You've already forked linux-packaging-mono
							
							
		
			
				
	
	
		
			961 lines
		
	
	
		
			35 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
			
		
		
	
	
			961 lines
		
	
	
		
			35 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
| //------------------------------------------------------------
 | |
| // Copyright (c) Microsoft Corporation.  All rights reserved.
 | |
| //------------------------------------------------------------
 | |
| namespace System.ServiceModel.Channels
 | |
| {
 | |
|     using System.Collections.Generic;
 | |
|     using System.Collections.ObjectModel;
 | |
|     using System.Diagnostics;
 | |
|     using System.IdentityModel.Claims;
 | |
|     using System.IdentityModel.Policy;
 | |
|     using System.IdentityModel.Selectors;
 | |
|     using System.IdentityModel.Tokens;
 | |
|     using System.Runtime;
 | |
|     using System.Runtime.CompilerServices;
 | |
|     using System.Runtime.Serialization;
 | |
|     using System.Security.Cryptography;
 | |
|     using System.Security.Cryptography.X509Certificates;
 | |
|     using System.ServiceModel.Diagnostics;
 | |
|     using System.ServiceModel.Security;
 | |
|     using System.ServiceModel.Security.Tokens;
 | |
|     using System.Text;
 | |
|     using System.Xml;
 | |
| 
 | |
|     class PeerSecurityHelpers
 | |
|     {
 | |
|         public static byte[] ComputeHash(X509Certificate2 cert, string pwd)
 | |
|         {
 | |
|             RSACryptoServiceProvider keyProv = cert.PublicKey.Key as RSACryptoServiceProvider;
 | |
|             Fx.Assert(keyProv != null, "Remote Peer's credentials are invalid!");
 | |
|             byte[] key = keyProv.ExportCspBlob(false);
 | |
|             return ComputeHash(key, pwd);
 | |
|         }
 | |
| 
 | |
|         public static byte[] ComputeHash(Claim claim, string pwd)
 | |
|         {
 | |
|             RSACryptoServiceProvider provider = claim.Resource as RSACryptoServiceProvider;
 | |
|             if (provider == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claim");
 | |
|             using (provider)
 | |
|             {
 | |
|                 byte[] keyBlob = provider.ExportCspBlob(false);
 | |
|                 if (keyBlob == null)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
 | |
|                 return ComputeHash(keyBlob, pwd);
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public static byte[] ComputeHash(byte[] message, string pwd)
 | |
|         {
 | |
|             byte[] returnValue = null;
 | |
|             RuntimeHelpers.PrepareConstrainedRegions();
 | |
|             byte[] pwdBytes = null;
 | |
|             byte[] pwdHash = null;
 | |
|             byte[] tempBuffer = null;
 | |
|             try
 | |
|             {
 | |
|                 pwdBytes = UnicodeEncoding.Unicode.GetBytes(pwd.Trim());
 | |
|                 using (HMACSHA256 algo = new HMACSHA256(pwdBytes))
 | |
|                 {
 | |
|                     using (SHA256Managed sha = new SHA256Managed())
 | |
|                     {
 | |
|                         pwdHash = sha.ComputeHash(pwdBytes);
 | |
|                         tempBuffer = DiagnosticUtility.Utility.AllocateByteArray(checked(message.Length + pwdHash.Length));
 | |
|                         Array.Copy(pwdHash, tempBuffer, pwdHash.Length);
 | |
|                         Array.Copy(message, 0, tempBuffer, pwdHash.Length, message.Length);
 | |
| 
 | |
|                         returnValue = algo.ComputeHash(tempBuffer);
 | |
|                     }
 | |
|                 }
 | |
|             }
 | |
|             finally
 | |
|             {
 | |
|                 ArrayClear(pwdBytes);
 | |
|                 ArrayClear(pwdHash);
 | |
|                 ArrayClear(tempBuffer);
 | |
|             }
 | |
|             return returnValue;
 | |
|         }
 | |
| 
 | |
|         static void ArrayClear(byte[] buffer)
 | |
|         {
 | |
|             if (buffer != null)
 | |
|                 Array.Clear(buffer, 0, buffer.Length);
 | |
|         }
 | |
| 
 | |
|         public static bool Authenticate(Claim claim, string password, byte[] authenticator)
 | |
|         {
 | |
|             bool returnValue = false;
 | |
|             if (authenticator == null)
 | |
|                 return false;
 | |
|             byte[] hash = null;
 | |
|             RuntimeHelpers.PrepareConstrainedRegions();
 | |
|             try
 | |
|             {
 | |
|                 hash = ComputeHash(claim, password);
 | |
|                 if (hash.Length == authenticator.Length)
 | |
|                 {
 | |
|                     for (int i = 0; i < hash.Length; i++)
 | |
|                     {
 | |
|                         if (hash[i] != authenticator[i])
 | |
|                         {
 | |
|                             returnValue = false;
 | |
|                             break;
 | |
|                         }
 | |
|                     }
 | |
|                     returnValue = true;
 | |
|                 }
 | |
|             }
 | |
|             finally
 | |
|             {
 | |
|                 ArrayClear(hash);
 | |
|             }
 | |
| 
 | |
|             return returnValue;
 | |
|         }
 | |
| 
 | |
|         public static bool AuthenticateRequest(Claim claim, string password, Message message)
 | |
|         {
 | |
