1 //----------------------------------------------------------------------------- 2 // Copyright (c) Microsoft Corporation. All rights reserved. 3 //----------------------------------------------------------------------------- 4 5 namespace System.ServiceModel.Security 6 { 7 using System.Collections.Generic; 8 using System.Collections.ObjectModel; 9 using System.IO; 10 using System.Runtime; 11 using System.ServiceModel; 12 using System.ServiceModel.Channels; 13 using System.ServiceModel.Description; 14 using System.ServiceModel.Security.Tokens; 15 using System.Xml; 16 17 abstract class WSSecurityPolicy 18 { 19 public static ContractDescription NullContract = new ContractDescription("null"); 20 public static ServiceEndpoint NullServiceEndpoint = new ServiceEndpoint(NullContract); 21 public static XmlDocument doc = new XmlDocument(); 22 public const string WsspPrefix = "sp"; 23 public const string WspNamespace = MetadataStrings.WSPolicy.NamespaceUri; //@"http://schemas.xmlsoap.org/ws/2004/09/policy"; 24 public const string Wsp15Namespace = MetadataStrings.WSPolicy.NamespaceUri15; 25 public const string WspPrefix = MetadataStrings.WSPolicy.Prefix; //"wsp"; 26 public const string MsspNamespace = @"http://schemas.microsoft.com/ws/2005/07/securitypolicy"; 27 public const string MsspPrefix = "mssp"; 28 public const string PolicyName = MetadataStrings.WSPolicy.Elements.Policy; //"Policy"; 29 public const string OptionalName = "Optional"; 30 public const string TrueName = "true"; 31 public const string FalseName = "false"; 32 public const string SymmetricBindingName = "SymmetricBinding"; 33 public const string AsymmetricBindingName = "AsymmetricBinding"; 34 public const string TransportBindingName = "TransportBinding"; 35 public const string OnlySignEntireHeadersAndBodyName = "OnlySignEntireHeadersAndBody"; 36 public const string ProtectionTokenName = "ProtectionToken"; 37 public const string InitiatorTokenName = "InitiatorToken"; 38 public const string RecipientTokenName = "RecipientToken"; 39 public const string TransportTokenName = "TransportToken"; 40 public const string AlgorithmSuiteName = "AlgorithmSuite"; 41 public const string LaxName = "Lax"; 42 public const string LaxTsLastName = "LaxTsLast"; 43 public const string LaxTsFirstName = "LaxTsFirst"; 44 public const string StrictName = "Strict"; 45 public const string IncludeTimestampName = "IncludeTimestamp"; 46 public const string EncryptBeforeSigningName = "EncryptBeforeSigning"; 47 public const string ProtectTokens = "ProtectTokens"; 48 public const string EncryptSignatureName = "EncryptSignature"; 49 public const string SignedSupportingTokensName = "SignedSupportingTokens"; 50 public const string EndorsingSupportingTokensName = "EndorsingSupportingTokens"; 51 public const string SignedEndorsingSupportingTokensName = "SignedEndorsingSupportingTokens"; 52 public const string Wss10Name = "Wss10"; 53 public const string MustSupportRefKeyIdentifierName = "MustSupportRefKeyIdentifier"; 54 public const string MustSupportRefIssuerSerialName = "MustSupportRefIssuerSerial"; 55 public const string MustSupportRefThumbprintName = "MustSupportRefThumbprint"; 56 public const string MustSupportRefEncryptedKeyName = "MustSupportRefEncryptedKey"; 57 public const string RequireSignatureConfirmationName = "RequireSignatureConfirmation"; 58 public const string MustSupportIssuedTokensName = "MustSupportIssuedTokens"; 59 public const string RequireClientEntropyName = "RequireClientEntropy"; 60 public const string RequireServerEntropyName = "RequireServerEntropy"; 61 public const string Wss11Name = "Wss11"; 62 public const string Trust10Name = "Trust10"; 63 public const string Trust13Name = "Trust13"; 64 public const string RequireAppliesTo = "RequireAppliesTo"; 65 public const string SignedPartsName = "SignedParts"; 66 public const string EncryptedPartsName = "EncryptedParts"; 67 public const string BodyName = "Body"; 68 public const string HeaderName = "Header"; 69 public const string NameName = "Name"; 70 public const string NamespaceName = "Namespace"; 71 public const string Basic128Name = "Basic128"; 72 public const string Basic192Name = "Basic192"; 73 public const string Basic256Name = "Basic256"; 74 public const string TripleDesName = "TripleDes"; 75 public const string Basic128Rsa15Name = "Basic128Rsa15"; 76 public const string Basic192Rsa15Name = "Basic192Rsa15"; 77 public const string Basic256Rsa15Name = "Basic256Rsa15"; 78 public const string TripleDesRsa15Name = "TripleDesRsa15"; 79 public const string Basic128Sha256Name = "Basic128Sha256"; 80 public const string Basic192Sha256Name = "Basic192Sha256"; 81 public const string Basic256Sha256Name = "Basic256Sha256"; 82 public const string TripleDesSha256Name = "TripleDesSha256"; 83 public const string Basic128Sha256Rsa15Name = "Basic128Sha256Rsa15"; 84 public const string Basic192Sha256Rsa15Name = "Basic192Sha256Rsa15"; 85 public const string Basic256Sha256Rsa15Name = "Basic256Sha256Rsa15"; 86 public const string TripleDesSha256Rsa15Name = "TripleDesSha256Rsa15"; 87 public const string IncludeTokenName = "IncludeToken"; 88 public const string KerberosTokenName = "KerberosToken"; 89 public const string X509TokenName = "X509Token"; 90 public const string IssuedTokenName = "IssuedToken"; 91 public const string UsernameTokenName = "UsernameToken"; 92 public const string RsaTokenName = "RsaToken"; 93 public const string KeyValueTokenName = "KeyValueToken"; 94 public const string SpnegoContextTokenName = "SpnegoContextToken"; 95 public const string SslContextTokenName = "SslContextToken"; 96 public const string SecureConversationTokenName = "SecureConversationToken"; 97 public const string WssGssKerberosV5ApReqToken11Name = "WssGssKerberosV5ApReqToken11"; 98 public const string RequireDerivedKeysName = "RequireDerivedKeys"; 99 public const string RequireIssuerSerialReferenceName = "RequireIssuerSerialReference"; 100 public const string RequireKeyIdentifierReferenceName = "RequireKeyIdentifierReference"; 101 public const string RequireThumbprintReferenceName = "RequireThumbprintReference"; 102 public const string WssX509V3Token10Name = "WssX509V3Token10"; 103 public const string WssUsernameToken10Name = "WssUsernameToken10"; 104 public const string RequestSecurityTokenTemplateName = "RequestSecurityTokenTemplate"; 105 public const string RequireExternalReferenceName = "RequireExternalReference"; 106 public const string RequireInternalReferenceName = "RequireInternalReference"; 107 public const string IssuerName = "Issuer"; 108 public const string RequireClientCertificateName = "RequireClientCertificate"; 109 public const string MustNotSendCancelName = "MustNotSendCancel"; 110 public const string MustNotSendAmendName = "MustNotSendAmend"; 111 public const string MustNotSendRenewName = "MustNotSendRenew"; 112 public const string LayoutName = "Layout"; 113 public const string BootstrapPolicyName = "BootstrapPolicy"; 114 public const string HttpsTokenName = "HttpsToken"; 115 public const string HttpBasicAuthenticationName = "HttpBasicAuthentication"; 116 public const string HttpDigestAuthenticationName = "HttpDigestAuthentication"; 117 118 bool _mustSupportRefKeyIdentifierName = false; 119 bool _mustSupportRefIssuerSerialName = false; 120 bool _mustSupportRefThumbprintName = false; 121 bool _protectionTokenHasAsymmetricKey = false; 122 CreateWsspAssertion(string name)123 public virtual XmlElement CreateWsspAssertion(string name) 124 { 125 return doc.CreateElement(WsspPrefix, name, this.WsspNamespaceUri); 126 } 127 IsWsspAssertion(XmlElement assertion)128 public virtual bool IsWsspAssertion(XmlElement assertion) 129 { 130 return assertion.NamespaceURI == this.WsspNamespaceUri; 131 } 132 IsWsspAssertion(XmlElement assertion, string name)133 public virtual bool IsWsspAssertion(XmlElement assertion, string name) 134 { 135 return assertion.NamespaceURI == this.WsspNamespaceUri && assertion.LocalName == name; 136 } 137 IsMsspAssertion(XmlElement assertion, string name)138 public virtual bool IsMsspAssertion(XmlElement assertion, string name) 139 { 140 return assertion.NamespaceURI == MsspNamespace && assertion.LocalName == name; 141 } 142 TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, out XmlElement assertion)143 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, out XmlElement assertion) 144 { 145 assertion = null; 146 147 foreach (XmlElement e in assertions) 148 { 149 if (e.LocalName == name && e.NamespaceURI == this.WsspNamespaceUri) 150 { 151 assertion = e; 152 assertions.Remove(e); 153 return true; 154 } 155 } 156 157 return false; 158 } 159 TryImportWsspAssertion(ICollection<XmlElement> assertions, string name)160 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name) 161 { 162 return TryImportWsspAssertion(assertions, name, false); 163 } 164 TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, bool isOptional)165 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, bool isOptional) 166 { 167 foreach (XmlElement e in assertions) 168 { 169 if (e.LocalName == name && e.NamespaceURI == this.WsspNamespaceUri) 170 { 171 assertions.Remove(e); 172 return true; 173 } 174 } 175 176 return isOptional; 177 } 178 CreateMsspAssertion(string name)179 public virtual XmlElement CreateMsspAssertion(string name) 180 { 181 return doc.CreateElement(MsspPrefix, name, MsspNamespace); 182 } 183 CanImportAssertion(ICollection<XmlElement> assertions)184 public virtual bool CanImportAssertion(ICollection<XmlElement> assertions) 185 { 186 foreach (XmlElement e in assertions) 187 { 188 if (e.NamespaceURI == this.WsspNamespaceUri || e.NamespaceURI == WSSecurityPolicy.MsspNamespace) 189 { 190 return true; 191 } 192 } 193 194 return false; 195 } 196 IsSecurityVersionSupported(MessageSecurityVersion version)197 public abstract bool IsSecurityVersionSupported(MessageSecurityVersion version); 198 GetSupportedMessageSecurityVersion(SecurityVersion version)199 public abstract MessageSecurityVersion GetSupportedMessageSecurityVersion(SecurityVersion version); 200 201 public abstract string WsspNamespaceUri { get; } 202 203 public abstract TrustDriver TrustDriver { get; } 204 205 public virtual string AlwaysToRecipientUri 206 { 207 get { return this.WsspNamespaceUri + @"/IncludeToken/AlwaysToRecipient"; } 208 } 209 210 public virtual string NeverUri 211 { 212 get { return this.WsspNamespaceUri + @"/IncludeToken/Never"; } 213 } 214 215 public virtual string OnceUri 216 { 217 get { return this.WsspNamespaceUri + @"/IncludeToken/Once"; } 218 } 219 220 public virtual string AlwaysToInitiatorUri 221 { 222 get { return this.WsspNamespaceUri + @"/IncludeToken/AlwaysToInitiator"; } 223 } 224 TryImportMsspAssertion(ICollection<XmlElement> assertions, string name)225 public virtual bool TryImportMsspAssertion(ICollection<XmlElement> assertions, string name) 226 { 227 foreach (XmlElement e in assertions) 228 { 229 if (e.LocalName == name && e.NamespaceURI == MsspNamespace) 230 { 231 assertions.Remove(e); 232 return true; 233 } 234 } 235 236 return false; 237 } 238 CreateWspPolicyWrapper(MetadataExporter exporter, params XmlElement[] nestedAssertions)239 public virtual XmlElement CreateWspPolicyWrapper(MetadataExporter exporter, params XmlElement[] nestedAssertions) 240 { 241 XmlElement result = doc.CreateElement(WspPrefix, PolicyName, exporter.PolicyVersion.Namespace); 242 243 if (nestedAssertions != null) 244 { 245 foreach (XmlElement e in nestedAssertions) 246 { 247 if (e != null) 248 { 249 result.AppendChild(e); 250 } 251 } 252 } 253 254 return result; 255 } 256 CreateWsspSignedPartsAssertion(MessagePartSpecification parts)257 public virtual XmlElement CreateWsspSignedPartsAssertion(MessagePartSpecification parts) 258 { 259 if (parts == null) 260 { 261 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parts"); 262 } 263 264 XmlElement result; 265 266 if (parts.IsEmpty()) 267 { 268 result = null; 269 } 270 else 271 { 272 result = CreateWsspAssertion(SignedPartsName); 273 if (parts.IsBodyIncluded) 274 { 275 result.AppendChild(CreateWsspAssertion(BodyName)); 276 } 277 foreach (XmlQualifiedName header in parts.HeaderTypes) 278 { 279 result.AppendChild(CreateWsspHeaderAssertion(header)); 280 } 281 } 282 return result; 283 } 284 CreateWsspEncryptedPartsAssertion(MessagePartSpecification parts)285 public virtual XmlElement CreateWsspEncryptedPartsAssertion(MessagePartSpecification parts) 286 { 287 if (parts == null) 288 { 289 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parts"); 290 } 291 292 XmlElement result; 293 294 if (parts.IsEmpty()) 295 { 296 result = null; 297 } 298 else 299 { 300 result = CreateWsspAssertion(EncryptedPartsName); 301 if (parts.IsBodyIncluded) 302 { 303 result.AppendChild(CreateWsspAssertion(BodyName)); 304 } 305 foreach (XmlQualifiedName header in parts.HeaderTypes) 306 { 307 result.AppendChild(CreateWsspHeaderAssertion(header)); 308 } 309 } 310 return result; 311 } 312 TryGetProtectedParts(XmlElement assertion)313 public virtual MessagePartSpecification TryGetProtectedParts(XmlElement assertion) 314 { 315 MessagePartSpecification parts = new MessagePartSpecification(); 316 317 foreach (XmlNode node in assertion.ChildNodes) 318 { 319 if (node.NodeType == XmlNodeType.Whitespace || node.NodeType == XmlNodeType.Comment) 320 { 321 continue; 322 } 323 else if (node is XmlElement) 324 { 325 XmlElement element = (XmlElement)node; 326 if (IsWsspAssertion(element, BodyName)) 327 { 328 parts.IsBodyIncluded = true; 329 } 330 else if (IsWsspAssertion(element, HeaderName)) 331 { 332 string name = element.GetAttribute(NameName); 333 string ns = element.GetAttribute(NamespaceName); 334 335 if (ns == null) 336 { 337 parts = null; 338 break; 339 } 340 341 parts.HeaderTypes.Add(new XmlQualifiedName(name, ns)); 342 } 343 else 344 { 345 parts = null; 346 break; 347 } 348 } 349 else 350 { 351 parts = null; 352 break; 353 } 354 } 355 356 return parts; 357 } 358 TryImportWsspEncryptedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion)359 public virtual bool TryImportWsspEncryptedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion) 360 { 361 if (TryImportWsspAssertion(assertions, EncryptedPartsName, out assertion)) 362 { 363 parts = TryGetProtectedParts(assertion); 364 } 365 else 366 { 367 parts = null; 368 } 369 370 return parts != null; 371 } 372 TryImportWsspSignedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion)373 public virtual bool TryImportWsspSignedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion) 374 { 375 if (TryImportWsspAssertion(assertions, SignedPartsName, out assertion)) 376 { 377 parts = TryGetProtectedParts(assertion); 378 } 379 else 380 { 381 parts = null; 382 } 383 384 return parts != null; 385 } 386 CreateWsspHeaderAssertion(XmlQualifiedName header)387 public virtual XmlElement CreateWsspHeaderAssertion(XmlQualifiedName header) 388 { 389 XmlElement result = CreateWsspAssertion(HeaderName); 390 result.SetAttribute(NameName, header.Name); 391 result.SetAttribute(NamespaceName, header.Namespace); 392 393 return result; 394 } 395 CreateWsspSymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, SymmetricSecurityBindingElement binding)396 public virtual XmlElement CreateWsspSymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, SymmetricSecurityBindingElement binding) 397 { 398 if (binding == null) 399 { 400 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); 401 } 402 403 XmlElement result = CreateWsspAssertion(SymmetricBindingName); 404 result.AppendChild( 405 CreateWspPolicyWrapper( 406 exporter, 407 CreateWsspProtectionTokenAssertion(exporter, binding.ProtectionTokenParameters), 408 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite), 409 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout), 410 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp), 411 CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder), 412 CreateWsspEncryptSignatureAssertion(policyContext, binding), 413 CreateWsspProtectTokensAssertion(binding), 414 CreateWsspAssertion(OnlySignEntireHeadersAndBodyName) 415 )); 416 417 return result; 418 } 419 TryGetNestedPolicyAlternatives(MetadataImporter importer, XmlElement assertion, out Collection<Collection<XmlElement>> alternatives)420 public virtual bool TryGetNestedPolicyAlternatives(MetadataImporter importer, XmlElement assertion, out Collection<Collection<XmlElement>> alternatives) 421 { 422 alternatives = null; 423 424 XmlElement policyElement = null; 425 foreach (XmlNode node in assertion.ChildNodes) 426 { 427 if (node is XmlElement && node.LocalName == PolicyName && (node.NamespaceURI == WspNamespace || node.NamespaceURI == Wsp15Namespace)) 428 { 429 policyElement = (XmlElement)node; 430 break; 431 } 432 } 433 434 if (policyElement == null) 435 { 436 alternatives = null; 437 } 438 else 439 { 440 IEnumerable<IEnumerable<XmlElement>> enumerableAlternatives = importer.NormalizePolicy(new XmlElement[] { policyElement }); 441 442 alternatives = new Collection<Collection<XmlElement>>(); 443 foreach (IEnumerable<XmlElement> enumerableAlternative in enumerableAlternatives) 444 { 445 Collection<XmlElement> alternative = new Collection<XmlElement>(); 446 alternatives.Add(alternative); 447 foreach (XmlElement e in enumerableAlternative) 448 { 449 alternative.Add(e); 450 } 451 } 452 } 453 454 return alternatives != null; 455 } 456 TryImportWsspSymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out SymmetricSecurityBindingElement binding, out XmlElement assertion)457 public virtual bool TryImportWsspSymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out SymmetricSecurityBindingElement binding, out XmlElement assertion) 458 { 459 binding = null; 460 461 Collection<Collection<XmlElement>> alternatives; 462 463 if (TryImportWsspAssertion(assertions, SymmetricBindingName, out assertion) 464 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 465 { 466 foreach (Collection<XmlElement> alternative in alternatives) 467 { 468 MessageProtectionOrder order; 469 bool protectTokens; 470 binding = new SymmetricSecurityBindingElement(); 471 if (TryImportWsspProtectionTokenAssertion(importer, policyContext, alternative, binding) 472 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding) 473 && TryImportWsspLayoutAssertion(importer, alternative, binding) 474 && TryImportWsspIncludeTimestampAssertion(alternative, binding) 475 && TryImportMessageProtectionOrderAssertions(alternative, out order) 476 && TryImportWsspProtectTokensAssertion(alternative, out protectTokens) 477 && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true) 478 && alternative.Count == 0) 479 { 480 binding.MessageProtectionOrder = order; 481 binding.ProtectTokens = protectTokens; 482 break; 483 } 484 else 485 { 486 binding = null; 487 } 488 } 489 } 490 491 return binding != null; 492 } 493 CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding)494 public virtual XmlElement CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding) 495 { 496 if (binding == null) 497 { 498 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); 499 } 500 501 XmlElement result = CreateWsspAssertion(AsymmetricBindingName); 502 result.AppendChild( 503 CreateWspPolicyWrapper( 504 exporter, 505 CreateWsspInitiatorTokenAssertion(exporter, binding.InitiatorTokenParameters), 506 CreateWsspRecipientTokenAssertion(exporter, binding.RecipientTokenParameters), 507 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite), 508 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout), 509 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp), 510 CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder), 511 CreateWsspEncryptSignatureAssertion(policyContext, binding), 512 CreateWsspProtectTokensAssertion(binding), 513 CreateWsspAssertion(OnlySignEntireHeadersAndBodyName) 514 )); 515 516 return result; 517 } 518 TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)519 public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion) 520 { 521 binding = null; 522 523 Collection<Collection<XmlElement>> alternatives; 524 525 if (TryImportWsspAssertion(assertions, AsymmetricBindingName, out assertion) 526 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 527 { 528 foreach (Collection<XmlElement> alternative in alternatives) 529 { 530 MessageProtectionOrder order; 531 bool protectTokens; 532 binding = new AsymmetricSecurityBindingElement(); 533 if (TryImportWsspInitiatorTokenAssertion(importer, policyContext, alternative, binding) 534 && TryImportWsspRecipientTokenAssertion(importer, policyContext, alternative, binding) 535 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding) 536 && TryImportWsspLayoutAssertion(importer, alternative, binding) 537 && TryImportWsspIncludeTimestampAssertion(alternative, binding) 538 && TryImportMessageProtectionOrderAssertions(alternative, out order) 539 && TryImportWsspProtectTokensAssertion(alternative, out protectTokens) 540 && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true) 541 && alternative.Count == 0) 542 { 543 binding.MessageProtectionOrder = order; 544 binding.ProtectTokens = protectTokens; 545 break; 546 } 547 else 548 { 549 binding = null; 550 } 551 } 552 } 553 554 return binding != null; 555 } 556 CreateWsspTransportBindingAssertion(MetadataExporter exporter, TransportSecurityBindingElement binding, XmlElement transportTokenAssertion)557 public virtual XmlElement CreateWsspTransportBindingAssertion(MetadataExporter exporter, TransportSecurityBindingElement binding, XmlElement transportTokenAssertion) 558 { 559 XmlElement result = CreateWsspAssertion(TransportBindingName); 560 result.AppendChild( 561 CreateWspPolicyWrapper( 562 exporter, 563 CreateWsspTransportTokenAssertion(exporter, transportTokenAssertion), 564 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite), 565 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout), 566 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp) 567 )); 568 569 return result; 570 } 571 TryImportWsspTransportBindingAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out TransportSecurityBindingElement binding, out XmlElement assertion)572 public virtual bool TryImportWsspTransportBindingAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out TransportSecurityBindingElement binding, out XmlElement assertion) 573 { 574 binding = null; 575 576 Collection<Collection<XmlElement>> alternatives; 577 578 if (TryImportWsspAssertion(assertions, TransportBindingName, out assertion) 579 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 580 { 581 foreach (Collection<XmlElement> alternative in alternatives) 582 { 583 XmlElement transportTokenAssertion; 584 binding = new TransportSecurityBindingElement(); 585 if (TryImportWsspTransportTokenAssertion(importer, alternative, out transportTokenAssertion) 586 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding) 587 && TryImportWsspLayoutAssertion(importer, alternative, binding) 588 && TryImportWsspIncludeTimestampAssertion(alternative, binding) 589 && alternative.Count == 0) 590 { 591 if (false == importer.State.ContainsKey(SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode)) 592 { 593 // The transportTokenAssertion should be consumed by the transport binding importer 594 // for all primary bindings. However, for secure conversation bootstrap bindings 595 // the bootstrap policy does not contain any transport assertions, so adding the 596 // transport token assertion to the collection of unimported assertions would 597 // increase the likelihood of policy import failure due to unrecognized assertions. 598 assertions.Add(transportTokenAssertion); 599 } 600 break; 601 } 602 else 603 { 604 binding = null; 605 } 606 } 607 } 608 609 return binding != null; 610 } 611 CreateWsspWssAssertion(MetadataExporter exporter, SecurityBindingElement binding)612 public virtual XmlElement CreateWsspWssAssertion(MetadataExporter exporter, SecurityBindingElement binding) 613 { 614 if (binding == null) 615 { 616 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); 617 } 618 619 if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity10) 620 { 621 return CreateWsspWss10Assertion(exporter); 622 } 623 else if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity11) 624 { 625 if (binding is SymmetricSecurityBindingElement) 626 { 627 return CreateWsspWss11Assertion(exporter, ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation); 628 } 629 else if (binding is AsymmetricSecurityBindingElement) 630 { 631 return CreateWsspWss11Assertion(exporter, ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation); 632 } 633 else 634 { 635 return CreateWsspWss11Assertion(exporter, false); 636 } 637 } 638 else 639 { 640 return null; 641 } 642 } 643 TryImportWsspWssAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion)644 public virtual bool TryImportWsspWssAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion) 645 { 646 if (binding == null) 647 { 648 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); 649 } 650 if (assertions == null) 651 { 652 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions"); 653 } 654 655 bool result = true; 656 Collection<Collection<XmlElement>> alternatives; 657 658 if (TryImportWsspAssertion(assertions, Wss10Name, out assertion)) 659 { 660 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 661 { 662 foreach (Collection<XmlElement> alternative in alternatives) 663 { 664 TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName); 665 TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName); 666 if (alternative.Count == 0) 667 { 668 binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity10); 669 result = true; 670 break; 671 } 672 else 673 { 674 result = false; 675 } 676 } 677 } 678 } 679 else if (TryImportWsspAssertion(assertions, Wss11Name, out assertion)) 680 { 681 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 682 { 683 foreach (Collection<XmlElement> alternative in alternatives) 684 { 685 TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName); 686 TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName); 687 TryImportWsspAssertion(alternative, MustSupportRefThumbprintName); 688 TryImportWsspAssertion(alternative, MustSupportRefEncryptedKeyName); 689 bool requireSignatureConfirmation = TryImportWsspAssertion(alternative, RequireSignatureConfirmationName); 690 if (alternative.Count == 0) 691 { 692 binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity11); 693 if (binding is SymmetricSecurityBindingElement) 694 { 695 ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation; 696 } 697 else if (binding is AsymmetricSecurityBindingElement) 698 { 699 ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation; 700 } 701 result = true; 702 break; 703 } 704 else 705 { 706 result = false; 707 } 708 } 709 } 710 } 711 712 return result; 713 } 714 CreateWsspWss10Assertion(MetadataExporter exporter)715 public virtual XmlElement CreateWsspWss10Assertion(MetadataExporter exporter) 716 { 717 XmlElement result = CreateWsspAssertion(Wss10Name); 718 result.AppendChild( 719 CreateWspPolicyWrapper( 720 exporter, 721 CreateWsspAssertionMustSupportRefKeyIdentifierName(), 722 CreateWsspAssertionMustSupportRefIssuerSerialName() 723 )); 724 725 return result; 726 } 727 CreateWsspWss11Assertion(MetadataExporter exporter, bool requireSignatureConfirmation)728 public virtual XmlElement CreateWsspWss11Assertion(MetadataExporter exporter, bool requireSignatureConfirmation) 729 { 730 XmlElement result = CreateWsspAssertion(Wss11Name); 731 result.AppendChild( 732 CreateWspPolicyWrapper( 733 exporter, 734 CreateWsspAssertionMustSupportRefKeyIdentifierName(), 735 CreateWsspAssertionMustSupportRefIssuerSerialName(), 736 CreateWsspAssertionMustSupportRefThumbprintName(), 737 CreateWsspAssertionMustSupportRefEncryptedKeyName(), 738 CreateWsspRequireSignatureConformationAssertion(requireSignatureConfirmation) 739 )); 740 741 return result; 742 } CreateWsspAssertionMustSupportRefKeyIdentifierName()743 public virtual XmlElement CreateWsspAssertionMustSupportRefKeyIdentifierName() 744 { 745 if (_mustSupportRefKeyIdentifierName) 746 { 747 return CreateWsspAssertion(MustSupportRefKeyIdentifierName); 748 } 749 else 750 { 751 return null; 752 } 753 } 754 CreateWsspAssertionMustSupportRefIssuerSerialName()755 public virtual XmlElement CreateWsspAssertionMustSupportRefIssuerSerialName() 756 { 757 if (_mustSupportRefIssuerSerialName) 758 { 759 return CreateWsspAssertion(MustSupportRefIssuerSerialName); 760 } 761 else 762 { 763 return null; 764 } 765 } 766 CreateWsspAssertionMustSupportRefThumbprintName()767 public virtual XmlElement CreateWsspAssertionMustSupportRefThumbprintName() 