private void OnNegotiationComplete(SspiNegotiationTokenProviderState sspiState, RequestSecurityTokenResponse negotiationRstr, RequestSecurityTokenResponse authenticatorRstr)
{
ISspiNegotiation sspiNegotiation = sspiState.SspiNegotiation;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.ValidateSspiNegotiation(sspiNegotiation);
SecurityTokenResolver resolver = new SspiSecurityTokenResolver(sspiNegotiation);
GenericXmlSecurityToken serviceToken = negotiationRstr.GetIssuedToken(resolver, System.ServiceModel.Security.EmptyReadOnlyCollection <SecurityTokenAuthenticator> .Instance, SecurityKeyEntropyMode.ServerEntropy, null, base.SecurityContextTokenUri, authorizationPolicies, 0, false);
if (serviceToken == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoServiceTokenReceived")));
}
WrappedKeySecurityToken proofToken = serviceToken.ProofToken as WrappedKeySecurityToken;
if ((proofToken == null) || (proofToken.WrappingAlgorithm != sspiNegotiation.KeyEncryptionAlgorithm))
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("ProofTokenWasNotWrappedCorrectly")));
}
byte[] wrappedKey = proofToken.GetWrappedKey();
if (authenticatorRstr == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorNotPresent")));
}
byte[] authenticator = authenticatorRstr.GetAuthenticator();
if (authenticator == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorNotPresent")));
}
if (!IsCorrectAuthenticator(sspiState, wrappedKey, authenticator))
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorIncorrect")));
}
sspiState.SetServiceToken(serviceToken);
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation negotiation = sspiNegotiation as TlsSspiNegotiation;
if (((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (negotiation != null)) && (negotiation.IncomingValueTypeUri != null))
{
return new BinaryNegotiation(negotiation.IncomingValueTypeUri, outgoingBlob);
}
return base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
}
public SspiNegotiationTokenProviderState(ISspiNegotiation sspiNegotiation)
{
if (sspiNegotiation == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation");
}
this.sspiNegotiation = sspiNegotiation;
this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm();
}
public SspiNegotiationTokenProviderState(ISspiNegotiation sspiNegotiation)
{
if (sspiNegotiation == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation");
}
this.sspiNegotiation = sspiNegotiation;
this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm();
}
public SspiNegotiationTokenAuthenticatorState(ISspiNegotiation sspiNegotiation)
{
if (sspiNegotiation == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation");
}
this.sspiNegotiation = sspiNegotiation;
this.negotiationDigest = CryptoHelper.NewSha1HashAlgorithm();
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation negotiation = sspiNegotiation as TlsSspiNegotiation;
if (((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (negotiation != null)) && (negotiation.IncomingValueTypeUri != null))
{
return(new BinaryNegotiation(negotiation.IncomingValueTypeUri, outgoingBlob));
}
return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob));
}
public WrappedKeySecurityToken(string id, byte[] keyToWrap, string wrappingAlgorithm, ISspiNegotiation wrappingSspiContext, byte[] wrappedKey)
: this(id, keyToWrap, wrappingAlgorithm, (XmlDictionaryString)null)
{
if (wrappingSspiContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingSspiContext");
}
this.wrappingSspiContext = wrappingSspiContext;
this.wrappedKey = wrappedKey != null ? wrappedKey : wrappingSspiContext.Encrypt(keyToWrap);
this.serializeCarriedKeyName = false;
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation tlsNegotiation = sspiNegotiation as TlsSspiNegotiation;
// Echo only for TrustFeb2005 and ValueType mismatch
if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 &&
tlsNegotiation != null &&
tlsNegotiation.IncomingValueTypeUri != null)
{
return(new BinaryNegotiation(tlsNegotiation.IncomingValueTypeUri, outgoingBlob));
}
else
{
return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob));
}
}
public override void Dispose()
{
try
{
if (this.sspiNegotiation != null)
{
this.sspiNegotiation.Dispose();
this.sspiNegotiation = null;
this.negotiationDigest.Dispose();
this.negotiationDigest = null;
}
}
finally
{
base.Dispose();
}
}
public override void Dispose()
{
try
{
if (this.sspiNegotiation != null)
{
this.sspiNegotiation.Dispose();
this.sspiNegotiation = null;
this.negotiationDigest.Dispose();
this.negotiationDigest = null;
}
}
finally
{
base.Dispose();
}
}
// direct receiver use, chained sender use
internal WrappedKeySecurityToken(string id, byte[] keyToWrap, string wrappingAlgorithm, ISspiNegotiation wrappingSspiContext, byte[] wrappedKey)
: this(id, keyToWrap, wrappingAlgorithm, null)
{
if (wrappingSspiContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappingSspiContext");
}
_wrappingSspiContext = wrappingSspiContext;
