|
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
namespace System.ServiceModel.Security
{
using System;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Collections;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Text;
using System.Threading;
using System.Xml;
using System.Runtime;
using System.Security.Cryptography;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security.Tokens;
using HexBinary = System.Runtime.Remoting.Metadata.W3cXsd2001.SoapHexBinary;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Runtime.Serialization;
using KeyIdentifierEntry = WSSecurityTokenSerializer.KeyIdentifierEntry;
using KeyIdentifierClauseEntry = WSSecurityTokenSerializer.KeyIdentifierClauseEntry;
using TokenEntry = WSSecurityTokenSerializer.TokenEntry;
using StrEntry = WSSecurityTokenSerializer.StrEntry;
using Psha1DerivedKeyGenerator = System.IdentityModel.Psha1DerivedKeyGenerator;
abstract class WSTrust : WSSecurityTokenSerializer.SerializerEntries
{
WSSecurityTokenSerializer tokenSerializer;
public WSTrust(WSSecurityTokenSerializer tokenSerializer)
{
this.tokenSerializer = tokenSerializer;
}
public WSSecurityTokenSerializer WSSecurityTokenSerializer
{
get { return this.tokenSerializer; }
}
public abstract TrustDictionary SerializerDictionary
{
get;
}
public override void PopulateTokenEntries(IList<TokenEntry> tokenEntryList)
{
tokenEntryList.Add(new BinarySecretTokenEntry(this));
}
class BinarySecretTokenEntry : TokenEntry
{
WSTrust parent;
TrustDictionary otherDictionary;
public BinarySecretTokenEntry(WSTrust parent)
{
this.parent = parent;
this.otherDictionary = null;
if (parent.SerializerDictionary is TrustDec2005Dictionary)
{
this.otherDictionary = XD.TrustFeb2005Dictionary;
}
if (parent.SerializerDictionary is TrustFeb2005Dictionary)
{
this.otherDictionary = DXD.TrustDec2005Dictionary;
}
// always set it, so we don't have to worry about null
if (this.otherDictionary == null)
this.otherDictionary = this.parent.SerializerDictionary;
}
protected override XmlDictionaryString LocalName { get { return parent.SerializerDictionary.BinarySecret; } }
protected override XmlDictionaryString NamespaceUri { get { return parent.SerializerDictionary.Namespace; } }
protected override Type[] GetTokenTypesCore() { return new Type[] { typeof(BinarySecretSecurityToken) }; }
public override string TokenTypeUri { get { return null; } }
protected override string ValueTypeUri { get { return null; } }
public override bool CanReadTokenCore(XmlElement element)
{
string valueTypeUri = null;
if (element.HasAttribute(SecurityJan2004Strings.ValueType, null))
{
valueTypeUri = element.GetAttribute(SecurityJan2004Strings.ValueType, null);
}
return element.LocalName == LocalName.Value && (element.NamespaceURI == NamespaceUri.Value || element.NamespaceURI == this.otherDictionary.Namespace.Value) && valueTypeUri == this.ValueTypeUri;
}
public override bool CanReadTokenCore(XmlDictionaryReader reader)
{
return (reader.IsStartElement(this.LocalName, this.NamespaceUri) || reader.IsStartElement(this.LocalName, this.otherDictionary.Namespace)) &&
reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null) == this.ValueTypeUri;
}
public override SecurityKeyIdentifierClause CreateKeyIdentifierClauseFromTokenXmlCore(XmlElement issuedTokenXml,
SecurityTokenReferenceStyle tokenReferenceStyle)
{
TokenReferenceStyleHelper.Validate(tokenReferenceStyle);
switch (tokenReferenceStyle)
{
case SecurityTokenReferenceStyle.Internal:
return CreateDirectReference(issuedTokenXml, UtilityStrings.IdAttribute, UtilityStrings.Namespace, typeof(GenericXmlSecurityToken));
case SecurityTokenReferenceStyle.External:
// Binary Secret tokens aren't referred to externally
return null;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("tokenReferenceStyle"));
}
}
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
string secretType = reader.GetAttribute(XD.SecurityJan2004Dictionary.TypeAttribute, null);
string id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
bool isNonce = false;
if (secretType != null && secretType.Length > 0)
{
if (secretType == parent.SerializerDictionary.NonceBinarySecret.Value || secretType == otherDictionary.NonceBinarySecret.Value)
{
isNonce = true;
}
else if (secretType != parent.SerializerDictionary.SymmetricKeyBinarySecret.Value && secretType != otherDictionary.SymmetricKeyBinarySecret.Value)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnexpectedBinarySecretType, parent.SerializerDictionary.SymmetricKeyBinarySecret.Value, secretType)));
}
}
byte[] secret = reader.ReadElementContentAsBase64();
if (isNonce)
{
return new NonceToken(id, secret);
}
else
{
return new BinarySecretSecurityToken(id, secret);
}
}
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
{
BinarySecretSecurityToken simpleToken = token as BinarySecretSecurityToken;
byte[] secret = simpleToken.GetKeyBytes();
writer.WriteStartElement(parent.SerializerDictionary.Prefix.Value, parent.SerializerDictionary.BinarySecret, parent.SerializerDictionary.Namespace);
if (simpleToken.Id != null)
{
writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, simpleToken.Id);
}
if (token is NonceToken)
{
writer.WriteAttributeString(XD.SecurityJan2004Dictionary.TypeAttribute, null, parent.SerializerDictionary.NonceBinarySecret.Value);
}
writer.WriteBase64(secret, 0, secret.Length);
writer.WriteEndElement();
}
}
public abstract class Driver : TrustDriver
{
static readonly string base64Uri = SecurityJan2004Strings.EncodingTypeValueBase64Binary;
static readonly string hexBinaryUri = SecurityJan2004Strings.EncodingTypeValueHexBinary;
SecurityStandardsManager standardsManager;
List<SecurityTokenAuthenticator> entropyAuthenticators;
public Driver(SecurityStandardsManager standardsManager)
{
this.standardsManager = standardsManager;
this.entropyAuthenticators = new List<SecurityTokenAuthenticator>(2);
}
public abstract TrustDictionary DriverDictionary
{
get;
}
public override XmlDictionaryString RequestSecurityTokenAction
{
get
{
return DriverDictionary.RequestSecurityTokenIssuance;
}
}
public override XmlDictionaryString RequestSecurityTokenResponseAction
{
get
{
return DriverDictionary.RequestSecurityTokenIssuanceResponse;
}
}
public override string RequestTypeIssue
{
get
{
return DriverDictionary.RequestTypeIssue.Value;
}
}
