protected override ISignatureValueSecurityElement CreateSupportingSignature(SecurityToken token, SecurityKeyIdentifier identifier, ISecurityElement elementToSign) { SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite; string signatureAlgorithm; XmlDictionaryString signatureAlgorithmDictionaryString; SecurityKey signatureKey; algorithmSuite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString); SignedXml signedXml = new SignedXml(ServiceModelDictionaryManager.Instance, this.StandardsManager.SecurityTokenSerializer); SignedInfo signedInfo = signedXml.Signature.SignedInfo; signedInfo.CanonicalizationMethod = algorithmSuite.DefaultCanonicalizationAlgorithm; signedInfo.CanonicalizationMethodDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString; signedInfo.SignatureMethod = signatureAlgorithm; signedInfo.SignatureMethodDictionaryString = signatureAlgorithmDictionaryString; if (elementToSign.Id == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ElementToSignMustHaveId))); } Reference reference = new Reference(ServiceModelDictionaryManager.Instance, "#" + elementToSign.Id, elementToSign); reference.DigestMethod = algorithmSuite.DefaultDigestAlgorithm; reference.DigestMethodDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString; reference.AddTransform(new ExclusiveCanonicalizationTransform()); ((StandardSignedInfo)signedInfo).AddReference(reference); signedXml.ComputeSignature(signatureKey); if (identifier != null) { signedXml.Signature.KeyIdentifier = identifier; } return(signedXml); }
protected override ISignatureValueSecurityElement CreateSupportingSignature(SecurityToken token, SecurityKeyIdentifier identifier, ISecurityElement elementToSign) { SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite; string signatureAlgorithm; XmlDictionaryString signatureAlgorithmDictionaryString; SecurityKey signatureKey; algorithmSuite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString); SignedXml signedXml = new SignedXml(ServiceModelDictionaryManager.Instance, this.StandardsManager.SecurityTokenSerializer); SignedInfo signedInfo = signedXml.Signature.SignedInfo; signedInfo.CanonicalizationMethod = algorithmSuite.DefaultCanonicalizationAlgorithm; signedInfo.CanonicalizationMethodDictionaryString = algorithmSuite.DefaultCanonicalizationAlgorithmDictionaryString; signedInfo.SignatureMethod = signatureAlgorithm; signedInfo.SignatureMethodDictionaryString = signatureAlgorithmDictionaryString; if (elementToSign.Id == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ElementToSignMustHaveId))); } Reference reference = new Reference(ServiceModelDictionaryManager.Instance, "#" + elementToSign.Id, elementToSign); reference.DigestMethod = algorithmSuite.DefaultDigestAlgorithm; reference.DigestMethodDictionaryString = algorithmSuite.DefaultDigestAlgorithmDictionaryString; reference.AddTransform(new ExclusiveCanonicalizationTransform()); ((StandardSignedInfo)signedInfo).AddReference(reference); signedXml.ComputeSignature(signatureKey); if (identifier != null) { signedXml.Signature.KeyIdentifier = identifier; } return signedXml; }
void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id) { Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references."); for (int i = 0; i < signedInfo.ReferenceCount; i++) { Reference reference = signedInfo[i]; this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod); string referredId = reference.ExtractReferredId(); if (isPrimarySignature || (id == referredId)) { if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext && timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null) { reference.EnsureDigestValidity(referredId, timestamp.GetDigest()); this.ElementManager.SetTimestampSigned(referredId); } else { if (signatureTarget != null) { reference.EnsureDigestValidity(id, signatureTarget); } else { int tokenIndex = -1; XmlDictionaryReader reader = null; if (reference.IsStrTranform()) { if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex)) { ReceiveSecurityHeaderEntry entry; this.ElementManager.GetElementEntry(tokenIndex, out entry); bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed) || (entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing); // This means it is a protected(signed)primary token. if (!this.ElementManager.IsPrimaryTokenSigned) { this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary && entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token; } this.ElementManager.SetSigned(tokenIndex); // We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token. reader = this.ElementManager.GetReader(tokenIndex, isSignedToken); } } else { reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode); } if (reader != null) { reference.EnsureDigestValidity(referredId, reader); reader.Close(); } } } if (!isPrimarySignature) { // We were given an id to verify and we have verified it. So just break out // of the loop. break; } } } // This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message // should have the primary signature over the primary(signing)token. if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters()))); } // NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe. // To change this behaviour add another check below and throw appropriate exception message. }