if (wrappedKey == null)
{
_wrappedKey = wrappingSspiContext.Encrypt(keyToWrap);
}
else
{
_wrappedKey = wrappedKey;
}
_serializeCarriedKeyName = false;
}
void OnNegotiationComplete(SspiNegotiationTokenProviderState sspiState, RequestSecurityTokenResponse negotiationRstr, RequestSecurityTokenResponse authenticatorRstr)
{
ISspiNegotiation sspiNegotiation = sspiState.SspiNegotiation;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = ValidateSspiNegotiation(sspiNegotiation);
// the negotiation has completed successfully - the service token needs to be extracted from the
// negotiationRstr
SecurityTokenResolver tokenResolver = new SspiSecurityTokenResolver(sspiNegotiation);
GenericXmlSecurityToken serviceToken = negotiationRstr.GetIssuedToken(tokenResolver, EmptyReadOnlyCollection <SecurityTokenAuthenticator> .Instance,
SecurityKeyEntropyMode.ServerEntropy, null, this.SecurityContextTokenUri, authorizationPolicies, 0, false);
if (serviceToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoServiceTokenReceived)));
}
WrappedKeySecurityToken wrappedToken = (serviceToken.ProofToken as WrappedKeySecurityToken);
if (wrappedToken == null || wrappedToken.WrappingAlgorithm != sspiNegotiation.KeyEncryptionAlgorithm)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ProofTokenWasNotWrappedCorrectly)));
}
byte[] proofKey = wrappedToken.GetWrappedKey();
if (authenticatorRstr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorNotPresent)));
}
byte[] serverAuthenticator = authenticatorRstr.GetAuthenticator();
if (serverAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorNotPresent)));
}
if (!IsCorrectAuthenticator(sspiState, proofKey, serverAuthenticator))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorIncorrect)));
}
sspiState.SetServiceToken(serviceToken);
}
public SspiSecurityTokenResolver(ISspiNegotiation sspiNegotiation)
{
this.sspiNegotiation = sspiNegotiation;
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (windowsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.AuthenticateServer && windowsNegotiation.IsMutualAuthFlag == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotAuthenticateServer)));
}
SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation);
return(SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.ClientTokenAuthenticator == null)
{
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate;
if (clientCertificate == null)
{
// isAnonymous is false. So, fail the negotiation
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided)));
}
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (this.ClientTokenAuthenticator != null)
{
X509SecurityToken clientToken;
WindowsIdentity preMappedIdentity;
if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity))
{
clientToken = new X509SecurityToken(clientCertificate);
}
else
{
clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true);
preMappedIdentity.Dispose();
}
authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken);
clientToken.Dispose();
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
return(authorizationPolicies);
}
private BodyWriter ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
{
BinaryNegotiation outgoingBinaryNegotiation;
ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;
byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(), System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(incomingMessage), this.extendedProtectionPolicy);
if (!sspiNegotiation.IsValidContext)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")), incomingMessage);
}
if ((outgoingBlob == null) && !sspiNegotiation.IsCompleted)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoBinaryNegoToSend")), incomingMessage);
}
if (outgoingBlob != null)
{
outgoingBinaryNegotiation = this.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
}
else
{
outgoingBinaryNegotiation = null;
}
if (sspiNegotiation.IsCompleted)
{
SecurityContextSecurityToken token;
WrappedKeySecurityToken token2;
int num;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.ValidateSspiNegotiation(sspiNegotiation);
this.IssueServiceToken(negotiationState, authorizationPolicies, out token, out token2, out num);
negotiationState.SetServiceToken(token);
SecurityKeyIdentifierClause clause = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External);
SecurityKeyIdentifierClause clause2 = base.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal);
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(base.StandardsManager)
{
Context = negotiationState.Context,
KeySize = num,
TokenType = base.SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
response.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
response.RequestedUnattachedReference = clause;
response.RequestedAttachedReference = clause2;
response.SetLifetime(token.ValidFrom, token.ValidTo);
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressing10)
{
