/// <summary>
/// Converts the ListenUri in the <see cref="SecurityTokenRequirement"/> to a normalized string.
/// The method preserves the Uri scheme, port and absolute path and replaces the host name
/// with the string 'NormalizedHostName'.
/// </summary>
/// <param name="tokenRequirement">The <see cref="SecurityTokenRequirement"/> which contains the 'ListenUri' property.</param>
/// <returns>A string representing the Normalized URI string.</returns>
public static string GetNormalizedEndpointId(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
Uri listenUri = null;
if (tokenRequirement.Properties.ContainsKey(ListenUriProperty))
{
listenUri = tokenRequirement.Properties[ListenUriProperty] as Uri;
}
if (listenUri == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4287, tokenRequirement));
}
if (listenUri.IsDefaultPort)
{
return(String.Format(CultureInfo.InvariantCulture, "{0}://NormalizedHostName{1}", listenUri.Scheme, listenUri.AbsolutePath));
}
else
{
return(String.Format(CultureInfo.InvariantCulture, "{0}://NormalizedHostName:{1}{2}", listenUri.Scheme, listenUri.Port, listenUri.AbsolutePath));
}
}
public static string GetString(string name)
{
System.ServiceModel.SR loader = GetLoader();
if (loader == null)
{
return(null);
}
return(loader.resources.GetString(name, Culture));
}
private static System.ServiceModel.SR GetLoader()
{
if (loader == null)
{
System.ServiceModel.SR sr = new System.ServiceModel.SR();
Interlocked.CompareExchange <System.ServiceModel.SR>(ref loader, sr, null);
}
return(loader);
}
public void UpdateContextCachingTime(SecurityContextSecurityToken token, DateTime expirationTime)
{
if (token.ValidTo <= expirationTime.ToUniversalTime())
{
return;
}
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, token.ContextId, token.KeyGeneration);
SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(token, SecureConversationVersion.Default);
DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, _claimsHandler.SecurityTokenHandlerCollection.Configuration.MaxClockSkew);
if (_tokenCache.Get(key) == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4285, sessionToken.ContextId.ToString()));
}
_tokenCache.AddOrUpdate(key, sessionToken, expiryTime);
}
public override IChannelFactory <TChannel> BuildChannelFactory <TChannel>(BindingContext context)
{
if (context == null)
{
throw FxTrace.Exception.ArgumentNull("context");
}
if (!this.CanBuildChannelFactory <TChannel>(context.Clone()))
{
throw FxTrace.Exception.Argument("TChannel", SR2.GetString(SR2.ChannelTypeNotSupported, typeof(TChannel)));
}
IChannelFactory <TChannel> innerFactory = context.BuildInnerChannelFactory <TChannel>();
if (innerFactory != null)
{
return(new SynchronousChannelFactory <TChannel>(context.Binding, innerFactory));
}
return(null);
}
public static string GetString(string name, params object[] args)
{
System.ServiceModel.SR loader = GetLoader();
if (loader == null)
{
return(null);
}
string format = loader.resources.GetString(name, Culture);
if ((args == null) || (args.Length <= 0))
{
return(format);
}
for (int i = 0; i < args.Length; i++)
{
string str2 = args[i] as string;
if ((str2 != null) && (str2.Length > 0x400))
{
args[i] = str2.Substring(0, 0x3fd) + "...";
}
}
return(string.Format(CultureInfo.CurrentCulture, format, args));
}
/// <summary>
/// This method creates a SAML security token authenticator when token type is null.
/// It wraps the SAML 1.1 and the SAML 2.0 token handlers that are configured.
/// If no token handler was found, then the inner token manager is created.
/// </summary>
SecurityTokenAuthenticator CreateSamlSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
SecurityTokenAuthenticator securityTokenAuthenticator = null;
SamlSecurityTokenHandler saml11SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.SamlTokenProfile11] as SamlSecurityTokenHandler;
Saml2SecurityTokenHandler saml2SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.Saml2TokenProfile11] as Saml2SecurityTokenHandler;
if (saml11SecurityTokenHandler != null && saml11SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
if (saml2SecurityTokenHandler != null && saml2SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler != null)
{
//
// Both SAML 1.1 and SAML 2.0 token handlers have been configured.
//
WrappedSaml11SecurityTokenAuthenticator wrappedSaml11SecurityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
WrappedSaml2SecurityTokenAuthenticator wrappedSaml2SecurityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
securityTokenAuthenticator = new WrappedSamlSecurityTokenAuthenticator(wrappedSaml11SecurityTokenAuthenticator, wrappedSaml2SecurityTokenAuthenticator);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
List <SecurityTokenResolver> resolvers = new List <SecurityTokenResolver>();
resolvers.Add(saml11SecurityTokenHandler.Configuration.ServiceTokenResolver);
resolvers.Add(saml2SecurityTokenHandler.Configuration.ServiceTokenResolver);
outOfBandTokenResolver = new AggregateTokenResolver(resolvers);
}
else if (saml11SecurityTokenHandler == null && saml2SecurityTokenHandler != null)
{
//
// SAML 1.1 token handler is not present but SAML 2.0 is. Set the token type to SAML 2.0
//
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler == null)
{
//
// SAML 1.1 token handler is present but SAML 2.0 is not. Set the token type to SAML 1.1
//
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
return(securityTokenAuthenticator);
}
/// <summary>
/// Overriden from the base class. Creates the requested Token Authenticator.