public override string ComputedKeyAlgorithm
{
get { return DriverDictionary.Psha1ComputedKeyUri.Value; }
}
public override SecurityStandardsManager StandardsManager
{
get
{
return this.standardsManager;
}
}
public override XmlDictionaryString Namespace
{
get { return DriverDictionary.Namespace; }
}
public override RequestSecurityToken CreateRequestSecurityToken(XmlReader xmlReader)
{
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(xmlReader);
reader.MoveToStartElement(DriverDictionary.RequestSecurityToken, DriverDictionary.Namespace);
string context = null;
string tokenTypeUri = null;
string requestType = null;
int keySize = 0;
XmlDocument doc = new XmlDocument();
XmlElement rstXml = (doc.ReadNode(reader) as XmlElement);
SecurityKeyIdentifierClause renewTarget = null;
SecurityKeyIdentifierClause closeTarget = null;
for (int i = 0; i < rstXml.Attributes.Count; ++i)
{
XmlAttribute attr = rstXml.Attributes[i];
if (attr.LocalName == DriverDictionary.Context.Value)
{
context = attr.Value;
}
}
for (int i = 0; i < rstXml.ChildNodes.Count; ++i)
{
XmlElement child = (rstXml.ChildNodes[i] as XmlElement);
if (child != null)
{
if (child.LocalName == DriverDictionary.TokenType.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
tokenTypeUri = XmlHelper.ReadTextElementAsTrimmedString(child);
else if (child.LocalName == DriverDictionary.RequestType.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
requestType = XmlHelper.ReadTextElementAsTrimmedString(child);
else if (child.LocalName == DriverDictionary.KeySize.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
keySize = Int32.Parse(XmlHelper.ReadTextElementAsTrimmedString(child), NumberFormatInfo.InvariantInfo);
}
}
ReadTargets(rstXml, out renewTarget, out closeTarget);
RequestSecurityToken rst = new RequestSecurityToken(standardsManager, rstXml, context, tokenTypeUri, requestType, keySize, renewTarget, closeTarget);
return rst;
}
System.IdentityModel.XmlBuffer GetIssuedTokenBuffer(System.IdentityModel.XmlBuffer rstrBuffer)
{
System.IdentityModel.XmlBuffer issuedTokenBuffer = null;
using (XmlDictionaryReader reader = rstrBuffer.GetReader(0))
{
reader.ReadFullStartElement();
while (reader.IsStartElement())
{
if (reader.IsStartElement(this.DriverDictionary.RequestedSecurityToken, this.DriverDictionary.Namespace))
{
reader.ReadStartElement();
reader.MoveToContent();
issuedTokenBuffer = new System.IdentityModel.XmlBuffer(Int32.MaxValue);
using (XmlDictionaryWriter writer = issuedTokenBuffer.OpenSection(reader.Quotas))
{
writer.WriteNode(reader, false);
issuedTokenBuffer.CloseSection();
issuedTokenBuffer.Close();
}
reader.ReadEndElement();
break;
}
else
{
reader.Skip();
}
}
}
return issuedTokenBuffer;
}
public override RequestSecurityTokenResponse CreateRequestSecurityTokenResponse(XmlReader xmlReader)
{
if (xmlReader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("xmlReader");
}
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(xmlReader);
if (reader.IsStartElement(DriverDictionary.RequestSecurityTokenResponse, DriverDictionary.Namespace) == false)
{
XmlHelper.OnRequiredElementMissing(DriverDictionary.RequestSecurityTokenResponse.Value, DriverDictionary.Namespace.Value);
}
System.IdentityModel.XmlBuffer rstrBuffer = new System.IdentityModel.XmlBuffer(Int32.MaxValue);
using (XmlDictionaryWriter writer = rstrBuffer.OpenSection(reader.Quotas))
{
writer.WriteNode(reader, false);
rstrBuffer.CloseSection();
rstrBuffer.Close();
}
XmlDocument doc = new XmlDocument();
XmlElement rstrXml;
using (XmlReader reader2 = rstrBuffer.GetReader(0))
{
rstrXml = (doc.ReadNode(reader2) as XmlElement);
}
System.IdentityModel.XmlBuffer issuedTokenBuffer = GetIssuedTokenBuffer(rstrBuffer);
string context = null;
string tokenTypeUri = null;
int keySize = 0;
SecurityKeyIdentifierClause requestedAttachedReference = null;
SecurityKeyIdentifierClause requestedUnattachedReference = null;
bool computeKey = false;
DateTime created = DateTime.UtcNow;
DateTime expires = SecurityUtils.MaxUtcDateTime;
bool isRequestedTokenClosed = false;
for (int i = 0; i < rstrXml.Attributes.Count; ++i)
{
XmlAttribute attr = rstrXml.Attributes[i];
if (attr.LocalName == DriverDictionary.Context.Value)
{
context = attr.Value;
}
}
for (int i = 0; i < rstrXml.ChildNodes.Count; ++i)
{
XmlElement child = (rstrXml.ChildNodes[i] as XmlElement);
if (child != null)
{
if (child.LocalName == DriverDictionary.TokenType.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
tokenTypeUri = XmlHelper.ReadTextElementAsTrimmedString(child);
else if (child.LocalName == DriverDictionary.KeySize.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
keySize = Int32.Parse(XmlHelper.ReadTextElementAsTrimmedString(child), NumberFormatInfo.InvariantInfo);
else if (child.LocalName == DriverDictionary.RequestedProofToken.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
{
XmlElement proofXml = XmlHelper.GetChildElement(child);
if (proofXml.LocalName == DriverDictionary.ComputedKey.Value && proofXml.NamespaceURI == DriverDictionary.Namespace.Value)
{
string computedKeyAlgorithm = XmlHelper.ReadTextElementAsTrimmedString(proofXml);
if (computedKeyAlgorithm != this.DriverDictionary.Psha1ComputedKeyUri.Value)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.UnknownComputedKeyAlgorithm, computedKeyAlgorithm)));
}
computeKey = true;
}
}
else if (child.LocalName == DriverDictionary.Lifetime.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
{
XmlElement createdXml = XmlHelper.GetChildElement(child, UtilityStrings.CreatedElement, UtilityStrings.Namespace);
if (createdXml != null)
{
created = DateTime.ParseExact(XmlHelper.ReadTextElementAsTrimmedString(createdXml),
WSUtilitySpecificationVersion.AcceptedDateTimeFormats, DateTimeFormatInfo.InvariantInfo, DateTimeStyles.None).ToUniversalTime();
}
XmlElement expiresXml = XmlHelper.GetChildElement(child, UtilityStrings.ExpiresElement, UtilityStrings.Namespace);
if (expiresXml != null)
{
expires = DateTime.ParseExact(XmlHelper.ReadTextElementAsTrimmedString(expiresXml),
WSUtilitySpecificationVersion.AcceptedDateTimeFormats, DateTimeFormatInfo.InvariantInfo, DateTimeStyles.None).ToUniversalTime();
}
}
}
}
isRequestedTokenClosed = ReadRequestedTokenClosed(rstrXml);
ReadReferences(rstrXml, out requestedAttachedReference, out requestedUnattachedReference);
