId)
{
didSessionSctEndorse = true;
break;
}
}
}
if (!didSessionSctEndorse)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.NoSessionTokenPresentInMessage)));
}
Message processedMessage = securityHeader.ProcessedMessage;
AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens,
securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
OnIncomingMessageVerified(processedMessage);
return(processedMessage);
}
public ReceiveSecurityHeaderElementManager(ReceiveSecurityHeader securityHeader)
{
_securityHeader = securityHeader;
_elements = new ReceiveSecurityHeaderEntry[InitialCapacity];
if (securityHeader.RequireMessageProtection)
{
_headerIds = new string[securityHeader.ProcessedMessage.Headers.Count];
}
}
public override async ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
// pass 1
await securityHeader.ExecuteReadingPassAsync(reader);
// pass 1.5
securityHeader.ExecuteDerivedKeyTokenStubPass(false);
// pass 2
await securityHeader.ExecuteSubheaderDecryptionPassAsync();
// pass 2.5
securityHeader.ExecuteDerivedKeyTokenStubPass(true);
// layout-specific inferences
MarkElements(securityHeader.ElementManager, securityHeader.RequireMessageProtection);
// pass 3
await securityHeader.ExecuteSignatureEncryptionProcessingPassAsync();
}
public SecurityVerifiedMessage(Message messageToProcess, ReceiveSecurityHeader securityHeader)
: base(messageToProcess)
{
ReceivedSecurityHeader = securityHeader;
if (securityHeader.RequireMessageProtection)
{
XmlDictionaryReader messageReader;
if (InnerMessage is BufferedMessage bufferedMessage && Headers.ContainsOnlyBufferedMessageHeaders)
{
messageReader = bufferedMessage.GetMessageReader();
}
else
{
_messageBuffer = new XmlBuffer(int.MaxValue);
XmlDictionaryWriter writer = _messageBuffer.OpenSection(ReceivedSecurityHeader.ReaderQuotas);
InnerMessage.WriteMessage(writer);
_messageBuffer.CloseSection();
_messageBuffer.Close();
messageReader = _messageBuffer.GetReader(0);
}
MoveToSecurityHeader(messageReader, securityHeader.HeaderIndex, true);
_cachedReaderAtSecurityHeader = messageReader;
_state = BodyState.Buffered;
}
public abstract void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
public override void ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
{
securityHeader.ExecuteFullPass(reader);
}
protected virtual void VerifyIncomingMessageCore(ref Message message, TimeSpan timeout)
{
TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)SecurityProtocolFactory;
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input);
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
out bool expectSignedTokens, out bool expectBasicTokens, out bool expectEndorsingTokens);
if (securityHeader == null)
{
bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens;
if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) ||
(!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens))
{
return;
}
else
{
if (string.IsNullOrEmpty(actor))
{
throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
}
else
{
throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
}
}
}
securityHeader.RequireMessageProtection = false;
securityHeader.ExpectBasicTokens = expectBasicTokens;
securityHeader.ExpectSignedTokens = expectSignedTokens;
securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize;
securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas;
// Due to compatibility, only honor this setting if this app setting is enabled
if (ServiceModelAppSettings.UseConfiguredTransportSecurityHeaderLayout)
{
securityHeader.Layout = factory.SecurityHeaderLayout;
}
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
if (!factory.ActAsInitiator)
{
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
if (factory.ExpectKeyDerivation)
{
securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator;
}
}
securityHeader.ReplayDetectionEnabled = factory.DetectReplays;
securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew);
securityHeader.Process(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy);
message = securityHeader.ProcessedMessage;
if (!factory.ActAsInitiator)
{
AttachRecipientSecurityProperty(message, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
base.OnIncomingMessageVerified(message);
}
internal override void WriteTo(XmlWriter writer)
{
writer.WriteStartElement(MessageLogTraceRecord.NamespacePrefix, MessageLogTraceRecord.MessageLogTraceRecordElementName, MessageLogTraceRecord.NamespaceUri); // <MessageLogTraceRecord>
writer.WriteAttributeString(MessageLogTraceRecord.TraceTimeAttributeName, this.timestamp.ToString("o", CultureInfo.InvariantCulture));
writer.WriteAttributeString(DiagnosticStrings.SourceTag, this.source.ToString());
if (null != this.type)
{
Fx.Assert(this.message != null, "");
XmlDictionaryWriter dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
dictionaryWriter.WriteAttributeString(MessageLogTraceRecord.TypeElementName, this.type.ToString());
#if DEBUG
MessageProperties properties = this.message.Properties;
dictionaryWriter.WriteStartElement("Properties");
foreach (string key in properties.Keys)
{
dictionaryWriter.WriteElementString(key, properties[key].ToString());
}
dictionaryWriter.WriteEndElement(); // </Properties>
#endif
WriteAddressingProperties(dictionaryWriter);
WriteHttpProperties(dictionaryWriter);
if (null != this.reader) //TransportSend case: Message may miss some security data, so we use XmlReader created from serialized message
{
this.reader.MoveToContent();
}
if (this.logMessageBody)
{
if (null != this.reader)
{
dictionaryWriter.WriteNode(this.reader, true);
}
else
{
bool hasAtLeastOneItemInsideSecurityHeaderEncrypted = false;