/// Looks up the list of Token Handlers registered with the token Manager
/// based on the TokenType Uri in the SecurityTokenRequirement. If none is found,
/// then the call is delegated to the inner Token Manager.
/// </summary>
/// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param>
/// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param>
/// <returns>Instance of Security Token Authenticator.</returns>
/// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception>
/// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
// Check for a registered authenticator
SecurityTokenAuthenticator securityTokenAuthenticator = null;
string tokenType = tokenRequirement.TokenType;
//
// When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0.
//
if (String.IsNullOrEmpty(tokenType))
{
return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
//
// When the TokenType is set, build a token authenticator for the specified token type.
//
SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType];
if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken))
{
outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver();
if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName))
{
UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler;
if (upSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos))
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa))
{
RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler;
if (rsaSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate))
{
X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler;
if (x509SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11))
{
SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler;
if (saml11SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler))));
}
if (saml11SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11))
{
Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler;
if (saml2SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler))));
}
if (saml2SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation))
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper);
}
}
else
{
if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.SecurityContext ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
}
return(securityTokenAuthenticator);
}
void OnBadData()
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.BadData)));
}
static void ValidatePrivateKey(X509Certificate2 certificate)
{
bool hasPrivateKey = false;
try
{
if (System.ServiceModel.LocalAppContextSwitches.DisableCngCertificates)
{
hasPrivateKey = certificate != null && certificate.PrivateKey != null;
}
else
{
hasPrivateKey = certificate.HasPrivateKey && SecurityUtils.CanReadPrivateKey(certificate);
}
}
catch (SecurityException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMayNotDoKeyExchange, certificate.SubjectName.Name), e));
}
catch (CryptographicException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMayNotDoKeyExchange, certificate.SubjectName.Name), e));
}
if (!hasPrivateKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMustHavePrivateKey, certificate.SubjectName.Name)));
}
}
public byte[] GetOutgoingBlob(byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
{
ThrowIfDisposed();
SecurityBuffer incomingSecurity = null;
if (incomingBlob != null)
{
incomingSecurity = new SecurityBuffer(incomingBlob, BufferType.Token);
}
SecurityBuffer outgoingSecurity = new SecurityBuffer(null, BufferType.Token);
this.remoteCertificate = null;
int statusCode = 0;
if (this.isServer == true)
{
statusCode = SspiWrapper.AcceptSecurityContext(
this.credentialsHandle,
ref this.securityContext,
ServerStandardFlags | (this.clientCertRequired ? SspiContextFlags.MutualAuth : SspiContextFlags.Zero),
Endianness.Native,
incomingSecurity,
outgoingSecurity,
ref this.attributes
);
}
else
{
statusCode = SspiWrapper.InitializeSecurityContext(
this.credentialsHandle,
ref this.securityContext,
this.destination,
ClientStandardFlags,
Endianness.Native,
incomingSecurity,
outgoingSecurity,
ref this.attributes
);
}
if ((statusCode & unchecked ((int)0x80000000)) != 0)
{
this.Dispose();
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode));
}
if (statusCode == (int)SecurityStatus.OK)
{
// we're done
// ensure that the key negotiated is strong enough
if (SecurityUtils.ShouldValidateSslCipherStrength())
{
SslConnectionInfo connectionInfo = (SslConnectionInfo)SspiWrapper.QueryContextAttributes(this.securityContext, ContextAttribute.ConnectionInfo);
if (connectionInfo == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotObtainSslConnectionInfo)));
}
SecurityUtils.ValidateSslCipherStrength(connectionInfo.DataKeySize);
}
this.isCompleted = true;
}
else if (statusCode == (int)SecurityStatus.CredentialsNeeded)
{
// the server requires the client to supply creds
// Currently we dont attempt to find the client cert to choose at runtime
// so just re-call the function
AcquireClientCredentials();
if (this.ClientCertificate != null)
{
this.wasClientCertificateSent = true;
}
return(this.GetOutgoingBlob(incomingBlob, channelbinding, protectionPolicy));
}
else if (statusCode != (int)SecurityStatus.ContinueNeeded)
{
this.Dispose();
if (statusCode == (int)SecurityStatus.InternalError)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode, SR.GetString(SR.LsaAuthorityNotContacted)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode));
}
}
return(outgoingSecurity.token);
}
static void ValidatePrivateKey(X509Certificate2 certificate)
{
bool hasPrivateKey = false;
try
{
hasPrivateKey = certificate != null && certificate.PrivateKey != null;
}
catch (SecurityException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMayNotDoKeyExchange, certificate.SubjectName.Name), e));
}
catch (CryptographicException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMayNotDoKeyExchange, certificate.SubjectName.Name), e));
}
if (!hasPrivateKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SslCertMustHavePrivateKey, certificate.SubjectName.Name)));
}
}
private static System.ServiceModel.SR GetLoader()
{
if (loader == null)
{
System.ServiceModel.SR sr = new System.ServiceModel.SR();
Interlocked.CompareExchange<System.ServiceModel.SR>(ref loader, sr, null);
}
return loader;
}
