private void OnNegotiationComplete(SspiNegotiationTokenProviderState sspiState, RequestSecurityTokenResponse negotiationRstr, RequestSecurityTokenResponse authenticatorRstr) { ISspiNegotiation sspiNegotiation = sspiState.SspiNegotiation; ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.ValidateSspiNegotiation(sspiNegotiation); SecurityTokenResolver resolver = new SspiSecurityTokenResolver(sspiNegotiation); GenericXmlSecurityToken serviceToken = negotiationRstr.GetIssuedToken(resolver, System.ServiceModel.Security.EmptyReadOnlyCollection <SecurityTokenAuthenticator> .Instance, SecurityKeyEntropyMode.ServerEntropy, null, base.SecurityContextTokenUri, authorizationPolicies, 0, false); if (serviceToken == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoServiceTokenReceived"))); } WrappedKeySecurityToken proofToken = serviceToken.ProofToken as WrappedKeySecurityToken; if ((proofToken == null) || (proofToken.WrappingAlgorithm != sspiNegotiation.KeyEncryptionAlgorithm)) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("ProofTokenWasNotWrappedCorrectly"))); } byte[] wrappedKey = proofToken.GetWrappedKey(); if (authenticatorRstr == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorNotPresent"))); } byte[] authenticator = authenticatorRstr.GetAuthenticator(); if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorNotPresent"))); } if (!IsCorrectAuthenticator(sspiState, wrappedKey, authenticator)) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorIncorrect"))); } sspiState.SetServiceToken(serviceToken); }
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob) { TlsSspiNegotiation negotiation = sspiNegotiation as TlsSspiNegotiation; if (((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (negotiation != null)) && (negotiation.IncomingValueTypeUri != null)) { return new BinaryNegotiation(negotiation.IncomingValueTypeUri, outgoingBlob); } return base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob); }
public SspiNegotiationTokenProviderState(ISspiNegotiation sspiNegotiation) { if (sspiNegotiation == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation"); } this.sspiNegotiation = sspiNegotiation; this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm(); }
public SspiNegotiationTokenProviderState(ISspiNegotiation sspiNegotiation) { if (sspiNegotiation == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation"); } this.sspiNegotiation = sspiNegotiation; this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm(); }
public SspiNegotiationTokenAuthenticatorState(ISspiNegotiation sspiNegotiation) { if (sspiNegotiation == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation"); } this.sspiNegotiation = sspiNegotiation; this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm(); }
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob) { TlsSspiNegotiation negotiation = sspiNegotiation as TlsSspiNegotiation; if (((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (negotiation != null)) && (negotiation.IncomingValueTypeUri != null)) { return(new BinaryNegotiation(negotiation.IncomingValueTypeUri, outgoingBlob)); } return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob)); }
public WrappedKeySecurityToken(string id, byte[] keyToWrap, string wrappingAlgorithm, ISspiNegotiation wrappingSspiContext, byte[] wrappedKey) : this(id, keyToWrap, wrappingAlgorithm, (XmlDictionaryString)null) { if (wrappingSspiContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingSspiContext"); } this.wrappingSspiContext = wrappingSspiContext; this.wrappedKey = wrappedKey != null ? wrappedKey : wrappingSspiContext.Encrypt(keyToWrap); this.serializeCarriedKeyName = false; }
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob) { TlsSspiNegotiation tlsNegotiation = sspiNegotiation as TlsSspiNegotiation; // Echo only for TrustFeb2005 and ValueType mismatch if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 && tlsNegotiation != null && tlsNegotiation.IncomingValueTypeUri != null) { return(new BinaryNegotiation(tlsNegotiation.IncomingValueTypeUri, outgoingBlob)); } else { return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob)); } }
public override void Dispose() { try { if (this.sspiNegotiation != null) { this.sspiNegotiation.Dispose(); this.sspiNegotiation = null; this.negotiationDigest.Dispose(); this.negotiationDigest = null; } } finally { base.Dispose(); } }
public override void Dispose() { try { if (this.sspiNegotiation != null) { this.sspiNegotiation.Dispose(); this.sspiNegotiation = null; this.negotiationDigest.Dispose(); this.negotiationDigest = null; } } finally { base.Dispose(); } }
// direct receiver use, chained sender use internal WrappedKeySecurityToken(string id, byte[] keyToWrap, string wrappingAlgorithm, ISspiNegotiation wrappingSspiContext, byte[] wrappedKey) : this(id, keyToWrap, wrappingAlgorithm, null) { if (wrappingSspiContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingSspiContext"); } _wrappingSspiContext = wrappingSspiContext; if (wrappedKey == null) { _wrappedKey = wrappingSspiContext.Encrypt(keyToWrap); } else { _wrappedKey = wrappedKey; } _serializeCarriedKeyName = false; }
