public SecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager
, SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
{
if (message == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(message));
}
if (actor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(actor));
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(standardsManager));
}
if (algorithmSuite == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(algorithmSuite));
}
this.message = message;
this.actor = actor;
this.mustUnderstand = mustUnderstand;
this.relay = relay;
this.standardsManager = standardsManager;
this.algorithmSuite = algorithmSuite;
this.transferDirection = transferDirection;
}
internal override SendSecurityHeader CreateSendSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
return(new WSSecurityOneDotOneSendSecurityHeader(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction));
}
public WSSecurityOneDotZeroSendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, direction)
{
}
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this()
{
if (factory == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(factory));
}
ActAsInitiator = factory.ActAsInitiator;
_addTimestamp = factory._addTimestamp;
_detectReplays = factory._detectReplays;
_incomingAlgorithmSuite = factory._incomingAlgorithmSuite;
_maxCachedNonces = factory._maxCachedNonces;
_maxClockSkew = factory._maxClockSkew;
_outgoingAlgorithmSuite = factory._outgoingAlgorithmSuite;
_replayWindow = factory._replayWindow;
ChannelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory.ChannelSupportingTokenAuthenticatorSpecification));
ScopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory.ScopedSupportingTokenAuthenticatorSpecification);
_standardsManager = factory._standardsManager;
_timestampValidityDuration = factory._timestampValidityDuration;
// this.auditLogLocation = factory.auditLogLocation;
_suppressAuditFailure = factory._suppressAuditFailure;
// this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel;
// this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel;
if (factory._securityBindingElement != null)
{
_securityBindingElement = (SecurityBindingElement)factory._securityBindingElement.Clone();
}
_securityTokenManager = factory._securityTokenManager;
_privacyNoticeUri = factory._privacyNoticeUri;
_privacyNoticeVersion = factory._privacyNoticeVersion;
_endpointFilterTable = factory._endpointFilterTable;
ExtendedProtectionPolicy = factory.ExtendedProtectionPolicy;
_nonceCache = factory._nonceCache;
}
public WSSecurityOneDotOneReceiveSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
int headerIndex, MessageDirection direction)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, headerIndex, direction)
{
}
protected SendSecurityHeader(Message message, string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
: base(message, actor, mustUnderstand, relay, standardsManager, algorithmSuite, transferDirection)
{
ElementContainer = new SendSecurityHeaderElementContainer();
}
internal static bool IsRsaSHA256(SecurityAlgorithmSuite suite)
{
if (suite == null)
{
return(false);
}
return(suite == Basic128Sha256 || suite == Basic128Sha256Rsa15 || suite == Basic192Sha256 || suite == Basic192Sha256Rsa15 ||
suite == Basic256Sha256 || suite == Basic256Sha256Rsa15 || suite == TripleDesSha256 || suite == TripleDesSha256Rsa15);
}
internal override ReceiveSecurityHeader CreateReceiveSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction,
int headerIndex)
{
return(new WSSecurityOneDotZeroReceiveSecurityHeader(
message,
actor, mustUnderstand, relay,
standardsManager,
algorithmSuite, headerIndex, direction));
}
internal static void ValidateSymmetricKeyLength(int keyLength, SecurityAlgorithmSuite algorithmSuite)
{
if (!algorithmSuite.IsSymmetricKeyLengthSupported(keyLength))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException(nameof(algorithmSuite),
SR.Format(SR.UnsupportedKeyLength, keyLength, algorithmSuite.ToString())));
}
if (keyLength % 8 != 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new ArgumentOutOfRangeException(nameof(algorithmSuite),
SR.Format(SR.KeyLengthMustBeMultipleOfEight, keyLength)));
}
}
public SecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager
, SecurityAlgorithmSuite algorithmSuite,
MessageDirection transferDirection)
{
Message = message ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(message));
_actor = actor ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(actor));
_mustUnderstand = mustUnderstand;
_relay = relay;
