protected override ISecurityElement CompleteEncryptionCore(
SendSecurityHeaderElement primarySignature,
SendSecurityHeaderElement[] basicTokens,
SendSecurityHeaderElement[] signatureConfirmations,
SendSecurityHeaderElement[] endorsingSignatures)
{
if (this.referenceList == null)
{
return(null);
}
if (primarySignature != null && primarySignature.Item != null && primarySignature.MarkedForEncryption)
{
EncryptElement(primarySignature);
}
if (basicTokens != null)
{
for (int i = 0; i < basicTokens.Length; ++i)
{
if (basicTokens[i].MarkedForEncryption)
{
EncryptElement(basicTokens[i]);
}
}
}
if (signatureConfirmations != null)
{
for (int i = 0; i < signatureConfirmations.Length; ++i)
{
if (signatureConfirmations[i].MarkedForEncryption)
{
EncryptElement(signatureConfirmations[i]);
}
}
}
if (endorsingSignatures != null)
{
for (int i = 0; i < endorsingSignatures.Length; ++i)
{
if (endorsingSignatures[i].MarkedForEncryption)
{
EncryptElement(endorsingSignatures[i]);
}
}
}
try
{
return(this.referenceList.DataReferenceCount > 0 ? this.referenceList : null);
}
finally
{
this.referenceList = null;
this.encryptingSymmetricAlgorithm = null;
this.encryptionKeyIdentifier = null;
}
}
private void EncryptElement(SendSecurityHeaderElement element)
{
string id = base.GenerateId();
ISecurityElement item = this.CreateEncryptedData(CaptureSecurityElement(element.Item), id, true);
this.referenceList.AddReferredId(id);
element.Replace(id, item);
}
protected override ISecurityElement CompleteEncryptionCore(SendSecurityHeaderElement primarySignature, SendSecurityHeaderElement[] basicTokens, SendSecurityHeaderElement[] signatureConfirmations, SendSecurityHeaderElement[] endorsingSignatures)
{
ISecurityElement element;
if (this.referenceList == null)
{
return(null);
}
if (((primarySignature != null) && (primarySignature.Item != null)) && primarySignature.MarkedForEncryption)
{
this.EncryptElement(primarySignature);
}
if (basicTokens != null)
{
for (int i = 0; i < basicTokens.Length; i++)
{
if (basicTokens[i].MarkedForEncryption)
{
this.EncryptElement(basicTokens[i]);
}
}
}
if (signatureConfirmations != null)
{
for (int j = 0; j < signatureConfirmations.Length; j++)
{
if (signatureConfirmations[j].MarkedForEncryption)
{
this.EncryptElement(signatureConfirmations[j]);
}
}
}
if (endorsingSignatures != null)
{
for (int k = 0; k < endorsingSignatures.Length; k++)
{
if (endorsingSignatures[k].MarkedForEncryption)
{
this.EncryptElement(endorsingSignatures[k]);
}
}
}
try
{
element = (this.referenceList.DataReferenceCount > 0) ? this.referenceList : null;
}
finally
{
this.referenceList = null;
this.encryptingSymmetricAlgorithm = null;
this.encryptionKeyIdentifier = null;
}
return(element);
}
private void StartSignature()
{
if (ElementContainer.SourceSigningToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceSigningKeyReferenceStyle = GetTokenReferenceStyle(SigningTokenParameters);
SecurityKeyIdentifierClause sourceSigningKeyIdentifierClause = SigningTokenParameters.CreateKeyIdentifierClause(ElementContainer.SourceSigningToken, sourceSigningKeyReferenceStyle);
if (sourceSigningKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyIdentifierClause;
// determine if a token needs to be derived
if (SigningTokenParameters.RequireDerivedKeys && !SigningTokenParameters.HasAsymmetricKey)
{
// Derived keys not required for initial implementation
throw ExceptionHelper.PlatformNotSupported();
}
else
{
signingToken = ElementContainer.SourceSigningToken;
signingKeyIdentifierClause = sourceSigningKeyIdentifierClause;
}
SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(signingKeyIdentifierClause);
if (_signatureConfirmationsToSend != null && _signatureConfirmationsToSend.Count > 0)
{
ISecurityElement[] signatureConfirmationElements;
signatureConfirmationElements = CreateSignatureConfirmationElements(_signatureConfirmationsToSend);
for (int i = 0; i < signatureConfirmationElements.Length; ++i)
{
SendSecurityHeaderElement sigConfElement = new SendSecurityHeaderElement(signatureConfirmationElements[i].Id, signatureConfirmationElements[i]);
sigConfElement.MarkedForEncryption = _signatureConfirmationsToSend.IsMarkedForEncryption;
ElementContainer.AddSignatureConfirmation(sigConfElement);
}
}