void OnNegotiationComplete(SspiNegotiationTokenProviderState sspiState, RequestSecurityTokenResponse negotiationRstr, RequestSecurityTokenResponse authenticatorRstr) { ISspiNegotiation sspiNegotiation = sspiState.SspiNegotiation; ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = ValidateSspiNegotiation(sspiNegotiation); // the negotiation has completed successfully - the service token needs to be extracted from the // negotiationRstr SecurityTokenResolver tokenResolver = new SspiSecurityTokenResolver(sspiNegotiation); GenericXmlSecurityToken serviceToken = negotiationRstr.GetIssuedToken(tokenResolver, EmptyReadOnlyCollection <SecurityTokenAuthenticator> .Instance, SecurityKeyEntropyMode.ServerEntropy, null, this.SecurityContextTokenUri, authorizationPolicies, 0, false); if (serviceToken == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoServiceTokenReceived))); } WrappedKeySecurityToken wrappedToken = (serviceToken.ProofToken as WrappedKeySecurityToken); if (wrappedToken == null || wrappedToken.WrappingAlgorithm != sspiNegotiation.KeyEncryptionAlgorithm) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ProofTokenWasNotWrappedCorrectly))); } byte[] proofKey = wrappedToken.GetWrappedKey(); if (authenticatorRstr == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorNotPresent))); } byte[] serverAuthenticator = authenticatorRstr.GetAuthenticator(); if (serverAuthenticator == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorNotPresent))); } if (!IsCorrectAuthenticator(sspiState, proofKey, serverAuthenticator)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorIncorrect))); } sspiState.SetServiceToken(serviceToken); }
public SspiSecurityTokenResolver(ISspiNegotiation sspiNegotiation) { this.sspiNegotiation = sspiNegotiation; }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (windowsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } if (this.AuthenticateServer && windowsNegotiation.IsMutualAuthFlag == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotAuthenticateServer))); } SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation); return(SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName)); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation; if (tlsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } if (this.ClientTokenAuthenticator == null) { return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate; if (clientCertificate == null) { // isAnonymous is false. So, fail the negotiation throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided))); } ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies; if (this.ClientTokenAuthenticator != null) { X509SecurityToken clientToken; WindowsIdentity preMappedIdentity; if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity)) { clientToken = new X509SecurityToken(clientCertificate); } else { clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true); preMappedIdentity.Dispose(); } authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken); clientToken.Dispose(); } else { authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance; } return(authorizationPolicies); }
private BodyWriter ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego) { BinaryNegotiation outgoingBinaryNegotiation; ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation; byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(incomingMessage), this.extendedProtectionPolicy); if (!sspiNegotiation.IsValidContext) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")), incomingMessage); } if ((outgoingBlob == null) && !sspiNegotiation.IsCompleted) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoBinaryNegoToSend")), incomingMessage); } if (outgoingBlob != null) { outgoingBinaryNegotiation = this.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob); } else { outgoingBinaryNegotiation = null; } if (sspiNegotiation.IsCompleted) { SecurityContextSecurityToken token; WrappedKeySecurityToken token2; int num; ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.ValidateSspiNegotiation(sspiNegotiation); this.IssueServiceToken(negotiationState, authorizationPolicies, out token, out token2, out num); negotiationState.SetServiceToken(token); SecurityKeyIdentifierClause clause = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External); SecurityKeyIdentifierClause clause2 = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal); RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(base.StandardsManager) { Context = negotiationState.Context, KeySize = num, TokenType = base.SecurityContextTokenUri }; if (outgoingBinaryNegotiation != null) { response.SetBinaryNegotiation(outgoingBinaryNegotiation); } response.RequestedUnattachedReference = clause; response.RequestedAttachedReference = clause2; response.SetLifetime(token.ValidFrom, token.ValidTo); if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressing10) { if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressingAugust2004) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { incomingMessage.Version.Addressing }))); } response.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { response.