public override SecurityTokenProvider CreateSecurityTokenProvider( SecurityTokenRequirement requirement) { SecurityTokenProvider result = null; if (requirement.TokenType == SecurityTokenTypes.X509Certificate) { var direction = requirement.GetProperty<MessageDirection>(ServiceModelSecurityTokenRequirement.MessageDirectionProperty); if (direction == MessageDirection.Output) { if (requirement.KeyUsage == SecurityKeyUsage.Signature) result = new X509SecurityTokenProvider(this._credentials.ClientSigningCertificate); else result = new X509SecurityTokenProvider(this._credentials.ServiceEncryptingCertificate); } else { if (requirement.KeyUsage == SecurityKeyUsage.Signature) result = new X509SecurityTokenProvider(this._credentials.ServiceSigningCertificate); else result = new X509SecurityTokenProvider(_credentials.ClientEncryptingCertificate); } } else { result = base.CreateSecurityTokenProvider(requirement); } return result; }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange"); } else { if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.UserName) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username"); } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return result; }
public override bool CheckAccess(OperationContext operationContext) { int index = operationContext.RequestContext.RequestMessage.Headers.FindHeader("Security", WSSecurity10Constants.Namespace); if (index < 0) { return false; } var securityHeader = operationContext.RequestContext.RequestMessage.Headers.GetReaderAtHeader(index); var configuration = new ServiceConfiguration(true); securityHeader.Read(); if (!configuration.SecurityTokenHandlers.CanReadToken(securityHeader)) return false; if (configuration.ServiceCertificate != null) { SecurityToken xtoken; using (var xprovider = new X509SecurityTokenProvider(configuration.ServiceCertificate)) { xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1)); } var outOfBandTokens = new Collection<SecurityToken>(); outOfBandTokens.Add(xtoken); configuration.SecurityTokenHandlers[typeof(EncryptedSecurityToken)].Configuration.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(outOfBandTokens), false); } SecurityToken token = configuration.SecurityTokenHandlers.ReadToken(securityHeader); if (configuration.CertificateValidationMode == X509CertificateValidationMode.None) { configuration.CertificateValidator = X509CertificateValidator.None; } var claimsCollection = configuration.SecurityTokenHandlers.ValidateToken(token); IClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsCollection); SetPrincipal(operationContext, claimsPrincipal); return true; }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate, _parent.ClientCertificate.CloneCertificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange"); } else { if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate, _parent.ClientCertificate.CloneCertificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { string spn = GetServicePrincipalName(initiatorRequirement); result = new KerberosSecurityTokenProviderWrapper( new KerberosSecurityTokenProvider(spn, _parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(_parent.Windows.ClientCredential))); } else if (tokenType == SecurityTokenTypes.UserName) { if (_parent.UserName.UserName == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials)); } result = new UserNameSecurityTokenProvider(_parent.UserName.UserName, _parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (IsDigestAuthenticationScheme(initiatorRequirement)) { result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(_parent.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation); } else { #pragma warning disable 618 // to disable AllowNtlm obsolete wanring. result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(_parent.Windows.ClientCredential), _parent.Windows.AllowNtlm, _parent.Windows.AllowedImpersonationLevel); #pragma warning restore 618 } } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return result; }
X509SecurityTokenProvider CreateX509SecurityTokenProvider (SecurityTokenRequirement requirement) { bool isInitiator; requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator); // when it is initiator, then it is for MutualCertificateDuplex. X509Certificate2 cert; if (isInitiator) { cert = credentials.ClientCertificate.Certificate; if (cert == null) throw new InvalidOperationException ("Client certificate is not provided in ServiceCredentials."); if (cert.PrivateKey == null) throw new ArgumentException ("Client certificate for MutualCertificateDuplex does not have a private key which is required for key exchange."); } else { cert = credentials.ServiceCertificate.Certificate; if (cert == null) throw new InvalidOperationException ("Service certificate is not provided in ServiceCredentials."); if (cert.PrivateKey == null) throw new ArgumentException ("Service certificate does not have a private key which is required for key exchange."); } X509SecurityTokenProvider p = new X509SecurityTokenProvider (cert); return p; }
SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { string tokenType = initiatorRequirement.TokenType; SecurityTokenProvider result = null; if (tokenType == SecurityTokenTypes.X509Certificate) { SecurityKeyUsage keyUsage = initiatorRequirement.KeyUsage; if (keyUsage == SecurityKeyUsage.Exchange) { if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnServiceCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } else { // this is a request for the server's own cert for signing result = CreateServerX509TokenProvider(); } } return result; }
