private void InterceptedAcknowledgementResponse(InterceptorMessage message, Headers headers)
{
lock (signatureLock)
{
SequenceAcknowledgementHeader sequenceAcknowledgementHeader = headers.SequenceAcknowledgement;
string identityName = message.Properties.Security.ServiceSecurityContext.PrimaryIdentity.Name;
int index = identityName.LastIndexOf(';');
string certificateSubject = identityName.Substring(0, index);
// Try to get the messages that have been acked in the RM session. If none exists return.
List <UnfinishedSignatureValidationProof> ackedMessages = null;
//System.Diagnostics.Debug.WriteLine("InterceptedAcknowledgementResponse sequenceID" + sequenceAcknowledgementHeader.SequenceId);
if (this.unfinishedSignaturesValidationProofStore.TryGetValueFromSequenceAcknowledgementHeader(sequenceAcknowledgementHeader, out ackedMessages))
{
// message
foreach (UnfinishedSignatureValidationProof ackedMessage in ackedMessages)
{
SignatureValidationProof signatureValidationProof = ackedMessage.SignatureValidationProof;
if (!signatureValidationProof.Completed)
{
signatureValidationProof.CompleteValidation(certificateSubject);
}
}
}
}
}
private void InterceptedMessageResponse(InterceptorMessage message, Headers headers)
{
lock (signatureLock)
{
SequenceHeader sequenceHeader = headers.SequenceHeader;
string relatesTo = headers.RelatesTo.ToString();
// Try to get the unfinished signature validation proof. If none exists return.
UnfinishedSignatureValidationProof unfinishedSignatureValidationProof = null;
if (this.unfinishedSignaturesValidationProofStore.TryGetValueFromMessageId(relatesTo, out unfinishedSignatureValidationProof))
{
// validation proof retrived
//System.Diagnostics.Debug.WriteLine("InterceptedMessageResponse relatesTo " + relatesTo);
SignatureValidationProof signatureValidationProof = unfinishedSignatureValidationProof.SignatureValidationProof;
string signatureValidationProofKey = ClientSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey;
message.AddProperty(signatureValidationProofKey, signatureValidationProof);
}
}
}
/// <summary>
/// Constructor. Adds WCF headers
/// </summary>
/// <param name="headers">The headers to set</param>
public UnfinishedSignatureValidationProof(Headers headers)
{
_headers = headers;
_signatureValidationProof = new SignatureValidationProof();
}
/* /// <summary>
* /// Overrides the method to validate the binding element order.
* /// </summary>
* /// <typeparam name="TChannel"></typeparam>
* /// <param name="context"></param>
* /// <returns></returns>
* public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
* {
* BindingElementCollection bindingElements = context.Binding.Elements;
* this.stackCheck.Check(bindingElements);
* return base.BuildChannelListener<TChannel>(context);
* }*/
/// <summary>
/// Intercept requests and creates the proof of validation interception before
/// attaching it to the message.
/// </summary>
/// <param name="interceptorMessage"></param>
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
this.logger.Trace("Security validate the foces certificate.");
try
{
Headers headers = new Headers(interceptorMessage);
if (interceptorMessage.IsFault)
{
// do nothing
}
else if (headers.IsCreateSequence)
{
// do nothing
}
else if (headers.SequenceHeader == null)
{
// do nothing
}
else if (headers.SequenceHeader.IsLastMessage)
{
// do nothing
}
else
{
// Get the certificate from the message
X509Certificate2 certificate;
try
{
certificate = interceptorMessage.Certificate;
}
catch
{
throw new FailedToGetCertificateSubjectException(interceptorMessage);
}
// now we must revocate check the certificate
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
RevocationResponse response = ocesCertificate.CheckRevocationStatus(revocationLookup);
if (response.Exception != null)
{
string msg;
try
{
msg = response.Exception.Message;
}
catch (Exception ex)
{
this.logger.Debug("Error finding the correct error message.", ex);
msg = "unknown";
}
this.logger.Warn(string.Format("The certificate '{0}' revocation check failed. Reason is: ", ocesCertificate.Certificate.SubjectName.Name, msg));
// some error checking the certificate
// make sure the error is of the correct type, and throw it
// note - if the original exception was not a communikation exception, it is wraped in a communikation exception
if (response.Exception is CertificateRevokedTimeoutException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CertificateRevokedException)
{
throw response.Exception;
}
else if (response.Exception is CertificateRevokedValidationFailedException)
{
throw response.Exception;
}
else if (response.Exception is CheckCertificateOcspUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CheckCertificateRevokedUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
}
else
{
// no exception - all good so far
switch (response.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all good
this.logger.Debug(string.Format("Certificate '{0}' has parsed the revocation validate.", certificate.SubjectName.Name));
SignatureValidationProof signatureValidationProof = new SignatureValidationProof(certificate.Subject);
interceptorMessage.AddProperty(ServerSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey, signatureValidationProof);
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
this.logger.Warn(string.Format("The certificate '{0}' is revoked.", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedException();
//break;
}
default:
{
this.logger.Warn(string.Format("The certificate '{0}' failed in revocation check - reason unknown", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedValidationFailedException("The certificate failed in revocation check - reason unknown.");
//break;
}
}
}
}
}
catch (FailedToGetCertificateSubjectException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CertificateRevokedTimeoutException e)
* {
* // exception is of the correct type - rethrowing it
* throw new CertificateRevokedValidationFailedException(e);
* }*/
catch (CertificateRevokedException)
{
// exception is of the correct type - rethrowing it
throw;
}
catch (CertificateRevokedValidationFailedException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CheckCertificateOcspUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
/* catch (CheckCertificateRevokedUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
catch (Exception ex)
{
this.logger.Debug("Security validate the foces certificate", ex);
throw new CertificateRevokedValidationFailedException(ex);
}
this.logger.Trace("Security validate the foces certificate - Finish.");
}