|             PeerHashToken request = PeerRequestSecurityToken.CreateHashTokenFrom(message);
 | |
|             return request.Validate(claim, password);
 | |
|         }
 | |
| 
 | |
|         public static bool AuthenticateResponse(Claim claim, string password, Message message)
 | |
|         {
 | |
|             PeerHashToken request = PeerRequestSecurityTokenResponse.CreateHashTokenFrom(message);
 | |
|             return request.Validate(claim, password);
 | |
|         }
 | |
| 
 | |
|     }
 | |
| 
 | |
| 
 | |
|     internal class PeerIdentityClaim
 | |
|     {
 | |
|         const string resourceValue = "peer";
 | |
|         const string resourceRight = "peer";
 | |
|         public const string PeerClaimType = PeerStrings.Namespace + "/peer";
 | |
|         static internal Claim Claim()
 | |
|         {
 | |
|             return new Claim(PeerClaimType, resourceValue, resourceRight);
 | |
|         }
 | |
|         static internal bool IsMatch(EndpointIdentity identity)
 | |
|         {
 | |
|             return identity.IdentityClaim.ClaimType == PeerClaimType;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerDoNothingSecurityProtocol : SecurityProtocol
 | |
|     {
 | |
|         public PeerDoNothingSecurityProtocol(SecurityProtocolFactory factory) : base(factory, null, null) { }
 | |
|         public override void SecureOutgoingMessage(ref Message message, TimeSpan timeout)
 | |
|         {
 | |
|         }
 | |
|         public override void VerifyIncomingMessage(ref Message request, TimeSpan timeout)
 | |
|         {
 | |
|             try
 | |
|             {
 | |
|                 int i = request.Headers.FindHeader(SecurityJan2004Strings.Security, SecurityJan2004Strings.Namespace);
 | |
|                 if (i >= 0)
 | |
|                 {
 | |
|                     request.Headers.AddUnderstood(i);
 | |
|                 }
 | |
|             }
 | |
|             catch (MessageHeaderException e)
 | |
|             {
 | |
|                 DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|             }
 | |
|             catch (XmlException e)
 | |
|             {
 | |
|                 DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|             }
 | |
|             catch (SerializationException e)
 | |
|             {
 | |
|                 DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|             }
 | |
| 
 | |
|         }
 | |
| 
 | |
|         public override void OnAbort()
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public override void OnClose(TimeSpan timeout)
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public override void OnOpen(TimeSpan timeout)
 | |
|         {
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerDoNothingSecurityProtocolFactory : SecurityProtocolFactory
 | |
|     {
 | |
|         protected override SecurityProtocol OnCreateSecurityProtocol(EndpointAddress target, Uri via, object listenerSecurityState, TimeSpan timeout)
 | |
|         {
 | |
|             return new PeerDoNothingSecurityProtocol(this);
 | |
|         }
 | |
| 
 | |
|         public override void OnAbort()
 | |
|         {
 | |
|         }
 | |
| 
 | |
| 
 | |
|         public override void OnOpen(TimeSpan timeout)
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public override void OnClose(TimeSpan timeout)
 | |
|         {
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerIdentityVerifier : IdentityVerifier
 | |
|     {
 | |
|         public PeerIdentityVerifier() : base() { }
 | |
|         public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
 | |
|         {
 | |
|             return true;
 | |
|         }
 | |
|         public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
 | |
|         {
 | |
|             if (reference == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
 | |
| 
 | |
|             identity = reference.Identity;
 | |
|             if (identity == null)
 | |
|             {
 | |
|                 identity = new PeerEndpointIdentity();
 | |
|             }
 | |
|             return true;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerEndpointIdentity : EndpointIdentity
 | |
|     {
 | |
|         public PeerEndpointIdentity()
 | |
|             : base()
 | |
|         {
 | |
|             base.Initialize(PeerIdentityClaim.Claim());
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerX509TokenProvider : X509SecurityTokenProvider
 | |
|     {
 | |
|         X509CertificateValidator validator;
 | |
|         public PeerX509TokenProvider(X509CertificateValidator validator, X509Certificate2 credential)
 | |
|             : base(credential)
 | |
|         {
 | |
|             this.validator = validator;
 | |
|         }
 | |
| 
 | |
|         protected override SecurityToken GetTokenCore(TimeSpan timeout)
 | |
|         {
 | |
|             X509SecurityToken token = (X509SecurityToken)base.GetTokenCore(timeout);
 | |
|             if (validator != null)
 | |
|             {
 | |
|                 validator.Validate(token.Certificate);
 | |
|             }
 | |
|             return token;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerCertificateClientCredentials : SecurityCredentialsManager
 | |
|     {
 | |
|         X509Certificate2 selfCertificate;
 | |
|         X509CertificateValidator certificateValidator;