768 { 769 if (_mustSupportRefThumbprintName) 770 { 771 return CreateWsspAssertion(MustSupportRefThumbprintName); 772 } 773 else 774 { 775 return null; 776 } 777 } 778 CreateWsspAssertionMustSupportRefEncryptedKeyName()779 public virtual XmlElement CreateWsspAssertionMustSupportRefEncryptedKeyName() 780 { 781 // protectionTokenHasAsymmetricKey is only set to true for a SymmetricBindingElement having an asymmetric key 782 if (_protectionTokenHasAsymmetricKey) 783 { 784 return CreateWsspAssertion(MustSupportRefEncryptedKeyName); 785 } 786 else 787 { 788 return null; 789 } 790 } 791 CreateWsspRequireSignatureConformationAssertion(bool requireSignatureConfirmation)792 public virtual XmlElement CreateWsspRequireSignatureConformationAssertion(bool requireSignatureConfirmation) 793 { 794 if (requireSignatureConfirmation) 795 { 796 return CreateWsspAssertion(RequireSignatureConfirmationName); 797 } 798 else 799 { 800 return null; 801 } 802 } 803 CreateWsspTrustAssertion(MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode)804 public abstract XmlElement CreateWsspTrustAssertion(MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode); 805 TryImportWsspTrustAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion)806 public abstract bool TryImportWsspTrustAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion); 807 CreateWsspTrustAssertion(string trustName, MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode)808 protected XmlElement CreateWsspTrustAssertion(string trustName, MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode) 809 { 810 XmlElement result = CreateWsspAssertion(trustName); 811 result.AppendChild( 812 CreateWspPolicyWrapper( 813 exporter, 814 CreateWsspAssertion(MustSupportIssuedTokensName), 815 CreateWsspRequireClientEntropyAssertion(keyEntropyMode), 816 CreateWsspRequireServerEntropyAssertion(keyEntropyMode) 817 )); 818 819 return result; 820 } 821 TryImportWsspTrustAssertion(string trustName, MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion)822 protected bool TryImportWsspTrustAssertion(string trustName, MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion) 823 { 824 if (binding == null) 825 { 826 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); 827 } 828 if (assertions == null) 829 { 830 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions"); 831 } 832 833 bool result = true; 834 Collection<Collection<XmlElement>> alternatives; 835 836 if (TryImportWsspAssertion(assertions, trustName, out assertion) 837 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 838 { 839 foreach (Collection<XmlElement> alternative in alternatives) 840 { 841 TryImportWsspAssertion(alternative, MustSupportIssuedTokensName); 842 bool requireClientEntropy = TryImportWsspAssertion(alternative, RequireClientEntropyName); 843 bool requireServerEntropy = TryImportWsspAssertion(alternative, RequireServerEntropyName); 844 if (trustName == Trust13Name) 845 { 846 // We are just reading this optional element. 847 TryImportWsspAssertion(alternative, RequireAppliesTo); 848 } 849 if (alternative.Count == 0) 850 { 851 if (requireClientEntropy) 852 { 853 if (requireServerEntropy) 854 { 855 binding.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; 856 } 857 else 858 { 859 binding.KeyEntropyMode = SecurityKeyEntropyMode.ClientEntropy; 860 } 861 } 862 else if (requireServerEntropy) 863 { 864 binding.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy; 865 } 866 867 result = true; 868 break; 869 } 870 else 871 { 872 result = false; 873 } 874 } 875 } 876 877 return result; 878 } 879 CreateWsspRequireClientEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode)880 public virtual XmlElement CreateWsspRequireClientEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode) 881 { 882 if (keyEntropyMode == SecurityKeyEntropyMode.ClientEntropy || keyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy) 883 { 884 return CreateWsspAssertion(RequireClientEntropyName); 885 } 886 else 887 { 888 return null; 889 } 890 } 891 CreateWsspRequireServerEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode)892 public virtual XmlElement CreateWsspRequireServerEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode) 893 { 894 if (keyEntropyMode == SecurityKeyEntropyMode.ServerEntropy || keyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy) 895 { 896 return CreateWsspAssertion(RequireServerEntropyName); 897 } 898 else 899 { 900 return null; 901 } 902 } 903 CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing)904 public virtual Collection<XmlElement> CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing) 905 { 906 return CreateWsspSupportingTokensAssertion(exporter, signed, signedEncrypted, endorsing, signedEndorsing, optionalSigned, optionalSignedEncrypted, optionalEndorsing, optionalSignedEndorsing, null); 907 } 908 CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion)909 public virtual Collection<XmlElement> CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion) 910 { 911 Collection<XmlElement> supportingTokenAssertions = new Collection<XmlElement>(); 912 913 // Signed Supporting Tokens 914 XmlElement supportingTokenAssertion = CreateWsspSignedSupportingTokensAssertion(exporter, signed, signedEncrypted, optionalSigned, optionalSignedEncrypted); 915 if (supportingTokenAssertion != null) 916 supportingTokenAssertions.Add(supportingTokenAssertion); 917 918 // Endorsing Supporting Tokens. 919 supportingTokenAssertion = CreateWsspEndorsingSupportingTokensAssertion(exporter, endorsing, optionalEndorsing, addressingVersion); 920 if (supportingTokenAssertion != null) 921 supportingTokenAssertions.Add(supportingTokenAssertion); 922 923 // Signed Endorsing Supporting Tokens. 924 supportingTokenAssertion = CreateWsspSignedEndorsingSupportingTokensAssertion(exporter, signedEndorsing, optionalSignedEndorsing, addressingVersion); 925 if (supportingTokenAssertion != null) 926 supportingTokenAssertions.Add(supportingTokenAssertion); 927 928 return supportingTokenAssertions; 929 } 930 CreateWsspSignedSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted)931 protected XmlElement CreateWsspSignedSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted) 932 { 933 XmlElement result; 934 935 if ((signed == null || signed.Count == 0) 936 && (signedEncrypted == null || signedEncrypted.Count == 0) 937 && (optionalSigned == null || optionalSigned.Count == 0) 938 && (optionalSignedEncrypted == null || optionalSignedEncrypted.Count == 0)) 939 { 940 result = null; 941 } 942 else 943 { 944 XmlElement policy = CreateWspPolicyWrapper(exporter); 945 946 if (signed != null) 947 { 948 foreach (SecurityTokenParameters p in signed) 949 { 950 policy.AppendChild(CreateTokenAssertion(exporter, p)); 951 } 952 } 953 if (signedEncrypted != null) 954 { 955 foreach (SecurityTokenParameters p in signedEncrypted) 956 { 957 policy.AppendChild(CreateTokenAssertion(exporter, p)); 958 } 959 } 960 if (optionalSigned != null) 961 { 962 foreach (SecurityTokenParameters p in optionalSigned) 963 { 964 policy.AppendChild(CreateTokenAssertion(exporter, p, true)); 965 } 966 } 967 if (optionalSignedEncrypted != null) 968 { 969 foreach (SecurityTokenParameters p in optionalSignedEncrypted) 970 { 971 policy.AppendChild(CreateTokenAssertion(exporter, p, true)); 972 } 973 } 974 975 result = CreateWsspAssertion(SignedSupportingTokensName); 976 result.AppendChild(policy); 977 } 978 979 return result; 980 } 981 CreateWsspEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion)982 protected XmlElement CreateWsspEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion) 983 { 984 return CreateWsspiSupportingTokensAssertion(exporter, endorsing, optionalEndorsing, addressingVersion, EndorsingSupportingTokensName); 985 } 986 CreateWsspSignedEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion)987 protected XmlElement CreateWsspSignedEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion) 988 { 989 return CreateWsspiSupportingTokensAssertion(exporter, signedEndorsing, optionalSignedEndorsing, addressingVersion, SignedEndorsingSupportingTokensName); 990 } 991 CreateWsspiSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion, string assertionName)992 protected XmlElement CreateWsspiSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion, string assertionName) 993 { 994 XmlElement result; 995 bool hasAssymetricKey = false; 996 997 if ((endorsing == null || endorsing.Count == 0) 998 && (optionalEndorsing == null || optionalEndorsing.Count == 0)) 999 { 1000 result = null; 1001 } 1002 else 1003 { 1004 XmlElement policy = CreateWspPolicyWrapper(exporter); 1005 1006 if (endorsing != null) 1007 { 1008 foreach (SecurityTokenParameters p in endorsing) 1009 { 1010 if (p.HasAsymmetricKey) 1011 hasAssymetricKey = true; 1012 1013 policy.AppendChild(CreateTokenAssertion(exporter, p)); 1014 } 1015 } 1016 if (optionalEndorsing != null) 1017 { 1018 foreach (SecurityTokenParameters p in optionalEndorsing) 1019 { 1020 if (p.HasAsymmetricKey) 1021 hasAssymetricKey = true; 1022 1023 policy.AppendChild(CreateTokenAssertion(exporter, p, true)); 1024 } 1025 } 1026 if (addressingVersion != null && AddressingVersion.None != addressingVersion) 1027 { 1028 // only add assertion to sign the 'To' only if an assymetric key is found 1029 if (hasAssymetricKey) 1030 { 1031 policy.AppendChild( 1032 CreateWsspSignedPartsAssertion( 1033 new MessagePartSpecification(new XmlQualifiedName(AddressingStrings.To, addressingVersion.Namespace)))); 1034 } 1035 } 1036 1037 result = CreateWsspAssertion(assertionName); 1038 result.AppendChild(policy); 1039 } 1040 1041 return result; 1042 } 1043 TryImportWsspSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing)1044 public virtual bool TryImportWsspSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing) 1045 { 1046 XmlElement assertion; 1047 1048 if (!TryImportWsspSignedSupportingTokensAssertion( 1049 importer, 1050 policyContext, 1051 assertions, 1052 signed, 1053 signedEncrypted, 1054 optionalSigned, 1055 optionalSignedEncrypted, 1056 out assertion) 1057 && assertion != null) 1058 { 1059 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); 1060 } 1061 1062 if (!TryImportWsspEndorsingSupportingTokensAssertion( 1063 importer, 1064 policyContext, 1065 assertions, 1066 endorsing, 1067 optionalEndorsing, 1068 out assertion) 1069 && assertion != null) 1070 { 1071 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); 1072 } 1073 1074 if (!TryImportWsspSignedEndorsingSupportingTokensAssertion( 1075 importer, 1076 policyContext, 1077 assertions, 1078 signedEndorsing, 1079 optionalSignedEndorsing, 1080 out assertion) 1081 && assertion != null) 1082 { 1083 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); 1084 } 1085 1086 return true; 1087 } 1088 TryImportWsspSignedSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, out XmlElement assertion)1089 protected bool TryImportWsspSignedSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, out XmlElement assertion) 1090 { 1091 if (signed == null) 1092 { 1093 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signed"); 1094 } 1095 if (signedEncrypted == null) 1096 { 1097 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signedEncrypted"); 1098 } 1099 if (optionalSigned == null) 1100 { 1101 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSigned"); 1102 } 1103 if (optionalSignedEncrypted == null) 1104 { 1105 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSignedEncrypted"); 1106 } 1107 1108 bool result = true; 1109 1110 Collection<Collection<XmlElement>> alternatives; 1111 1112 if (TryImportWsspAssertion(assertions, SignedSupportingTokensName, out assertion) 1113 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1114 { 1115 foreach (Collection<XmlElement> alternative in alternatives) 1116 { 1117 Collection<SecurityTokenParameters> signedSupportingTokens = new Collection<SecurityTokenParameters>(); 1118 Collection<SecurityTokenParameters> optionalSignedSupportingTokens = new Collection<SecurityTokenParameters>(); 1119 SecurityTokenParameters parameters; 1120 bool isOptional; 1121 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional)) 1122 { 1123 if (isOptional) 1124 { 1125 optionalSignedSupportingTokens.Add(parameters); 1126 } 1127 else 1128 { 1129 signedSupportingTokens.Add(parameters); 1130 } 1131 } 1132 if (alternative.Count == 0) 1133 { 1134 foreach (SecurityTokenParameters p in signedSupportingTokens) 1135 { 1136 if (p is UserNameSecurityTokenParameters) 1137 { 1138 signedEncrypted.Add(p); 1139 } 1140 else 1141 { 1142 signed.Add(p); 1143 } 1144 } 1145 foreach (SecurityTokenParameters p in optionalSignedSupportingTokens) 1146 { 1147 if (p is UserNameSecurityTokenParameters) 1148 { 1149 optionalSignedEncrypted.Add(p); 1150 } 1151 else 1152 { 1153 optionalSigned.Add(p); 1154 } 1155 } 1156 result = true; 1157 break; 1158 } 1159 else 1160 { 1161 result = false; 1162 } 1163 } 1164 } 1165 1166 return result; 1167 } 1168 TryImportWsspEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, out XmlElement assertion)1169 protected bool TryImportWsspEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, out XmlElement assertion) 1170 { 1171 if (endorsing == null) 1172 { 1173 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("endorsing"); 1174 } 1175 if (optionalEndorsing == null) 1176 { 1177 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalEndorsing"); 1178 } 1179 1180 bool result = true; 1181 1182 Collection<Collection<XmlElement>> alternatives; 1183 1184 if (TryImportWsspAssertion(assertions, EndorsingSupportingTokensName, out assertion) 1185 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1186 { 1187 foreach (Collection<XmlElement> alternative in alternatives) 1188 { 1189 MessagePartSpecification signedParts; 1190 if (!TryImportWsspSignedPartsAssertion(alternative, out signedParts, out assertion) && assertion != null) 1191 { 1192 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); 1193 } 1194 1195 Collection<SecurityTokenParameters> supportingTokens = new Collection<SecurityTokenParameters>(); 1196 Collection<SecurityTokenParameters> optionalSupportingTokens = new Collection<SecurityTokenParameters>(); 1197 SecurityTokenParameters parameters; 1198 bool isOptional; 1199 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional)) 1200 { 