return new RequestSecurityTokenResponse(standardsManager, rstrXml, context, tokenTypeUri, keySize, requestedAttachedReference, requestedUnattachedReference,
computeKey, created, expires, isRequestedTokenClosed, issuedTokenBuffer);
}
public override RequestSecurityTokenResponseCollection CreateRequestSecurityTokenResponseCollection(XmlReader xmlReader)
{
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(xmlReader);
List<RequestSecurityTokenResponse> rstrCollection = new List<RequestSecurityTokenResponse>(2);
string rootName = reader.Name;
reader.ReadStartElement(DriverDictionary.RequestSecurityTokenResponseCollection, DriverDictionary.Namespace);
while (reader.IsStartElement(DriverDictionary.RequestSecurityTokenResponse.Value, DriverDictionary.Namespace.Value))
{
RequestSecurityTokenResponse rstr = this.CreateRequestSecurityTokenResponse(reader);
rstrCollection.Add(rstr);
}
reader.ReadEndElement();
if (rstrCollection.Count == 0)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.NoRequestSecurityTokenResponseElements)));
return new RequestSecurityTokenResponseCollection(rstrCollection.AsReadOnly(), this.StandardsManager);
}
XmlElement GetAppliesToElement(XmlElement rootElement)
{
if (rootElement == null)
{
return null;
}
for (int i = 0; i < rootElement.ChildNodes.Count; ++i)
{
XmlElement elem = (rootElement.ChildNodes[i] as XmlElement);
if (elem != null)
{
if (elem.LocalName == DriverDictionary.AppliesTo.Value && elem.NamespaceURI == Namespaces.WSPolicy)
{
return elem;
}
}
}
return null;
}
T GetAppliesTo<T>(XmlElement rootXml, XmlObjectSerializer serializer)
{
XmlElement appliesToElement = GetAppliesToElement(rootXml);
if (appliesToElement != null)
{
using (XmlReader reader = new XmlNodeReader(appliesToElement))
{
reader.ReadStartElement();
lock (serializer)
{
return (T)serializer.ReadObject(reader);
}
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.NoAppliesToPresent)));
}
}
public override T GetAppliesTo<T>(RequestSecurityToken rst, XmlObjectSerializer serializer)
{
if (rst == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rst");
return GetAppliesTo<T>(rst.RequestSecurityTokenXml, serializer);
}
public override T GetAppliesTo<T>(RequestSecurityTokenResponse rstr, XmlObjectSerializer serializer)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
return GetAppliesTo<T>(rstr.RequestSecurityTokenResponseXml, serializer);
}
public override bool IsAppliesTo(string localName, string namespaceUri)
{
return (localName == DriverDictionary.AppliesTo.Value && namespaceUri == Namespaces.WSPolicy);
}
void GetAppliesToQName(XmlElement rootElement, out string localName, out string namespaceUri)
{
localName = namespaceUri = null;
XmlElement appliesToElement = GetAppliesToElement(rootElement);
if (appliesToElement != null)
{
using (XmlReader reader = new XmlNodeReader(appliesToElement))
{
reader.ReadStartElement();
reader.MoveToContent();
localName = reader.LocalName;
namespaceUri = reader.NamespaceURI;
}
}
}
public override void GetAppliesToQName(RequestSecurityToken rst, out string localName, out string namespaceUri)
{
if (rst == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rst");
GetAppliesToQName(rst.RequestSecurityTokenXml, out localName, out namespaceUri);
}
public override void GetAppliesToQName(RequestSecurityTokenResponse rstr, out string localName, out string namespaceUri)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
GetAppliesToQName(rstr.RequestSecurityTokenResponseXml, out localName, out namespaceUri);
}
public override byte[] GetAuthenticator(RequestSecurityTokenResponse rstr)
{
if (rstr != null && rstr.RequestSecurityTokenResponseXml != null && rstr.RequestSecurityTokenResponseXml.ChildNodes != null)
{
for (int i = 0; i < rstr.RequestSecurityTokenResponseXml.ChildNodes.Count; ++i)
{
XmlElement element = rstr.RequestSecurityTokenResponseXml.ChildNodes[i] as XmlElement;
if (element != null)
{
if (element.LocalName == DriverDictionary.Authenticator.Value && element.NamespaceURI == DriverDictionary.Namespace.Value)
{
XmlElement combinedHashElement = XmlHelper.GetChildElement(element);
if (combinedHashElement.LocalName == DriverDictionary.CombinedHash.Value && combinedHashElement.NamespaceURI == DriverDictionary.Namespace.Value)
{
string authenticatorString = XmlHelper.ReadTextElementAsTrimmedString(combinedHashElement);
return Convert.FromBase64String(authenticatorString);
}
}
}
}
}
return null;
}
public override BinaryNegotiation GetBinaryNegotiation(RequestSecurityTokenResponse rstr)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
return GetBinaryNegotiation(rstr.RequestSecurityTokenResponseXml);
}
public override BinaryNegotiation GetBinaryNegotiation(RequestSecurityToken rst)
{
if (rst == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rst");
return GetBinaryNegotiation(rst.RequestSecurityTokenXml);
}
BinaryNegotiation GetBinaryNegotiation(XmlElement rootElement)
{
if (rootElement == null)
{
return null;
}
for (int i = 0; i < rootElement.ChildNodes.Count; ++i)
{
XmlElement elem = rootElement.ChildNodes[i] as XmlElement;
if (elem != null)
{
if (elem.LocalName == DriverDictionary.BinaryExchange.Value && elem.NamespaceURI == DriverDictionary.Namespace.Value)
{
return ReadBinaryNegotiation(elem);
}
}
}
return null;
}
public override SecurityToken GetEntropy(RequestSecurityToken rst, SecurityTokenResolver resolver)
{
if (rst == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rst");
return GetEntropy(rst.RequestSecurityTokenXml, resolver);
}
public override SecurityToken GetEntropy(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
return GetEntropy(rstr.RequestSecurityTokenResponseXml, resolver);
}
SecurityToken GetEntropy(XmlElement rootElement, SecurityTokenResolver resolver)
{
if (rootElement == null || rootElement.ChildNodes == null)
{
return null;
}
for (int i = 0; i < rootElement.ChildNodes.Count; ++i)
{
XmlElement element = rootElement.ChildNodes[i] as XmlElement;
if (element != null)
{
if (element.LocalName == DriverDictionary.Entropy.Value && element.NamespaceURI == DriverDictionary.Namespace.Value)
{
XmlElement tokenXml = XmlHelper.GetChildElement(element);
string valueTypeUri = element.GetAttribute(SecurityJan2004Strings.ValueType);
if (valueTypeUri.Length == 0)
valueTypeUri = null;
return standardsManager.SecurityTokenSerializer.ReadToken(new XmlNodeReader(tokenXml), resolver);