if (this.message is SecurityVerifiedMessage)
{
SecurityVerifiedMessage verifiedMessage = this.message as SecurityVerifiedMessage;
ReceiveSecurityHeader receivedHeader = verifiedMessage.ReceivedSecurityHeader;
hasAtLeastOneItemInsideSecurityHeaderEncrypted = receivedHeader.HasAtLeastOneItemInsideSecurityHeaderEncrypted;
}
if (!hasAtLeastOneItemInsideSecurityHeaderEncrypted)
{
this.message.ToString(dictionaryWriter);
}
else
{
if (this.message.Version.Envelope != EnvelopeVersion.None)
{
dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Envelope, this.message.Version.Envelope.DictionaryNamespace);
WriteHeader(dictionaryWriter);
this.message.WriteStartBody(writer);
}
this.message.BodyToString(dictionaryWriter);
if (this.message.Version.Envelope != EnvelopeVersion.None)
{
writer.WriteEndElement(); // </Body>
dictionaryWriter.WriteEndElement(); // </Envelope>
}
}
}
}
else if (this.message.Version.Envelope != EnvelopeVersion.None) //No headers for EnvelopeVersion.None
{
if (null != this.reader)
{
dictionaryWriter.WriteStartElement(reader.Prefix, reader.LocalName, reader.NamespaceURI);
this.reader.Read();
if (0 == String.CompareOrdinal(reader.LocalName, "Header"))
{
dictionaryWriter.WriteNode(this.reader, true);
}
dictionaryWriter.WriteEndElement();
}
else
{
dictionaryWriter.WriteStartElement(XD.MessageDictionary.Prefix.Value, XD.MessageDictionary.Envelope, this.message.Version.Envelope.DictionaryNamespace);
WriteHeader(dictionaryWriter);
dictionaryWriter.WriteEndElement(); // </Envelope>
}
}
if (null != this.reader)
{
this.reader.Close();
this.reader = null;
}
}
else
{
writer.WriteCData(this.messageString);
}
writer.WriteEndElement(); // </MessageLogTraceRecord>
}
protected virtual async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout)
{
TransportSecurityProtocolFactory factory = (TransportSecurityProtocolFactory)SecurityProtocolFactory;
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
factory.IncomingAlgorithmSuite, (factory.ActAsInitiator) ? MessageDirection.Output : MessageDirection.Input);
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
out bool expectSignedTokens, out bool expectBasicTokens, out bool expectEndorsingTokens);
if (securityHeader == null)
{
bool expectSupportingTokens = expectEndorsingTokens || expectSignedTokens || expectBasicTokens;
if ((factory.ActAsInitiator && (!factory.AddTimestamp || factory.SecurityBindingElement.EnableUnsecuredResponse)) ||
(!factory.ActAsInitiator && !factory.AddTimestamp && !expectSupportingTokens))
{
return(message);
}
else
{
if (string.IsNullOrEmpty(actor))
{
throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindSecurityHeaderInMessageNoActor)), message);
}
else
{
throw Diagnostics.TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindSecurityHeaderInMessage, actor)), message);
}
}
}
securityHeader.RequireMessageProtection = false;
securityHeader.ExpectBasicTokens = expectBasicTokens;
securityHeader.ExpectSignedTokens = expectSignedTokens;
securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
securityHeader.MaxReceivedMessageSize = factory.SecurityBindingElement.MaxReceivedMessageSize;
securityHeader.ReaderQuotas = factory.SecurityBindingElement.ReaderQuotas;
// This was behind an app setting on WCF. If this breaks someone, it's because they are setting SecurityHeaderLayout and it
// wasn't being applied. The customer fix is to not set the SecurityHeaderLayout as that's what they were effectively running with.
securityHeader.Layout = factory.SecurityHeaderLayout;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
if (!factory.ActAsInitiator)
{
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(MergeOutOfBandResolvers(supportingAuthenticators, EmptyReadOnlyCollection <SecurityTokenResolver> .Instance));
if (factory.ExpectKeyDerivation)
{
securityHeader.DerivedTokenAuthenticator = factory.DerivedKeyTokenAuthenticator;
}
}
securityHeader.ReplayDetectionEnabled = factory.DetectReplays;
securityHeader.SetTimeParameters(factory.NonceCache, factory.ReplayWindow, factory.MaxClockSkew);
await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), factory.ExtendedProtectionPolicy);
Message processedMessage = securityHeader.ProcessedMessage;
if (!factory.ActAsInitiator)
{
AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens,
securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
base.OnIncomingMessageVerified(processedMessage);
return(processedMessage);
}
protected IList <SupportingTokenAuthenticatorSpecification> GetSupportingTokenAuthenticatorsAndSetExpectationFlags(SecurityProtocolFactory factory, Message message,
ReceiveSecurityHeader securityHeader)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("message");
}
bool expectBasicTokens;
bool expectSignedTokens;
bool expectEndorsingTokens;
IList <SupportingTokenAuthenticatorSpecification> authenticators = factory.GetSupportingTokenAuthenticators(message.Headers.Action,
out expectSignedTokens, out expectBasicTokens, out expectEndorsingTokens);
securityHeader.ExpectBasicTokens = expectBasicTokens;
securityHeader.ExpectEndorsingTokens = expectEndorsingTokens;
securityHeader.ExpectSignedTokens = expectSignedTokens;
return(authenticators);
}
public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
{
this.tokens = new SecurityTokenEntry[InitialTokenArraySize];
this.securityHeader = securityHeader;
}
public override ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader) => securityHeader.ExecuteFullPassAsync(reader);
public abstract ValueTask ExecuteProcessingPassesAsync(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader);