1201 if (isOptional) 1202 { 1203 optionalSupportingTokens.Add(parameters); 1204 } 1205 else 1206 { 1207 supportingTokens.Add(parameters); 1208 } 1209 } 1210 if (alternative.Count == 0) 1211 { 1212 foreach (SecurityTokenParameters p in supportingTokens) 1213 { 1214 endorsing.Add(p); 1215 } 1216 foreach (SecurityTokenParameters p in optionalSupportingTokens) 1217 { 1218 optionalEndorsing.Add(p); 1219 } 1220 result = true; 1221 break; 1222 } 1223 else 1224 { 1225 result = false; 1226 } 1227 } 1228 } 1229 1230 return result; 1231 } 1232 TryImportWsspSignedEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, out XmlElement assertion)1233 protected bool TryImportWsspSignedEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, out XmlElement assertion) 1234 { 1235 if (signedEndorsing == null) 1236 { 1237 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signedEndorsing"); 1238 } 1239 if (optionalSignedEndorsing == null) 1240 { 1241 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSignedEndorsing"); 1242 } 1243 1244 bool result = true; 1245 1246 Collection<Collection<XmlElement>> alternatives; 1247 1248 if (TryImportWsspAssertion(assertions, SignedEndorsingSupportingTokensName, out assertion) 1249 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1250 { 1251 foreach (Collection<XmlElement> alternative in alternatives) 1252 { 1253 MessagePartSpecification signedParts; 1254 if (!TryImportWsspSignedPartsAssertion(alternative, out signedParts, out assertion) && assertion != null) 1255 { 1256 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml))); 1257 } 1258 1259 Collection<SecurityTokenParameters> supportingTokens = new Collection<SecurityTokenParameters>(); 1260 Collection<SecurityTokenParameters> optionalSupportingTokens = new Collection<SecurityTokenParameters>(); 1261 SecurityTokenParameters parameters; 1262 bool isOptional; 1263 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional)) 1264 { 1265 if (isOptional) 1266 { 1267 optionalSupportingTokens.Add(parameters); 1268 } 1269 else 1270 { 1271 supportingTokens.Add(parameters); 1272 } 1273 } 1274 if (alternative.Count == 0) 1275 { 1276 foreach (SecurityTokenParameters p in supportingTokens) 1277 { 1278 signedEndorsing.Add(p); 1279 } 1280 foreach (SecurityTokenParameters p in optionalSupportingTokens) 1281 { 1282 optionalSignedEndorsing.Add(p); 1283 } 1284 result = true; 1285 break; 1286 } 1287 else 1288 { 1289 result = false; 1290 } 1291 } 1292 } 1293 1294 return result; 1295 } 1296 CreateWsspEncryptSignatureAssertion(PolicyConversionContext policyContext, SecurityBindingElement binding)1297 public virtual XmlElement CreateWsspEncryptSignatureAssertion(PolicyConversionContext policyContext, SecurityBindingElement binding) 1298 { 1299 MessageProtectionOrder protectionOrder; 1300 if (binding is SymmetricSecurityBindingElement) 1301 { 1302 protectionOrder = ((SymmetricSecurityBindingElement)binding).MessageProtectionOrder; 1303 } 1304 else 1305 { 1306 protectionOrder = ((AsymmetricSecurityBindingElement)binding).MessageProtectionOrder; 1307 } 1308 1309 if (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature 1310 && ContainsEncryptionParts(policyContext, binding)) 1311 { 1312 return CreateWsspAssertion(EncryptSignatureName); 1313 } 1314 else 1315 { 1316 return null; 1317 } 1318 } 1319 1320 // This api checks whether or not the message will or may contain Encrypted parts 1321 // to decide whether or not to emit sp:EncryptSignature on Binding assertion. 1322 // 1) (Optional)EndpointSupporting. 1323 // 2) (Optional)OperationSupporting. 1324 // 3) In/Out/Fault Message ProtectionLevel for each Operation. ContainsEncryptionParts(PolicyConversionContext policyContext, SecurityBindingElement security)1325 bool ContainsEncryptionParts(PolicyConversionContext policyContext, SecurityBindingElement security) 1326 { 1327 // special case for RST/RSTR since we hard coded the security for them 1328 if (policyContext.Contract == NullContract) 1329 return true; 1330 1331 if (security.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0 || 1332 security.OptionalEndpointSupportingTokenParameters.SignedEncrypted.Count > 0) 1333 { 1334 return true; 1335 } 1336 foreach (SupportingTokenParameters r in security.OperationSupportingTokenParameters.Values) 1337 { 1338 if (r.SignedEncrypted.Count > 0) 1339 { 1340 return true; 1341 } 1342 } 1343 foreach (SupportingTokenParameters r in security.OptionalOperationSupportingTokenParameters.Values) 1344 { 1345 if (r.SignedEncrypted.Count > 0) 1346 { 1347 return true; 1348 } 1349 } 1350 1351 BindingParameterCollection bindingParameters = new BindingParameterCollection(); 1352 bindingParameters.Add(ChannelProtectionRequirements.CreateFromContract(policyContext.Contract, policyContext.BindingElements.Find<SecurityBindingElement>().GetIndividualProperty<ISecurityCapabilities>(), false)); 1353 ChannelProtectionRequirements protectionRequirements = SecurityBindingElement.ComputeProtectionRequirements(security, bindingParameters, policyContext.BindingElements, true); 1354 protectionRequirements.MakeReadOnly(); 1355 1356 WSSecurityPolicy sp = WSSecurityPolicy.GetSecurityPolicyDriver(security.MessageSecurityVersion); 1357 1358 foreach (OperationDescription operation in policyContext.Contract.Operations) 1359 { 1360 // export policy for application messages 1361 foreach (MessageDescription message in operation.Messages) 1362 { 1363 MessagePartSpecification parts; 1364 ScopedMessagePartSpecification scopedParts; 1365 1366 // confidentiality 1367 if (message.Direction == MessageDirection.Input) 1368 { 1369 scopedParts = protectionRequirements.IncomingEncryptionParts; 1370 } 1371 else 1372 { 1373 scopedParts = protectionRequirements.OutgoingEncryptionParts; 1374 } 1375 1376 if (scopedParts.TryGetParts(message.Action, out parts)) 1377 { 1378 if (!parts.IsEmpty()) 1379 { 1380 return true; 1381 } 1382 } 1383 } 1384 1385 // export policy for faults 1386 foreach (FaultDescription fault in operation.Faults) 1387 { 1388 MessagePartSpecification parts; 1389 1390 // confidentiality 1391 if (protectionRequirements.OutgoingEncryptionParts.TryGetParts(fault.Action, out parts)) 1392 { 1393 if (!parts.IsEmpty()) 1394 { 1395 return true; 1396 } 1397 } 1398 } 1399 } 1400 return false; 1401 } 1402 CreateWsspEncryptBeforeSigningAssertion(MessageProtectionOrder protectionOrder)1403 public virtual XmlElement CreateWsspEncryptBeforeSigningAssertion(MessageProtectionOrder protectionOrder) 1404 { 1405 if (protectionOrder == MessageProtectionOrder.EncryptBeforeSign) 1406 { 1407 return CreateWsspAssertion(EncryptBeforeSigningName); 1408 } 1409 else 1410 { 1411 return null; 1412 } 1413 } 1414 CreateWsspProtectTokensAssertion(SecurityBindingElement sbe)1415 public virtual XmlElement CreateWsspProtectTokensAssertion(SecurityBindingElement sbe) 1416 { 1417 if (sbe.ProtectTokens) 1418 { 1419 return CreateWsspAssertion(ProtectTokens); 1420 } 1421 else 1422 { 1423 return null; 1424 } 1425 } 1426 1427 TryImportMessageProtectionOrderAssertions(ICollection<XmlElement> assertions, out MessageProtectionOrder order)1428 public virtual bool TryImportMessageProtectionOrderAssertions(ICollection<XmlElement> assertions, out MessageProtectionOrder order) 1429 { 1430 if (TryImportWsspAssertion(assertions, EncryptBeforeSigningName)) 1431 { 1432 order = MessageProtectionOrder.EncryptBeforeSign; 1433 } 1434 else if (TryImportWsspAssertion(assertions, EncryptSignatureName)) 1435 { 1436 order = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature; 1437 } 1438 else 1439 { 1440 order = MessageProtectionOrder.SignBeforeEncrypt; 1441 } 1442 1443 return true; 1444 } 1445 CreateWsspIncludeTimestampAssertion(bool includeTimestamp)1446 public virtual XmlElement CreateWsspIncludeTimestampAssertion(bool includeTimestamp) 1447 { 1448 if (includeTimestamp) 1449 { 1450 return CreateWsspAssertion(IncludeTimestampName); 1451 } 1452 else 1453 { 1454 return null; 1455 } 1456 } 1457 TryImportWsspIncludeTimestampAssertion(ICollection<XmlElement> assertions, SecurityBindingElement binding)1458 public virtual bool TryImportWsspIncludeTimestampAssertion(ICollection<XmlElement> assertions, SecurityBindingElement binding) 1459 { 1460 binding.IncludeTimestamp = TryImportWsspAssertion(assertions, IncludeTimestampName); 1461 return true; 1462 } 1463 TryImportWsspProtectTokensAssertion(ICollection<XmlElement> assertions, out bool protectTokens)1464 public virtual bool TryImportWsspProtectTokensAssertion(ICollection<XmlElement> assertions, out bool protectTokens) 1465 { 1466 if (TryImportWsspAssertion(assertions, ProtectTokens)) 1467 { 1468 protectTokens = true; 1469 } 1470 else 1471 { 1472 protectTokens = false; 1473 } 1474 1475 return true; 1476 } 1477 CreateWsspLayoutAssertion(MetadataExporter exporter, SecurityHeaderLayout layout)1478 public virtual XmlElement CreateWsspLayoutAssertion(MetadataExporter exporter, SecurityHeaderLayout layout) 1479 { 1480 XmlElement result = CreateWsspAssertion(LayoutName); 1481 result.AppendChild( 1482 CreateWspPolicyWrapper( 1483 exporter, 1484 CreateLayoutAssertion(layout) 1485 )); 1486 1487 return result; 1488 } 1489 TryImportWsspLayoutAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding)1490 public virtual bool TryImportWsspLayoutAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding) 1491 { 1492 bool result = false; 1493 XmlElement assertion; 1494 1495 if (TryImportWsspAssertion(assertions, LayoutName, out assertion)) 1496 { 1497 SecurityHeaderLayout layout; 1498 Collection<Collection<XmlElement>> alternatives; 1499 1500 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1501 { 1502 foreach (Collection<XmlElement> alternative in alternatives) 1503 { 1504 if (TryImportLayoutAssertion(alternative, out layout) 1505 && alternative.Count == 0) 1506 { 1507 binding.SecurityHeaderLayout = layout; 1508 result = true; 1509 break; 1510 } 1511 } 1512 } 1513 } 1514 else 1515 { 1516 binding.SecurityHeaderLayout = SecurityHeaderLayout.Lax; 1517 result = true; 1518 } 1519 1520 return result; 1521 } 1522 CreateLayoutAssertion(SecurityHeaderLayout layout)1523 public virtual XmlElement CreateLayoutAssertion(SecurityHeaderLayout layout) 1524 { 1525 switch (layout) 1526 { 1527 default: 1528 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("layout")); 1529 case SecurityHeaderLayout.Lax: 1530 return CreateWsspAssertion(LaxName); 1531 case SecurityHeaderLayout.LaxTimestampFirst: 1532 return CreateWsspAssertion(LaxTsFirstName); 1533 case SecurityHeaderLayout.LaxTimestampLast: 1534 return CreateWsspAssertion(LaxTsLastName); 1535 case SecurityHeaderLayout.Strict: 1536 return CreateWsspAssertion(StrictName); 1537 } 1538 } 1539 TryImportLayoutAssertion(ICollection<XmlElement> assertions, out SecurityHeaderLayout layout)1540 public virtual bool TryImportLayoutAssertion(ICollection<XmlElement> assertions, out SecurityHeaderLayout layout) 1541 { 1542 bool result = true; 1543 layout = SecurityHeaderLayout.Lax; 1544 1545 if (TryImportWsspAssertion(assertions, LaxName)) 1546 { 1547 layout = SecurityHeaderLayout.Lax; 1548 } 1549 else if (TryImportWsspAssertion(assertions, LaxTsFirstName)) 1550 { 1551 layout = SecurityHeaderLayout.LaxTimestampFirst; 1552 } 1553 else if (TryImportWsspAssertion(assertions, LaxTsLastName)) 1554 { 1555 layout = SecurityHeaderLayout.LaxTimestampLast; 1556 } 1557 else if (TryImportWsspAssertion(assertions, StrictName)) 1558 { 1559 layout = SecurityHeaderLayout.Strict; 1560 } 1561 else 1562 { 1563 result = false; 1564 } 1565 1566 return result; 1567 } 1568 CreateWsspAlgorithmSuiteAssertion(MetadataExporter exporter, SecurityAlgorithmSuite suite)1569 public virtual XmlElement CreateWsspAlgorithmSuiteAssertion(MetadataExporter exporter, SecurityAlgorithmSuite suite) 1570 { 1571 XmlElement result = CreateWsspAssertion(AlgorithmSuiteName); 1572 result.AppendChild( 1573 CreateWspPolicyWrapper( 1574 exporter, 1575 CreateAlgorithmSuiteAssertion(suite) 1576 )); 1577 1578 return result; 1579 } 1580 TryImportWsspAlgorithmSuiteAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding)1581 public virtual bool TryImportWsspAlgorithmSuiteAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding) 1582 { 1583 SecurityAlgorithmSuite suite = null; 1584 XmlElement assertion; 1585 Collection<Collection<XmlElement>> alternatives; 1586 1587 if (TryImportWsspAssertion(assertions, AlgorithmSuiteName, out assertion) 1588 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1589 { 1590 foreach (Collection<XmlElement> alternative in alternatives) 1591 { 1592 if (TryImportAlgorithmSuiteAssertion(alternative, out suite) 1593 && alternative.Count == 0) 1594 { 1595 binding.DefaultAlgorithmSuite = suite; 1596 break; 1597 } 1598 else 1599 { 1600 suite = null; 1601 } 1602 } 1603 } 1604 1605 return suite != null; 1606 } 1607 CreateAlgorithmSuiteAssertion(SecurityAlgorithmSuite suite)1608 public virtual XmlElement CreateAlgorithmSuiteAssertion(SecurityAlgorithmSuite suite) 1609 { 1610 if (suite == null) 1611 { 1612 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("suite"); 1613 } 1614 1615 XmlElement result; 1616 1617 if (suite == SecurityAlgorithmSuite.Basic256) 1618 result = CreateWsspAssertion(Basic256Name); 1619 else if (suite == SecurityAlgorithmSuite.Basic192) 1620 result = CreateWsspAssertion(Basic192Name); 1621 else if (suite == SecurityAlgorithmSuite.Basic128) 1622 result = CreateWsspAssertion(Basic128Name); 1623 else if (suite == SecurityAlgorithmSuite.TripleDes) 1624 result = CreateWsspAssertion(TripleDesName); 1625 else if (suite == SecurityAlgorithmSuite.Basic256Rsa15) 1626 result = CreateWsspAssertion(Basic256Rsa15Name); 1627 else if (suite == SecurityAlgorithmSuite.Basic192Rsa15) 1628 result = CreateWsspAssertion(Basic192Rsa15Name); 1629 else if (suite == SecurityAlgorithmSuite.Basic128Rsa15) 1630 result = CreateWsspAssertion(Basic128Rsa15Name); 1631 else if (suite == SecurityAlgorithmSuite.TripleDesRsa15) 1632 result = CreateWsspAssertion(TripleDesRsa15Name); 1633 else if (suite == SecurityAlgorithmSuite.Basic256Sha256) 1634 result = CreateWsspAssertion(Basic256Sha256Name); 1635 else if (suite == SecurityAlgorithmSuite.Basic192Sha256) 1636 result = CreateWsspAssertion(Basic192Sha256Name); 1637 else if (suite == SecurityAlgorithmSuite.Basic128Sha256) 1638 result = CreateWsspAssertion(Basic128Sha256Name); 1639 else if (suite == SecurityAlgorithmSuite.TripleDesSha256) 1640 result = CreateWsspAssertion(TripleDesSha256Name); 1641 else if (suite == SecurityAlgorithmSuite.Basic256Sha256Rsa15) 1642 result = CreateWsspAssertion(Basic256Sha256Rsa15Name); 1643 else if (suite == SecurityAlgorithmSuite.Basic192Sha256Rsa15) 1644 result = CreateWsspAssertion(Basic192Sha256Rsa15Name); 1645 else if (suite == SecurityAlgorithmSuite.Basic128Sha256Rsa15) 1646 result = CreateWsspAssertion(Basic128Sha256Rsa15Name); 1647 else if (suite == SecurityAlgorithmSuite.TripleDesSha256Rsa15) 1648 result = CreateWsspAssertion(TripleDesSha256Rsa15Name); 1649 else 1650 { 1651 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("suite")); 1652 } 1653 1654 return result; 1655 } 1656 TryImportAlgorithmSuiteAssertion(ICollection<XmlElement> assertions, out SecurityAlgorithmSuite suite)1657 public virtual bool TryImportAlgorithmSuiteAssertion(ICollection<XmlElement> assertions, out SecurityAlgorithmSuite suite) 1658 { 1659 if (TryImportWsspAssertion(assertions, Basic256Name)) 1660 suite = SecurityAlgorithmSuite.Basic256; 1661 else if (TryImportWsspAssertion(assertions, Basic192Name)) 1662 suite = SecurityAlgorithmSuite.Basic192; 1663 else if (TryImportWsspAssertion(assertions, Basic128Name)) 1664 suite = SecurityAlgorithmSuite.Basic128; 1665 else if (TryImportWsspAssertion(assertions, TripleDesName)) 1666 suite = SecurityAlgorithmSuite.TripleDes; 1667 else if (TryImportWsspAssertion(assertions, Basic256Rsa15Name)) 1668 suite = SecurityAlgorithmSuite.Basic256Rsa15; 1669 else if (TryImportWsspAssertion(assertions, Basic192Rsa15Name)) 1670 suite = SecurityAlgorithmSuite.Basic192Rsa15; 1671 else if (TryImportWsspAssertion(assertions, Basic128Rsa15Name)) 1672 suite = SecurityAlgorithmSuite.Basic128Rsa15; 1673 else if (TryImportWsspAssertion(assertions, TripleDesRsa15Name)) 1674 suite = SecurityAlgorithmSuite.TripleDesRsa15; 1675 else if (TryImportWsspAssertion(assertions, Basic256Sha256Name)) 1676 suite = SecurityAlgorithmSuite.Basic256Sha256; 1677 else if (TryImportWsspAssertion(assertions, Basic192Sha256Name)) 1678 suite = SecurityAlgorithmSuite.Basic192Sha256; 1679 else if (TryImportWsspAssertion(assertions, Basic128Sha256Name)) 1680 suite = SecurityAlgorithmSuite.Basic128Sha256; 1681 else if (TryImportWsspAssertion(assertions, TripleDesSha256Name)) 1682 suite = SecurityAlgorithmSuite.TripleDesSha256; 1683 else if (TryImportWsspAssertion(assertions, Basic256Sha256Rsa15Name)) 1684 suite = SecurityAlgorithmSuite.Basic256Sha256Rsa15; 1685 else if (TryImportWsspAssertion(assertions, Basic192Sha256Rsa15Name)) 1686 suite = SecurityAlgorithmSuite.Basic192Sha256Rsa15; 1687 else if (TryImportWsspAssertion(assertions, Basic128Sha256Rsa15Name)) 1688 suite = SecurityAlgorithmSuite.Basic128Sha256Rsa15; 1689 else if (TryImportWsspAssertion(assertions, TripleDesSha256Rsa15Name)) 1690 suite = SecurityAlgorithmSuite.TripleDesSha256Rsa15; 1691 else 1692 suite = null; 1693 1694 return suite != null; 1695 } 1696 CreateWsspProtectionTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)1697 public virtual XmlElement CreateWsspProtectionTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters) 1698 { 1699 XmlElement result = CreateWsspAssertion(ProtectionTokenName); 1700 1701 result.AppendChild( 1702 CreateWspPolicyWrapper( 1703 exporter, 1704 CreateTokenAssertion(exporter, parameters) 1705 )); 1706 _protectionTokenHasAsymmetricKey = parameters.HasAsymmetricKey; 1707 1708 return result; 1709 } 1710 TryImportWsspProtectionTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, SymmetricSecurityBindingElement binding)1711 public virtual bool TryImportWsspProtectionTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, SymmetricSecurityBindingElement binding) 1712 { 1713 bool result = false; 1714 1715 XmlElement assertion; 1716 Collection<Collection<XmlElement>> alternatives; 1717 if (TryImportWsspAssertion(assertions, ProtectionTokenName, out assertion) 1718 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1719 { 1720 foreach (Collection<XmlElement> alternative in alternatives) 1721 { 1722 SecurityTokenParameters tokenParameters; 1723 bool isOptional; 1724 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional) 1725 && alternative.Count == 0) 1726 { 1727 result = true; 1728 binding.ProtectionTokenParameters = tokenParameters; 1729 break; 1730 } 1731 } 1732 } 1733 1734 return result; 1735 } 1736 TryImportWsspInitiatorTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)1737 public virtual bool TryImportWsspInitiatorTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding) 1738 { 1739 bool result = false; 1740 1741 XmlElement assertion; 1742 Collection<Collection<XmlElement>> alternatives; 1743 if (TryImportWsspAssertion(assertions, InitiatorTokenName, out assertion) 1744 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1745 { 1746 foreach (Collection<XmlElement> alternative in alternatives) 1747 { 1748 SecurityTokenParameters tokenParameters; 1749 bool isOptional; 1750 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional) 1751 && alternative.Count == 0) 1752 { 1753 result = true; 1754 binding.InitiatorTokenParameters = tokenParameters; 1755 break; 1756 } 1757 } 1758 } 1759 1760 return result; 1761 } 1762 TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)1763 public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding) 1764 { 1765 bool result = false; 1766 1767 XmlElement assertion; 1768 Collection<Collection<XmlElement>> alternatives; 1769 if (TryImportWsspAssertion(assertions, RecipientTokenName, out assertion) 1770 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 1771 { 1772 foreach (Collection<XmlElement> alternative in alternatives) 1773 { 1774 SecurityTokenParameters tokenParameters; 1775 bool isOptional; 1776 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional) 1777 && alternative.Count == 0) 1778 { 1779 result = true; 1780 binding.RecipientTokenParameters = tokenParameters; 1781 break; 1782 } 1783 } 1784 } 1785 1786 return result; 1787 } 1788 CreateWsspInitiatorTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)1789 public virtual XmlElement CreateWsspInitiatorTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters) 1790 { 1791 XmlElement result = CreateWsspAssertion(InitiatorTokenName); 1792 1793 result.AppendChild( 1794 CreateWspPolicyWrapper( 1795 exporter, 1796 CreateTokenAssertion(exporter, parameters) 1797 )); 1798 1799 return result; 1800 } 1801 CreateWsspRecipientTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)1802 public virtual XmlElement CreateWsspRecipientTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters) 1803 { 1804 XmlElement result = CreateWsspAssertion(RecipientTokenName); 1805 1806 result.AppendChild( 1807 CreateWspPolicyWrapper( 1808 exporter, 1809 CreateTokenAssertion(exporter, parameters) 1810 )); 1811 1812 return result; 1813 } 1814 CreateWsspTransportTokenAssertion(MetadataExporter exporter, XmlElement transportTokenAssertion)1815 public virtual XmlElement CreateWsspTransportTokenAssertion(MetadataExporter exporter, XmlElement transportTokenAssertion) 1816 { 1817 if (transportTokenAssertion == null) 1818 { 1819 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transportTokenAssertion"); 1820 } 1821 1822 XmlElement result = CreateWsspAssertion(TransportTokenName); 1823 1824 result.AppendChild( 1825 CreateWspPolicyWrapper( 1826 exporter, 1827 (XmlElement)(doc.ImportNode(transportTokenAssertion, true)) 1828 )); 1829 1830 return result; 1831 } 1832 TryImportWsspTransportTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out XmlElement transportBindingAssertion)1833 public virtual bool TryImportWsspTransportTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out XmlElement transportBindingAssertion) 1834 { 1835 transportBindingAssertion = null; 1836 1837 XmlElement assertion; 1838 Collection<Collection<XmlElement>> alternatives; 1839 if (TryImportWsspAssertion(assertions, TransportTokenName, out assertion) 1840 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives) 1841 && alternatives.Count == 1 1842 && alternatives[0].Count == 1) 1843 { 1844 // we cannot process choices of transport tokens due to the current contract between 1845 // security and transport binding element converters 1846 transportBindingAssertion = alternatives[0][0]; 1847 } 1848 1849 return transportBindingAssertion != null; 1850 } 1851 CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)1852 public virtual XmlElement CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters) 1853 { 1854 return CreateTokenAssertion(exporter, parameters, false); 1855 } 1856 CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters, bool isOptional)1857 public virtual XmlElement CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters, bool isOptional) 1858 { 1859 if (parameters == null) 1860 { 1861 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters"); 1862 } 1863 1864 XmlElement result; 1865 1866 if (parameters is KerberosSecurityTokenParameters) 1867 { 1868 result = CreateWsspKerberosTokenAssertion(exporter, (KerberosSecurityTokenParameters)parameters); 1869 } 1870 else if (parameters is X509SecurityTokenParameters) 1871 { 1872 result = CreateWsspX509TokenAssertion(exporter, (X509SecurityTokenParameters)parameters); 1873 } 1874 else if (parameters is UserNameSecurityTokenParameters) 1875 { 1876 result = CreateWsspUsernameTokenAssertion(exporter, (UserNameSecurityTokenParameters)parameters); 1877 } 1878 else if (parameters is IssuedSecurityTokenParameters) 1879 { 1880 result = CreateWsspIssuedTokenAssertion(exporter, (IssuedSecurityTokenParameters)parameters); 1881 } 1882 else if (parameters is SspiSecurityTokenParameters) 1883 { 1884 result = CreateWsspSpnegoContextTokenAssertion(exporter, (SspiSecurityTokenParameters)parameters); 1885 } 1886 else if (parameters is SslSecurityTokenParameters) 1887 { 1888 result = CreateMsspSslContextTokenAssertion(exporter, (SslSecurityTokenParameters)parameters); 1889 } 1890 else if (parameters is SecureConversationSecurityTokenParameters) 1891 { 1892 result = CreateWsspSecureConversationTokenAssertion(exporter, (SecureConversationSecurityTokenParameters)parameters); 1893 } 1894 else if (parameters is RsaSecurityTokenParameters) 1895 { 1896 result = CreateWsspRsaTokenAssertion((RsaSecurityTokenParameters)parameters); 1897 } 1898 else 1899 { 1900 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("parameters")); 1901 } 1902 1903 if (result != null && isOptional) 1904 { 1905 result.SetAttribute(OptionalName, exporter.PolicyVersion.Namespace, TrueName); 1906 } 1907 1908 return result; 1909 } 1910 TryImportTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, Collection<XmlElement> assertions, out SecurityTokenParameters parameters, out bool isOptional)1911 public virtual bool TryImportTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, Collection<XmlElement> assertions, out SecurityTokenParameters parameters, out bool isOptional) 1912 { 1913 parameters = null; 1914 isOptional = false; 1915 1916 if (assertions.Count >= 1) 1917 { 1918 XmlElement tokenAssertion = assertions[0]; 1919 if (TryImportWsspKerberosTokenAssertion(importer, tokenAssertion, out parameters) 1920 || TryImportWsspX509TokenAssertion(importer, tokenAssertion, out parameters) 1921 || TryImportWsspUsernameTokenAssertion(importer, tokenAssertion, out parameters) 1922 || TryImportWsspIssuedTokenAssertion(importer, policyContext, tokenAssertion, out parameters) 1923 || TryImportWsspSpnegoContextTokenAssertion(importer, tokenAssertion, out parameters) 1924 || TryImportMsspSslContextTokenAssertion(importer, tokenAssertion, out parameters) 1925 || TryImportWsspSecureConversationTokenAssertion(importer, tokenAssertion, out parameters) 1926 || TryImportWsspRsaTokenAssertion(importer, tokenAssertion, out parameters)) 1927 { 1928 string optionalAttribute = tokenAssertion.GetAttribute(OptionalName, WspNamespace); 1929 1930 if (String.IsNullOrEmpty(optionalAttribute)) 1931 { 1932 optionalAttribute = tokenAssertion.GetAttribute(OptionalName, Wsp15Namespace); 1933 } 1934 1935 try 1936 { 1937 isOptional = XmlUtil.IsTrue(optionalAttribute); 1938 } 1939 catch ( Exception e ) 1940 { 1941 if (Fx.IsFatal(e)) 1942 throw; 1943 if (e is NullReferenceException) 1944 throw; 1945 1946 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedBooleanAttribute, OptionalName, e.Message), false)); 1947 return false; 1948 } 1949 1950 assertions.RemoveAt(0); 1951 } 1952 } 1953 1954 return (parameters != null); 1955 } 1956 SetIncludeTokenValue(XmlElement tokenAssertion, SecurityTokenInclusionMode inclusionMode)1957 public virtual void SetIncludeTokenValue(XmlElement tokenAssertion, SecurityTokenInclusionMode inclusionMode) 1958 { 1959 switch (inclusionMode) 1960 { 1961 default: 1962 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("inclusionMode")); 1963 case SecurityTokenInclusionMode.AlwaysToInitiator: 1964 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, AlwaysToInitiatorUri); 1965 break; 1966 case SecurityTokenInclusionMode.AlwaysToRecipient: 1967 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, AlwaysToRecipientUri); 1968 break; 1969 case SecurityTokenInclusionMode.Never: 1970 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, NeverUri); 1971 break; 1972 case SecurityTokenInclusionMode.Once: 1973 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, OnceUri); 1974 break; 1975 } 1976 } 1977 TryGetIncludeTokenValue(XmlElement assertion, out SecurityTokenInclusionMode mode)1978 public virtual bool TryGetIncludeTokenValue(XmlElement assertion, out SecurityTokenInclusionMode mode) 1979 { 1980 string includeTokenUri = assertion.GetAttribute(IncludeTokenName, this.WsspNamespaceUri); 1981 1982 if (includeTokenUri == AlwaysToInitiatorUri) 1983 { 1984 mode = SecurityTokenInclusionMode.AlwaysToInitiator; 1985 return true; 1986 } 1987 else if (includeTokenUri == AlwaysToRecipientUri) 1988 { 1989 mode = SecurityTokenInclusionMode.AlwaysToRecipient; 1990 return true; 1991 } 1992 else if (includeTokenUri == NeverUri) 1993 { 1994 mode = SecurityTokenInclusionMode.Never; 1995 return true; 1996 } 1997 else if (includeTokenUri == OnceUri) 1998 { 1999 mode = SecurityTokenInclusionMode.Once; 2000 