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } } response.MakeReadOnly(); AddToDigest(negotiationState, response, false); RequestSecurityTokenResponse response2 = new RequestSecurityTokenResponse(base.StandardsManager) { RequestedSecurityToken = token, RequestedProofToken = token2, Context = negotiationState.Context, KeySize = num, TokenType = base.SecurityContextTokenUri }; if (outgoingBinaryNegotiation != null) { response2.SetBinaryNegotiation(outgoingBinaryNegotiation); } response2.RequestedAttachedReference = clause2; response2.RequestedUnattachedReference = clause; if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressing10) { if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressingAugust2004) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { incomingMessage.Version.Addressing }))); } response2.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { response2.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } } response2.MakeReadOnly(); byte[] authenticator = ComputeAuthenticator(negotiationState, token.GetKeyBytes()); RequestSecurityTokenResponse response3 = new RequestSecurityTokenResponse(base.StandardsManager) { Context = negotiationState.Context }; response3.SetAuthenticator(authenticator); response3.MakeReadOnly(); return(new RequestSecurityTokenResponseCollection(new List <RequestSecurityTokenResponse>(2) { response2, response3 }, base.StandardsManager)); } RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(base.StandardsManager) { Context = negotiationState.Context }; rstr.SetBinaryNegotiation(outgoingBinaryNegotiation); rstr.MakeReadOnly(); AddToDigest(negotiationState, rstr, false); return(rstr); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation; if (tlsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate; if (serverCert == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided))); } ReadOnlyCollection <IAuthorizationPolicy> authzPolicies; if (this.ServerTokenAuthenticator != null) { X509SecurityToken certToken = new X509SecurityToken(serverCert, false); authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken); } else { authzPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance; } return(authzPolicies); }
public WrappedKeySecurityToken(string id, byte[] keyToWrap, ISspiNegotiation wrappingSspiContext) : this(id, keyToWrap, wrappingSspiContext != null ? wrappingSspiContext.KeyEncryptionAlgorithm : (string)null, wrappingSspiContext, (byte[])null) { }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (windowsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } if (this.AuthenticateServer && windowsNegotiation.IsMutualAuthFlag == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotAuthenticateServer))); } SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation); return SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName); }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { X509SecurityToken token; WindowsIdentity identity; TlsSspiNegotiation negotiation = (TlsSspiNegotiation) sspiNegotiation; if (!negotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } if (this.ClientTokenAuthenticator == null) { return System.ServiceModel.Security.EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } X509Certificate2 remoteCertificate = negotiation.RemoteCertificate; if (remoteCertificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided"))); } if (this.ClientTokenAuthenticator == null) { return System.ServiceModel.Security.EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity)) { token = new X509SecurityToken(remoteCertificate); } else { token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true); identity.Dispose(); } ReadOnlyCollection<IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token); token.Dispose(); return onlys; }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { X509SecurityToken token; WindowsIdentity identity; TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation; if (!negotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } if (this.ClientTokenAuthenticator == null) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } X509Certificate2 remoteCertificate = negotiation.RemoteCertificate; if (remoteCertificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided"))); } if (this.ClientTokenAuthenticator == null) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity)) { token = new X509SecurityToken(remoteCertificate); } else { token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true); identity.Dispose(); } ReadOnlyCollection <IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token); token.Dispose(); return(onlys); }
internal WrappedKeySecurityToken(string id, byte[] keyToWrap, ISspiNegotiation wrappingSspiContext) : this(id, keyToWrap, (wrappingSspiContext != null) ? wrappingSspiContext.KeyEncryptionAlgorithm : null, wrappingSspiContext, null) { }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (!windowsNegotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation); if (base.IsClientAnonymous) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken()) { WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName); System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers); List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1); WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false); list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime))); return(list.AsReadOnly()); } }