bool generateTargettablePrimarySignature = ((_endorsingTokenParameters != null) || (_signedEndorsingTokenParameters != null));
StartPrimarySignatureCore(signingToken, signingKeyIdentifier, _signatureParts, generateTargettablePrimarySignature);
}
private void SignWithSupportingToken(SecurityToken token, SecurityKeyIdentifierClause identifierClause)
{
if (token == null)
{
throw TraceUtility.ThrowHelperArgumentNull(nameof(token), Message);
}
if (identifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
}
if (!RequireMessageProtection)
{
if (ElementContainer.Timestamp == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.SigningWithoutPrimarySignatureRequiresTimestamp), Message);
}
}
else
{
if (!_primarySignatureDone)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.PrimarySignatureMustBeComputedBeforeSupportingTokenSignatures), Message);
}
if (ElementContainer.PrimarySignature.Item == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.SupportingTokenSignaturesNotExpected), Message);
}
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(identifierClause);
ISignatureValueSecurityElement supportingSignature;
if (!RequireMessageProtection)
{
supportingSignature = CreateSupportingSignature(token, identifier);
}
else
{
supportingSignature = CreateSupportingSignature(token, identifier, ElementContainer.PrimarySignature.Item);
}
AddGeneratedSignatureValue(supportingSignature.GetSignatureValue(), _encryptSignature);
SendSecurityHeaderElement supportingSignatureElement = new SendSecurityHeaderElement(supportingSignature.Id, supportingSignature);
supportingSignatureElement.MarkedForEncryption = _encryptSignature;
ElementContainer.AddEndorsingSignature(supportingSignatureElement);
}
private void SignWithSupportingToken(SecurityToken token, SecurityKeyIdentifierClause identifierClause)
{
ISignatureValueSecurityElement element;
if (token == null)
{
throw TraceUtility.ThrowHelperArgumentNull("token", base.Message);
}
if (identifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (!base.RequireMessageProtection)
{
if (this.elementContainer.Timestamp == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SigningWithoutPrimarySignatureRequiresTimestamp")), base.Message);
}
}
else
{
if (!this.primarySignatureDone)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("PrimarySignatureMustBeComputedBeforeSupportingTokenSignatures")), base.Message);
}
if (this.elementContainer.PrimarySignature.Item == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SupportingTokenSignaturesNotExpected")), base.Message);
}
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { identifierClause });
if (!base.RequireMessageProtection)
{
element = this.CreateSupportingSignature(token, identifier);
}
else
{
element = this.CreateSupportingSignature(token, identifier, this.elementContainer.PrimarySignature.Item);
}
this.AddGeneratedSignatureValue(element.GetSignatureValue(), this.encryptSignature);
SendSecurityHeaderElement signature = new SendSecurityHeaderElement(element.Id, element)
{
MarkedForEncryption = this.encryptSignature
};
this.elementContainer.AddEndorsingSignature(signature);
}
private void StartSignature()
{
if (this.elementContainer.SourceSigningToken != null)
{
SecurityToken sourceSigningToken;
SecurityKeyIdentifierClause clause2;
SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.signingTokenParameters);
SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, tokenReferenceStyle);
if (tokenToDeriveIdentifier == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey)
{
string signatureKeyDerivationAlgorithm = base.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (signatureKeyDerivationAlgorithm != keyDerivationAlgorithm)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { signatureKeyDerivationAlgorithm })));
}
DerivedKeySecurityToken token2 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, this.elementContainer.SourceSigningToken, tokenToDeriveIdentifier, signatureKeyDerivationAlgorithm, this.GenerateId());
sourceSigningToken = this.elementContainer.DerivedSigningToken = token2;
clause2 = new LocalIdKeyIdentifierClause(sourceSigningToken.Id, sourceSigningToken.GetType());
}
else
{
sourceSigningToken = this.elementContainer.SourceSigningToken;
clause2 = tokenToDeriveIdentifier;
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause2 });
