You've already forked linux-packaging-mono
							
							
		
			
				
	
	
		
			334 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
			
		
		
	
	
			334 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
| //------------------------------------------------------------
 | |
| // Copyright (c) Microsoft Corporation.  All rights reserved.
 | |
| //------------------------------------------------------------
 | |
| 
 | |
| namespace System.ServiceModel.Security
 | |
| {
 | |
|     using System.IdentityModel.Tokens;
 | |
|     using System.ServiceModel;
 | |
|     using System.IdentityModel.Selectors;
 | |
|     using System.ServiceModel.Security.Tokens;
 | |
|     using System.IO;
 | |
|     using System.Globalization;
 | |
|     using System.Security.Cryptography.X509Certificates;
 | |
| 
 | |
|     internal sealed class SecurityHeaderTokenResolver : SecurityTokenResolver, System.IdentityModel.IWrappedTokenKeyResolver
 | |
|     {
 | |
|         const int InitialTokenArraySize = 10;
 | |
|         int tokenCount;
 | |
|         SecurityTokenEntry[] tokens;
 | |
|         SecurityToken expectedWrapper;
 | |
|         SecurityTokenParameters expectedWrapperTokenParameters;
 | |
|         ReceiveSecurityHeader securityHeader;
 | |
| 
 | |
|         public SecurityHeaderTokenResolver()
 | |
|             : this(null)
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public SecurityHeaderTokenResolver(ReceiveSecurityHeader securityHeader)
 | |
|         {
 | |
|             this.tokens = new SecurityTokenEntry[InitialTokenArraySize];
 | |
|             this.securityHeader = securityHeader;
 | |
|         }
 | |
| 
 | |
|         public SecurityToken ExpectedWrapper
 | |
|         {
 | |
|             get { return this.expectedWrapper; }
 | |
|             set { this.expectedWrapper = value; }
 | |
|         }
 | |
| 
 | |
|         public SecurityTokenParameters ExpectedWrapperTokenParameters
 | |
|         {
 | |
|             get { return this.expectedWrapperTokenParameters; }
 | |
|             set { this.expectedWrapperTokenParameters = value; }
 | |
|         }
 | |
| 
 | |
|         public void Add(SecurityToken token)
 | |
|         {
 | |
|             Add(token, SecurityTokenReferenceStyle.Internal, null);
 | |
|         }
 | |
| 
 | |
|         public void Add(SecurityToken token, SecurityTokenReferenceStyle allowedReferenceStyle, SecurityTokenParameters tokenParameters)
 | |
|         {
 | |
|             if (token == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
 | |
|             }
 | |
| 
 | |
|             if ((allowedReferenceStyle == SecurityTokenReferenceStyle.External) && (tokenParameters == null))
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.ResolvingExternalTokensRequireSecurityTokenParameters));
 | |
|             }
 | |
| 
 | |
|             EnsureCapacityToAddToken();
 | |
|             this.tokens[this.tokenCount++] = new SecurityTokenEntry(token, tokenParameters, allowedReferenceStyle);
 | |
|         }
 | |
| 
 | |
|         void EnsureCapacityToAddToken()
 | |
|         {
 | |
|             if (this.tokenCount == this.tokens.Length)
 | |
|             {
 | |
|                 SecurityTokenEntry[] newTokens = new SecurityTokenEntry[this.tokens.Length * 2];
 | |
|                 Array.Copy(this.tokens, 0, newTokens, 0, this.tokenCount);
 | |
|                 this.tokens = newTokens;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public bool CheckExternalWrapperMatch(SecurityKeyIdentifier keyIdentifier)
 | |
|         {
 | |
|             if (this.expectedWrapper == null || this.expectedWrapperTokenParameters == null)
 | |
|             {
 | |
|                 return false;
 | |
|             }
 | |
| 
 | |
|             for (int i = 0; i < keyIdentifier.Count; i++)
 | |
|             {
 | |
|                 if (this.expectedWrapperTokenParameters.MatchesKeyIdentifierClause(this.expectedWrapper, keyIdentifier[i], SecurityTokenReferenceStyle.External))
 | |
|                 {
 | |
|                     return true;
 | |
|                 }
 | |
|             }
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         internal SecurityToken ResolveToken(SecurityKeyIdentifier keyIdentifier, bool matchOnlyExternalTokens, bool resolveIntrinsicKeyClause)
 | |
|         {
 | |
|             if (keyIdentifier == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
 | |
|             }
 | |
|             for (int i = 0; i < keyIdentifier.Count; i++)
 | |
|             {
 | |
|                 SecurityToken token = ResolveToken(keyIdentifier[i], matchOnlyExternalTokens, resolveIntrinsicKeyClause);
 | |
|                 if (token != null)
 | |
|                 {
 | |
|                     return token;
 | |
|                 }
 | |
|             }
 | |
|             return null;
 | |
|         }
 | |
| 
 | |
|         SecurityKey ResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, bool createIntrinsicKeys)