protected abstract ValueTask <ReadOnlyCollection <IAuthorizationPolicy> > ValidateSspiNegotiationAsync(ISspiNegotiation sspiNegotiation);
protected virtual BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob) { return(new BinaryNegotiation(NegotiationValueType, outgoingBlob)); }
public SspiNegotiationTokenAuthenticatorState(ISspiNegotiation sspiNegotiation) : base() { SspiNegotiation = sspiNegotiation ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation"); NegotiationDigest = CryptoHelper.NewSha1HashAlgorithm(); }
private async ValueTask <BodyWriter> ProcessNegotiationAsync(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego) { ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation; byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(), SecurityUtils.GetChannelBindingFromMessage(incomingMessage), ExtendedProtectionPolicy); if (sspiNegotiation.IsValidContext == false) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidSspiNegotiation)), incomingMessage); } // if there is no blob to send back the nego must be complete from the server side if (outgoingBlob == null && sspiNegotiation.IsCompleted == false) { throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.NoBinaryNegoToSend)), incomingMessage); } BinaryNegotiation outgoingBinaryNegotiation; if (outgoingBlob != null) { outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob); } else { outgoingBinaryNegotiation = null; } BodyWriter replyBody; if (sspiNegotiation.IsCompleted) { ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = await ValidateSspiNegotiationAsync(sspiNegotiation); SecurityContextSecurityToken serviceToken; WrappedKeySecurityToken proofToken; int issuedKeySize; IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize); negotiationState.SetServiceToken(serviceToken); SecurityKeyIdentifierClause externalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External); SecurityKeyIdentifierClause internalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal); RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(StandardsManager) { Context = negotiationState.Context, KeySize = issuedKeySize, TokenType = SecurityContextTokenUri }; if (outgoingBinaryNegotiation != null) { dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation); } dummyRstr.RequestedUnattachedReference = externalTokenReference; dummyRstr.RequestedAttachedReference = internalTokenReference; dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo); if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10) { dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress( negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004) { dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress( negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing))); } } dummyRstr.MakeReadOnly(); AddToDigest(negotiationState, dummyRstr, false); RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(StandardsManager) { RequestedSecurityToken = serviceToken, RequestedProofToken = proofToken, Context = negotiationState.Context, KeySize = issuedKeySize, TokenType = SecurityContextTokenUri }; if (outgoingBinaryNegotiation != null) { negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation); } negotiationRstr.RequestedAttachedReference = internalTokenReference; negotiationRstr.RequestedUnattachedReference = externalTokenReference; if (negotiationState.AppliesTo != null) { if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10) { negotiationRstr.SetAppliesTo <EndpointAddress10>( EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004) { negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>( EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing))); } } negotiationRstr.MakeReadOnly(); byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes()); RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(StandardsManager) { Context = negotiationState.Context }; authenticatorRstr.SetAuthenticator(authenticator); authenticatorRstr.MakeReadOnly(); List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2) { negotiationRstr, authenticatorRstr }; replyBody = new RequestSecurityTokenResponseCollection(rstrList, StandardsManager); } else { RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(StandardsManager) { Context = negotiationState.Context }; rstr.SetBinaryNegotiation(outgoingBinaryNegotiation); rstr.MakeReadOnly(); AddToDigest(negotiationState, rstr, false); replyBody = rstr; } return(replyBody); }