if ((this.signatureConfirmationsToSend != null) && (this.signatureConfirmationsToSend.Count > 0))
{
ISecurityElement[] elementArray = this.CreateSignatureConfirmationElements(this.signatureConfirmationsToSend);
for (int i = 0; i < elementArray.Length; i++)
{
SendSecurityHeaderElement confirmation = new SendSecurityHeaderElement(elementArray[i].Id, elementArray[i])
{
MarkedForEncryption = this.signatureConfirmationsToSend.IsMarkedForEncryption
};
this.elementContainer.AddSignatureConfirmation(confirmation);
}
}
bool generateTargettablePrimarySignature = (this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null);
this.StartPrimarySignatureCore(sourceSigningToken, identifier, this.signatureParts, generateTargettablePrimarySignature);
}
}
private void AddSignatureReference(SendSecurityHeaderElement[] elements)
{
if (elements != null)
{
for (int i = 0; i < elements.Length; i++)
{
if (elements[i].Id == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("ElementToSignMustHaveId")), base.Message);
}
HashStream stream = this.TakeHashStream();
XmlDictionaryWriter writer = this.TakeUtf8Writer();
writer.StartCanonicalization(stream, false, null);
elements[i].Item.WriteTo(writer, ServiceModelDictionaryManager.Instance);
writer.EndCanonicalization();
this.signedInfo.AddReference(elements[i].Id, stream.FlushHashAndGetValue());
}
}
}
public void AddBasicSupportingToken(SecurityToken token, SecurityTokenParameters parameters)
{
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
if (parameters == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
}
base.ThrowIfProcessingStarted();
SendSecurityHeaderElement tokenElement = new SendSecurityHeaderElement(token.Id, new TokenElement(token, base.StandardsManager)) {
MarkedForEncryption = true
};
this.elementContainer.AddBasicSupportingToken(tokenElement);
this.hasEncryptedTokens = true;
this.hasSignedTokens = true;
this.AddParameters(ref this.basicSupportingTokenParameters, parameters);
}
public void AddBasicSupportingToken(SecurityToken token, SecurityTokenParameters parameters)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(token));
}
if (parameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(parameters));
}
ThrowIfProcessingStarted();
SendSecurityHeaderElement tokenElement = new SendSecurityHeaderElement(token.Id, new TokenElement(token, StandardsManager));
tokenElement.MarkedForEncryption = true;
ElementContainer.AddBasicSupportingToken(tokenElement);
AddParameters(ref _basicSupportingTokenParameters, parameters);
}
public void AddBasicSupportingToken(SecurityToken token, SecurityTokenParameters parameters)
{
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
if (parameters == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
}
base.ThrowIfProcessingStarted();
SendSecurityHeaderElement tokenElement = new SendSecurityHeaderElement(token.Id, new TokenElement(token, base.StandardsManager))
{
MarkedForEncryption = true
};
this.elementContainer.AddBasicSupportingToken(tokenElement);
this.hasEncryptedTokens = true;
this.hasSignedTokens = true;
this.AddParameters(ref this.basicSupportingTokenParameters, parameters);
}
public void AddEndorsingSignature(SendSecurityHeaderElement signature)
{
this.Add <SendSecurityHeaderElement>(ref this.endorsingSignatures, signature);
}
public void AddBasicSupportingToken(SendSecurityHeaderElement tokenElement)
{
this.Add <SendSecurityHeaderElement>(ref this.basicSupportingTokens, tokenElement);
}
public void AddBasicSupportingToken(SecurityToken token, SecurityTokenParameters parameters)
{
if (token == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
if (parameters == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
ThrowIfProcessingStarted();
SendSecurityHeaderElement tokenElement = new SendSecurityHeaderElement(token.Id, new TokenElement(token, this.StandardsManager));
tokenElement.MarkedForEncryption = true;
this.elementContainer.AddBasicSupportingToken(tokenElement);
hasEncryptedTokens = true;
hasSignedTokens = true;
this.AddParameters(ref this.basicSupportingTokenParameters, parameters);
if (this.basicTokens == null)
{
this.basicTokens = new List<SecurityToken>();
}
// We maintain a list of the basic tokens for the SignThenEncrypt case as we will
// need this token to write STR entry on OnWriteHeaderContents.