 | |
|         {
 | |
|             if (keyIdentifierClause == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("keyIdentifierClause"));
 | |
|             }
 | |
| 
 | |
|             SecurityKey securityKey;
 | |
|             for (int i = 0; i < this.tokenCount; i++)
 | |
|             {
 | |
|                 securityKey = this.tokens[i].Token.ResolveKeyIdentifierClause(keyIdentifierClause);
 | |
|                 if (securityKey != null)
 | |
|                 {
 | |
|                     return securityKey;
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             if (createIntrinsicKeys)
 | |
|             {
 | |
|                 if (SecurityUtils.TryCreateKeyFromIntrinsicKeyClause(keyIdentifierClause, this, out securityKey))
 | |
|                 {
 | |
|                     return securityKey;
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             return null;
 | |
|         }
 | |
| 
 | |
|         bool MatchDirectReference(SecurityToken token, SecurityKeyIdentifierClause keyClause)
 | |
|         {
 | |
|             LocalIdKeyIdentifierClause localClause = keyClause as LocalIdKeyIdentifierClause;
 | |
|             if (localClause == null) return false;
 | |
|             return token.MatchesKeyIdentifierClause(localClause);
 | |
|         }
 | |
| 
 | |
|         internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
 | |
|         {
 | |
|             if (keyIdentifierClause == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
 | |
|             }
 | |
| 
 | |
|             SecurityToken resolvedToken = null;
 | |
|             for (int i = 0; i < this.tokenCount; i++)
 | |
|             {
 | |
|                 if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
 | |
|                 {
 | |
|                     continue;
 | |
|                 }
 | |
| 
 | |
|                 SecurityToken token = tokens[i].Token;
 | |
|                 if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle))
 | |
|                 {
 | |
|                     resolvedToken = token;
 | |
|                     break;
 | |
|                 }
 | |
|                 else if (tokens[i].TokenParameters == null)
 | |
|                 {
 | |
|                     // match it according to the allowed reference style
 | |
|                     if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
 | |
|                     {
 | |
|                         resolvedToken = token;
 | |
|                         break;
 | |
|                     }
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
 | |
|             {
 | |
|                 EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
 | |
|                 SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier;
 | |
|                 SecurityToken unwrappingToken;
 | |
|                 if (this.expectedWrapper != null 
 | |
|                     && CheckExternalWrapperMatch(wrappingTokenReference))
 | |
|                     unwrappingToken = this.expectedWrapper;
 | |
|                 else
 | |
|                     unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause);
 | |
|                 if (unwrappingToken != null)
 | |
|                 {
 | |
|                     resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken);
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
 | |
|             {
 | |
|                 resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
 | |
|             }
 | |
| 
 | |
|             byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
 | |
|             if ((resolvedToken != null) && (derivationNonce != null))
 | |
|             {
 | |
|                 // A Implicit Derived Key is specified. Create a derived key off of the resolve token.
 | |
|                 if (SecurityUtils.GetSecurityKey<SymmetricSecurityKey>(resolvedToken) == null)
 | |
|                 {
 | |
|                     // The resolved token contains no Symmetric Security key and thus we cannot create 
 | |
|                     // a derived key off of it.
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
 | |
|                 }
 | |
| 
 | |
|                 int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
 | |
|                 if (derivationLength > this.securityHeader.MaxDerivedKeyLength)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength)));
 | |
|                 bool alreadyDerived = false;
 | |
|                 for (int i = 0; i < this.tokenCount; ++i)
 | |
|                 {
 | |
|                     DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken;
 | |
|                     if (derivedKeyToken != null)
 | |
|                     {
 | |
|                         if ((derivedKeyToken.Length == derivationLength) &&
 | |
|                             (CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) && 
 | |
|                             (derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