if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressingAugust2004)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { incomingMessage.Version.Addressing })));
}
response.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
}
else
{
response.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
}
}
response.MakeReadOnly();
AddToDigest(negotiationState, response, false);
RequestSecurityTokenResponse response2 = new RequestSecurityTokenResponse(base.StandardsManager)
{
RequestedSecurityToken = token,
RequestedProofToken = token2,
Context = negotiationState.Context,
KeySize = num,
TokenType = base.SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
response2.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
response2.RequestedAttachedReference = clause2;
response2.RequestedUnattachedReference = clause;
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressing10)
{
if (incomingMessage.Version.Addressing != AddressingVersion.WSAddressingAugust2004)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("AddressingVersionNotSupported", new object[] { incomingMessage.Version.Addressing })));
}
response2.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
}
else
{
response2.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
}
}
response2.MakeReadOnly();
byte[] authenticator = ComputeAuthenticator(negotiationState, token.GetKeyBytes());
RequestSecurityTokenResponse response3 = new RequestSecurityTokenResponse(base.StandardsManager)
{
Context = negotiationState.Context
};
response3.SetAuthenticator(authenticator);
response3.MakeReadOnly();
return(new RequestSecurityTokenResponseCollection(new List <RequestSecurityTokenResponse>(2)
{
response2, response3
}, base.StandardsManager));
}
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(base.StandardsManager)
{
Context = negotiationState.Context
};
rstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
rstr.MakeReadOnly();
AddToDigest(negotiationState, rstr, false);
return(rstr);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate;
if (serverCert == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided)));
}
ReadOnlyCollection <IAuthorizationPolicy> authzPolicies;
if (this.ServerTokenAuthenticator != null)
{
X509SecurityToken certToken = new X509SecurityToken(serverCert, false);
authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken);
}
else
{
authzPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
return(authzPolicies);
}
public WrappedKeySecurityToken(string id, byte[] keyToWrap, ISspiNegotiation wrappingSspiContext)
: this(id, keyToWrap, wrappingSspiContext != null ? wrappingSspiContext.KeyEncryptionAlgorithm : (string)null, wrappingSspiContext, (byte[])null)
{
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (windowsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.AuthenticateServer && windowsNegotiation.IsMutualAuthFlag == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotAuthenticateServer)));
}
SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation);
return SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName);
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
X509SecurityToken token;
WindowsIdentity identity;
TlsSspiNegotiation negotiation = (TlsSspiNegotiation) sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
if (this.ClientTokenAuthenticator == null)
{
return System.ServiceModel.Security.EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided")));
}
if (this.ClientTokenAuthenticator == null)
{
return System.ServiceModel.Security.EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity))
{
token = new X509SecurityToken(remoteCertificate);
}
else
{
token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true);
identity.Dispose();
}
ReadOnlyCollection<IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token);
token.Dispose();
return onlys;
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
X509SecurityToken token;
WindowsIdentity identity;
TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity))
{
token = new X509SecurityToken(remoteCertificate);
}
else
{
token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true);
identity.Dispose();
}
ReadOnlyCollection <IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token);
token.Dispose();
return(onlys);
}
internal WrappedKeySecurityToken(string id, byte[] keyToWrap, ISspiNegotiation wrappingSspiContext) : this(id, keyToWrap, (wrappingSspiContext != null) ? wrappingSspiContext.KeyEncryptionAlgorithm : null, wrappingSspiContext, null)
{
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (!windowsNegotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation);
if (base.IsClientAnonymous)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken())
{
WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName);
System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers);
List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1);
WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false);