StandardsManager = standardsManager ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(standardsManager));
AlgorithmSuite = algorithmSuite ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(algorithmSuite));
MessageDirection = transferDirection;
}
protected override void StartPrimarySignatureCore(SecurityToken token,
SecurityKeyIdentifier keyIdentifier,
MessagePartSpecification signatureParts,
bool generateTargettableSignature)
{
SecurityAlgorithmSuite suite = AlgorithmSuite;
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
if (canonicalizationAlgorithm != SecurityAlgorithms.ExclusiveC14n)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new MessageSecurityException(SR.Format(SR.UnsupportedCanonicalizationAlgorithm, suite.DefaultCanonicalizationAlgorithm)));
}
string signatureAlgorithm;
XmlDictionaryString signatureAlgorithmDictionaryString;
SecurityKey signatureKey;
suite.GetSignatureAlgorithmAndKey(token, out signatureAlgorithm, out signatureKey, out signatureAlgorithmDictionaryString);
AsymmetricAlgorithm asymmetricAlgorithm = null;
GetSigningAlgorithm(signatureKey, signatureAlgorithm, out _signingKey, out asymmetricAlgorithm);
_signedXml = new SignedXml();
_signedXml.SignedInfo.CanonicalizationMethod = canonicalizationAlgorithm;
_signedXml.SignedInfo.SignatureMethod = signatureAlgorithm;
_signedXml.SigningKey = asymmetricAlgorithm;
if (keyIdentifier != null)
{
var stream = new MemoryStream();
using (var xmlWriter = XmlDictionaryWriter.CreateTextWriter(stream, Encoding.UTF8, false))
{
StandardsManager.SecurityTokenSerializer.WriteKeyIdentifier(xmlWriter, keyIdentifier);
}
stream.Position = 0;
XmlDocument doc = new XmlDocument();
doc.Load(stream);
var keyInfo = new KeyInfo();
keyInfo.LoadXml(doc.DocumentElement);
_signedXml.KeyInfo = keyInfo;
}
if (generateTargettableSignature)
{
_signedXml.Signature.Id = GenerateId();
}
_effectiveSignatureParts = signatureParts;
}
// The security always look for Empty soap role. If not found, we will also look for Ultimate actors (next incl).
// In the future, till we support intermediary scenario, we should refactor this api to do not take actor parameter.
internal ReceiveSecurityHeader TryCreateReceiveSecurityHeader(Message message,
string actor,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
int headerIndex = message.Headers.FindHeader(HeaderName.Value, HeaderNamespace.Value, actor);
if (headerIndex < 0 && string.IsNullOrEmpty(actor))
{
headerIndex = message.Headers.FindHeader(HeaderName.Value, HeaderNamespace.Value, message.Version.Envelope.UltimateDestinationActorValues);
}
if (headerIndex < 0)
{
return(null);
}
MessageHeaderInfo headerInfo = message.Headers[headerIndex];
return(CreateReceiveSecurityHeader(message,
headerInfo.Actor, headerInfo.MustUnderstand, headerInfo.Relay,
standardsManager, algorithmSuite,
direction, headerIndex));
}
public MessageSecurityOverTcp()
{
_clientCredentialType = DefaultClientCredentialType;
_algorithmSuite = SecurityAlgorithmSuite.Default;
}
protected override SecurityToken VerifySignature(SignedXml signedXml, bool isPrimarySignature, SecurityHeaderTokenResolver resolver, object signatureTarget, string id)
{
SecurityKeyIdentifier securityKeyIdentifier = null;
string keyInfoString = signedXml.Signature.KeyInfo.GetXml().OuterXml;
using (var strReader = new StringReader(keyInfoString))
{
XmlReader xmlReader = XmlReader.Create(strReader);
securityKeyIdentifier = StandardsManager.SecurityTokenSerializer.ReadKeyIdentifier(xmlReader);
}
if (securityKeyIdentifier == null)
{
throw new Exception("SecurityKeyIdentifier is missing");
}
SecurityToken token = ResolveSignatureToken(securityKeyIdentifier, resolver, isPrimarySignature);
if (isPrimarySignature)
{
RecordSignatureToken(token);
}
ReadOnlyCollection <SecurityKey> keys = token.SecurityKeys;
SecurityKey securityKey = (keys != null && keys.Count > 0) ? keys[0] : null;
if (securityKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToCreateICryptoFromTokenForSignatureVerification, token)));
}
// signedXml.SigningKey = securityKey;
// signedXml.StartSignatureVerification(securityKey);
// StandardSignedInfo signedInfo = (StandardSignedInfo)signedXml.Signature.SignedInfo;
// ValidateDigestsOfTargetsInSecurityHeader(signedInfo, this.Timestamp, isPrimarySignature, signatureTarget, id);
if (!isPrimarySignature)
{
//TODO securityKey is AsymmetricSecurityKey
//if ((!this.RequireMessageProtection) && (securityKey is AsymmetricSecurityKey) && (this.Version.Addressing != AddressingVersion.None))
//{
// // For Transport Security using Asymmetric Keys verify that
// // the 'To' header is signed.