}
}
}
return null;
}
void GetIssuedAndProofXml(RequestSecurityTokenResponse rstr, out XmlElement issuedTokenXml, out XmlElement proofTokenXml)
{
issuedTokenXml = null;
proofTokenXml = null;
if ((rstr.RequestSecurityTokenResponseXml != null) && (rstr.RequestSecurityTokenResponseXml.ChildNodes != null))
{
for (int i = 0; i < rstr.RequestSecurityTokenResponseXml.ChildNodes.Count; ++i)
{
XmlElement elem = rstr.RequestSecurityTokenResponseXml.ChildNodes[i] as XmlElement;
if (elem != null)
{
if (elem.LocalName == DriverDictionary.RequestedSecurityToken.Value && elem.NamespaceURI == DriverDictionary.Namespace.Value)
{
if (issuedTokenXml != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.RstrHasMultipleIssuedTokens)));
}
issuedTokenXml = XmlHelper.GetChildElement(elem);
}
else if (elem.LocalName == DriverDictionary.RequestedProofToken.Value && elem.NamespaceURI == DriverDictionary.Namespace.Value)
{
if (proofTokenXml != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.RstrHasMultipleProofTokens)));
}
proofTokenXml = XmlHelper.GetChildElement(elem);
}
}
}
}
}
/// <summary>
/// The algorithm for computing the key is:
/// 1. If there is requestorEntropy:
/// a. If there is no <RequestedProofToken> use the requestorEntropy as the key
/// b. If there is a <RequestedProofToken> with a ComputedKeyUri, combine the client and server entropies
/// c. Anything else, throw
/// 2. If there is no requestorEntropy:
/// a. THere has to be a <RequestedProofToken> that contains the proof key
/// </summary>
public override GenericXmlSecurityToken GetIssuedToken(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver, IList<SecurityTokenAuthenticator> allowedAuthenticators, SecurityKeyEntropyMode keyEntropyMode, byte[] requestorEntropy, string expectedTokenType,
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies, int defaultKeySize, bool isBearerKeyType)
{
SecurityKeyEntropyModeHelper.Validate(keyEntropyMode);
if (defaultKeySize < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("defaultKeySize", SR.GetString(SR.ValueMustBeNonNegative)));
}
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
string tokenType;
if (rstr.TokenType != null)
{
if (expectedTokenType != null && expectedTokenType != rstr.TokenType)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BadIssuedTokenType, rstr.TokenType, expectedTokenType)));
}
tokenType = rstr.TokenType;
}
else
{
tokenType = expectedTokenType;
}
// search the response elements for licenseXml, proofXml, and lifetime
DateTime created = rstr.ValidFrom;
DateTime expires = rstr.ValidTo;
XmlElement proofXml;
XmlElement issuedTokenXml;
GetIssuedAndProofXml(rstr, out issuedTokenXml, out proofXml);
if (issuedTokenXml == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.NoLicenseXml)));
if (isBearerKeyType)
{
if (proofXml != null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyTypeCannotHaveProofKey)));
return new GenericXmlSecurityToken(issuedTokenXml, null, created, expires, rstr.RequestedAttachedReference, rstr.RequestedUnattachedReference, authorizationPolicies);
}
SecurityToken proofToken;
SecurityToken entropyToken = GetEntropy(rstr, resolver);
if (keyEntropyMode == SecurityKeyEntropyMode.ClientEntropy)
{
if (requestorEntropy == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresRequestorEntropy, keyEntropyMode)));
}
// enforce that there is no entropy or proof token in the RSTR
if (proofXml != null || entropyToken != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeCannotHaveProofTokenOrIssuerEntropy, keyEntropyMode)));
}
proofToken = new BinarySecretSecurityToken(requestorEntropy);
}
else if (keyEntropyMode == SecurityKeyEntropyMode.ServerEntropy)
{
if (requestorEntropy != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeCannotHaveRequestorEntropy, keyEntropyMode)));
}
if (rstr.ComputeKey || entropyToken != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeCannotHaveComputedKey, keyEntropyMode)));
}
if (proofXml == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresProofToken, keyEntropyMode)));
}
string valueTypeUri = proofXml.GetAttribute(SecurityJan2004Strings.ValueType);
if (valueTypeUri.Length == 0)
valueTypeUri = null;
proofToken = standardsManager.SecurityTokenSerializer.ReadToken(new XmlNodeReader(proofXml), resolver);
}
else
{
if (!rstr.ComputeKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresComputedKey, keyEntropyMode)));
}
if (entropyToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresIssuerEntropy, keyEntropyMode)));
}
if (requestorEntropy == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresRequestorEntropy, keyEntropyMode)));
}
if (rstr.KeySize == 0 && defaultKeySize == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.RstrKeySizeNotProvided)));
}
int issuedKeySize = (rstr.KeySize != 0) ? rstr.KeySize : defaultKeySize;
byte[] issuerEntropy;
if (entropyToken is BinarySecretSecurityToken)
issuerEntropy = ((BinarySecretSecurityToken)entropyToken).GetKeyBytes();
else if (entropyToken is WrappedKeySecurityToken)
issuerEntropy = ((WrappedKeySecurityToken)entropyToken).GetWrappedKey();
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.UnsupportedIssuerEntropyType)));
// compute the PSHA1 derived key
byte[] issuedKey = RequestSecurityTokenResponse.ComputeCombinedKey(requestorEntropy, issuerEntropy, issuedKeySize);
proofToken = new BinarySecretSecurityToken(issuedKey);
}
SecurityKeyIdentifierClause internalReference = rstr.RequestedAttachedReference;
SecurityKeyIdentifierClause externalReference = rstr.RequestedUnattachedReference;
return new BufferedGenericXmlSecurityToken(issuedTokenXml, proofToken, created, expires, internalReference, externalReference, authorizationPolicies, rstr.IssuedTokenBuffer);
}
public override GenericXmlSecurityToken GetIssuedToken(RequestSecurityTokenResponse rstr, string expectedTokenType,
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies, RSA clientKey)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("rstr"));
string tokenType;
if (rstr.TokenType != null)
{
if (expectedTokenType != null && expectedTokenType != rstr.TokenType)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BadIssuedTokenType, rstr.TokenType, expectedTokenType)));
}
tokenType = rstr.TokenType;
}
else
{
tokenType = expectedTokenType;
}