list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime)));
return(list.AsReadOnly());
}
}
protected abstract ValueTask <ReadOnlyCollection <IAuthorizationPolicy> > ValidateSspiNegotiationAsync(ISspiNegotiation sspiNegotiation);
protected virtual BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
return(new BinaryNegotiation(NegotiationValueType, outgoingBlob));
}
public SspiNegotiationTokenAuthenticatorState(ISspiNegotiation sspiNegotiation)
: base()
{
SspiNegotiation = sspiNegotiation ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sspiNegotiation");
NegotiationDigest = CryptoHelper.NewSha1HashAlgorithm();
}
private async ValueTask <BodyWriter> ProcessNegotiationAsync(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
{
ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;
byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(),
SecurityUtils.GetChannelBindingFromMessage(incomingMessage),
ExtendedProtectionPolicy);
if (sspiNegotiation.IsValidContext == false)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidSspiNegotiation)), incomingMessage);
}
// if there is no blob to send back the nego must be complete from the server side
if (outgoingBlob == null && sspiNegotiation.IsCompleted == false)
{
throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.NoBinaryNegoToSend)), incomingMessage);
}
BinaryNegotiation outgoingBinaryNegotiation;
if (outgoingBlob != null)
{
outgoingBinaryNegotiation = GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
}
else
{
outgoingBinaryNegotiation = null;
}
BodyWriter replyBody;
if (sspiNegotiation.IsCompleted)
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = await ValidateSspiNegotiationAsync(sspiNegotiation);
SecurityContextSecurityToken serviceToken;
WrappedKeySecurityToken proofToken;
int issuedKeySize;
IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize);
negotiationState.SetServiceToken(serviceToken);
SecurityKeyIdentifierClause externalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
SecurityKeyIdentifierClause internalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);
RequestSecurityTokenResponse dummyRstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context,
KeySize = issuedKeySize,
TokenType = SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
dummyRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
dummyRstr.RequestedUnattachedReference = externalTokenReference;
dummyRstr.RequestedAttachedReference = internalTokenReference;
dummyRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo);
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
{
dummyRstr.SetAppliesTo <EndpointAddress10>(EndpointAddress10.FromEndpointAddress(
negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
dummyRstr.SetAppliesTo <EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(
negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
}
}
dummyRstr.MakeReadOnly();
AddToDigest(negotiationState, dummyRstr, false);
RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(StandardsManager)
{
RequestedSecurityToken = serviceToken,
RequestedProofToken = proofToken,
Context = negotiationState.Context,
KeySize = issuedKeySize,
TokenType = SecurityContextTokenUri
};
if (outgoingBinaryNegotiation != null)
{
negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
}
negotiationRstr.RequestedAttachedReference = internalTokenReference;
negotiationRstr.RequestedUnattachedReference = externalTokenReference;
if (negotiationState.AppliesTo != null)
{
if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
{
negotiationRstr.SetAppliesTo <EndpointAddress10>(
EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
{
negotiationRstr.SetAppliesTo <EndpointAddressAugust2004>(
EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo),
negotiationState.AppliesToSerializer);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
}
}
negotiationRstr.MakeReadOnly();
byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes());
RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context
};
authenticatorRstr.SetAuthenticator(authenticator);
authenticatorRstr.MakeReadOnly();
List <RequestSecurityTokenResponse> rstrList = new List <RequestSecurityTokenResponse>(2)
{
negotiationRstr,
authenticatorRstr
};
replyBody = new RequestSecurityTokenResponseCollection(rstrList, StandardsManager);
}
else
{
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(StandardsManager)
{
Context = negotiationState.Context
};
rstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
rstr.MakeReadOnly();
AddToDigest(negotiationState, rstr, false);
replyBody = rstr;
}
return(replyBody);
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation tlsNegotiation = sspiNegotiation as TlsSspiNegotiation;
// Echo only for TrustFeb2005 and ValueType mismatch
if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 &&
tlsNegotiation != null &&
tlsNegotiation.IncomingValueTypeUri != null)
{
return new BinaryNegotiation(tlsNegotiation.IncomingValueTypeUri, outgoingBlob);