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result)) { if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; #pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation. string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement); if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null) { return new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement); } result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress); } else { if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { string spn = GetServicePrincipalName(initiatorRequirement); result = new KerberosSecurityTokenProviderWrapper( new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)), GetCredentialsHandle(initiatorRequirement)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserName.UserName == null ) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials))); } result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (IsDigestAuthenticationScheme(initiatorRequirement)) { result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel); } else { #pragma warning disable 618 // to disable AllowNtlm obsolete wanring. result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential), parent.Windows.AllowNtlm, parent.Windows.AllowedImpersonationLevel); #pragma warning restore 618 } } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoTokenProvider(initiatorRequirement); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, true); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, false); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement); } } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return result; }
X509SecurityTokenProvider CreateX509SecurityTokenProvider (SecurityTokenRequirement requirement) { // - When the request is as an initiator, then // - if the purpose is key exchange, then // the initiator wants the service certificate // to encrypt the message with its public key. // - otherwise, the initiator wants the client // certificate to sign the message with the // private key. // - otherwise // - if the purpose is key exchange, then // the recipient wants the client certificate // to encrypt the message with its public key. // - otherwise, the recipient wants the service // certificate to sign the message with the // private key. bool isInitiator; if (!requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator)) isInitiator = false; X509Certificate2 cert; bool isClient; if (isInitiator) isClient = requirement.KeyUsage == SecurityKeyUsage.Signature; else { if (!requirement.Properties.ContainsKey (SecurityTokenRequirement.KeyUsageProperty)) throw new NotSupportedException (String.Format ("Cannot create a security token provider from this requirement '{0}'", requirement)); isClient = requirement.KeyUsage == SecurityKeyUsage.Exchange; } if (isClient) cert = credentials.ClientCertificate.Certificate; else cert = GetServiceCertificate (requirement); if (cert == null) { if (isClient) throw new InvalidOperationException ("Client certificate is not provided in ClientCredentials."); else throw new InvalidOperationException ("Service certificate is not provided."); } X509SecurityTokenProvider p = new X509SecurityTokenProvider (cert); return p; }
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider provider = null; if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider)) { if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)) { if (this.parent.ClientCertificate.Certificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials"))); } provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = requirement.TokenType; if (this.IsIssuedSecurityTokenRequirement(requirement)) { provider = this.CreateIssuedSecurityTokenProvider(requirement); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange)) { provider = this.CreateServerX509TokenProvider(requirement.TargetAddress); } else { if (this.parent.ClientCertificate.Certificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials"))); } provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement)); } else if (tokenType == SecurityTokenTypes.UserName) { if (this.parent.UserName.UserName == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials"))); } provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (this.IsDigestAuthenticationScheme(requirement)) { provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel); } else { provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel); } } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { provider = this.CreateSpnegoTokenProvider(requirement); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { provider = this.CreateTlsnegoTokenProvider(requirement, true); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { provider = this.CreateTlsnegoTokenProvider(requirement, false); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { provider = this.CreateSecureConversationSecurityTokenProvider(requirement); } } } if (provider == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement }))); } return provider; }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { ServiceModelSecurityTokenRequirement requirement = tokenRequirement as ServiceModelSecurityTokenRequirement; if (requirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } if (this.IsX509TokenRequirement(requirement)) { X509CertificateValidator validator; if (this.IsForConnectionValidator(requirement)) { SecurityTokenProvider provider = null; if (this.ssc != null) { provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate()); } else if (this.delegateManager != null) { requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Transport; requirement.TransportScheme = "net.p2p"; provider = this.delegateManager.CreateSecurityTokenProvider(tokenRequirement); } else if (this.credential.Certificate != null) { provider = new X509SecurityTokenProvider(this.credential.Certificate); } if ((provider == null) && (this.mode == PeerAuthenticationMode.Password)) { this.ssc = this.parent.GetCertificate(); provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate()); } return provider; } if (this.delegateManager != null) { requirement.TransportScheme = "net.p2p"; requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Message; return this.delegateManager.CreateSecurityTokenProvider(tokenRequirement); } if (!this.credential.MessageSenderAuthentication.TryGetCertificateValidator(out validator)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType"); } return new PeerX509TokenProvider(validator, this.credential.Certificate); } if (!this.IsPasswordTokenRequirement(requirement)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType"); } return this.GetPasswordTokenProvider(); }