return true; 2001 } 2002 else 2003 { 2004 mode = SecurityTokenInclusionMode.Never; 2005 return false; 2006 } 2007 } 2008 CreateWsspRequireDerivedKeysAssertion(bool requireDerivedKeys)2009 public virtual XmlElement CreateWsspRequireDerivedKeysAssertion(bool requireDerivedKeys) 2010 { 2011 if (requireDerivedKeys) 2012 { 2013 return CreateWsspAssertion(RequireDerivedKeysName); 2014 } 2015 else 2016 { 2017 return null; 2018 } 2019 } 2020 TryImportWsspRequireDerivedKeysAssertion(ICollection<XmlElement> assertions, SecurityTokenParameters parameters)2021 public virtual bool TryImportWsspRequireDerivedKeysAssertion(ICollection<XmlElement> assertions, SecurityTokenParameters parameters) 2022 { 2023 parameters.RequireDerivedKeys = TryImportWsspAssertion(assertions, RequireDerivedKeysName); 2024 return true; 2025 } 2026 CreateWsspKerberosTokenAssertion(MetadataExporter exporter, KerberosSecurityTokenParameters parameters)2027 public virtual XmlElement CreateWsspKerberosTokenAssertion(MetadataExporter exporter, KerberosSecurityTokenParameters parameters) 2028 { 2029 XmlElement result = CreateWsspAssertion(KerberosTokenName); 2030 SetIncludeTokenValue(result, parameters.InclusionMode); 2031 result.AppendChild( 2032 CreateWspPolicyWrapper( 2033 exporter, 2034 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2035 CreateWsspAssertion(WssGssKerberosV5ApReqToken11Name) 2036 )); 2037 return result; 2038 } 2039 TryImportWsspKerberosTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2040 public virtual bool TryImportWsspKerberosTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2041 { 2042 parameters = null; 2043 2044 SecurityTokenInclusionMode inclusionMode; 2045 Collection<Collection<XmlElement>> alternatives; 2046 2047 if (IsWsspAssertion(assertion, KerberosTokenName) 2048 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2049 { 2050 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2051 { 2052 foreach (Collection<XmlElement> alternative in alternatives) 2053 { 2054 parameters = new KerberosSecurityTokenParameters(); 2055 if (TryImportWsspRequireDerivedKeysAssertion(alternative, parameters) 2056 && TryImportWsspAssertion(alternative, WssGssKerberosV5ApReqToken11Name, true) 2057 && alternative.Count == 0) 2058 { 2059 parameters.InclusionMode = inclusionMode; 2060 break; 2061 } 2062 else 2063 { 2064 parameters = null; 2065 } 2066 } 2067 } 2068 else 2069 { 2070 parameters = new KerberosSecurityTokenParameters(); 2071 parameters.RequireDerivedKeys = false; 2072 parameters.InclusionMode = inclusionMode; 2073 } 2074 } 2075 2076 return parameters != null; 2077 } 2078 CreateX509ReferenceStyleAssertion(X509KeyIdentifierClauseType referenceStyle)2079 public virtual XmlElement CreateX509ReferenceStyleAssertion(X509KeyIdentifierClauseType referenceStyle) 2080 { 2081 switch (referenceStyle) 2082 { 2083 default: 2084 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("referenceStyle")); 2085 case X509KeyIdentifierClauseType.IssuerSerial: 2086 _mustSupportRefIssuerSerialName = true; 2087 return CreateWsspAssertion(RequireIssuerSerialReferenceName); 2088 case X509KeyIdentifierClauseType.SubjectKeyIdentifier: 2089 _mustSupportRefKeyIdentifierName = true; 2090 return CreateWsspAssertion(RequireKeyIdentifierReferenceName); 2091 case X509KeyIdentifierClauseType.Thumbprint: 2092 _mustSupportRefThumbprintName = true; 2093 return CreateWsspAssertion(RequireThumbprintReferenceName); 2094 case X509KeyIdentifierClauseType.Any: 2095 _mustSupportRefIssuerSerialName = true; 2096 _mustSupportRefKeyIdentifierName = true; 2097 _mustSupportRefThumbprintName = true; 2098 return null; 2099 } 2100 } 2101 TryImportX509ReferenceStyleAssertion(ICollection<XmlElement> assertions, X509SecurityTokenParameters parameters)2102 public virtual bool TryImportX509ReferenceStyleAssertion(ICollection<XmlElement> assertions, X509SecurityTokenParameters parameters) 2103 { 2104 if (TryImportWsspAssertion(assertions, RequireIssuerSerialReferenceName)) 2105 { 2106 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial; 2107 } 2108 else if (TryImportWsspAssertion(assertions, RequireKeyIdentifierReferenceName)) 2109 { 2110 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier; 2111 } 2112 else if (TryImportWsspAssertion(assertions, RequireThumbprintReferenceName)) 2113 { 2114 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint; 2115 } 2116 2117 return true; 2118 } 2119 CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters)2120 public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters) 2121 { 2122 XmlElement result = CreateWsspAssertion(X509TokenName); 2123 SetIncludeTokenValue(result, parameters.InclusionMode); 2124 result.AppendChild( 2125 CreateWspPolicyWrapper( 2126 exporter, 2127 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2128 CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle), 2129 CreateWsspAssertion(WssX509V3Token10Name) 2130 )); 2131 return result; 2132 } 2133 TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2134 public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2135 { 2136 parameters = null; 2137 2138 SecurityTokenInclusionMode inclusionMode; 2139 Collection<Collection<XmlElement>> alternatives; 2140 2141 if (IsWsspAssertion(assertion, X509TokenName) 2142 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2143 { 2144 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2145 { 2146 foreach (Collection<XmlElement> alternative in alternatives) 2147 { 2148 X509SecurityTokenParameters x509 = new X509SecurityTokenParameters(); 2149 parameters = x509; 2150 if (TryImportWsspRequireDerivedKeysAssertion(alternative, x509) 2151 && TryImportX509ReferenceStyleAssertion(alternative, x509) 2152 && TryImportWsspAssertion(alternative, WssX509V3Token10Name, true) 2153 && alternative.Count == 0) 2154 { 2155 parameters.InclusionMode = inclusionMode; 2156 break; 2157 } 2158 else 2159 { 2160 parameters = null; 2161 } 2162 } 2163 } 2164 else 2165 { 2166 parameters = new X509SecurityTokenParameters(); 2167 parameters.RequireDerivedKeys = false; 2168 parameters.InclusionMode = inclusionMode; 2169 } 2170 } 2171 2172 return parameters != null; 2173 } 2174 CreateWsspUsernameTokenAssertion(MetadataExporter exporter, UserNameSecurityTokenParameters parameters)2175 public virtual XmlElement CreateWsspUsernameTokenAssertion(MetadataExporter exporter, UserNameSecurityTokenParameters parameters) 2176 { 2177 XmlElement result = CreateWsspAssertion(UsernameTokenName); 2178 SetIncludeTokenValue(result, parameters.InclusionMode); 2179 result.AppendChild( 2180 CreateWspPolicyWrapper( 2181 exporter, 2182 CreateWsspAssertion(WssUsernameToken10Name) 2183 )); 2184 return result; 2185 } 2186 TryImportWsspUsernameTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2187 public virtual bool TryImportWsspUsernameTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2188 { 2189 parameters = null; 2190 2191 SecurityTokenInclusionMode inclusionMode; 2192 Collection<Collection<XmlElement>> alternatives; 2193 2194 if (IsWsspAssertion(assertion, UsernameTokenName) 2195 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2196 { 2197 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2198 { 2199 foreach (Collection<XmlElement> alternative in alternatives) 2200 { 2201 if (TryImportWsspAssertion(alternative, WssUsernameToken10Name) 2202 && alternative.Count == 0) 2203 { 2204 parameters = new UserNameSecurityTokenParameters(); 2205 parameters.InclusionMode = inclusionMode; 2206 break; 2207 } 2208 } 2209 } 2210 else 2211 { 2212 parameters = new UserNameSecurityTokenParameters(); 2213 parameters.InclusionMode = inclusionMode; 2214 } 2215 } 2216 2217 return parameters != null; 2218 } 2219 CreateWsspRsaTokenAssertion(RsaSecurityTokenParameters parameters)2220 public virtual XmlElement CreateWsspRsaTokenAssertion(RsaSecurityTokenParameters parameters) 2221 { 2222 XmlElement result = CreateMsspAssertion(RsaTokenName); 2223 SetIncludeTokenValue(result, parameters.InclusionMode); 2224 return result; 2225 } 2226 TryImportWsspRsaTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2227 public virtual bool TryImportWsspRsaTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2228 { 2229 parameters = null; 2230 2231 SecurityTokenInclusionMode inclusionMode; 2232 Collection<Collection<XmlElement>> alternatives; 2233 2234 if (IsMsspAssertion(assertion, RsaTokenName) 2235 && TryGetIncludeTokenValue(assertion, out inclusionMode) 2236 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives) == false) 2237 { 2238 parameters = new RsaSecurityTokenParameters(); 2239 parameters.InclusionMode = inclusionMode; 2240 } 2241 2242 return parameters != null; 2243 } 2244 CreateReferenceStyleAssertion(SecurityTokenReferenceStyle referenceStyle)2245 public virtual XmlElement CreateReferenceStyleAssertion(SecurityTokenReferenceStyle referenceStyle) 2246 { 2247 switch (referenceStyle) 2248 { 2249 default: 2250 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("referenceStyle")); 2251 case SecurityTokenReferenceStyle.External: 2252 return CreateWsspAssertion(RequireExternalReferenceName); 2253 case SecurityTokenReferenceStyle.Internal: 2254 return CreateWsspAssertion(RequireInternalReferenceName); 2255 } 2256 } 2257 TryImportReferenceStyleAssertion(ICollection<XmlElement> assertions, IssuedSecurityTokenParameters parameters)2258 public virtual bool TryImportReferenceStyleAssertion(ICollection<XmlElement> assertions, IssuedSecurityTokenParameters parameters) 2259 { 2260 if (TryImportWsspAssertion(assertions, RequireExternalReferenceName)) 2261 { 2262 parameters.ReferenceStyle = SecurityTokenReferenceStyle.External; 2263 } 2264 else if (TryImportWsspAssertion(assertions, RequireInternalReferenceName)) 2265 { 2266 parameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; 2267 } 2268 2269 return true; 2270 } 2271 CreateWsspIssuerElement(EndpointAddress issuerAddress, EndpointAddress issuerMetadataAddress)2272 public virtual XmlElement CreateWsspIssuerElement(EndpointAddress issuerAddress, EndpointAddress issuerMetadataAddress) 2273 { 2274 XmlElement result; 2275 if (issuerAddress == null && issuerMetadataAddress == null) 2276 { 2277 result = null; 2278 } 2279 else 2280 { 2281 EndpointAddress addressToSerialize; 2282 addressToSerialize = issuerAddress == null ? EndpointAddress.AnonymousAddress : issuerAddress; 2283 2284 MemoryStream stream; 2285 XmlWriter writer; 2286 2287 if (issuerMetadataAddress != null) 2288 { 2289 MetadataSet metadataSet = new MetadataSet(); 2290 metadataSet.MetadataSections.Add(new MetadataSection(null, null, new MetadataReference(issuerMetadataAddress, AddressingVersion.WSAddressing10))); 2291 2292 stream = new MemoryStream(); 2293 writer = new XmlTextWriter(stream, System.Text.Encoding.UTF8); 2294 metadataSet.WriteTo(XmlDictionaryWriter.CreateDictionaryWriter(writer)); 2295 writer.Flush(); 2296 stream.Seek(0, SeekOrigin.Begin); 2297 2298 addressToSerialize = new EndpointAddress( 2299 addressToSerialize.Uri, 2300 addressToSerialize.Identity, 2301 addressToSerialize.Headers, 2302 XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(stream)), 2303 addressToSerialize.GetReaderAtExtensions()); 2304 } 2305 2306 stream = new MemoryStream(); 2307 writer = new XmlTextWriter(stream, System.Text.Encoding.UTF8); 2308 writer.WriteStartElement(IssuerName, this.WsspNamespaceUri); 2309 addressToSerialize.WriteContentsTo(AddressingVersion.WSAddressing10, writer); 2310 writer.WriteEndElement(); 2311 writer.Flush(); 2312 stream.Seek(0, SeekOrigin.Begin); 2313 result = (XmlElement)doc.ReadNode(new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit }); 2314 } 2315 return result; 2316 } 2317 TryGetIssuer(XmlElement assertion, out EndpointAddress issuer, out EndpointAddress issuerMetadata)2318 public virtual bool TryGetIssuer(XmlElement assertion, out EndpointAddress issuer, out EndpointAddress issuerMetadata) 2319 { 2320 bool result = true; 2321 issuer = null; 2322 issuerMetadata = null; 2323 2324 foreach (XmlNode node in assertion.ChildNodes) 2325 { 2326 if (node is XmlElement && IsWsspAssertion((XmlElement)node, IssuerName)) 2327 { 2328 try 2329 { 2330 issuer = EndpointAddress.ReadFrom(XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(node))); 2331 XmlDictionaryReader metadataReader = issuer.GetReaderAtMetadata(); 2332 if (metadataReader != null) 2333 { 2334 while (metadataReader.MoveToContent() == XmlNodeType.Element) 2335 { 2336 if (metadataReader.LocalName == MetadataStrings.MetadataExchangeStrings.Metadata 2337 && metadataReader.NamespaceURI == MetadataStrings.MetadataExchangeStrings.Namespace) 2338 { 2339 MetadataSet metadataSet = MetadataSet.ReadFrom(metadataReader); 2340 foreach (MetadataSection section in metadataSet.MetadataSections) 2341 { 2342 if (section.Metadata is MetadataReference) 2343 { 2344 issuerMetadata = ((MetadataReference)section.Metadata).Address; 2345 } 2346 } 2347 2348 break; 2349 } 2350 else 2351 { 2352 metadataReader.Skip(); 2353 } 2354 } 2355 } 2356 } 2357 catch (Exception e) 2358 { 2359 if (Fx.IsFatal(e)) 2360 throw; 2361 if (e is NullReferenceException) 2362 throw; 2363 result = false; 2364 } 2365 break; 2366 } 2367 } 2368 2369 return result; 2370 } 2371 CreateWsspIssuedTokenAssertion(MetadataExporter exporter, IssuedSecurityTokenParameters parameters)2372 public virtual XmlElement CreateWsspIssuedTokenAssertion(MetadataExporter exporter, IssuedSecurityTokenParameters parameters) 2373 { 2374 XmlElement result = CreateWsspAssertion(IssuedTokenName); 2375 SetIncludeTokenValue(result, parameters.InclusionMode); 2376 XmlElement issuerAssertion = CreateWsspIssuerElement(parameters.IssuerAddress, parameters.IssuerMetadataAddress); 2377 if (issuerAssertion != null) 2378 { 2379 result.AppendChild(issuerAssertion); 2380 } 2381 XmlElement tokenTemplate = CreateWsspAssertion(RequestSecurityTokenTemplateName); 2382 TrustDriver driver = this.TrustDriver; 2383 foreach (XmlElement p in parameters.CreateRequestParameters(driver)) 2384 { 2385 tokenTemplate.AppendChild(doc.ImportNode(p, true)); 2386 } 2387 result.AppendChild(tokenTemplate); 2388 result.AppendChild( 2389 CreateWspPolicyWrapper( 2390 exporter, 2391 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2392 CreateReferenceStyleAssertion(parameters.ReferenceStyle) 2393 )); 2394 return result; 