 | |
| 
 | |
|         public PeerCertificateClientCredentials(X509Certificate2 selfCertificate, X509CertificateValidator validator)
 | |
|         {
 | |
|             this.selfCertificate = selfCertificate;
 | |
|             this.certificateValidator = validator;
 | |
|         }
 | |
| 
 | |
|         public override SecurityTokenManager CreateSecurityTokenManager()
 | |
|         {
 | |
|             return new PeerCertificateClientCredentialsSecurityTokenManager(this);
 | |
|         }
 | |
| 
 | |
|         class PeerCertificateClientCredentialsSecurityTokenManager : SecurityTokenManager
 | |
|         {
 | |
|             PeerCertificateClientCredentials creds;
 | |
| 
 | |
|             public PeerCertificateClientCredentialsSecurityTokenManager(PeerCertificateClientCredentials creds)
 | |
|             {
 | |
|                 this.creds = creds;
 | |
|             }
 | |
| 
 | |
|             public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version)
 | |
|             {
 | |
|                 MessageSecurityTokenVersion messageVersion = (MessageSecurityTokenVersion)version;
 | |
|                 return new WSSecurityTokenSerializer(messageVersion.SecurityVersion, messageVersion.TrustVersion, messageVersion.SecureConversationVersion, messageVersion.EmitBspRequiredAttributes, null, null, null);
 | |
|             }
 | |
| 
 | |
|             public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
 | |
|             }
 | |
| 
 | |
|             public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
 | |
|             {
 | |
|                 if (requirement == null)
 | |
|                 {
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement");
 | |
|                 }
 | |
|                 if (requirement.TokenType == SecurityTokenTypes.X509Certificate && requirement.KeyUsage == SecurityKeyUsage.Signature)
 | |
|                 {
 | |
|                     return new PeerX509TokenProvider(this.creds.certificateValidator, this.creds.selfCertificate);
 | |
|                 }
 | |
|                 else
 | |
|                 {
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
 | |
|                 }
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     internal class PeerHashToken : SecurityToken
 | |
|     {
 | |
|         string id = SecurityUniqueId.Create().Value;
 | |
|         Uri status;
 | |
|         bool isValid;
 | |
|         ReadOnlyCollection<SecurityKey> keys;
 | |
|         internal const string TokenTypeString = PeerStrings.Namespace + "/peerhashtoken";
 | |
|         internal const string RequestTypeString = "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate";
 | |
|         internal const string Action = "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate";
 | |
|         public const string PeerNamespace = PeerStrings.Namespace;
 | |
|         public const string PeerTokenElementName = "PeerHashToken";
 | |
|         public const string PeerAuthenticatorElementName = "Authenticator";
 | |
|         public const string PeerPrefix = "peer";
 | |
|         static PeerHashToken invalid = new PeerHashToken();
 | |
| 
 | |
|         byte[] authenticator;
 | |
|         DateTime effectiveTime = DateTime.UtcNow;
 | |
|         DateTime expirationTime = DateTime.UtcNow.AddHours(10);
 | |
| 
 | |
|         PeerHashToken()
 | |
|         {
 | |
|             CheckValidity();
 | |
|         }
 | |
| 
 | |
|         public PeerHashToken(byte[] authenticator)
 | |
|         {
 | |
|             this.authenticator = authenticator;
 | |
|             CheckValidity();
 | |
|         }
 | |
| 
 | |
|         public PeerHashToken(X509Certificate2 certificate, string password)
 | |
|         {
 | |
|             this.authenticator = PeerSecurityHelpers.ComputeHash(certificate, password);
 | |
|             CheckValidity();
 | |
|         }
 | |
| 
 | |
|         public PeerHashToken(Claim claim, string password)
 | |
|         {
 | |
|             this.authenticator = PeerSecurityHelpers.ComputeHash(claim, password);
 | |
|             CheckValidity();
 | |
|         }
 | |
| 
 | |
|         public override string Id
 | |
|         {
 | |
|             get { return this.id; }
 | |
|         }
 | |
| 
 | |
|         public override DateTime ValidFrom
 | |
|         {
 | |
|             get { return this.effectiveTime; }
 | |
|         }
 | |
| 
 | |
|         public override DateTime ValidTo
 | |
|         {
 | |
|             get { return this.expirationTime; }
 | |
|         }
 | |
| 
 | |
|         public static PeerHashToken Invalid
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return invalid;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public override ReadOnlyCollection<SecurityKey> SecurityKeys
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 if (null == this.keys)
 | |
|                 {
 | |
|                     this.keys = new ReadOnlyCollection<SecurityKey>(new List<SecurityKey>());
 | |
|                 }
 | |
|                 return this.keys;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public Uri Status
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.status;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public bool IsValid
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.isValid;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public bool Validate(Claim claim, string password)
