void VerifySoapAttributeMatchForHeader(MessageHeaderInfo info, MessagePartSpecification signatureParts, XmlDictionaryReader reader) { if (!signatureParts.IsHeaderIncluded(info.Name, info.Namespace)) { return; } EnvelopeVersion currentVersion = this.Version.Envelope; EnvelopeVersion otherVersion = currentVersion == EnvelopeVersion.Soap11 ? EnvelopeVersion.Soap12 : EnvelopeVersion.Soap11; bool presentInCurrentVersion; bool presentInOtherVersion; presentInCurrentVersion = null != reader.GetAttribute(XD.MessageDictionary.MustUnderstand, currentVersion.DictionaryNamespace); presentInOtherVersion = null != reader.GetAttribute(XD.MessageDictionary.MustUnderstand, otherVersion.DictionaryNamespace); if (presentInOtherVersion && !presentInCurrentVersion) { throw TraceUtility.ThrowHelperError( new MessageSecurityException(SR.GetString( SR.InvalidAttributeInSignedHeader, info.Name, info.Namespace, XD.MessageDictionary.MustUnderstand, otherVersion.DictionaryNamespace, XD.MessageDictionary.MustUnderstand, currentVersion.DictionaryNamespace)), this.SecurityVerifiedMessage); } presentInCurrentVersion = null != reader.GetAttribute(currentVersion.DictionaryActor, currentVersion.DictionaryNamespace); presentInOtherVersion = null != reader.GetAttribute(otherVersion.DictionaryActor, otherVersion.DictionaryNamespace); if (presentInOtherVersion && !presentInCurrentVersion) { throw TraceUtility.ThrowHelperError( new MessageSecurityException(SR.GetString( SR.InvalidAttributeInSignedHeader, info.Name, info.Namespace, otherVersion.DictionaryActor, otherVersion.DictionaryNamespace, currentVersion.DictionaryActor, currentVersion.DictionaryNamespace)), this.SecurityVerifiedMessage); } }
private MessagePartProtectionMode GetProtectionMode(MessageHeader header) { if (!RequireMessageProtection) { return(MessagePartProtectionMode.None); } bool sign = _signedXml != null && _effectiveSignatureParts.IsHeaderIncluded(header); bool encrypt = false; return(MessagePartProtectionModeHelper.GetProtectionMode(sign, encrypt, SignThenEncrypt)); }
protected void EnsureEndpointAddressDoesNotRequireEncryption(EndpointAddress target) { if ((this.ApplicationProtectionRequirements != null) && (this.ApplicationProtectionRequirements.OutgoingEncryptionParts != null)) { MessagePartSpecification channelParts = this.ApplicationProtectionRequirements.OutgoingEncryptionParts.ChannelParts; if (channelParts != null) { for (int i = 0; i < this.targetAddress.Headers.Count; i++) { AddressHeader header = target.Headers[i]; if (channelParts.IsHeaderIncluded(header.Name, header.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("SecurityNegotiationCannotProtectConfidentialEndpointHeader", new object[] { target, header.Name, header.Namespace }))); } } } } }
private void VerifySoapAttributeMatchForHeader(MessageHeaderInfo info, MessagePartSpecification signatureParts, XmlDictionaryReader reader) { if (signatureParts.IsHeaderIncluded(info.Name, info.Namespace)) { EnvelopeVersion envelope = base.Version.Envelope; EnvelopeVersion version2 = (envelope == EnvelopeVersion.Soap11) ? EnvelopeVersion.Soap12 : EnvelopeVersion.Soap11; bool flag = null != reader.GetAttribute(System.ServiceModel.XD.MessageDictionary.MustUnderstand, envelope.DictionaryNamespace); if ((null != reader.GetAttribute(System.ServiceModel.XD.MessageDictionary.MustUnderstand, version2.DictionaryNamespace)) && !flag) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidAttributeInSignedHeader", new object[] { info.Name, info.Namespace, System.ServiceModel.XD.MessageDictionary.MustUnderstand, version2.DictionaryNamespace, System.ServiceModel.XD.MessageDictionary.MustUnderstand, envelope.DictionaryNamespace })), base.SecurityVerifiedMessage); } flag = null != reader.GetAttribute(envelope.DictionaryActor, envelope.DictionaryNamespace); if ((null != reader.GetAttribute(version2.DictionaryActor, version2.DictionaryNamespace)) && !flag) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidAttributeInSignedHeader", new object[] { info.Name, info.Namespace, version2.DictionaryActor, version2.DictionaryNamespace, envelope.DictionaryActor, envelope.DictionaryNamespace })), base.SecurityVerifiedMessage); } } }