2395 } 2396 TryGetRequestSecurityTokenTemplate(XmlElement assertion, out Collection<XmlElement> requestParameters)2397 public virtual bool TryGetRequestSecurityTokenTemplate(XmlElement assertion, out Collection<XmlElement> requestParameters) 2398 { 2399 requestParameters = null; 2400 2401 foreach (XmlNode node in assertion.ChildNodes) 2402 { 2403 if (node is XmlElement && IsWsspAssertion((XmlElement)node, RequestSecurityTokenTemplateName)) 2404 { 2405 requestParameters = new Collection<XmlElement>(); 2406 foreach (XmlNode p in node.ChildNodes) 2407 { 2408 if (p is XmlElement) 2409 { 2410 requestParameters.Add((XmlElement)p); 2411 } 2412 } 2413 } 2414 } 2415 2416 return requestParameters != null; 2417 } 2418 TryImportWsspIssuedTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, XmlElement assertion, out SecurityTokenParameters parameters)2419 public virtual bool TryImportWsspIssuedTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, XmlElement assertion, out SecurityTokenParameters parameters) 2420 { 2421 parameters = null; 2422 2423 SecurityTokenInclusionMode inclusionMode; 2424 Collection<Collection<XmlElement>> alternatives; 2425 EndpointAddress issuer; 2426 EndpointAddress issuerMetadata; 2427 Collection<XmlElement> requestSecurityTokenTemplate; 2428 2429 if (IsWsspAssertion(assertion, IssuedTokenName) 2430 && TryGetIncludeTokenValue(assertion, out inclusionMode) 2431 && TryGetIssuer(assertion, out issuer, out issuerMetadata) 2432 && TryGetRequestSecurityTokenTemplate(assertion, out requestSecurityTokenTemplate)) 2433 { 2434 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2435 { 2436 foreach (Collection<XmlElement> alternative in alternatives) 2437 { 2438 IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters(); 2439 parameters = issued; 2440 if (TryImportWsspRequireDerivedKeysAssertion(alternative, issued) 2441 && TryImportReferenceStyleAssertion(alternative, issued) 2442 && alternative.Count == 0) 2443 { 2444 issued.InclusionMode = inclusionMode; 2445 issued.IssuerAddress = issuer; 2446 issued.IssuerMetadataAddress = issuerMetadata; 2447 issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver); 2448 2449 TokenIssuerPolicyResolver policyResolver = new TokenIssuerPolicyResolver(this.TrustDriver); 2450 policyResolver.ResolveTokenIssuerPolicy(importer, policyContext, issued); 2451 2452 break; 2453 } 2454 else 2455 { 2456 parameters = null; 2457 } 2458 } 2459 } 2460 else 2461 { 2462 IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters(); 2463 parameters = issued; 2464 issued.InclusionMode = inclusionMode; 2465 issued.IssuerAddress = issuer; 2466 issued.IssuerMetadataAddress = issuerMetadata; 2467 issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver); 2468 issued.RequireDerivedKeys = false; 2469 } 2470 } 2471 2472 return parameters != null; 2473 } 2474 CreateWsspMustNotSendCancelAssertion(bool requireCancel)2475 public virtual XmlElement CreateWsspMustNotSendCancelAssertion(bool requireCancel) 2476 { 2477 if (!requireCancel) 2478 { 2479 XmlElement result = CreateWsspAssertion(MustNotSendCancelName); 2480 return result; 2481 } 2482 else 2483 { 2484 return null; 2485 } 2486 } 2487 TryImportWsspMustNotSendCancelAssertion(ICollection<XmlElement> assertions, out bool requireCancellation)2488 public virtual bool TryImportWsspMustNotSendCancelAssertion(ICollection<XmlElement> assertions, out bool requireCancellation) 2489 { 2490 requireCancellation = !TryImportWsspAssertion(assertions, MustNotSendCancelName); 2491 return true; 2492 } 2493 CreateWsspSpnegoContextTokenAssertion(MetadataExporter exporter, SspiSecurityTokenParameters parameters)2494 public virtual XmlElement CreateWsspSpnegoContextTokenAssertion(MetadataExporter exporter, SspiSecurityTokenParameters parameters) 2495 { 2496 XmlElement result = CreateWsspAssertion(SpnegoContextTokenName); 2497 SetIncludeTokenValue(result, parameters.InclusionMode); 2498 result.AppendChild( 2499 CreateWspPolicyWrapper( 2500 exporter, 2501 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2502 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation) 2503 )); 2504 return result; 2505 } 2506 TryImportWsspSpnegoContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2507 public virtual bool TryImportWsspSpnegoContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2508 { 2509 parameters = null; 2510 2511 SecurityTokenInclusionMode inclusionMode; 2512 Collection<Collection<XmlElement>> alternatives; 2513 2514 if (IsWsspAssertion(assertion, SpnegoContextTokenName) 2515 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2516 { 2517 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2518 { 2519 foreach (Collection<XmlElement> alternative in alternatives) 2520 { 2521 SspiSecurityTokenParameters sspi = new SspiSecurityTokenParameters(); 2522 parameters = sspi; 2523 bool requireCancellation; 2524 if (TryImportWsspRequireDerivedKeysAssertion(alternative, sspi) 2525 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation) 2526 && alternative.Count == 0) 2527 { 2528 sspi.RequireCancellation = requireCancellation; 2529 sspi.InclusionMode = inclusionMode; 2530 break; 2531 } 2532 else 2533 { 2534 parameters = null; 2535 } 2536 } 2537 } 2538 else 2539 { 2540 parameters = new SspiSecurityTokenParameters(); 2541 parameters.RequireDerivedKeys = false; 2542 parameters.InclusionMode = inclusionMode; 2543 } 2544 } 2545 2546 return parameters != null; 2547 } 2548 CreateWsspHttpsTokenAssertion(MetadataExporter exporter, HttpsTransportBindingElement httpsBinding)2549 public abstract XmlElement CreateWsspHttpsTokenAssertion(MetadataExporter exporter, HttpsTransportBindingElement httpsBinding); 2550 TryImportWsspHttpsTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, HttpsTransportBindingElement httpsBinding)2551 public abstract bool TryImportWsspHttpsTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, HttpsTransportBindingElement httpsBinding); 2552 ContainsWsspHttpsTokenAssertion(ICollection<XmlElement> assertions)2553 public virtual bool ContainsWsspHttpsTokenAssertion(ICollection<XmlElement> assertions) 2554 { 2555 return (PolicyConversionContext.FindAssertion(assertions, HttpsTokenName, this.WsspNamespaceUri, false) != null); 2556 } 2557 CreateMsspRequireClientCertificateAssertion(bool requireClientCertificate)2558 public virtual XmlElement CreateMsspRequireClientCertificateAssertion(bool requireClientCertificate) 2559 { 2560 if (requireClientCertificate) 2561 { 2562 return CreateMsspAssertion(RequireClientCertificateName); 2563 } 2564 else 2565 { 2566 return null; 2567 } 2568 } 2569 TryImportMsspRequireClientCertificateAssertion(ICollection<XmlElement> assertions, SslSecurityTokenParameters parameters)2570 public virtual bool TryImportMsspRequireClientCertificateAssertion(ICollection<XmlElement> assertions, SslSecurityTokenParameters parameters) 2571 { 2572 parameters.RequireClientCertificate = TryImportMsspAssertion(assertions, RequireClientCertificateName); 2573 return true; 2574 } 2575 CreateMsspSslContextTokenAssertion(MetadataExporter exporter, SslSecurityTokenParameters parameters)2576 public virtual XmlElement CreateMsspSslContextTokenAssertion(MetadataExporter exporter, SslSecurityTokenParameters parameters) 2577 { 2578 XmlElement result = CreateMsspAssertion(SslContextTokenName); 2579 SetIncludeTokenValue(result, parameters.InclusionMode); 2580 result.AppendChild( 2581 CreateWspPolicyWrapper( 2582 exporter, 2583 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2584 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation), 2585 CreateMsspRequireClientCertificateAssertion(parameters.RequireClientCertificate) 2586 )); 2587 return result; 2588 } 2589 TryImportMsspSslContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2590 public virtual bool TryImportMsspSslContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2591 { 2592 parameters = null; 2593 2594 SecurityTokenInclusionMode inclusionMode; 2595 Collection<Collection<XmlElement>> alternatives; 2596 2597 if (IsMsspAssertion(assertion, SslContextTokenName) 2598 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2599 { 2600 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2601 { 2602 foreach (Collection<XmlElement> alternative in alternatives) 2603 { 2604 SslSecurityTokenParameters ssl = new SslSecurityTokenParameters(); 2605 parameters = ssl; 2606 bool requireCancellation; 2607 if (TryImportWsspRequireDerivedKeysAssertion(alternative, ssl) 2608 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation) 2609 && TryImportMsspRequireClientCertificateAssertion(alternative, ssl) 2610 && alternative.Count == 0) 2611 { 2612 ssl.RequireCancellation = requireCancellation; 2613 ssl.InclusionMode = inclusionMode; 2614 break; 2615 } 2616 else 2617 { 2618 parameters = null; 2619 } 2620 } 2621 } 2622 else 2623 { 2624 parameters = new SslSecurityTokenParameters(); 2625 parameters.RequireDerivedKeys = false; 2626 parameters.InclusionMode = inclusionMode; 2627 } 2628 } 2629 2630 return parameters != null; 2631 } 2632 CreateWsspBootstrapPolicyAssertion(MetadataExporter exporter, SecurityBindingElement bootstrapSecurity)2633 public virtual XmlElement CreateWsspBootstrapPolicyAssertion(MetadataExporter exporter, SecurityBindingElement bootstrapSecurity) 2634 { 2635 if (bootstrapSecurity == null) 2636 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("bootstrapBinding"); 2637 2638 WSSecurityPolicy sp = WSSecurityPolicy.GetSecurityPolicyDriver(bootstrapSecurity.MessageSecurityVersion); 2639 2640 // create complete bootstrap binding 2641 2642 CustomBinding bootstrapBinding = new CustomBinding(bootstrapSecurity); 2643 if (exporter.State.ContainsKey(SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey)) 2644 { 2645 BindingElementCollection bindingElementsBelowSecurity = exporter.State[SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey] as BindingElementCollection; 2646 if (bindingElementsBelowSecurity != null) 2647 { 2648 foreach (BindingElement be in bindingElementsBelowSecurity) 2649 { 2650 bootstrapBinding.Elements.Add(be); 2651 } 2652 } 2653 } 2654 2655 // generate policy for the "how" of security 2656 2657 ServiceEndpoint bootstrapEndpoint = new ServiceEndpoint(NullContract); 2658 bootstrapEndpoint.Binding = bootstrapBinding; 2659 PolicyConversionContext policyContext = exporter.ExportPolicy(bootstrapEndpoint); 2660 2661 // generate policy for the "what" of security (protection assertions) 2662 2663 // hard-coded requirements in V1: sign and encrypt RST and RSTR body 2664 ChannelProtectionRequirements bootstrapProtection = new ChannelProtectionRequirements(); 2665 bootstrapProtection.IncomingEncryptionParts.AddParts(new MessagePartSpecification(true)); 2666 bootstrapProtection.OutgoingEncryptionParts.AddParts(new MessagePartSpecification(true)); 2667 bootstrapProtection.IncomingSignatureParts.AddParts(new MessagePartSpecification(true)); 2668 bootstrapProtection.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true)); 2669 2670 // add boostrap binding protection requirements (e.g. addressing headers) 2671 ChannelProtectionRequirements cpr = bootstrapBinding.GetProperty<ChannelProtectionRequirements>(new BindingParameterCollection()); 2672 if (cpr != null) 2673 { 2674 bootstrapProtection.Add(cpr); 2675 } 2676 2677 // extract channel-scope protection requirements and union them across request and response 2678 MessagePartSpecification encryption = new MessagePartSpecification(); 2679 encryption.Union(bootstrapProtection.IncomingEncryptionParts.ChannelParts); 2680 encryption.Union(bootstrapProtection.OutgoingEncryptionParts.ChannelParts); 2681 encryption.MakeReadOnly(); 2682 MessagePartSpecification signature = new MessagePartSpecification(); 2683 signature.Union(bootstrapProtection.IncomingSignatureParts.ChannelParts); 2684 signature.Union(bootstrapProtection.OutgoingSignatureParts.ChannelParts); 2685 signature.MakeReadOnly(); 2686 2687 // create final boostrap policy assertion 2688 2689 XmlElement nestedPolicy = CreateWspPolicyWrapper( 2690 exporter, 2691 sp.CreateWsspSignedPartsAssertion(signature), 2692 sp.CreateWsspEncryptedPartsAssertion(encryption)); 2693 foreach (XmlElement e in sp.FilterWsspPolicyAssertions(policyContext.GetBindingAssertions())) 2694 { 2695 nestedPolicy.AppendChild(e); 2696 } 2697 XmlElement result = CreateWsspAssertion(BootstrapPolicyName); 2698 result.AppendChild(nestedPolicy); 2699 2700 return result; 2701 } 2702 FilterWsspPolicyAssertions(ICollection<XmlElement> policyAssertions)2703 public virtual ICollection<XmlElement> FilterWsspPolicyAssertions(ICollection<XmlElement> policyAssertions) 2704 { 2705 Collection<XmlElement> result = new Collection<XmlElement>(); 2706 2707 foreach (XmlElement assertion in policyAssertions) 2708 if (IsWsspAssertion(assertion)) 2709 result.Add(assertion); 2710 2711 return result; 2712 } 2713 TryImportWsspBootstrapPolicyAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecureConversationSecurityTokenParameters parameters)2714 public virtual bool TryImportWsspBootstrapPolicyAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecureConversationSecurityTokenParameters parameters) 2715 { 2716 bool result = false; 2717 2718 XmlElement assertion; 2719 Collection<Collection<XmlElement>> alternatives; 2720 2721 if (TryImportWsspAssertion(assertions, BootstrapPolicyName, out assertion) 2722 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2723 { 2724 BindingElementCollection bindingElements; 2725 importer.State[SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode] = SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode; 2726 try 2727 { 2728 bindingElements = importer.ImportPolicy(NullServiceEndpoint, alternatives); 2729 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements)) 2730 { 2731 MessagePartSpecification encryption = (MessagePartSpecification)importer.State[SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements]; 2732 if (encryption.IsBodyIncluded != true) 2733 { 2734 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedSecureConversationBootstrapProtectionRequirements), false)); 2735 bindingElements = null; 2736 } 2737 } 2738 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements)) 2739 { 2740 MessagePartSpecification signature = (MessagePartSpecification)importer.State[SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements]; 2741 if (signature.IsBodyIncluded != true) 2742 { 2743 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedSecureConversationBootstrapProtectionRequirements), false)); 2744 bindingElements = null; 2745 } 2746 } 2747 } 2748 finally 2749 { 2750 importer.State.Remove(SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode); 2751 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements)) 2752 importer.State.Remove(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements); 2753 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements)) 2754 importer.State.Remove(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements); 2755 } 2756 if (bindingElements != null) 2757 { 2758 parameters.BootstrapSecurityBindingElement = bindingElements.Find<SecurityBindingElement>(); 2759 return true; 2760 } 2761 else 2762 { 2763 parameters.BootstrapSecurityBindingElement = null; 2764 return true; // Consider returning false here. 2765 } 2766 } 2767 2768 return result; 2769 } 2770 CreateWsspSecureConversationTokenAssertion(MetadataExporter exporter, SecureConversationSecurityTokenParameters parameters)2771 public virtual XmlElement CreateWsspSecureConversationTokenAssertion(MetadataExporter exporter, SecureConversationSecurityTokenParameters parameters) 2772 { 2773 XmlElement result = CreateWsspAssertion(SecureConversationTokenName); 2774 SetIncludeTokenValue(result, parameters.InclusionMode); 2775 result.AppendChild( 2776 CreateWspPolicyWrapper( 2777 exporter, 2778 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), 2779 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation), 2780 CreateWsspBootstrapPolicyAssertion(exporter, parameters.BootstrapSecurityBindingElement) 2781 )); 2782 return result; 2783 } 2784 TryImportWsspSecureConversationTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)2785 public virtual bool TryImportWsspSecureConversationTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters) 2786 { 2787 parameters = null; 2788 2789 SecurityTokenInclusionMode inclusionMode; 2790 Collection<Collection<XmlElement>> alternatives; 2791 2792 if (IsWsspAssertion(assertion, SecureConversationTokenName) 2793 && TryGetIncludeTokenValue(assertion, out inclusionMode)) 2794 { 2795 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) 2796 { 2797 foreach (Collection<XmlElement> alternative in alternatives) 2798 { 2799 SecureConversationSecurityTokenParameters sc = new SecureConversationSecurityTokenParameters(); 2800 parameters = sc; 2801 bool requireCancellation; 2802 if (TryImportWsspRequireDerivedKeysAssertion(alternative, sc) 2803 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation) 2804 && TryImportWsspBootstrapPolicyAssertion(importer, alternative, sc) 2805 && alternative.Count == 0) 2806 { 2807 sc.RequireCancellation = requireCancellation; 2808 sc.InclusionMode = inclusionMode; 2809 break; 2810 } 2811 else 2812 { 2813 parameters = null; 2814 } 2815 } 2816 } 2817 else 2818 { 2819 parameters = new SecureConversationSecurityTokenParameters(); 2820 parameters.InclusionMode = inclusionMode; 2821 parameters.RequireDerivedKeys = false; 2822 } 2823 } 2824 2825 return parameters != null; 2826 } 2827 2828 class TokenIssuerPolicyResolver 2829 { 2830 const string WSIdentityNamespace = @"http://schemas.xmlsoap.org/ws/2005/05/identity"; 2831 static readonly Uri SelfIssuerUri = new Uri(WSIdentityNamespace + "/issuer/self"); 2832 2833 TrustDriver trustDriver; 2834 TokenIssuerPolicyResolver(TrustDriver driver)2835 public TokenIssuerPolicyResolver(TrustDriver driver) 2836 { 2837 this.trustDriver = driver; 2838 } 2839 ResolveTokenIssuerPolicy(MetadataImporter importer, PolicyConversionContext policyContext, IssuedSecurityTokenParameters parameters)2840 public void ResolveTokenIssuerPolicy(MetadataImporter importer, PolicyConversionContext policyContext, IssuedSecurityTokenParameters parameters) 2841 { 2842 if (policyContext == null) 2843 { 2844 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext"); 2845 } 2846 if (parameters == null) 2847 { 2848 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters"); 2849 } 2850 2851 EndpointAddress mexAddress = (parameters.IssuerMetadataAddress != null) ? parameters.IssuerMetadataAddress : parameters.IssuerAddress; 2852 if (mexAddress == null || mexAddress.IsAnonymous || mexAddress.Uri.Equals(SelfIssuerUri)) 2853 { 2854 return; 2855 } 2856 int maximumRedirections = (int)importer.State[SecurityBindingElementImporter.MaxPolicyRedirectionsKey]; 2857 2858 if (maximumRedirections <= 0) 2859 { 2860 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.MaximumPolicyRedirectionsExceeded))); 2861 } 2862 --maximumRedirections; 2863 2864 // 2865 // Try to retrieve the proxy from the importer.State bag so that we can have secure mex 2866 // and it fails, then we can create a default one 2867 // 2868 MetadataExchangeClient policyFetcher = null; 2869 if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey))) 2870 { 2871 policyFetcher = importer.State[MetadataExchangeClient.MetadataExchangeClientKey] as MetadataExchangeClient; 2872 } 2873 2874 if (policyFetcher == null) 2875 policyFetcher = new MetadataExchangeClient(mexAddress); 2876 2877 ServiceEndpointCollection federationEndpoints = null; 2878 MetadataSet metadataSet = null; 2879 Exception mexException = null; 2880 try 2881 { 2882 metadataSet = policyFetcher.GetMetadata(mexAddress); 2883 } 2884 catch (Exception e) 2885 { 2886 if (Fx.IsFatal(e)) 2887 throw; 2888 if (e is NullReferenceException) 2889 throw; 2890 2891 mexException = e; 2892 } 2893 2894 // 2895 // DCR 6729: Try the http get option here if mex failed. 2896 // 2897 if (metadataSet == null ) 2898 { 2899 try 2900 { 2901 metadataSet = policyFetcher.GetMetadata(mexAddress.Uri, MetadataExchangeClientMode.HttpGet); 2902 } 2903 catch (Exception e) 2904 { 2905 if (Fx.IsFatal(e)) 2906 throw; 2907 if (e is NullReferenceException) 2908 throw; 2909 2910 if (mexException == null) 2911 mexException = e; 2912 } 2913 } 2914 2915 if (metadataSet == null) 2916 { 2917 // 2918 // we could not retrieve the metadata from the issuer for some reason 2919 // 2920 if (mexException != null) 2921 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnableToObtainIssuerMetadata, mexAddress, mexException), false)); 2922 2923 return; 2924 } 2925 WsdlImporter wsdlImporter; 2926 // NOTE: Microsoft, Policy import/export is seperate from WSDL however, this policy importer 2927 // invokes the WsdlImporter. In the event that the current MetadataImporter is a WsdlImporter, 2928 // we should use it's collection of extensions for the import process. Other wise 2929 WsdlImporter currentWsdlImporter = importer as WsdlImporter; 2930 if (currentWsdlImporter != null) 2931 { 2932 wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, currentWsdlImporter.WsdlImportExtensions); 2933 } 2934 else 2935 { 2936 wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, null); 2937 } 2938 2939 // 2940 // Copy the State from the first importer to the second one so that the state can be passed to the second round wsdl retrieval 2941 // 2942 if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey))) 2943 { 2944 wsdlImporter.State.Add(MetadataExchangeClient.MetadataExchangeClientKey, importer.State[MetadataExchangeClient.MetadataExchangeClientKey]); 2945 } 2946 2947 wsdlImporter.State.Add(SecurityBindingElementImporter.MaxPolicyRedirectionsKey, maximumRedirections); 2948 2949 federationEndpoints = wsdlImporter.ImportAllEndpoints(); 2950 2951 // copy all the import errors into the current metadata importer 2952 for (int i = 0; i < wsdlImporter.Errors.Count; ++i) 2953 { 2954 MetadataConversionError error = wsdlImporter.Errors[i]; 2955 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.ErrorImportingIssuerMetadata, mexAddress, InsertEllipsisIfTooLong(error.Message)), error.IsWarning)); 2956 } 2957 2958 if (federationEndpoints != null) 2959 { 2960 AddCompatibleFederationEndpoints(federationEndpoints, parameters); 2961 if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0) 2962 { 2963 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.MultipleIssuerEndpointsFound, mexAddress))); 2964 } 2965 } 2966 } 2967 InsertEllipsisIfTooLong(string message)2968 static string InsertEllipsisIfTooLong(string message) 2969 { 2970 const int MaxLength = 1024; 2971 const string Ellipsis = "...."; 2972 2973 if (message != null && message.Length > MaxLength) 2974 { 2975 return String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}{1}{2}", 2976 message.Substring(0, (MaxLength - Ellipsis.Length) / 2), 2977 Ellipsis, 2978 message.Substring(message.Length - (MaxLength - Ellipsis.Length) / 2)); 2979 } 2980 return message; 2981 } 2982 AddCompatibleFederationEndpoints(ServiceEndpointCollection serviceEndpoints, IssuedSecurityTokenParameters parameters)2983 void AddCompatibleFederationEndpoints(ServiceEndpointCollection serviceEndpoints, IssuedSecurityTokenParameters parameters) 2984 { 2985 // check if an explicit issuer address has been specified. If so,add the endpoint corresponding to that address only. If not add all acceptable endpoints. 2986 2987 bool isIssuerSpecified = (parameters.IssuerAddress != null && !parameters.IssuerAddress.IsAnonymous); 2988 foreach (ServiceEndpoint endpoint in serviceEndpoints) 2989 { 2990 TrustDriver trustDriver; 2991 if (!TryGetTrustDriver(endpoint, out trustDriver)) 2992 { 2993 // if endpoint does not have trustDriver, assume 2994 // parent trustDriver. 2995 trustDriver = this.trustDriver; 2996 } 2997 bool isFederationContract = false; 2998 ContractDescription contract = endpoint.Contract; 2999 for (int j = 0; j < contract.Operations.Count; ++j) 3000 { 3001 OperationDescription operation = contract.Operations[j]; 3002 bool hasIncomingRst = false; 3003 bool hasOutgoingRstr = false; 3004 for (int k = 0; k < operation.Messages.Count; ++k) 3005 { 3006 MessageDescription message = operation.Messages[k]; 3007 if (message.Action == trustDriver.RequestSecurityTokenAction.Value && message.Direction == MessageDirection.Input) 3008 { 3009 hasIncomingRst = true; 3010 } 3011 else if ((((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && (message.Action == trustDriver.RequestSecurityTokenResponseAction.Value)) || 3012 ((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && (message.Action == trustDriver.RequestSecurityTokenResponseFinalAction.Value))) && 3013 message.Direction == MessageDirection.Output) 3014 { 3015 hasOutgoingRstr = true; 3016 } 3017 } 3018 if (hasIncomingRst && hasOutgoingRstr) 3019 { 3020 isFederationContract = true; 3021 break; 3022 } 3023 } 3024 if (isFederationContract) 3025 { 3026 // skip if it is not an acceptable endpoint 3027 if (isIssuerSpecified && !parameters.IssuerAddress.Uri.Equals(endpoint.Address.Uri)) 3028 { 3029 continue; 3030 } 3031 3032 if (parameters.IssuerBinding == null) 3033 { 3034 parameters.IssuerAddress = endpoint.Address; 3035 parameters.IssuerBinding = endpoint.Binding; 3036 } 3037 else 3038 { 3039 IssuedSecurityTokenParameters.AlternativeIssuerEndpoint endpointInfo = new IssuedSecurityTokenParameters.AlternativeIssuerEndpoint(); 3040 endpointInfo.IssuerAddress = endpoint.Address; 3041 endpointInfo.IssuerBinding = endpoint.Binding; 3042 parameters.AlternativeIssuerEndpoints.Add(endpointInfo); 3043 } 3044 } 3045 } 3046 } 3047 TryGetTrustDriver(ServiceEndpoint endpoint, out TrustDriver trustDriver)3048 bool TryGetTrustDriver(ServiceEndpoint endpoint, out TrustDriver trustDriver) 3049 { 3050 SecurityBindingElement sbe = endpoint.Binding.CreateBindingElements().Find<SecurityBindingElement>(); 3051 trustDriver = null; 3052 if (sbe != null) 3053 { 3054 MessageSecurityVersion messageSecurityVersion = sbe.MessageSecurityVersion; 3055 if (messageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) 3056 { 3057 trustDriver = new WSTrustFeb2005.DriverFeb2005(new SecurityStandardsManager(messageSecurityVersion, WSSecurityTokenSerializer.DefaultInstance)); 3058 } 3059 else if (messageSecurityVersion.TrustVersion == TrustVersion.WSTrust13) 3060 { 3061 trustDriver = new WSTrustDec2005.DriverDec2005(new SecurityStandardsManager(messageSecurityVersion, WSSecurityTokenSerializer.DefaultInstance)); 3062 } 3063 } 3064 return trustDriver != null; 3065 } 3066 } 3067 TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy)3068 public static bool TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy) 3069 { 3070 SecurityPolicyManager policyManager = new SecurityPolicyManager(); 3071 return policyManager.TryGetSecurityPolicyDriver(assertions, out securityPolicy); 3072 } 3073 GetSecurityPolicyDriver(MessageSecurityVersion version)3074 public static WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version) 3075 { 3076 SecurityPolicyManager policyManager = new SecurityPolicyManager(); 3077 return policyManager.GetSecurityPolicyDriver(version); 3078 } 3079 3080 class SecurityPolicyManager 3081 { 3082 List<WSSecurityPolicy> drivers; 3083 SecurityPolicyManager()3084 public SecurityPolicyManager() 3085 { 3086 this.drivers = new List<WSSecurityPolicy>(); 3087 Initialize(); 3088 } 3089 Initialize()3090 public void Initialize() 3091 { 3092 this.drivers.Add(new WSSecurityPolicy11()); 3093 this.drivers.Add(new WSSecurityPolicy12()); 3094 } 3095 TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy)3096 public bool TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy) 3097 { 3098 securityPolicy = null; 3099 3100 for (int i = 0; i < this.drivers.Count; ++i) 3101 { 3102 if (this.drivers[i].CanImportAssertion(assertions)) 3103 { 3104 securityPolicy = this.drivers[i]; 3105 return true; 3106 } 3107 } 3108 3109 return false; 3110 } 3111 GetSecurityPolicyDriver(MessageSecurityVersion version)3112 public WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version) 3113 { 3114 for (int i = 0; i < this.drivers.Count; ++i) 3115 { 3116 if (this.drivers[i].IsSecurityVersionSupported(version)) 3117 { 3118 return this.drivers[i]; 3119 } 3120 } 3121 3122 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); 3123 } 3124 3125 } 3126 } 3127 3128 static class SecurityPolicyStrings 3129 { 3130 public const string SecureConversationBootstrapBindingElementsBelowSecurityKey = "SecureConversationBootstrapBindingElementsBelowSecurityKey"; 3131 } 3132 3133 } 3134