 | |
|         {
 | |
|             if (!(this.authenticator != null))
 | |
|             {
 | |
|                 throw Fx.AssertAndThrow("Incorrect initialization");
 | |
|             }
 | |
|             bool result = PeerSecurityHelpers.Authenticate(claim, password, this.authenticator);
 | |
|             return result;
 | |
|         }
 | |
| 
 | |
|         void CheckValidity()
 | |
|         {
 | |
|             isValid = this.authenticator != null;
 | |
|             status = new Uri(isValid ? PeerRequestSecurityTokenResponse.ValidString : PeerRequestSecurityTokenResponse.InvalidString);
 | |
|         }
 | |
| 
 | |
|         public void Write(XmlWriter writer)
 | |
|         {
 | |
|             writer.WriteStartElement(PeerPrefix, PeerTokenElementName, PeerNamespace);
 | |
|             writer.WriteStartElement(PeerPrefix, PeerAuthenticatorElementName, PeerNamespace);
 | |
|             writer.WriteString(Convert.ToBase64String(this.authenticator));
 | |
|             writer.WriteEndElement();
 | |
|             writer.WriteEndElement();
 | |
|         }
 | |
| 
 | |
|         internal static PeerHashToken CreateFrom(XmlElement child)
 | |
|         {
 | |
|             byte[] auth = null;
 | |
|             foreach (XmlNode node in child.ChildNodes)
 | |
|             {
 | |
|                 XmlElement element = (XmlElement)node;
 | |
| 
 | |
|                 if (element == null || !PeerRequestSecurityToken.CompareWithNS(element.LocalName, element.NamespaceURI, PeerTokenElementName, PeerNamespace))
 | |
|                     continue;
 | |
|                 if (element.ChildNodes.Count != 1)
 | |
|                     break;
 | |
|                 XmlElement authElement = element.ChildNodes[0] as XmlElement;
 | |
|                 if (authElement == null || !PeerRequestSecurityToken.CompareWithNS(authElement.LocalName, authElement.NamespaceURI, PeerAuthenticatorElementName, PeerNamespace))
 | |
|                     break;
 | |
|                 try
 | |
|                 {
 | |
|                     auth = Convert.FromBase64String(XmlHelper.ReadTextElementAsTrimmedString(authElement));
 | |
|                     break;
 | |
|                 }
 | |
|                 catch (ArgumentNullException e)
 | |
|                 {
 | |
|                     DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|                 }
 | |
|                 catch (FormatException e)
 | |
|                 {
 | |
|                     DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|                 }
 | |
|             }
 | |
|             return new PeerHashToken(auth);
 | |
|         }
 | |
| 
 | |
|         public override bool Equals(object token)
 | |
|         {
 | |
|             PeerHashToken that = token as PeerHashToken;
 | |
|             if (that == null)
 | |
|                 return false;
 | |
|             if (Object.ReferenceEquals(that, this))
 | |
|                 return true;
 | |
|             if (this.authenticator != null && that.authenticator != null && this.authenticator.Length == that.authenticator.Length)
 | |
|             {
 | |
|                 for (int i = 0; i < this.authenticator.Length; i++)
 | |
|                 {
 | |
|                     if (this.authenticator[i] != that.authenticator[i])
 | |
|                         return false;
 | |
|                 }
 | |
|                 return true;
 | |
|             }
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         public override int GetHashCode()
 | |
|         {
 | |
|             return isValid ? this.authenticator.GetHashCode() : 0;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerSecurityTokenSerializer : WSSecurityTokenSerializer
 | |
|     {
 | |
|         public override SecurityKeyIdentifierClause CreateKeyIdentifierClauseFromTokenXml(XmlElement element, SecurityTokenReferenceStyle tokenReferenceStyle)
 | |
|         {
 | |
|             return null;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     internal class PeerRequestSecurityToken : RequestSecurityToken
 | |
|     {
 | |
|         PeerHashToken token;
 | |
|         public const string TrustNamespace = TrustFeb2005Strings.Namespace;
 | |
|         public const string PeerNamespace = PeerStrings.Namespace;
 | |
|         public const string RequestElementName = "RequestSecurityToken";
 | |
|         public const string RequestedSecurityTokenElementName = "RequestedSecurityToken";
 | |
|         public const string PeerHashTokenElementName = "PeerHashToken";
 | |
| 
 | |
|         public PeerRequestSecurityToken(PeerHashToken token)
 | |
|             : base()
 | |
|         {
 | |
|             this.token = token;
 | |
|             this.TokenType = PeerHashToken.TokenTypeString;
 | |
|             this.RequestType = PeerHashToken.RequestTypeString;
 | |
|         }
 | |
| 
 | |
|         public PeerHashToken Token
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.token;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public static PeerHashToken CreateHashTokenFrom(Message message)
 | |
|         {
 | |
|             PeerHashToken token = PeerHashToken.Invalid;
 | |
|             XmlReader reader = message.GetReaderAtBodyContents();
 | |