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob) { TlsSspiNegotiation tlsNegotiation = sspiNegotiation as TlsSspiNegotiation; // Echo only for TrustFeb2005 and ValueType mismatch if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 && tlsNegotiation != null && tlsNegotiation.IncomingValueTypeUri != null) { return new BinaryNegotiation(tlsNegotiation.IncomingValueTypeUri, outgoingBlob); } else { return base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob); } }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation; if (tlsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate; if (serverCert == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided))); } ReadOnlyCollection<IAuthorizationPolicy> authzPolicies; if (this.ServerTokenAuthenticator != null) { X509SecurityToken certToken = new X509SecurityToken(serverCert, false); authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken); } else { authzPolicies = EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } return authzPolicies; }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation; if (tlsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } if (this.ClientTokenAuthenticator == null) { return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate; if (clientCertificate == null) { // isAnonymous is false. So, fail the negotiation throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided))); } ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies; if (this.ClientTokenAuthenticator != null) { X509SecurityToken clientToken; WindowsIdentity preMappedIdentity; if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity)) { clientToken = new X509SecurityToken(clientCertificate); } else { clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true); preMappedIdentity.Dispose(); } authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken); clientToken.Dispose(); } else { authorizationPolicies = EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } return authorizationPolicies; }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation; if (!negotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } X509Certificate2 remoteCertificate = negotiation.RemoteCertificate; if (remoteCertificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("ServerCertificateNotProvided"))); } if (this.ServerTokenAuthenticator != null) { X509SecurityToken token = new X509SecurityToken(remoteCertificate, false); return(this.ServerTokenAuthenticator.ValidateToken(token)); } return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); }
protected abstract ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation);
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (windowsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation); if (this.IsClientAnonymous) { return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } using (SafeCloseHandle contextToken = windowsNegotiation.GetContextToken()) { WindowsIdentity windowsIdentity = new WindowsIdentity(contextToken.DangerousGetHandle(), windowsNegotiation.ProtocolName); SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, this.AllowUnauthenticatedCallers); List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1); WindowsClaimSet wic = new WindowsClaimSet( windowsIdentity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false ); policies.Add(new System.IdentityModel.Policy.UnconditionalPolicy(wic, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime))); return policies.AsReadOnly(); } }
WrappedKeySecurityToken CreateWrappedKeyToken(string id, string encryptionMethod, string carriedKeyName, SecurityKeyIdentifier unwrappingTokenIdentifier, byte[] wrappedKey, SecurityTokenResolver tokenResolver) { ISspiNegotiationInfo sspiResolver = tokenResolver as ISspiNegotiationInfo; if (sspiResolver != null) { ISspiNegotiation unwrappingSspiContext = sspiResolver.SspiNegotiation; // ensure that the encryption algorithm is compatible if (encryptionMethod != unwrappingSspiContext.KeyEncryptionAlgorithm) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.BadKeyEncryptionAlgorithm, encryptionMethod))); } byte[] unwrappedKey = unwrappingSspiContext.Decrypt(wrappedKey); return(new WrappedKeySecurityToken(id, unwrappedKey, encryptionMethod, unwrappingSspiContext, unwrappedKey)); } else { if (tokenResolver == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("tokenResolver")); } if (unwrappingTokenIdentifier == null || unwrappingTokenIdentifier.Count == 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.MissingKeyInfoInEncryptedKey))); } SecurityToken unwrappingToken; SecurityHeaderTokenResolver resolver = tokenResolver as SecurityHeaderTokenResolver; if (resolver != null) { unwrappingToken = resolver.ExpectedWrapper; if (unwrappingToken != null) { if (!resolver.CheckExternalWrapperMatch(unwrappingTokenIdentifier)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.EncryptedKeyWasNotEncryptedWithTheRequiredEncryptingToken, unwrappingToken))); } } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToResolveKeyInfoForUnwrappingToken, unwrappingTokenIdentifier, resolver))); } } else { try { unwrappingToken = tokenResolver.ResolveToken(unwrappingTokenIdentifier); } catch (Exception exception) { if (exception is MessageSecurityException) { throw; } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToResolveKeyInfoForUnwrappingToken, unwrappingTokenIdentifier, tokenResolver), exception)); } } SecurityKey unwrappingSecurityKey; byte[] unwrappedKey = SecurityUtils.DecryptKey(unwrappingToken, encryptionMethod, wrappedKey, out unwrappingSecurityKey); return(new WrappedKeySecurityToken(id, unwrappedKey, encryptionMethod, unwrappingToken, unwrappingTokenIdentifier, wrappedKey, unwrappingSecurityKey)); } }