// search the response elements for licenseXml, proofXml, and lifetime
DateTime created = rstr.ValidFrom;
DateTime expires = rstr.ValidTo;
XmlElement proofXml;
XmlElement issuedTokenXml;
GetIssuedAndProofXml(rstr, out issuedTokenXml, out proofXml);
if (issuedTokenXml == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.NoLicenseXml)));
// enforce that there is no proof token in the RSTR
if (proofXml != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ProofTokenXmlUnexpectedInRstr)));
}
SecurityKeyIdentifierClause internalReference = rstr.RequestedAttachedReference;
SecurityKeyIdentifierClause externalReference = rstr.RequestedUnattachedReference;
SecurityToken proofToken = new RsaSecurityToken(clientKey);
return new BufferedGenericXmlSecurityToken(issuedTokenXml, proofToken, created, expires, internalReference, externalReference, authorizationPolicies, rstr.IssuedTokenBuffer);
}
public override bool IsAtRequestSecurityTokenResponse(XmlReader reader)
{
if (reader == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
return reader.IsStartElement(DriverDictionary.RequestSecurityTokenResponse.Value, DriverDictionary.Namespace.Value);
}
public override bool IsAtRequestSecurityTokenResponseCollection(XmlReader reader)
{
if (reader == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
return reader.IsStartElement(DriverDictionary.RequestSecurityTokenResponseCollection.Value, DriverDictionary.Namespace.Value);
}
public override bool IsRequestedSecurityTokenElement(string name, string nameSpace)
{
return (name == DriverDictionary.RequestedSecurityToken.Value && nameSpace == DriverDictionary.Namespace.Value);
}
public override bool IsRequestedProofTokenElement(string name, string nameSpace)
{
return (name == DriverDictionary.RequestedProofToken.Value && nameSpace == DriverDictionary.Namespace.Value);
}
public static BinaryNegotiation ReadBinaryNegotiation(XmlElement elem)
{
if (elem == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("elem");
// get the encoding and valueType attributes
string encodingUri = null;
string valueTypeUri = null;
byte[] negotiationData = null;
if (elem.Attributes != null)
{
for (int i = 0; i < elem.Attributes.Count; ++i)
{
XmlAttribute attr = elem.Attributes[i];
if (attr.LocalName == SecurityJan2004Strings.EncodingType && attr.NamespaceURI.Length == 0)
{
encodingUri = attr.Value;
if (encodingUri != base64Uri && encodingUri != hexBinaryUri)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.UnsupportedBinaryEncoding, encodingUri)));
}
}
else if (attr.LocalName == SecurityJan2004Strings.ValueType && attr.NamespaceURI.Length == 0)
{
valueTypeUri = attr.Value;
}
// ignore all other attributes
}
}
if (encodingUri == null)
{
XmlHelper.OnRequiredAttributeMissing("EncodingType", elem.Name);
}
if (valueTypeUri == null)
{
XmlHelper.OnRequiredAttributeMissing("ValueType", elem.Name);
}
string encodedBlob = XmlHelper.ReadTextElementAsTrimmedString(elem);
if (encodingUri == base64Uri)
{
negotiationData = Convert.FromBase64String(encodedBlob);
}
else
{
negotiationData = HexBinary.Parse(encodedBlob).Value;
}
return new BinaryNegotiation(valueTypeUri, negotiationData);
}
// Note in Apr2004, internal & external references aren't supported -
// our strategy is to see if there's a token reference (and use it for external ref) and backup is to scan the token xml to compute reference
protected virtual void ReadReferences(XmlElement rstrXml, out SecurityKeyIdentifierClause requestedAttachedReference,
out SecurityKeyIdentifierClause requestedUnattachedReference)
{
XmlElement issuedTokenXml = null;
requestedAttachedReference = null;
requestedUnattachedReference = null;
for (int i = 0; i < rstrXml.ChildNodes.Count; ++i)
{
XmlElement child = rstrXml.ChildNodes[i] as XmlElement;
if (child != null)
{
if (child.LocalName == DriverDictionary.RequestedSecurityToken.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
{
issuedTokenXml = XmlHelper.GetChildElement(child);
}
else if (child.LocalName == DriverDictionary.RequestedTokenReference.Value && child.NamespaceURI == DriverDictionary.Namespace.Value)
{
requestedUnattachedReference = GetKeyIdentifierXmlReferenceClause(XmlHelper.GetChildElement(child));
}
}
}
if (issuedTokenXml != null)
{
requestedAttachedReference = standardsManager.CreateKeyIdentifierClauseFromTokenXml(issuedTokenXml, SecurityTokenReferenceStyle.Internal);
if (requestedUnattachedReference == null)
{
try
{
requestedUnattachedReference = standardsManager.CreateKeyIdentifierClauseFromTokenXml(issuedTokenXml, SecurityTokenReferenceStyle.External);
}
catch (XmlException)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.TrustDriverIsUnableToCreatedNecessaryAttachedOrUnattachedReferences, issuedTokenXml.ToString())));
}
}
}
}
internal bool TryReadKeyIdentifierClause(XmlNodeReader reader, out SecurityKeyIdentifierClause keyIdentifierClause)
{
keyIdentifierClause = null;
try
{
keyIdentifierClause = standardsManager.SecurityTokenSerializer.ReadKeyIdentifierClause(reader);
}
catch (XmlException e)
{
if (Fx.IsFatal(e))
{
throw;
}
keyIdentifierClause = null;
return false;
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
keyIdentifierClause = null;
return false;
}
return true;
}
internal SecurityKeyIdentifierClause CreateGenericXmlSecurityKeyIdentifierClause(XmlNodeReader reader, XmlElement keyIdentifierReferenceXmlElement)
{
SecurityKeyIdentifierClause keyIdentifierClause = null;
XmlDictionaryReader localReader = XmlDictionaryReader.CreateDictionaryReader(reader);
string strId = localReader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
keyIdentifierClause = new GenericXmlSecurityKeyIdentifierClause(keyIdentifierReferenceXmlElement);
if (!String.IsNullOrEmpty(strId))
{
keyIdentifierClause.Id = strId;
}
return keyIdentifierClause;
}
internal SecurityKeyIdentifierClause GetKeyIdentifierXmlReferenceClause(XmlElement keyIdentifierReferenceXmlElement)
{
SecurityKeyIdentifierClause keyIdentifierClause = null;
XmlNodeReader reader = new XmlNodeReader(keyIdentifierReferenceXmlElement);
if (!this.TryReadKeyIdentifierClause(reader, out keyIdentifierClause))
{
keyIdentifierClause = CreateGenericXmlSecurityKeyIdentifierClause(new XmlNodeReader(keyIdentifierReferenceXmlElement), keyIdentifierReferenceXmlElement);
}
return keyIdentifierClause;
}