 | |
|                         {
 | |
|                             // This is a implcit derived key for which we have already derived the
 | |
|                             // token.
 | |
|                             resolvedToken = this.tokens[i].Token;
 | |
|                             alreadyDerived = true;
 | |
|                             break;
 | |
|                         }
 | |
|                     }
 | |
|                 }
 | |
| 
 | |
|                 if (!alreadyDerived)
 | |
|                 {
 | |
|                     string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
 | |
| 
 | |
|                     resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
 | |
|                     ((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
 | |
|                     Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
 | |
|                     this.securityHeader.EnsureDerivedKeyLimitNotReached();
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             return resolvedToken;
 | |
|         }
 | |
| 
 | |
|         public override string ToString()
 | |
|         {
 | |
|             using (StringWriter writer = new StringWriter(CultureInfo.InvariantCulture))
 | |
|             {
 | |
|                 writer.WriteLine("SecurityTokenResolver");
 | |
|                 writer.WriteLine("    (");
 | |
|                 writer.WriteLine("    TokenCount = {0},", this.tokenCount);
 | |
|                 for (int i = 0; i < this.tokenCount; i++)
 | |
|                 {
 | |
|                     writer.WriteLine("    TokenEntry[{0}] = (AllowedReferenceStyle={1}, Token={2}, Parameters={3})",
 | |
|                         i, this.tokens[i].AllowedReferenceStyle, this.tokens[i].Token.GetType(), tokens[i].TokenParameters);
 | |
|                 }
 | |
|                 writer.WriteLine("    )");
 | |
|                 return writer.ToString();
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
 | |
|         {
 | |
|             token = ResolveToken(keyIdentifier, false, true);
 | |
|             return token != null;
 | |
|         }
 | |
| 
 | |
|         internal bool TryResolveToken(SecurityKeyIdentifier keyIdentifier, bool matchOnlyExternalTokens, bool resolveIntrinsicKeyClause, out SecurityToken token)
 | |
|         {
 | |
|             token = ResolveToken(keyIdentifier, matchOnlyExternalTokens, resolveIntrinsicKeyClause);
 | |
|             return token != null;
 | |
|         }
 | |
| 
 | |
|         protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
 | |
|         {
 | |
|             token = ResolveToken(keyIdentifierClause, false, true);
 | |
|             return token != null;
 | |
|         }
 | |
| 
 | |
|         internal bool TryResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternalTokens, bool resolveIntrinsicKeyClause, out SecurityToken token)
 | |
|         {
 | |
|             token = ResolveToken(keyIdentifierClause, matchOnlyExternalTokens, resolveIntrinsicKeyClause);
 | |
|             return token != null;
 | |
|         }
 | |
| 
 | |
|         internal bool TryResolveSecurityKey(SecurityKeyIdentifierClause keyIdentifierClause, bool createIntrinsicKeys, out SecurityKey key)
 | |
|         {
 | |
|             if (keyIdentifierClause == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
 | |
|             }
 | |
|             key = this.ResolveSecurityKeyCore(keyIdentifierClause, createIntrinsicKeys);
 | |
|             return key != null;
 | |
|         }
 | |
| 
 | |
|         protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
 | |
|         {
 | |
|             key = ResolveSecurityKeyCore(keyIdentifierClause, true);
 | |
|             return key != null;
 | |
|         }
 | |
| 
 | |
|         struct SecurityTokenEntry
 | |
|         {
 | |
|             SecurityTokenParameters tokenParameters;
 | |
|             SecurityToken token;
 | |
|             SecurityTokenReferenceStyle allowedReferenceStyle;
 | |
| 
 | |
|             public SecurityTokenEntry(SecurityToken token, SecurityTokenParameters tokenParameters, SecurityTokenReferenceStyle allowedReferenceStyle)
 | |
|             {
 | |
|                 this.token = token;
 | |
|                 this.tokenParameters = tokenParameters;
 | |
|                 this.allowedReferenceStyle = allowedReferenceStyle; 
 | |
|             }
 | |
| 
 | |
|             public SecurityToken Token
 | |
|             {
 | |
|                 get { return this.token; }
 | |
|             }
 | |
| 
 | |
|             public SecurityTokenParameters TokenParameters
 | |
|             {
 | |
|                 get { return this.tokenParameters; }
 | |
|             }
 | |
| 
 | |
|             public SecurityTokenReferenceStyle AllowedReferenceStyle
 | |
|             {
 | |
|                 get { return this.allowedReferenceStyle; }
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| }
 |