this.basicTokens.Add(token);
}
void StartSignature()
{
if (this.elementContainer.SourceSigningToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceSigningKeyReferenceStyle = GetTokenReferenceStyle(this.signingTokenParameters);
SecurityKeyIdentifierClause sourceSigningKeyIdentifierClause = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, sourceSigningKeyReferenceStyle);
if (sourceSigningKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
SecurityToken signingToken;
SecurityKeyIdentifierClause signingKeyIdentifierClause;
// determine if a token needs to be derived
if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey)
{
string derivationAlgorithm = this.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (derivationAlgorithm == expectedDerivationAlgorithm)
{
DerivedKeySecurityToken derivedSigningToken = new DerivedKeySecurityToken(-1, 0, this.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, this.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, this.elementContainer.SourceSigningToken,
sourceSigningKeyIdentifierClause, derivationAlgorithm, GenerateId());
signingToken = this.elementContainer.DerivedSigningToken = derivedSigningToken;
signingKeyIdentifierClause = new LocalIdKeyIdentifierClause(signingToken.Id, signingToken.GetType());
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm)));
}
}
else
{
signingToken = elementContainer.SourceSigningToken;
signingKeyIdentifierClause = sourceSigningKeyIdentifierClause;
}
SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(signingKeyIdentifierClause);
if (signatureConfirmationsToSend != null && signatureConfirmationsToSend.Count > 0)
{
ISecurityElement[] signatureConfirmationElements;
signatureConfirmationElements = CreateSignatureConfirmationElements(signatureConfirmationsToSend);
for (int i = 0; i < signatureConfirmationElements.Length; ++i)
{
SendSecurityHeaderElement sigConfElement = new SendSecurityHeaderElement(signatureConfirmationElements[i].Id, signatureConfirmationElements[i]);
sigConfElement.MarkedForEncryption = signatureConfirmationsToSend.IsMarkedForEncryption;
this.elementContainer.AddSignatureConfirmation(sigConfElement);
}
}
bool generateTargettablePrimarySignature = ((this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null));
this.StartPrimarySignatureCore(signingToken, signingKeyIdentifier, this.signatureParts, generateTargettablePrimarySignature);
}
public void AddBasicSupportingToken(SendSecurityHeaderElement tokenElement)
{
Add(ref _basicSupportingTokens, tokenElement);
}
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens)
{
ISignatureValueSecurityElement signedXml;
if (this.signedXml == null)
{
return null;
}
SecurityTimestamp timestamp = base.Timestamp;
if (timestamp != null)
{
if (timestamp.Id == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TimestampToSignHasNoId")));
}
HashStream stream = this.TakeHashStream();
base.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(stream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer());
this.signedInfo.AddReference(timestamp.Id, stream.FlushHashAndGetValue());
}
if ((base.ShouldSignToHeader && (this.signatureKey is AsymmetricSecurityKey)) && (base.Version.Addressing != AddressingVersion.None))
{
if (this.toHeaderHash == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TransportSecurityRequireToHeader")));
}
this.signedInfo.AddReference(this.toHeaderId, this.toHeaderHash);
}
this.AddSignatureReference(signatureConfirmations);
if (base.RequireMessageProtection)
{
this.AddSignatureReference(signedEndorsingTokens);
this.AddSignatureReference(signedTokens);
this.AddSignatureReference(basicTokens);
}
if (this.signedInfo.ReferenceCount == 0)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoPartsOfMessageMatchedPartsToSign")), base.Message);
}
try
{
this.signedXml.ComputeSignature(this.signatureKey);
signedXml = this.signedXml;
}
finally
{
this.hashStream = null;
this.signedInfo = null;
this.signedXml = null;
this.signatureKey = null;
this.effectiveSignatureParts = null;
}
return signedXml;
}
protected override ISignatureValueSecurityElement CompletePrimarySignatureCore(
SendSecurityHeaderElement[] signatureConfirmations,
SecurityToken[] signedEndorsingTokens,
SecurityToken[] signedTokens,