protected virtual bool ReadRequestedTokenClosed(XmlElement rstrXml)
{
return false;
}
protected virtual void ReadTargets(XmlElement rstXml, out SecurityKeyIdentifierClause renewTarget, out SecurityKeyIdentifierClause closeTarget)
{
renewTarget = null;
closeTarget = null;
}
public override void OnRSTRorRSTRCMissingException()
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ExpectedOneOfTwoElementsFromNamespace,
DriverDictionary.RequestSecurityTokenResponse, DriverDictionary.RequestSecurityTokenResponseCollection,
DriverDictionary.Namespace)));
}
void WriteAppliesTo(object appliesTo, Type appliesToType, XmlObjectSerializer serializer, XmlWriter xmlWriter)
{
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter);
writer.WriteStartElement(Namespaces.WSPolicyPrefix, DriverDictionary.AppliesTo.Value, Namespaces.WSPolicy);
lock (serializer)
{
serializer.WriteObject(writer, appliesTo);
}
writer.WriteEndElement();
}
public void WriteBinaryNegotiation(BinaryNegotiation negotiation, XmlWriter xmlWriter)
{
if (negotiation == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("negotiation");
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter);
negotiation.WriteTo(writer, this.DriverDictionary.Prefix.Value,
this.DriverDictionary.BinaryExchange, this.DriverDictionary.Namespace,
XD.SecurityJan2004Dictionary.ValueType, null);
}
public override void WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
{
if (rst == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rst");
}
if (xmlWriter == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("xmlWriter");
}
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter);
if (rst.IsReceiver)
{
rst.WriteTo(writer);
return;
}
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestSecurityToken, DriverDictionary.Namespace);
XmlHelper.AddNamespaceDeclaration(writer, DriverDictionary.Prefix.Value, DriverDictionary.Namespace);
if (rst.Context != null)
writer.WriteAttributeString(DriverDictionary.Context, null, rst.Context);
rst.OnWriteCustomAttributes(writer);
if (rst.TokenType != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.TokenType, DriverDictionary.Namespace);
writer.WriteString(rst.TokenType);
writer.WriteEndElement();
}
if (rst.RequestType != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestType, DriverDictionary.Namespace);
writer.WriteString(rst.RequestType);
writer.WriteEndElement();
}
if (rst.AppliesTo != null)
{
WriteAppliesTo(rst.AppliesTo, rst.AppliesToType, rst.AppliesToSerializer, writer);
}
SecurityToken entropyToken = rst.GetRequestorEntropy();
if (entropyToken != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.Entropy, DriverDictionary.Namespace);
standardsManager.SecurityTokenSerializer.WriteToken(writer, entropyToken);
writer.WriteEndElement();
}
if (rst.KeySize != 0)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.KeySize, DriverDictionary.Namespace);
writer.WriteValue(rst.KeySize);
writer.WriteEndElement();
}
BinaryNegotiation negotiationData = rst.GetBinaryNegotiation();
if (negotiationData != null)
WriteBinaryNegotiation(negotiationData, writer);
WriteTargets(rst, writer);
if (rst.RequestProperties != null)
{
foreach (XmlElement property in rst.RequestProperties)
{
property.WriteTo(writer);
}
}
rst.OnWriteCustomElements(writer);
writer.WriteEndElement();
}
protected virtual void WriteTargets(RequestSecurityToken rst, XmlDictionaryWriter writer)
{
}
// Note in Apr2004, internal & external references aren't supported - our strategy is to generate the external ref as the TokenReference.
protected virtual void WriteReferences(RequestSecurityTokenResponse rstr, XmlDictionaryWriter writer)
{
if (rstr.RequestedUnattachedReference != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestedTokenReference, DriverDictionary.Namespace);
standardsManager.SecurityTokenSerializer.WriteKeyIdentifierClause(writer, rstr.RequestedUnattachedReference);
writer.WriteEndElement();
}
}
protected virtual void WriteRequestedTokenClosed(RequestSecurityTokenResponse rstr, XmlDictionaryWriter writer)
{
}
public override void WriteRequestSecurityTokenResponse(RequestSecurityTokenResponse rstr, XmlWriter xmlWriter)
{
if (rstr == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstr");
if (xmlWriter == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("xmlWriter");
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter);
if (rstr.IsReceiver)
{
rstr.WriteTo(writer);
return;
}
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestSecurityTokenResponse, DriverDictionary.Namespace);
if (rstr.Context != null)
{
writer.WriteAttributeString(DriverDictionary.Context, null, rstr.Context);
}
// define WSUtility at the top level to avoid multiple definitions below
XmlHelper.AddNamespaceDeclaration(writer, UtilityStrings.Prefix, XD.UtilityDictionary.Namespace);
rstr.OnWriteCustomAttributes(writer);
if (rstr.TokenType != null)
writer.WriteElementString(DriverDictionary.Prefix.Value, DriverDictionary.TokenType, DriverDictionary.Namespace, rstr.TokenType);
if (rstr.RequestedSecurityToken != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestedSecurityToken, DriverDictionary.Namespace);
standardsManager.SecurityTokenSerializer.WriteToken(writer, rstr.RequestedSecurityToken);
writer.WriteEndElement();
}
if (rstr.AppliesTo != null)
{
WriteAppliesTo(rstr.AppliesTo, rstr.AppliesToType, rstr.AppliesToSerializer, writer);
}
WriteReferences(rstr, writer);
if (rstr.ComputeKey || rstr.RequestedProofToken != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestedProofToken, DriverDictionary.Namespace);
if (rstr.ComputeKey)
{
writer.WriteElementString(DriverDictionary.Prefix.Value, DriverDictionary.ComputedKey, DriverDictionary.Namespace, DriverDictionary.Psha1ComputedKeyUri.Value);
}
else
{
standardsManager.SecurityTokenSerializer.WriteToken(writer, rstr.RequestedProofToken);
}
writer.WriteEndElement();
}
SecurityToken entropyToken = rstr.GetIssuerEntropy();
if (entropyToken != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.Entropy, DriverDictionary.Namespace);
standardsManager.SecurityTokenSerializer.WriteToken(writer, entropyToken);
writer.WriteEndElement();
}
// To write out the lifetime, the following algorithm is used
// 1. If the lifetime is explicitly set, write it out.
// 2. Else, if a token/tokenbuilder has been set, use the lifetime in that.