|             RequestSecurityToken rst = RequestSecurityToken.CreateFrom(reader);
 | |
|             XmlElement rstXml = rst.RequestSecurityTokenXml;
 | |
|             if (rstXml != null)
 | |
|             {
 | |
| 
 | |
|                 //find the wrapper element
 | |
|                 foreach (XmlNode node in rst.RequestSecurityTokenXml.ChildNodes)
 | |
|                 {
 | |
|                     XmlElement element = (XmlElement)node;
 | |
|                     if (element == null || !PeerRequestSecurityToken.CompareWithNS(element.LocalName, element.NamespaceURI, PeerRequestSecurityToken.RequestedSecurityTokenElementName, TrustFeb2005Strings.Namespace))
 | |
|                         continue;
 | |
|                     token = PeerHashToken.CreateFrom(element);
 | |
|                 }
 | |
|             }
 | |
|             return token;
 | |
|         }
 | |
| 
 | |
|         public PeerRequestSecurityToken CreateFrom(X509Certificate2 credential, string password)
 | |
|         {
 | |
|             PeerHashToken token = new PeerHashToken(credential, password);
 | |
|             return new PeerRequestSecurityToken(token);
 | |
|         }
 | |
| 
 | |
| 
 | |
|         internal protected override void OnWriteCustomElements(XmlWriter writer)
 | |
|         {
 | |
|             if (!(token != null && token.IsValid))
 | |
|             {
 | |
|                 throw Fx.AssertAndThrow("Could not construct a valid RST without token!");
 | |
|             }
 | |
|             string wstprefix = writer.LookupPrefix(TrustNamespace);
 | |
| 
 | |
|             writer.WriteStartElement(wstprefix, TrustFeb2005Strings.RequestedSecurityToken, TrustFeb2005Strings.Namespace);
 | |
|             token.Write(writer);
 | |
|             writer.WriteEndElement();
 | |
|         }
 | |
| 
 | |
|         internal protected override void OnMakeReadOnly() { }
 | |
|         internal static bool CompareWithNS(string first, string firstNS, string second, string secondNS)
 | |
|         {
 | |
|             return ((String.Compare(first, second, StringComparison.Ordinal) == 0)
 | |
|                 && (String.Compare(firstNS, secondNS, StringComparison.OrdinalIgnoreCase) == 0));
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerRequestSecurityTokenResponse : RequestSecurityTokenResponse
 | |
|     {
 | |
|         public const string Action = "http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate";
 | |
|         public const string ValidString = "http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid";
 | |
|         public const string InvalidString = "http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid";
 | |
|         public const string StatusString = "Status";
 | |
|         public const string CodeString = "Code";
 | |
| 
 | |
|         PeerHashToken token;
 | |
|         bool isValid = false;
 | |
| 
 | |
|         public PeerRequestSecurityTokenResponse()
 | |
|             : this(null)
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public PeerRequestSecurityTokenResponse(PeerHashToken token)
 | |
|         {
 | |
|             this.token = token;
 | |
|             this.isValid = (token != null && token.IsValid);
 | |
|         }
 | |
| 
 | |
|         public PeerHashToken Token
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 if (!(this.isValid))
 | |
|                 {
 | |
|                     throw Fx.AssertAndThrow("should not be called when the token is invalid!");
 | |
|                 }
 | |
|                 return this.token;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public bool IsValid
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.isValid;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public static PeerHashToken CreateHashTokenFrom(Message message)
 | |
|         {
 | |
|             PeerHashToken token = PeerHashToken.Invalid;
 | |
|             RequestSecurityTokenResponse response = RequestSecurityTokenResponse.CreateFrom(message.GetReaderAtBodyContents(), MessageSecurityVersion.Default, new PeerSecurityTokenSerializer());
 | |
|             if (String.Compare(response.TokenType, PeerHashToken.TokenTypeString, StringComparison.OrdinalIgnoreCase) != 0)
 | |
|             {
 | |
|                 return token;
 | |
|             }
 | |
|             XmlElement responseXml = response.RequestSecurityTokenResponseXml;
 | |
|             if (responseXml != null)
 | |
|             {
 | |
|                 foreach (XmlElement child in responseXml.ChildNodes)
 | |
|                 {
 | |
|                     if (PeerRequestSecurityToken.CompareWithNS(child.LocalName, child.NamespaceURI, StatusString, TrustFeb2005Strings.Namespace))
 | |
|                     {
 | |
|                         if (child.ChildNodes.Count == 1)
 | |
|                         {
 | |
|                             XmlElement desc = (child.ChildNodes[0] as XmlElement);
 | |
|                             if (PeerRequestSecurityToken.CompareWithNS(desc.LocalName, desc.NamespaceURI, CodeString, TrustFeb2005Strings.Namespace))
 | |
|                             {
 | |
|                                 string code = XmlHelper.ReadTextElementAsTrimmedString(desc);
 | |
|                                 if (String.Compare(code, ValidString, StringComparison.OrdinalIgnoreCase) != 0)
 | |