SendSecurityHeaderElement[] basicTokens, bool isPrimarySignature)
{
if (this.signedXml == null)
{
return null;
}
SecurityTimestamp timestamp = this.Timestamp;
if (timestamp != null)
{
if (timestamp.Id == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TimestampToSignHasNoId)));
}
HashStream hashStream = TakeHashStream();
this.StandardsManager.WSUtilitySpecificationVersion.WriteTimestampCanonicalForm(
hashStream, timestamp, this.signedInfo.ResourcePool.TakeEncodingBuffer());
signedInfo.AddReference(timestamp.Id, hashStream.FlushHashAndGetValue());
}
if ((this.ShouldSignToHeader) && (this.signatureKey is AsymmetricSecurityKey) && (this.Version.Addressing != AddressingVersion.None))
{
if (this.toHeaderHash != null)
signedInfo.AddReference(this.toHeaderId, this.toHeaderHash);
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TransportSecurityRequireToHeader)));
}
AddSignatureReference(signatureConfirmations);
if (isPrimarySignature && this.ShouldProtectTokens)
{
AddPrimaryTokenSignatureReference(this.ElementContainer.SourceSigningToken, this.SigningTokenParameters);
}
if (this.RequireMessageProtection)
{
AddSignatureReference(signedEndorsingTokens, SecurityTokenAttachmentMode.SignedEndorsing);
AddSignatureReference(signedTokens, SecurityTokenAttachmentMode.Signed);
AddSignatureReference(basicTokens);
}
if (this.signedInfo.ReferenceCount == 0)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoPartsOfMessageMatchedPartsToSign)), this.Message);
}
try
{
this.signedXml.ComputeSignature(this.signatureKey);
return this.signedXml;
}
finally
{
this.hashStream = null;
this.signedInfo = null;
this.signedXml = null;
this.signatureKey = null;
this.effectiveSignatureParts = null;
}
}
void AddSignatureReference(SendSecurityHeaderElement[] elements)
{
if (elements != null)
{
for (int i = 0; i < elements.Length; ++i)
{
SecurityKeyIdentifierClause keyIdentifierClause = null;
TokenElement signedEncryptedTokenElement = elements[i].Item as TokenElement;
// signedEncryptedTokenElement can either be a TokenElement ( in SignThenEncrypt case) or EncryptedData ( in !SignThenEncryptCase)
// STR-Transform does not make sense in !SignThenEncrypt case .
// note: signedEncryptedTokenElement can also be SignatureConfirmation but we do not care about it here.
bool useStrTransform = signedEncryptedTokenElement != null
&& SignThenEncrypt
&& this.ShouldUseStrTransformForToken(signedEncryptedTokenElement.Token,
i,
SecurityTokenAttachmentMode.SignedEncrypted,
out keyIdentifierClause);
if (!useStrTransform && elements[i].Id == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.ElementToSignMustHaveId)), this.Message);
}
HashStream hashStream = TakeHashStream();
XmlDictionaryWriter utf8Writer = TakeUtf8Writer();
utf8Writer.StartCanonicalization(hashStream, false, null);
elements[i].Item.WriteTo(utf8Writer, ServiceModelDictionaryManager.Instance);
utf8Writer.EndCanonicalization();
if (useStrTransform)
{
if (keyIdentifierClause != null)
{
if (String.IsNullOrEmpty(keyIdentifierClause.Id))
keyIdentifierClause.Id = SecurityUniqueId.Create().Value;
this.ElementContainer.MapSecurityTokenToStrClause(signedEncryptedTokenElement.Token, keyIdentifierClause);
this.signedInfo.AddReference(keyIdentifierClause.Id, hashStream.FlushHashAndGetValue(), true);
}
else
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
else
this.signedInfo.AddReference(elements[i].Id, hashStream.FlushHashAndGetValue());
}
}
}
protected abstract ISignatureValueSecurityElement CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens);
protected abstract ISecurityElement CompleteEncryptionCore(SendSecurityHeaderElement primarySignature, SendSecurityHeaderElement[] basicTokens, SendSecurityHeaderElement[] signatureConfirmations, SendSecurityHeaderElement[] endorsingSignatures);
public void AddSignatureConfirmation(SendSecurityHeaderElement confirmation)
{
this.Add <SendSecurityHeaderElement>(ref this.signatureConfirmations, confirmation);
}
public void AddSignatureConfirmation(SendSecurityHeaderElement confirmation)
{
Add(ref _signatureConfirmations, confirmation);
}
protected override ISecurityElement CompleteEncryptionCore(SendSecurityHeaderElement primarySignature, SendSecurityHeaderElement[] basicTokens, SendSecurityHeaderElement[] signatureConfirmations, SendSecurityHeaderElement[] endorsingSignatures)
