private void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id)
{
for (int i = 0; i < signedInfo.ReferenceCount; i++)
{
Reference reference = signedInfo[i];
base.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod);
string str = reference.ExtractReferredId();
if (isPrimarySignature || (id == str))
{
if ((((timestamp != null) && (timestamp.Id == str)) && (!reference.TransformChain.NeedsInclusiveContext && (timestamp.DigestAlgorithm == reference.DigestMethod))) && (timestamp.GetDigest() != null))
{
reference.EnsureDigestValidity(str, timestamp.GetDigest());
base.ElementManager.SetTimestampSigned(str);
}
else if (signatureTarget != null)
{
reference.EnsureDigestValidity(id, signatureTarget);
}
else
{
XmlDictionaryReader signatureVerificationReader = base.ElementManager.GetSignatureVerificationReader(str, base.EncryptBeforeSignMode);
if (signatureVerificationReader != null)
{
reference.EnsureDigestValidity(str, signatureVerificationReader);
signatureVerificationReader.Close();
}
}
if (!isPrimarySignature)
{
return;
}
}
}
}
private void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id)
{
for (int i = 0; i < signedInfo.ReferenceCount; i++)
{
Reference reference = signedInfo[i];
base.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod);
string str = reference.ExtractReferredId();
if (isPrimarySignature || (id == str))
{
if ((((timestamp != null) && (timestamp.Id == str)) && (!reference.TransformChain.NeedsInclusiveContext && (timestamp.DigestAlgorithm == reference.DigestMethod))) && (timestamp.GetDigest() != null))
{
reference.EnsureDigestValidity(str, timestamp.GetDigest());
base.ElementManager.SetTimestampSigned(str);
}
else if (signatureTarget != null)
{
reference.EnsureDigestValidity(id, signatureTarget);
}
else
{
XmlDictionaryReader signatureVerificationReader = base.ElementManager.GetSignatureVerificationReader(str, base.EncryptBeforeSignMode);
if (signatureVerificationReader != null)
{
reference.EnsureDigestValidity(str, signatureVerificationReader);
signatureVerificationReader.Close();
}
}
if (!isPrimarySignature)
{
return;
}
}
}
}
void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id)
{
Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references.");
for (int i = 0; i < signedInfo.ReferenceCount; i++)
{
Reference reference = signedInfo[i];
this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod);
string referredId = reference.ExtractReferredId();
if (isPrimarySignature || (id == referredId))
{
if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext &&
timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null)
{
reference.EnsureDigestValidity(referredId, timestamp.GetDigest());
this.ElementManager.SetTimestampSigned(referredId);
}
else
{
if (signatureTarget != null)
reference.EnsureDigestValidity(id, signatureTarget);
else
{
int tokenIndex = -1;
XmlDictionaryReader reader = null;
if (reference.IsStrTranform())
{
if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex))
{
ReceiveSecurityHeaderEntry entry;
this.ElementManager.GetElementEntry(tokenIndex, out entry);
bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed)
|| (entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing);
// This means it is a protected(signed)primary token.
if (!this.ElementManager.IsPrimaryTokenSigned)
{
this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary &&
entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token;
}
this.ElementManager.SetSigned(tokenIndex);
// We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token.
reader = this.ElementManager.GetReader(tokenIndex, isSignedToken);
}
}
else
reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode);
if (reader != null)
{
reference.EnsureDigestValidity(referredId, reader);
reader.Close();
}
}
}
if (!isPrimarySignature)
{
// We were given an id to verify and we have verified it. So just break out
// of the loop.
break;
}
}
}
// This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message
// should have the primary signature over the primary(signing)token.
if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters())));
}
// NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe.
// To change this behaviour add another check below and throw appropriate exception message.
}
void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id)
{
Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references.");
for (int i = 0; i < signedInfo.ReferenceCount; i++)
{
Reference reference = signedInfo[i];
this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod);
string referredId = reference.ExtractReferredId();
if (isPrimarySignature || (id == referredId))
{
if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext &&
timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null)
{
reference.EnsureDigestValidity(referredId, timestamp.GetDigest());
this.ElementManager.SetTimestampSigned(referredId);
}
else
{
if (signatureTarget != null)
{
reference.EnsureDigestValidity(id, signatureTarget);
}
else
{
int tokenIndex = -1;
XmlDictionaryReader reader = null;
if (reference.IsStrTranform())
{
if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex))
{
ReceiveSecurityHeaderEntry entry;
this.ElementManager.GetElementEntry(tokenIndex, out entry);
bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed) ||
(entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing);
// This means it is a protected(signed)primary token.
if (!this.ElementManager.IsPrimaryTokenSigned)
{
this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary &&
entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token;
}
this.ElementManager.SetSigned(tokenIndex);
// We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token.
reader = this.ElementManager.GetReader(tokenIndex, isSignedToken);
}
}
else
{
reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode);
}
if (reader != null)
{
reference.EnsureDigestValidity(referredId, reader);
reader.Close();
}
}
}
if (!isPrimarySignature)
{
// We were given an id to verify and we have verified it. So just break out
// of the loop.
break;
}
}
}
// This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message
// should have the primary signature over the primary(signing)token.
if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters())));
}
// NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe.
// To change this behaviour add another check below and throw appropriate exception message.
}