|                                     break;
 | |
|                             }
 | |
|                         }
 | |
|                     }
 | |
|                     else if (PeerRequestSecurityToken.CompareWithNS(child.LocalName, child.NamespaceURI, TrustFeb2005Strings.RequestedSecurityToken, TrustFeb2005Strings.Namespace))
 | |
|                     {
 | |
|                         token = PeerHashToken.CreateFrom(child);
 | |
|                         break;
 | |
|                     }
 | |
|                 }
 | |
|             }
 | |
|             return token;
 | |
|         }
 | |
| 
 | |
|         public static RequestSecurityTokenResponse CreateFrom(X509Certificate2 credential, string password)
 | |
|         {
 | |
|             PeerHashToken token = new PeerHashToken(credential, password);
 | |
|             return new PeerRequestSecurityTokenResponse(token);
 | |
|         }
 | |
| 
 | |
|         internal protected override void OnWriteCustomElements(XmlWriter writer)
 | |
|         {
 | |
|             string wstprefix = writer.LookupPrefix(TrustFeb2005Strings.Namespace);
 | |
| 
 | |
|             writer.WriteStartElement(wstprefix, TrustFeb2005Strings.TokenType, TrustFeb2005Strings.Namespace);
 | |
|             writer.WriteString(PeerHashToken.TokenTypeString);
 | |
|             writer.WriteEndElement();
 | |
| 
 | |
|             writer.WriteStartElement(wstprefix, StatusString, TrustFeb2005Strings.Namespace);
 | |
|             writer.WriteStartElement(wstprefix, CodeString, TrustFeb2005Strings.Namespace);
 | |
|             if (!this.IsValid)
 | |
|                 writer.WriteString(InvalidString);
 | |
|             else
 | |
|                 writer.WriteString(ValidString);
 | |
|             writer.WriteEndElement();
 | |
|             writer.WriteEndElement();
 | |
|             if (this.IsValid)
 | |
|             {
 | |
|                 writer.WriteStartElement(wstprefix, PeerRequestSecurityToken.RequestedSecurityTokenElementName, TrustFeb2005Strings.Namespace);
 | |
|                 this.token.Write(writer);
 | |
|                 writer.WriteEndElement();
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     class PeerChannelAuthenticatorExtension : IExtension<IPeerNeighbor>
 | |
|     {
 | |
|         IPeerNeighbor host;
 | |
|         PeerSecurityManager securityManager;
 | |
|         PeerAuthState state;
 | |
|         EventArgs originalArgs;
 | |
|         EventHandler onSucceeded;
 | |
|         IOThreadTimer timer = null;
 | |
|         object thisLock = new object();
 | |
|         static TimeSpan Timeout = new TimeSpan(0, 2, 0);
 | |
|         string meshId;
 | |
| 
 | |
|         enum PeerAuthState
 | |
|         {
 | |
|             Created,
 | |
|             Authenticated,
 | |
|             Failed
 | |
|         }
 | |
| 
 | |
|         public PeerChannelAuthenticatorExtension(PeerSecurityManager securityManager, EventHandler onSucceeded, EventArgs args, string meshId)
 | |
|         {
 | |
|             this.securityManager = securityManager;
 | |
|             this.state = PeerAuthState.Created;
 | |
|             this.originalArgs = args;
 | |
|             this.onSucceeded = onSucceeded;
 | |
|             this.meshId = meshId;
 | |
|         }
 | |
| 
 | |
|         object ThisLock
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.thisLock;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public void Attach(IPeerNeighbor host)
 | |
|         {
 | |
|             Fx.AssertAndThrow(this.securityManager.AuthenticationMode == PeerAuthenticationMode.Password, "Invalid AuthenticationMode!");
 | |
|             Fx.AssertAndThrow(host != null, "unrecognized host!");
 | |
|             this.host = host;
 | |
|             this.timer = new IOThreadTimer(new Action<object>(OnTimeout), null, true);
 | |
|             this.timer.Set(Timeout);
 | |
|         }
 | |
| 
 | |
|         static public void OnNeighborClosed(IPeerNeighbor neighbor)
 | |
|         {
 | |
|             Fx.Assert(neighbor != null, "Neighbor must have a value");
 | |
|             PeerChannelAuthenticatorExtension ext = neighbor.Extensions.Find<PeerChannelAuthenticatorExtension>();
 | |
|             if (ext != null) neighbor.Extensions.Remove(ext);
 | |
|         }
 | |
| 
 | |
|         public void Detach(IPeerNeighbor host)
 | |
|         {
 | |
| 
 | |
|             Fx.Assert(host != null, "unrecognized host!");
 | |
|             if (host.State < PeerNeighborState.Authenticated)
 | |
|             {
 | |
|                 OnFailed(host);
 | |
|             }
 | |
|             this.host = null;
 | |
|             this.timer.Cancel();
 | |
|         }
 | |
| 
 | |
|         void OnTimeout(object state)
 | |
|         {
 | |
|             IPeerNeighbor neighbor = host;
 | |
|             if (neighbor == null)
 | |
|                 return;
 | |
|             if (neighbor.State < PeerNeighborState.Authenticated)
 | |
|             {
 | |
|                 OnFailed(neighbor);
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public void InitiateHandShake()
 | |
|         {
 | |
|             IPeerNeighbor neighbor = host;
 | |
|             Message reply = null;
 | |
| 
 | |
|             Fx.Assert(host != null, "Cannot initiate security handshake without a host!");
 | |
| 
 | |
|             //send the RST message.