// helper methods protected void EnsureEndpointAddressDoesNotRequireEncryption(EndpointAddress target) { if (ApplicationProtectionRequirements == null || ApplicationProtectionRequirements.OutgoingEncryptionParts == null) { return; } MessagePartSpecification channelEncryptionParts = ApplicationProtectionRequirements.OutgoingEncryptionParts.ChannelParts; if (channelEncryptionParts == null) { return; } for (int i = 0; i < _targetAddress.Headers.Count; ++i) { AddressHeader header = target.Headers[i]; if (channelEncryptionParts.IsHeaderIncluded(header.Name, header.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.SecurityNegotiationCannotProtectConfidentialEndpointHeader, target, header.Name, header.Namespace))); } } }
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts) { MessagePartSpecification result = new MessagePartSpecification(false); foreach (string action in actionParts.Actions) { MessagePartSpecification parts; if (actionParts.TryGetParts(action, out parts)) { if (parts.IsBodyIncluded) { result.IsBodyIncluded = true; } foreach (XmlQualifiedName headerType in parts.HeaderTypes) { if (!result.IsHeaderIncluded(headerType.Name, headerType.Namespace)) { result.HeaderTypes.Add(headerType); } } } } return(result); }
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts) { MessagePartSpecification specification = new MessagePartSpecification(false); foreach (string str in actionParts.Actions) { MessagePartSpecification specification2; if (actionParts.TryGetParts(str, out specification2)) { if (specification2.IsBodyIncluded) { specification.IsBodyIncluded = true; } foreach (XmlQualifiedName name in specification2.HeaderTypes) { if (!specification.IsHeaderIncluded(name.Name, name.Namespace)) { specification.HeaderTypes.Add(name); } } } } return(specification); }
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts) { MessagePartSpecification result = new MessagePartSpecification(false); foreach (string action in actionParts.Actions) { MessagePartSpecification parts; if (actionParts.TryGetParts(action, out parts)) { if (parts.IsBodyIncluded) { result.IsBodyIncluded = true; } foreach (XmlQualifiedName headerType in parts.HeaderTypes) { if (!result.IsHeaderIncluded(headerType.Name, headerType.Namespace)) { result.HeaderTypes.Add(headerType); } } } } return result; }
protected override void ExecuteMessageProtectionPass(bool hasAtLeastOneSupportingTokenExpectedToBeSigned) { bool flag8; bool flag9; SignatureTargetIdManager idManager = base.StandardsManager.IdManager; MessagePartSpecification specification = base.RequiredEncryptionParts ?? MessagePartSpecification.NoParts; MessagePartSpecification signatureParts = base.RequiredSignatureParts ?? MessagePartSpecification.NoParts; bool checkForTokensAtHeaders = hasAtLeastOneSupportingTokenExpectedToBeSigned; bool doSoapAttributeChecks = !signatureParts.IsBodyIncluded; bool encryptBeforeSignMode = base.EncryptBeforeSignMode; SignedInfo signedInfo = (this.pendingSignature != null) ? this.pendingSignature.Signature.SignedInfo : null; SignatureConfirmations sentSignatureConfirmations = base.GetSentSignatureConfirmations(); if (((sentSignatureConfirmations != null) && (sentSignatureConfirmations.Count > 0)) && sentSignatureConfirmations.IsMarkedForEncryption) { base.VerifySignatureEncryption(); } MessageHeaders headers = base.SecurityVerifiedMessage.Headers; XmlDictionaryReader readerAtFirstHeader = base.SecurityVerifiedMessage.GetReaderAtFirstHeader(); bool atLeastOneHeaderOrBodyEncrypted = false; for (int i = 0; i < headers.Count; i++) { if (readerAtFirstHeader.NodeType != XmlNodeType.Element) { readerAtFirstHeader.MoveToContent(); } if (i == base.HeaderIndex) { readerAtFirstHeader.Skip(); } else { bool flag6; bool flag5 = false; string str = idManager.ExtractId(readerAtFirstHeader); if (str != null) { flag5 = this.TryDeleteReferenceListEntry(str); } if (!flag5 && readerAtFirstHeader.IsStartElement("EncryptedHeader", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd")) { XmlDictionaryReader readerAtHeader = headers.GetReaderAtHeader(i); readerAtHeader.ReadStartElement("EncryptedHeader", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"); if (readerAtHeader.IsStartElement(EncryptedData.ElementName, System.ServiceModel.XD.XmlEncryptionDictionary.Namespace)) { string attribute = readerAtHeader.GetAttribute(System.ServiceModel.XD.XmlEncryptionDictionary.Id, null); if ((attribute != null) && this.TryDeleteReferenceListEntry(attribute)) { flag5 = true; } } } base.ElementManager.VerifyUniquenessAndSetHeaderId(str, i); MessageHeaderInfo info = headers[i]; if (!flag5 && specification.IsHeaderIncluded(info.Name, info.Namespace)) { base.SecurityVerifiedMessage.OnUnencryptedPart(info.Name, info.Namespace); } if ((!flag5 || encryptBeforeSignMode) && (str != null)) { flag6 = this.EnsureDigestValidityIfIdMatches(signedInfo, str, readerAtFirstHeader, doSoapAttributeChecks, signatureParts, info, checkForTokensAtHeaders); } else { flag6 = false; } if (flag5) { XmlDictionaryReader reader = flag6 ? headers.GetReaderAtHeader(i) : readerAtFirstHeader; DecryptedHeader header = this.DecryptHeader(reader, this.pendingDecryptionToken); info = header; str = header.Id; base.ElementManager.VerifyUniquenessAndSetDecryptedHeaderId(str, i); headers.ReplaceAt(i, header); if (!object.ReferenceEquals(reader, readerAtFirstHeader)) { reader.Close(); } if (!encryptBeforeSignMode && (str != null)) { XmlDictionaryReader headerReader = header.GetHeaderReader(); flag6 = this.EnsureDigestValidityIfIdMatches(signedInfo, str, headerReader, doSoapAttributeChecks, signatureParts, info, checkForTokensAtHeaders); headerReader.Close(); } } if (!flag6 && signatureParts.IsHeaderIncluded(info.Name, info.Namespace)) { base.SecurityVerifiedMessage.OnUnsignedPart(info.Name, info.Namespace); } if (flag6 && flag5) { base.VerifySignatureEncryption(); } if (flag5 && !flag6) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("EncryptedHeaderNotSigned", new object[] { info.Name, info.Namespace }))); } if (!flag6 && !flag5) { readerAtFirstHeader.Skip(); } atLeastOneHeaderOrBodyEncrypted |= flag5; } } readerAtFirstHeader.ReadEndElement(); if (readerAtFirstHeader.NodeType != XmlNodeType.Element) { readerAtFirstHeader.MoveToContent(); } string id = idManager.ExtractId(readerAtFirstHeader); base.ElementManager.VerifyUniquenessAndSetBodyId(id); base.SecurityVerifiedMessage.SetBodyPrefixAndAttributes(readerAtFirstHeader); bool flag7 = specification.IsBodyIncluded || this.HasPendingDecryptionItem(); if ((!flag7 || encryptBeforeSignMode) && (id != null)) { flag8 = this.EnsureDigestValidityIfIdMatches(signedInfo, id, readerAtFirstHeader, false, null, null, false); } else { flag8 = false; } if (flag7) { XmlDictionaryReader reader5 = flag8 ? base.SecurityVerifiedMessage.CreateFullBodyReader() : readerAtFirstHeader; reader5.ReadStartElement(); string str4 = idManager.ExtractId(reader5); base.ElementManager.VerifyUniquenessAndSetBodyContentId(str4); flag9 = (str4 != null) && this.TryDeleteReferenceListEntry(str4); if (flag9) { this.DecryptBody(reader5, this.pendingDecryptionToken); } if (!object.ReferenceEquals(reader5, readerAtFirstHeader)) { reader5.Close(); } if ((!encryptBeforeSignMode && (signedInfo != null)) && signedInfo.HasUnverifiedReference(id)) { reader5 = base.SecurityVerifiedMessage.CreateFullBodyReader(); flag8 = this.EnsureDigestValidityIfIdMatches(signedInfo, id, reader5, false, null, null, false); reader5.Close(); } } else { flag9 = false; } if (flag8 && flag9) { base.VerifySignatureEncryption(); } readerAtFirstHeader.Close(); if (this.pendingSignature != null) { this.pendingSignature.CompleteSignatureVerification(); this.pendingSignature = null; } this.pendingDecryptionToken = null; atLeastOneHeaderOrBodyEncrypted |= flag9; if (!flag8 && signatureParts.IsBodyIncluded) { base.SecurityVerifiedMessage.OnUnsignedPart(System.ServiceModel.XD.MessageDictionary.Body.Value, base.Version.Envelope.Namespace); } if (!flag9 && specification.IsBodyIncluded) { base.SecurityVerifiedMessage.OnUnencryptedPart(System.ServiceModel.XD.MessageDictionary.Body.Value, base.Version.Envelope.Namespace); } base.SecurityVerifiedMessage.OnMessageProtectionPassComplete(atLeastOneHeaderOrBodyEncrypted); }
protected override void ExecuteMessageProtectionPass(bool hasAtLeastOneSupportingTokenExpectedToBeSigned) { SignatureTargetIdManager idManager = this.StandardsManager.IdManager; MessagePartSpecification encryptionParts = this.RequiredEncryptionParts ?? MessagePartSpecification.NoParts; MessagePartSpecification signatureParts = this.RequiredSignatureParts ?? MessagePartSpecification.NoParts; bool checkForTokensAtHeaders = hasAtLeastOneSupportingTokenExpectedToBeSigned; bool doSoapAttributeChecks = !signatureParts.IsBodyIncluded; bool encryptBeforeSign = this.EncryptBeforeSignMode; SignedInfo signedInfo = this.pendingSignature != null ? this.pendingSignature.Signature.SignedInfo : null; SignatureConfirmations signatureConfirmations = this.GetSentSignatureConfirmations(); if (signatureConfirmations != null && signatureConfirmations.Count > 0 && signatureConfirmations.IsMarkedForEncryption) { // If Signature Confirmations are encrypted then the signature should // be encrypted as well. this.VerifySignatureEncryption(); } MessageHeaders headers = this.SecurityVerifiedMessage.Headers; XmlDictionaryReader reader = this.SecurityVerifiedMessage.GetReaderAtFirstHeader(); bool atLeastOneHeaderOrBodyEncrypted = false; for (int i = 0; i < headers.Count; i++) { if (reader.NodeType != XmlNodeType.Element) { reader.MoveToContent(); } if (i == this.HeaderIndex) { reader.Skip(); continue; } bool isHeaderEncrypted = false; string id = idManager.ExtractId(reader); if (id != null) { isHeaderEncrypted = TryDeleteReferenceListEntry(id); } if (!isHeaderEncrypted && reader.IsStartElement(SecurityXXX2005Strings.EncryptedHeader, SecurityXXX2005Strings.Namespace)) { XmlDictionaryReader localreader = headers.GetReaderAtHeader(i); localreader.ReadStartElement(SecurityXXX2005Strings.EncryptedHeader, SecurityXXX2005Strings.Namespace); if (localreader.IsStartElement(EncryptedData.ElementName, XD.XmlEncryptionDictionary.Namespace)) { string encryptedDataId = localreader.GetAttribute(XD.XmlEncryptionDictionary.Id, null); if (encryptedDataId != null && TryDeleteReferenceListEntry(encryptedDataId)) { isHeaderEncrypted = true; } } } this.ElementManager.VerifyUniquenessAndSetHeaderId(id, i); MessageHeaderInfo info = headers[i]; if (!isHeaderEncrypted && encryptionParts.IsHeaderIncluded(info.Name, info.Namespace)) { this.SecurityVerifiedMessage.OnUnencryptedPart(info.Name, info.Namespace); } bool headerSigned; if ((!isHeaderEncrypted || encryptBeforeSign) && id != null) { headerSigned = EnsureDigestValidityIfIdMatches(signedInfo, id, reader, doSoapAttributeChecks, signatureParts, info, checkForTokensAtHeaders); } else { headerSigned = false; } if (isHeaderEncrypted) { XmlDictionaryReader decryptionReader = headerSigned ? headers.GetReaderAtHeader(i) : reader; DecryptedHeader decryptedHeader = DecryptHeader(decryptionReader, this.pendingDecryptionToken); info = decryptedHeader; id = decryptedHeader.Id; this.ElementManager.VerifyUniquenessAndSetDecryptedHeaderId(id, i); headers.ReplaceAt(i, decryptedHeader); if (!ReferenceEquals(decryptionReader, reader)) { decryptionReader.Close(); } if (!encryptBeforeSign && id != null) { XmlDictionaryReader decryptedHeaderReader = decryptedHeader.GetHeaderReader(); headerSigned = EnsureDigestValidityIfIdMatches(signedInfo, id, decryptedHeaderReader, doSoapAttributeChecks, signatureParts, info, checkForTokensAtHeaders); decryptedHeaderReader.Close(); } } if (!headerSigned && signatureParts.IsHeaderIncluded(info.Name, info.Namespace)) { this.SecurityVerifiedMessage.OnUnsignedPart(info.Name, info.Namespace); } if (headerSigned && isHeaderEncrypted) { // We have a header that is signed and encrypted. So the accompanying primary signature // should be encrypted as well. this.VerifySignatureEncryption(); } if (isHeaderEncrypted && !headerSigned) { // We require all encrypted headers (outside the security header) to be signed. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.EncryptedHeaderNotSigned, info.Name, info.Namespace))); } if (!headerSigned && !isHeaderEncrypted) { reader.Skip(); } atLeastOneHeaderOrBodyEncrypted |= isHeaderEncrypted; } reader.ReadEndElement(); if (reader.NodeType != XmlNodeType.Element) { reader.MoveToContent(); } string bodyId = idManager.ExtractId(reader); this.ElementManager.VerifyUniquenessAndSetBodyId(bodyId); this.SecurityVerifiedMessage.SetBodyPrefixAndAttributes(reader); bool expectBodyEncryption = encryptionParts.IsBodyIncluded || HasPendingDecryptionItem(); bool bodySigned; if ((!expectBodyEncryption || encryptBeforeSign) && bodyId != null) { bodySigned = EnsureDigestValidityIfIdMatches(signedInfo, bodyId, reader, false, null, null, false); } else { bodySigned = false; } bool bodyEncrypted; if (expectBodyEncryption) { XmlDictionaryReader bodyReader = bodySigned ? this.SecurityVerifiedMessage.CreateFullBodyReader() : reader; bodyReader.ReadStartElement(); string bodyContentId = idManager.ExtractId(bodyReader); this.ElementManager.VerifyUniquenessAndSetBodyContentId(bodyContentId); bodyEncrypted = bodyContentId != null && TryDeleteReferenceListEntry(bodyContentId); if (bodyEncrypted) { DecryptBody(bodyReader, this.pendingDecryptionToken); } if (!ReferenceEquals(bodyReader, reader)) { bodyReader.Close(); } if (!encryptBeforeSign && signedInfo != null && signedInfo.HasUnverifiedReference(bodyId)) { bodyReader = this.SecurityVerifiedMessage.CreateFullBodyReader(); bodySigned = EnsureDigestValidityIfIdMatches(signedInfo, bodyId, bodyReader, false, null, null, false); bodyReader.Close(); } } else { bodyEncrypted = false; } if (bodySigned && bodyEncrypted) { this.VerifySignatureEncryption(); } reader.Close(); if (this.pendingSignature != null) { this.pendingSignature.CompleteSignatureVerification(); this.pendingSignature = null; } this.pendingDecryptionToken = null; atLeastOneHeaderOrBodyEncrypted |= bodyEncrypted; if (!bodySigned && signatureParts.IsBodyIncluded) { this.SecurityVerifiedMessage.OnUnsignedPart(XD.MessageDictionary.Body.Value, this.Version.Envelope.Namespace); } if (!bodyEncrypted && encryptionParts.IsBodyIncluded) { this.SecurityVerifiedMessage.OnUnencryptedPart(XD.MessageDictionary.Body.Value, this.Version.Envelope.Namespace); } this.SecurityVerifiedMessage.OnMessageProtectionPassComplete(atLeastOneHeaderOrBodyEncrypted); }
private static MessagePartSpecification UnionMessagePartSpecifications(ScopedMessagePartSpecification actionParts) { MessagePartSpecification specification = new MessagePartSpecification(false); foreach (string str in actionParts.Actions) { MessagePartSpecification specification2; if (actionParts.TryGetParts(str, out specification2)) { if (specification2.IsBodyIncluded) { specification.IsBodyIncluded = true; } foreach (XmlQualifiedName name in specification2.HeaderTypes) { if (!specification.IsHeaderIncluded(name.Name, name.Namespace)) { specification.HeaderTypes.Add(name); } } } } return specification; }