//------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //------------------------------------------------------------ namespace System.ServiceModel { using System.Runtime; using System.ComponentModel; using System.Runtime.CompilerServices; using System.ServiceModel.Channels; using System.ServiceModel.Security; using System.ServiceModel.Security.Tokens; public sealed class MessageSecurityOverMsmq { internal const MessageCredentialType DefaultClientCredentialType = MessageCredentialType.Windows; MessageCredentialType clientCredentialType; SecurityAlgorithmSuite algorithmSuite; bool wasAlgorithmSuiteSet; public MessageSecurityOverMsmq() { clientCredentialType = DefaultClientCredentialType; algorithmSuite = SecurityAlgorithmSuite.Default; } [DefaultValue(MsmqDefaults.DefaultClientCredentialType)] public MessageCredentialType ClientCredentialType { get { return this.clientCredentialType; } set { if (!MessageCredentialTypeHelper.IsDefined(value)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value")); } this.clientCredentialType = value; } } [DefaultValue(typeof(SecurityAlgorithmSuite), System.ServiceModel.Configuration.ConfigurationStrings.Default)] public SecurityAlgorithmSuite AlgorithmSuite { get { return this.algorithmSuite; } set { if (value == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value"); } this.algorithmSuite = value; wasAlgorithmSuiteSet = true; } } internal bool WasAlgorithmSuiteSet { get { return this.wasAlgorithmSuiteSet; } } [MethodImpl(MethodImplOptions.NoInlining)] internal SecurityBindingElement CreateSecurityBindingElement() { SymmetricSecurityBindingElement result; bool isKerberosSelected = false; switch (this.clientCredentialType) { case MessageCredentialType.None: result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); break; case MessageCredentialType.UserName: result = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); break; case MessageCredentialType.Certificate: result = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(); break; case MessageCredentialType.Windows: result = SecurityBindingElement.CreateKerberosBindingElement(); isKerberosSelected = true; break; case MessageCredentialType.IssuedToken: result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite)); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; // set the algorithm suite and issued token params if required if (wasAlgorithmSuiteSet || !isKerberosSelected) { result.DefaultAlgorithmSuite = this.AlgorithmSuite; } else if (isKerberosSelected) { result.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault; } result.IncludeTimestamp = false; result.LocalServiceSettings.DetectReplays = false; result.LocalClientSettings.DetectReplays = false; return result; } internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity) { messageSecurity = null; if (sbe == null) return false; SymmetricSecurityBindingElement ssbe = sbe as SymmetricSecurityBindingElement; if (ssbe == null) return false; if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 && sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11) { return false; } // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings if (ssbe.IncludeTimestamp) return false; bool isKerberosSelected = false; MessageCredentialType clientCredentialType; IssuedSecurityTokenParameters issuedParameters; if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe)) { clientCredentialType = MessageCredentialType.None; } else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe)) { clientCredentialType = MessageCredentialType.UserName; } else if (SecurityBindingElement.IsMutualCertificateBinding(sbe)) { clientCredentialType = MessageCredentialType.Certificate; } else if (SecurityBindingElement.IsKerberosBinding(sbe)) { clientCredentialType = MessageCredentialType.Windows; isKerberosSelected = true; } else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out issuedParameters)) { if (!IssuedSecurityTokenParameters.IsInfoCardParameters( issuedParameters, new SecurityStandardsManager( sbe.MessageSecurityVersion, new WSSecurityTokenSerializer( sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)))) return false; clientCredentialType = MessageCredentialType.IssuedToken; } else { return false; } messageSecurity = new MessageSecurityOverMsmq(); messageSecurity.ClientCredentialType = clientCredentialType; // set the algorithm suite and issued token params if required if (clientCredentialType != MessageCredentialType.IssuedToken && !isKerberosSelected) { messageSecurity.AlgorithmSuite = ssbe.DefaultAlgorithmSuite; } return true; } } }