 | |
|             using (OperationContextScope scope = new OperationContextScope(new OperationContext((ServiceHostBase)null)))
 | |
|             {
 | |
|                 PeerHashToken token = this.securityManager.GetSelfToken();
 | |
|                 Message request = Message.CreateMessage(MessageVersion.Soap12WSAddressing10, TrustFeb2005Strings.RequestSecurityToken, new PeerRequestSecurityToken(token));
 | |
|                 bool fatal = false;
 | |
|                 try
 | |
|                 {
 | |
|                     reply = neighbor.RequestSecurityToken(request);
 | |
| 
 | |
|                     if (!(reply != null))
 | |
|                     {
 | |
|                         throw Fx.AssertAndThrow("SecurityHandshake return empty message!");
 | |
|                     }
 | |
|                     ProcessRstr(neighbor, reply, PeerSecurityManager.FindClaim(ServiceSecurityContext.Current));
 | |
|                 }
 | |
|                 catch (Exception e)
 | |
|                 {
 | |
|                     if (Fx.IsFatal(e))
 | |
|                     {
 | |
|                         fatal = true;
 | |
|                         throw;
 | |
|                     }
 | |
|                     DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|                     this.state = PeerAuthState.Failed;
 | |
|                     if (DiagnosticUtility.ShouldTraceError)
 | |
|                     {
 | |
|                         ServiceSecurityContext context = ServiceSecurityContext.Current;
 | |
|                         ClaimSet claimSet = null;
 | |
|                         if (context != null && context.AuthorizationContext != null && context.AuthorizationContext.ClaimSets != null && context.AuthorizationContext.ClaimSets.Count > 0)
 | |
|                             claimSet = context.AuthorizationContext.ClaimSets[0];
 | |
|                         PeerAuthenticationFailureTraceRecord record = new PeerAuthenticationFailureTraceRecord(
 | |
|                                                                     meshId,
 | |
|                                                                     neighbor.ListenAddress.EndpointAddress.ToString(),
 | |
|                                                                     claimSet,
 | |
|                                                                     e);
 | |
|                         TraceUtility.TraceEvent(TraceEventType.Error,
 | |
|                             TraceCode.PeerNodeAuthenticationFailure, SR.GetString(SR.TraceCodePeerNodeAuthenticationFailure),
 | |
|                             record, this, null);
 | |
|                     }
 | |
|                     neighbor.Abort(PeerCloseReason.AuthenticationFailure, PeerCloseInitiator.LocalNode);
 | |
|                 }
 | |
|                 finally
 | |
|                 {
 | |
|                     if (!fatal)
 | |
|                         request.Close();
 | |
|                 }
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public Message ProcessRst(Message message, Claim claim)
 | |
|         {
 | |
|             IPeerNeighbor neighbor = host;
 | |
|             PeerRequestSecurityTokenResponse response = null;
 | |
|             Message reply = null;
 | |
| 
 | |
|             lock (ThisLock)
 | |
|             {
 | |
|                 if (this.state != PeerAuthState.Created || neighbor == null || neighbor.IsInitiator || neighbor.State != PeerNeighborState.Opened)
 | |
|                 {
 | |
|                     OnFailed(neighbor);
 | |
|                     return null;
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             try
 | |
|             {
 | |
|                 PeerHashToken receivedToken = PeerRequestSecurityToken.CreateHashTokenFrom(message);
 | |
|                 PeerHashToken expectedToken = securityManager.GetExpectedTokenForClaim(claim);
 | |
| 
 | |
|                 if (!expectedToken.Equals(receivedToken))
 | |
|                 {
 | |
|                     OnFailed(neighbor);
 | |
|                 }
 | |
|                 else
 | |
|                 {
 | |
|                     this.state = PeerAuthState.Authenticated;
 | |
|                     PeerHashToken selfToken = securityManager.GetSelfToken();
 | |
|                     response = new PeerRequestSecurityTokenResponse(selfToken);
 | |
|                     reply = Message.CreateMessage(MessageVersion.Soap12WSAddressing10, TrustFeb2005Strings.RequestSecurityTokenResponse, response);
 | |
|                     OnAuthenticated();
 | |
|                 }
 | |
|             }
 | |
|             catch (Exception e)
 | |
|             {
 | |
|                 if (Fx.IsFatal(e)) throw;
 | |