// 3. Else do not serialize lifetime
if (rstr.IsLifetimeSet || rstr.RequestedSecurityToken != null)
{
DateTime effectiveTime = SecurityUtils.MinUtcDateTime;
DateTime expirationTime = SecurityUtils.MaxUtcDateTime;
if (rstr.IsLifetimeSet)
{
effectiveTime = rstr.ValidFrom.ToUniversalTime();
expirationTime = rstr.ValidTo.ToUniversalTime();
}
else if (rstr.RequestedSecurityToken != null)
{
effectiveTime = rstr.RequestedSecurityToken.ValidFrom.ToUniversalTime();
expirationTime = rstr.RequestedSecurityToken.ValidTo.ToUniversalTime();
}
// write out the lifetime
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.Lifetime, DriverDictionary.Namespace);
// write out Created
writer.WriteStartElement(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.CreatedElement, XD.UtilityDictionary.Namespace);
writer.WriteString(effectiveTime.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", CultureInfo.InvariantCulture.DateTimeFormat));
writer.WriteEndElement(); // wsu:Created
// write out Expires
writer.WriteStartElement(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.ExpiresElement, XD.UtilityDictionary.Namespace);
writer.WriteString(expirationTime.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", CultureInfo.InvariantCulture.DateTimeFormat));
writer.WriteEndElement(); // wsu:Expires
writer.WriteEndElement(); // wsse:Lifetime
}
byte[] authenticator = rstr.GetAuthenticator();
if (authenticator != null)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.Authenticator, DriverDictionary.Namespace);
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.CombinedHash, DriverDictionary.Namespace);
writer.WriteBase64(authenticator, 0, authenticator.Length);
writer.WriteEndElement();
writer.WriteEndElement();
}
if (rstr.KeySize > 0)
{
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.KeySize, DriverDictionary.Namespace);
writer.WriteValue(rstr.KeySize);
writer.WriteEndElement();
}
WriteRequestedTokenClosed(rstr, writer);
BinaryNegotiation negotiationData = rstr.GetBinaryNegotiation();
if (negotiationData != null)
WriteBinaryNegotiation(negotiationData, writer);
rstr.OnWriteCustomElements(writer);
writer.WriteEndElement();
}
public override void WriteRequestSecurityTokenResponseCollection(RequestSecurityTokenResponseCollection rstrCollection, XmlWriter xmlWriter)
{
if (rstrCollection == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rstrCollection");
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter);
writer.WriteStartElement(DriverDictionary.Prefix.Value, DriverDictionary.RequestSecurityTokenResponseCollection, DriverDictionary.Namespace);
foreach (RequestSecurityTokenResponse rstr in rstrCollection.RstrCollection)
{
rstr.WriteTo(writer);
}
writer.WriteEndElement();
}
protected void SetProtectionLevelForFederation(OperationDescriptionCollection operations)
{
foreach (OperationDescription operation in operations)
{
foreach (MessageDescription message in operation.Messages)
{
if (message.Body.Parts.Count > 0)
{
foreach (MessagePartDescription part in message.Body.Parts)
{
part.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
}
}
if (OperationFormatter.IsValidReturnValue(message.Body.ReturnValue))
{
message.Body.ReturnValue.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
}
}
}
}
public override bool TryParseKeySizeElement(XmlElement element, out int keySize)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
if (element.LocalName == this.DriverDictionary.KeySize.Value
&& element.NamespaceURI == this.DriverDictionary.Namespace.Value)
{
keySize = Int32.Parse(XmlHelper.ReadTextElementAsTrimmedString(element), NumberFormatInfo.InvariantInfo);
return true;
}
keySize = 0;
return false;
}
public override XmlElement CreateKeySizeElement(int keySize)
{
if (keySize < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("keySize", SR.GetString(SR.ValueMustBeNonNegative)));
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.KeySize.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(keySize.ToString(System.Globalization.CultureInfo.InvariantCulture.NumberFormat)));
return result;
}
public override XmlElement CreateKeyTypeElement(SecurityKeyType keyType)
{
if (keyType == SecurityKeyType.SymmetricKey)
return CreateSymmetricKeyTypeElement();
else if (keyType == SecurityKeyType.AsymmetricKey)
return CreatePublicKeyTypeElement();
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnableToCreateKeyTypeElementForUnknownKeyType, keyType.ToString())));
}
public override bool TryParseKeyTypeElement(XmlElement element, out SecurityKeyType keyType)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
if (TryParseSymmetricKeyElement(element))
{
keyType = SecurityKeyType.SymmetricKey;
return true;
}
else if (TryParsePublicKeyElement(element))
{
keyType = SecurityKeyType.AsymmetricKey;
return true;
}
keyType = SecurityKeyType.SymmetricKey;
return false;
}
public bool TryParseSymmetricKeyElement(XmlElement element)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
return element.LocalName == this.DriverDictionary.KeyType.Value
&& element.NamespaceURI == this.DriverDictionary.Namespace.Value
&& element.InnerText == this.DriverDictionary.SymmetricKeyType.Value;
}
XmlElement CreateSymmetricKeyTypeElement()
{
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.KeyType.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(this.DriverDictionary.SymmetricKeyType.Value));
return result;
}
bool TryParsePublicKeyElement(XmlElement element)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
return element.LocalName == this.DriverDictionary.KeyType.Value
&& element.NamespaceURI == this.DriverDictionary.Namespace.Value
&& element.InnerText == this.DriverDictionary.PublicKeyType.Value;
}
XmlElement CreatePublicKeyTypeElement()
{
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.KeyType.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(this.DriverDictionary.PublicKeyType.Value));
return result;
}
public override bool TryParseTokenTypeElement(XmlElement element, out string tokenType)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
if (element.LocalName == this.DriverDictionary.TokenType.Value
&& element.NamespaceURI == this.DriverDictionary.Namespace.Value)
{
tokenType = element.InnerText;
return true;
}
tokenType = null;
return false;
}
public override XmlElement CreateTokenTypeElement(string tokenTypeUri)
{
if (tokenTypeUri == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenTypeUri");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.TokenType.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(tokenTypeUri));
return result;
}
public override XmlElement CreateUseKeyElement(SecurityKeyIdentifier keyIdentifier, SecurityStandardsManager standardsManager)
{
if (keyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
}
if (standardsManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("standardsManager");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.UseKey.Value, this.DriverDictionary.Namespace.Value);
MemoryStream stream = new MemoryStream();
using (XmlDictionaryWriter writer = XmlDictionaryWriter.CreateDictionaryWriter(new XmlTextWriter(stream, Encoding.UTF8)))
{
#pragma warning suppress 56506 // standardsManager.SecurityTokenSerializer can never be null.