// int headerIndex = this.Message.Headers.FindHeader(XD.AddressingDictionary.To.Value, this.Message.Version.Addressing.Namespace);
// if (headerIndex == -1)
// throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TransportSecuredMessageMissingToHeader)));
// XmlDictionaryReader toHeaderReader = this.Message.Headers.GetReaderAtHeader(headerIndex);
// id = toHeaderReader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
// // DevDiv:938534 - We added a flag that allow unsigned headers. If this is set, we do not throw an Exception but move on to CompleteSignatureVerification()
// if (LocalAppContextSwitches.AllowUnsignedToHeader)
// {
// // The lack of an id indicates that the sender did not wish to sign the header. We can safely assume that null indicates this header is not signed.
// // If id is not null, then we need to validate the Digest and ensure signature is valid. The exception is thrown deeper in the System.IdentityModel stack.
// if (id != null)
// {
// signedXml.EnsureDigestValidityIfIdMatches(id, toHeaderReader);
// }
// }
// else
// {
// // default behavior for all platforms
// if (id == null)
// {
// //
// throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnsignedToHeaderInTransportSecuredMessage)));
// }
// signedXml.EnsureDigestValidity(id, toHeaderReader);
// }
//}
// signedXml.CompleteSignatureVerification();
SecurityAlgorithmSuite suite = AlgorithmSuite;
AlgorithmSuite.EnsureAcceptableSignatureKeySize(securityKey, token);
AlgorithmSuite.EnsureAcceptableSignatureAlgorithm(securityKey, signedXml.Signature.SignedInfo.SignatureMethod);
string canonicalizationAlgorithm = suite.DefaultCanonicalizationAlgorithm;
suite.GetSignatureAlgorithmAndKey(token, out string signatureAlgorithm, out SecurityKey signatureKey, out XmlDictionaryString signatureAlgorithmDictionaryString);
GetSigningAlgorithm(signatureKey, signatureAlgorithm, out _signingKey, out AsymmetricAlgorithm asymmetricAlgorithm);
if (_signingKey != null)
{
if (!signedXml.CheckSignature(_signingKey))
{
throw new Exception("Signature not valid.");
}
}
else
{
if (!signedXml.CheckSignature(asymmetricAlgorithm))
{
throw new Exception("Signature not valid.");
}
}
}
// this.pendingSignature = signedXml;
//if (TD.SignatureVerificationSuccessIsEnabled())
//{
// TD.SignatureVerificationSuccess(this.EventTraceActivity);
//}
return(token);
}
internal abstract SendSecurityHeader CreateSendSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityStandardsManager standardsManager,
SecurityAlgorithmSuite algorithmSuite,
MessageDirection direction);
internal SendSecurityHeader CreateSendSecurityHeader(Message message,
string actor, bool mustUnderstand, bool relay,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
return(SecurityVersion.CreateSendSecurityHeader(message, actor, mustUnderstand, relay, this, algorithmSuite, direction));
}
internal ReceiveSecurityHeader TryCreateReceiveSecurityHeader(Message message,
string actor,
SecurityAlgorithmSuite algorithmSuite, MessageDirection direction)
{
return(SecurityVersion.TryCreateReceiveSecurityHeader(message, actor, this, algorithmSuite, direction));
}