{
ISecurityElement element;
if (this.referenceList == null)
{
return null;
}
if (((primarySignature != null) && (primarySignature.Item != null)) && primarySignature.MarkedForEncryption)
{
this.EncryptElement(primarySignature);
}
if (basicTokens != null)
{
for (int i = 0; i < basicTokens.Length; i++)
{
if (basicTokens[i].MarkedForEncryption)
{
this.EncryptElement(basicTokens[i]);
}
}
}
if (signatureConfirmations != null)
{
for (int j = 0; j < signatureConfirmations.Length; j++)
{
if (signatureConfirmations[j].MarkedForEncryption)
{
this.EncryptElement(signatureConfirmations[j]);
}
}
}
if (endorsingSignatures != null)
{
for (int k = 0; k < endorsingSignatures.Length; k++)
{
if (endorsingSignatures[k].MarkedForEncryption)
{
this.EncryptElement(endorsingSignatures[k]);
}
}
}
try
{
element = (this.referenceList.DataReferenceCount > 0) ? this.referenceList : null;
}
finally
{
this.referenceList = null;
this.encryptingSymmetricAlgorithm = null;
this.encryptionKeyIdentifier = null;
}
return element;
}
void SignWithSupportingToken(SecurityToken token, SecurityKeyIdentifierClause identifierClause)
{
if (token == null)
{
throw TraceUtility.ThrowHelperArgumentNull("token", this.Message);
}
if (identifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
if (!this.RequireMessageProtection)
{
if (this.elementContainer.Timestamp == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.GetString(SR.SigningWithoutPrimarySignatureRequiresTimestamp)), this.Message);
}
}
else
{
if (!this.primarySignatureDone)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.GetString(SR.PrimarySignatureMustBeComputedBeforeSupportingTokenSignatures)), this.Message);
}
if (this.elementContainer.PrimarySignature.Item == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(
SR.GetString(SR.SupportingTokenSignaturesNotExpected)), this.Message);
}
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(identifierClause);
ISignatureValueSecurityElement supportingSignature;
if (!this.RequireMessageProtection)
{
supportingSignature = CreateSupportingSignature(token, identifier);
}
else
{
supportingSignature = CreateSupportingSignature(token, identifier, elementContainer.PrimarySignature.Item);
}
AddGeneratedSignatureValue(supportingSignature.GetSignatureValue(), encryptSignature);
SendSecurityHeaderElement supportingSignatureElement = new SendSecurityHeaderElement(supportingSignature.Id, supportingSignature);
supportingSignatureElement.MarkedForEncryption = encryptSignature;
this.elementContainer.AddEndorsingSignature(supportingSignatureElement);
}
private void SignWithSupportingToken(SecurityToken token, SecurityKeyIdentifierClause identifierClause)
{
ISignatureValueSecurityElement element;
if (token == null)
{
throw TraceUtility.ThrowHelperArgumentNull("token", base.Message);
}
if (identifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (!base.RequireMessageProtection)
{
if (this.elementContainer.Timestamp == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SigningWithoutPrimarySignatureRequiresTimestamp")), base.Message);
}
}
else
{
if (!this.primarySignatureDone)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("PrimarySignatureMustBeComputedBeforeSupportingTokenSignatures")), base.Message);
}
if (this.elementContainer.PrimarySignature.Item == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SupportingTokenSignaturesNotExpected")), base.Message);
}
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { identifierClause });
if (!base.RequireMessageProtection)
{
element = this.CreateSupportingSignature(token, identifier);
}
else
{
element = this.CreateSupportingSignature(token, identifier, this.elementContainer.PrimarySignature.Item);
}
this.AddGeneratedSignatureValue(element.GetSignatureValue(), this.encryptSignature);
SendSecurityHeaderElement signature = new SendSecurityHeaderElement(element.Id, element) {
MarkedForEncryption = this.encryptSignature
};
this.elementContainer.AddEndorsingSignature(signature);
}
public void AddEndorsingSignature(SendSecurityHeaderElement signature)
{
Add(ref _endorsingSignatures, signature);
}
protected override ISecurityElement CompleteEncryptionCore(
SendSecurityHeaderElement primarySignature,
SendSecurityHeaderElement[] basicTokens,