}
else
{
return base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob);
}
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate;
if (serverCert == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided)));
}
ReadOnlyCollection<IAuthorizationPolicy> authzPolicies;
if (this.ServerTokenAuthenticator != null)
{
X509SecurityToken certToken = new X509SecurityToken(serverCert, false);
authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken);
}
else
{
authzPolicies = EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
return authzPolicies;
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.ClientTokenAuthenticator == null)
{
return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate;
if (clientCertificate == null)
{
// isAnonymous is false. So, fail the negotiation
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided)));
}
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies;
if (this.ClientTokenAuthenticator != null)
{
X509SecurityToken clientToken;
WindowsIdentity preMappedIdentity;
if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity))
{
clientToken = new X509SecurityToken(clientCertificate);
}
else
{
clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true);
preMappedIdentity.Dispose();
}
authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken);
clientToken.Dispose();
}
else
{
authorizationPolicies = EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
return authorizationPolicies;
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("ServerCertificateNotProvided")));
}
if (this.ServerTokenAuthenticator != null)
{
X509SecurityToken token = new X509SecurityToken(remoteCertificate, false);
return(this.ServerTokenAuthenticator.ValidateToken(token));
}
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
protected abstract ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation);
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (windowsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation);
if (this.IsClientAnonymous)
{
return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
using (SafeCloseHandle contextToken = windowsNegotiation.GetContextToken())
{
WindowsIdentity windowsIdentity = new WindowsIdentity(contextToken.DangerousGetHandle(), windowsNegotiation.ProtocolName);
SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, this.AllowUnauthenticatedCallers);
List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
WindowsClaimSet wic = new WindowsClaimSet( windowsIdentity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false );
policies.Add(new System.IdentityModel.Policy.UnconditionalPolicy(wic, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime)));
return policies.AsReadOnly();
}
}
WrappedKeySecurityToken CreateWrappedKeyToken(string id, string encryptionMethod, string carriedKeyName,
SecurityKeyIdentifier unwrappingTokenIdentifier, byte[] wrappedKey, SecurityTokenResolver tokenResolver)
{
ISspiNegotiationInfo sspiResolver = tokenResolver as ISspiNegotiationInfo;
if (sspiResolver != null)
{
ISspiNegotiation unwrappingSspiContext = sspiResolver.SspiNegotiation;
// ensure that the encryption algorithm is compatible
if (encryptionMethod != unwrappingSspiContext.KeyEncryptionAlgorithm)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.BadKeyEncryptionAlgorithm, encryptionMethod)));
}
byte[] unwrappedKey = unwrappingSspiContext.Decrypt(wrappedKey);
return(new WrappedKeySecurityToken(id, unwrappedKey, encryptionMethod, unwrappingSspiContext, unwrappedKey));
}
else
{
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("tokenResolver"));
}
if (unwrappingTokenIdentifier == null || unwrappingTokenIdentifier.Count == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.MissingKeyInfoInEncryptedKey)));
}
SecurityToken unwrappingToken;
SecurityHeaderTokenResolver resolver = tokenResolver as SecurityHeaderTokenResolver;
if (resolver != null)
{
unwrappingToken = resolver.ExpectedWrapper;
if (unwrappingToken != null)
{
if (!resolver.CheckExternalWrapperMatch(unwrappingTokenIdentifier))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.EncryptedKeyWasNotEncryptedWithTheRequiredEncryptingToken, unwrappingToken)));
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForUnwrappingToken, unwrappingTokenIdentifier, resolver)));
}
}
else
{
try
{
unwrappingToken = tokenResolver.ResolveToken(unwrappingTokenIdentifier);
}
catch (Exception exception)
{
if (exception is MessageSecurityException)
{
throw;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForUnwrappingToken, unwrappingTokenIdentifier, tokenResolver), exception));
}
}
SecurityKey unwrappingSecurityKey;
byte[] unwrappedKey = SecurityUtils.DecryptKey(unwrappingToken, encryptionMethod, wrappedKey, out unwrappingSecurityKey);
return(new WrappedKeySecurityToken(id, unwrappedKey, encryptionMethod, unwrappingToken, unwrappingTokenIdentifier, wrappedKey, unwrappingSecurityKey));
}
}