|                 DiagnosticUtility.TraceHandledException(e, TraceEventType.Information);
 | |
|                 OnFailed(neighbor);
 | |
|             }
 | |
|             return reply;
 | |
|         }
 | |
| 
 | |
|         public void ProcessRstr(IPeerNeighbor neighbor, Message message, Claim claim)
 | |
|         {
 | |
|             PeerHashToken receivedToken = PeerRequestSecurityTokenResponse.CreateHashTokenFrom(message);
 | |
| 
 | |
|             if (!receivedToken.IsValid)
 | |
|             {
 | |
|                 OnFailed(neighbor);
 | |
|             }
 | |
|             else
 | |
|             {
 | |
|                 PeerHashToken expectedToken = securityManager.GetExpectedTokenForClaim(claim);
 | |
|                 if (!expectedToken.Equals(receivedToken))
 | |
|                     OnFailed(neighbor);
 | |
|                 else
 | |
|                     OnAuthenticated();
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public void OnAuthenticated()
 | |
|         {
 | |
|             IPeerNeighbor neighbor = null;
 | |
|             lock (ThisLock)
 | |
|             {
 | |
|                 this.timer.Cancel();
 | |
|                 neighbor = this.host;
 | |
|                 this.state = PeerAuthState.Authenticated;
 | |
|             }
 | |
|             if (neighbor == null)
 | |
|                 return;
 | |
|             neighbor.TrySetState(PeerNeighborState.Authenticated);
 | |
|             onSucceeded(neighbor, originalArgs);
 | |
|         }
 | |
| 
 | |
|         void OnFailed(IPeerNeighbor neighbor)
 | |
|         {
 | |
|             lock (ThisLock)
 | |
|             {
 | |
|                 this.state = PeerAuthState.Failed;
 | |
|                 this.timer.Cancel();
 | |
|                 this.host = null;
 | |
|             }
 | |
|             if (DiagnosticUtility.ShouldTraceError)
 | |
|             {
 | |
|                 PeerAuthenticationFailureTraceRecord record = null;
 | |
|                 String remoteUri = "";
 | |
|                 PeerNodeAddress remoteAddress = neighbor.ListenAddress;
 | |
|                 if (remoteAddress != null)
 | |
|                 {
 | |
|                     remoteUri = remoteAddress.EndpointAddress.ToString();
 | |
|                 }
 | |
|                 OperationContext opContext = OperationContext.Current;
 | |
|                 if (opContext != null)
 | |
|                 {
 | |
|                     remoteUri = opContext.IncomingMessageProperties.Via.ToString();
 | |
|                     ServiceSecurityContext secContext = opContext.ServiceSecurityContext;
 | |
|                     if (secContext != null)
 | |
|                     {
 | |
|                         record = new PeerAuthenticationFailureTraceRecord(
 | |
|                             meshId,
 | |
|                             remoteUri,
 | |
|                             secContext.AuthorizationContext.ClaimSets[0], null);
 | |
| 
 | |
|                         if (DiagnosticUtility.ShouldTraceError)
 | |
|                         {
 | |
|                             TraceUtility.TraceEvent(
 | |
|                                 TraceEventType.Error,
 | |
|                                 TraceCode.PeerNodeAuthenticationFailure,
 | |
|                                 SR.GetString(SR.TraceCodePeerNodeAuthenticationFailure),
 | |
|                                 record,
 | |
|                                 this,
 | |
|                                 null);
 | |
|                         }
 | |
|                     }
 | |
|                 }
 | |
|                 else
 | |
|                 {
 | |
|                     record = new PeerAuthenticationFailureTraceRecord(meshId, remoteUri);
 | |
|                     if (DiagnosticUtility.ShouldTraceError)
 | |
|                     {
 | |
|                         TraceUtility.TraceEvent(TraceEventType.Error,
 | |
|                                                 TraceCode.PeerNodeAuthenticationTimeout,
 | |
|                                                 SR.GetString(SR.TraceCodePeerNodeAuthenticationTimeout),
 | |
|                                                 record,
 | |
|                                                 this,
 | |
|                                                 null);
 | |
|                     }
 | |
|                 }
 | |
|             }
 | |
|             neighbor.Abort(PeerCloseReason.AuthenticationFailure, PeerCloseInitiator.LocalNode);
 | |
|         }
 | |
|     }
 | |
| }
 | |
| 
 | |
| namespace System.ServiceModel.Channels
 | |
| {
 | |
|     internal enum PeerAuthenticationMode
 | |
|     {
 | |
|         None = 0,
 | |
|         Password = 1,
 | |
|         MutualCertificate = 2
 | |
|     }
 | |
| }
 | |
| 
 | |
| 
 | |
| 
 | |
| 
 |