SendSecurityHeaderElement[] signatureConfirmations,
SendSecurityHeaderElement[] endorsingSignatures)
{
if (this.referenceList == null)
{
return null;
}
if (primarySignature != null && primarySignature.Item != null && primarySignature.MarkedForEncryption)
{
EncryptElement(primarySignature);
}
if (basicTokens != null)
{
for (int i = 0; i < basicTokens.Length; ++i)
{
if (basicTokens[i].MarkedForEncryption)
EncryptElement(basicTokens[i]);
}
}
if (signatureConfirmations != null)
{
for (int i = 0; i < signatureConfirmations.Length; ++i)
{
if (signatureConfirmations[i].MarkedForEncryption)
EncryptElement(signatureConfirmations[i]);
}
}
if (endorsingSignatures != null)
{
for (int i = 0; i < endorsingSignatures.Length; ++i)
{
if (endorsingSignatures[i].MarkedForEncryption)
EncryptElement(endorsingSignatures[i]);
}
}
try
{
return this.referenceList.DataReferenceCount > 0 ? this.referenceList : null;
}
finally
{
this.referenceList = null;
this.encryptingSymmetricAlgorithm = null;
this.encryptionKeyIdentifier = null;
}
}
private void StartSignature()
{
if (this.elementContainer.SourceSigningToken != null)
{
SecurityToken sourceSigningToken;
SecurityKeyIdentifierClause clause2;
SecurityTokenReferenceStyle tokenReferenceStyle = this.GetTokenReferenceStyle(this.signingTokenParameters);
SecurityKeyIdentifierClause tokenToDeriveIdentifier = this.signingTokenParameters.CreateKeyIdentifierClause(this.elementContainer.SourceSigningToken, tokenReferenceStyle);
if (tokenToDeriveIdentifier == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("TokenManagerCannotCreateTokenReference")), base.Message);
}
if (this.signingTokenParameters.RequireDerivedKeys && !this.signingTokenParameters.HasAsymmetricKey)
{
string signatureKeyDerivationAlgorithm = base.AlgorithmSuite.GetSignatureKeyDerivationAlgorithm(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string keyDerivationAlgorithm = System.ServiceModel.Security.SecurityUtils.GetKeyDerivationAlgorithm(base.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (signatureKeyDerivationAlgorithm != keyDerivationAlgorithm)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("UnsupportedCryptoAlgorithm", new object[] { signatureKeyDerivationAlgorithm })));
}
DerivedKeySecurityToken token2 = new DerivedKeySecurityToken(-1, 0, base.AlgorithmSuite.GetSignatureKeyDerivationLength(this.elementContainer.SourceSigningToken, base.StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, 0x10, this.elementContainer.SourceSigningToken, tokenToDeriveIdentifier, signatureKeyDerivationAlgorithm, this.GenerateId());
sourceSigningToken = this.elementContainer.DerivedSigningToken = token2;
clause2 = new LocalIdKeyIdentifierClause(sourceSigningToken.Id, sourceSigningToken.GetType());
}
else
{
sourceSigningToken = this.elementContainer.SourceSigningToken;
clause2 = tokenToDeriveIdentifier;
}
SecurityKeyIdentifier identifier = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { clause2 });
if ((this.signatureConfirmationsToSend != null) && (this.signatureConfirmationsToSend.Count > 0))
{
ISecurityElement[] elementArray = this.CreateSignatureConfirmationElements(this.signatureConfirmationsToSend);
for (int i = 0; i < elementArray.Length; i++)
{
SendSecurityHeaderElement confirmation = new SendSecurityHeaderElement(elementArray[i].Id, elementArray[i]) {
MarkedForEncryption = this.signatureConfirmationsToSend.IsMarkedForEncryption
};
this.elementContainer.AddSignatureConfirmation(confirmation);
}
}
bool generateTargettablePrimarySignature = (this.endorsingTokenParameters != null) || (this.signedEndorsingTokenParameters != null);
this.StartPrimarySignatureCore(sourceSigningToken, identifier, this.signatureParts, generateTargettablePrimarySignature);
}
}
void EncryptElement(SendSecurityHeaderElement element)
{
string id = GenerateId();
ISecurityElement encryptedElement = CreateEncryptedData(CaptureSecurityElement(element.Item), id, true);
this.referenceList.AddReferredId(id);
element.Replace(id, encryptedElement);
}
protected abstract ISecurityElement CompleteEncryptionCore(SendSecurityHeaderElement primarySignature, SendSecurityHeaderElement[] basicTokens, SendSecurityHeaderElement[] signatureConfirmations, SendSecurityHeaderElement[] endorsingSignatures);