standardsManager.SecurityTokenSerializer.WriteKeyIdentifier(writer, keyIdentifier);
writer.Flush();
stream.Seek(0, SeekOrigin.Begin);
XmlNode skiNode;
using (XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit }))
{
reader.MoveToContent();
skiNode = doc.ReadNode(reader);
}
result.AppendChild(skiNode);
}
return result;
}
public override XmlElement CreateSignWithElement(string signatureAlgorithm)
{
if (signatureAlgorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signatureAlgorithm");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.SignWith.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(signatureAlgorithm));
return result;
}
internal override bool IsSignWithElement(XmlElement element, out string signatureAlgorithm)
{
return CheckElement(element, this.DriverDictionary.SignWith.Value, this.DriverDictionary.Namespace.Value, out signatureAlgorithm);
}
public override XmlElement CreateEncryptWithElement(string encryptionAlgorithm)
{
if (encryptionAlgorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("encryptionAlgorithm");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.EncryptWith.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(encryptionAlgorithm));
return result;
}
public override XmlElement CreateEncryptionAlgorithmElement(string encryptionAlgorithm)
{
if (encryptionAlgorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("encryptionAlgorithm");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.EncryptionAlgorithm.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(encryptionAlgorithm));
return result;
}
internal override bool IsEncryptWithElement(XmlElement element, out string encryptWithAlgorithm)
{
return CheckElement(element, this.DriverDictionary.EncryptWith.Value, this.DriverDictionary.Namespace.Value, out encryptWithAlgorithm);
}
internal override bool IsEncryptionAlgorithmElement(XmlElement element, out string encryptionAlgorithm)
{
return CheckElement(element, this.DriverDictionary.EncryptionAlgorithm.Value, this.DriverDictionary.Namespace.Value, out encryptionAlgorithm);
}
public override XmlElement CreateComputedKeyAlgorithmElement(string algorithm)
{
if (algorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithm");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.ComputedKeyAlgorithm.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(algorithm));
return result;
}
public override XmlElement CreateCanonicalizationAlgorithmElement(string algorithm)
{
if (algorithm == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("algorithm");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.CanonicalizationAlgorithm.Value,
this.DriverDictionary.Namespace.Value);
result.AppendChild(doc.CreateTextNode(algorithm));
return result;
}
internal override bool IsCanonicalizationAlgorithmElement(XmlElement element, out string canonicalizationAlgorithm)
{
return CheckElement(element, this.DriverDictionary.CanonicalizationAlgorithm.Value, this.DriverDictionary.Namespace.Value, out canonicalizationAlgorithm);
}
public override bool TryParseRequiredClaimsElement(XmlElement element, out System.Collections.ObjectModel.Collection<XmlElement> requiredClaims)
{
if (element == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
if (element.LocalName == this.DriverDictionary.Claims.Value
&& element.NamespaceURI == this.DriverDictionary.Namespace.Value)
{
requiredClaims = new System.Collections.ObjectModel.Collection<XmlElement>();
foreach (XmlNode node in element.ChildNodes)
if (node is XmlElement)
{
// PreSharp Bug: Parameter 'requiredClaims' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
requiredClaims.Add((XmlElement)node);
}
return true;
}
requiredClaims = null;
return false;
}
public override XmlElement CreateRequiredClaimsElement(IEnumerable<XmlElement> claimsList)
{
if (claimsList == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claimsList");
}
XmlDocument doc = new XmlDocument();
XmlElement result = doc.CreateElement(this.DriverDictionary.Prefix.Value, this.DriverDictionary.Claims.Value,
this.DriverDictionary.Namespace.Value);
foreach (XmlElement claimElement in claimsList)
{
XmlElement element = (XmlElement)doc.ImportNode(claimElement, true);
result.AppendChild(element);
}
return result;
}
internal static void ValidateRequestedKeySize(int keySize, SecurityAlgorithmSuite algorithmSuite)
{
if ((keySize % 8 == 0) && algorithmSuite.IsSymmetricKeyLengthSupported(keySize))
{
return;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidKeyLengthRequested, keySize)));
}
}
static void ValidateRequestorEntropy(SecurityToken entropy, SecurityKeyEntropyMode mode)
{
if ((mode == SecurityKeyEntropyMode.ClientEntropy || mode == SecurityKeyEntropyMode.CombinedEntropy)
&& (entropy == null))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new InvalidOperationException(SR.GetString(SR.EntropyModeRequiresRequestorEntropy, mode)));
}
if (mode == SecurityKeyEntropyMode.ServerEntropy && entropy != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new InvalidOperationException(SR.GetString(SR.EntropyModeCannotHaveRequestorEntropy, mode)));
}
}
internal static void ProcessRstAndIssueKey(RequestSecurityToken requestSecurityToken, SecurityTokenResolver resolver, SecurityKeyEntropyMode keyEntropyMode, SecurityAlgorithmSuite algorithmSuite, out int issuedKeySize, out byte[] issuerEntropy, out byte[] proofKey,
out SecurityToken proofToken)
{
SecurityToken requestorEntropyToken = requestSecurityToken.GetRequestorEntropy(resolver);
ValidateRequestorEntropy(requestorEntropyToken, keyEntropyMode);
byte[] requestorEntropy;
if (requestorEntropyToken != null)
{
if (requestorEntropyToken is BinarySecretSecurityToken)
{
BinarySecretSecurityToken skToken = (BinarySecretSecurityToken)requestorEntropyToken;
requestorEntropy = skToken.GetKeyBytes();
}
else if (requestorEntropyToken is WrappedKeySecurityToken)
{
requestorEntropy = ((WrappedKeySecurityToken)requestorEntropyToken).GetWrappedKey();
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new InvalidOperationException(SR.GetString(SR.TokenCannotCreateSymmetricCrypto, requestorEntropyToken)));
}
}
else
{
requestorEntropy = null;
}
if (keyEntropyMode == SecurityKeyEntropyMode.ClientEntropy)
{
if (requestorEntropy != null)
{
// validate that the entropy length matches the algorithm suite
ValidateRequestedKeySize(requestorEntropy.Length * 8, algorithmSuite);
}
proofKey = requestorEntropy;
issuerEntropy = null;
issuedKeySize = 0;
proofToken = null;
}
else
{
if (requestSecurityToken.KeySize != 0)
{
ValidateRequestedKeySize(requestSecurityToken.KeySize, algorithmSuite);
issuedKeySize = requestSecurityToken.KeySize;
}
else
{
issuedKeySize = algorithmSuite.DefaultSymmetricKeyLength;
}
RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
if (keyEntropyMode == SecurityKeyEntropyMode.ServerEntropy)
{
proofKey = new byte[issuedKeySize / 8];
// proof key is completely issued by the server
random.GetNonZeroBytes(proofKey);
issuerEntropy = null;
proofToken = new BinarySecretSecurityToken(proofKey);
}
else
{
issuerEntropy = new byte[issuedKeySize / 8];
random.GetNonZeroBytes(issuerEntropy);
proofKey = RequestSecurityTokenResponse.ComputeCombinedKey(requestorEntropy, issuerEntropy, issuedKeySize);
proofToken = null;
}
}
}
}
protected static bool CheckElement(XmlElement element, string name, string ns, out string value)
{
value = null;
if (element.LocalName != name || element.NamespaceURI != ns)
return false;
if (element.FirstChild is XmlText)
{
value = ((XmlText)element.FirstChild).Value;
return true;
}
return false;
}
}
}
|