search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
disable broken tests on net_4_0
[mcs.git] / class / System.ServiceModel / System.ServiceModel.Security.Tokens / SslSecurityTokenAuthenticator.cs
blobae6cb82da386dbb0d22a0e18c52063488c7c64bf
1 //
2 // SslSecurityTokenAuthenticator.cs
3 //
4 // Author:
5 // Atsushi Enomoto <atsushi@ximian.com>
6 //
7 // Copyright (C) 2007 Novell, Inc. http://www.novell.com
8 //
9 // Permission is hereby granted, free of charge, to any person obtaining
10 // a copy of this software and associated documentation files (the
11 // "Software"), to deal in the Software without restriction, including
12 // without limitation the rights to use, copy, modify, merge, publish,
13 // distribute, sublicense, and/or sell copies of the Software, and to
14 // permit persons to whom the Software is furnished to do so, subject to
15 // the following conditions:
16 //
17 // The above copyright notice and this permission notice shall be
18 // included in all copies or substantial portions of the Software.
19 //
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
24 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
25 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
26 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 //
28 using System;
29 using System.Collections.Generic;
30 using System.Collections.ObjectModel;
31 using System.IO;
32 using System.Net.Security;
33 using System.IdentityModel.Policy;
34 using System.IdentityModel.Selectors;
35 using System.IdentityModel.Tokens;
36 using System.Security.Cryptography;
37 using System.Security.Cryptography.X509Certificates;
38 using System.Security.Cryptography.Xml;
39 using System.ServiceModel.Channels;
40 using System.ServiceModel.Description;
41 using System.ServiceModel.Security;
42 using System.ServiceModel.Security.Tokens;
43 using System.Xml;
44
45 using ReqType = System.ServiceModel.Security.Tokens.ServiceModelSecurityTokenRequirement;
46
47 namespace System.ServiceModel.Security.Tokens
48 {
49 // FIXME: implement all
50 class SslSecurityTokenAuthenticator : CommunicationSecurityTokenAuthenticator
51 {
52 ServiceCredentialsSecurityTokenManager manager;
53 SslAuthenticatorCommunicationObject comm;
54 bool mutual;
55
56 public SslSecurityTokenAuthenticator (
57 ServiceCredentialsSecurityTokenManager manager,
58 SecurityTokenRequirement r)
59 {
60 this.manager = manager;
61 mutual = (r.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego);
62 comm = new SslAuthenticatorCommunicationObject (this);
63 }
64
65 public bool IsMutual {
66 get { return mutual; }
67 }
68
69 public ServiceCredentialsSecurityTokenManager Manager {
70 get { return manager; }
71 }
72
73 public override AuthenticatorCommunicationObject Communication {
74 get { return comm; }
75 }
76
77 protected override bool CanValidateTokenCore (SecurityToken token)
78 {
79 throw new NotImplementedException ();
80 }
81
82 protected override ReadOnlyCollection<IAuthorizationPolicy>
83 ValidateTokenCore (SecurityToken token)
84 {
85 throw new NotImplementedException ();
86 }
87 }
88
89 class SslAuthenticatorCommunicationObject : AuthenticatorCommunicationObject
90 {
91 SslSecurityTokenAuthenticator owner;
92
93 public SslAuthenticatorCommunicationObject (SslSecurityTokenAuthenticator owner)
94 {
95 this.owner = owner;
96 }
97
98 WSTrustSecurityTokenServiceProxy proxy;
99
100 protected internal override TimeSpan DefaultCloseTimeout {
101 get { throw new NotImplementedException (); }
102 }
103
104 protected internal override TimeSpan DefaultOpenTimeout {
105 get { throw new NotImplementedException (); }
106 }
107
108 public override Message ProcessNegotiation (Message request)
109 {
110 if (request.Headers.Action == Constants.WstIssueAction)
111 return ProcessClientHello (request);
112 else
113 return ProcessClientKeyExchange (request);
114 }
115
116 class TlsServerSessionInfo
117 {
118 public TlsServerSessionInfo (string context, TlsServerSession tls)
119 {
120 ContextId = context;
121 Tls = tls;
122 }
123
124 public string ContextId;
125 public TlsServerSession Tls;
126 public MemoryStream Messages = new MemoryStream ();
127 }
128
129 Dictionary<string,TlsServerSessionInfo> sessions =
130 new Dictionary<string,TlsServerSessionInfo> ();
131
132 void AppendNegotiationMessageXml (XmlReader reader, TlsServerSessionInfo tlsInfo)
133 {
134 XmlDsigExcC14NTransform t = new XmlDsigExcC14NTransform ();
135 XmlDocument doc = new XmlDocument ();
136 doc.PreserveWhitespace = true;
137 reader.MoveToContent ();
138 doc.AppendChild (doc.ReadNode (reader));
139 t.LoadInput (doc);
140 MemoryStream stream = (MemoryStream) t.GetOutput ();
141 byte [] bytes = stream.ToArray ();
142 tlsInfo.Messages.Write (bytes, 0, bytes.Length);
143 }
144
145 Message ProcessClientHello (Message request)
146 {
147 // FIXME: use correct buffer size
148 MessageBuffer buffer = request.CreateBufferedCopy (0x10000);
149 WSTrustRequestSecurityTokenReader reader =
150 new WSTrustRequestSecurityTokenReader (buffer.CreateMessage ().GetReaderAtBodyContents (), SecurityTokenSerializer);
151 reader.Read ();
152
153 if (sessions.ContainsKey (reader.Value.Context))
154 throw new SecurityNegotiationException (String.Format ("The context '{0}' already exists in this SSL negotiation manager", reader.Value.Context));
155
156 TlsServerSession tls = new TlsServerSession (owner.Manager.ServiceCredentials.ServiceCertificate.Certificate, owner.IsMutual);
157 TlsServerSessionInfo tlsInfo = new TlsServerSessionInfo (
158 reader.Value.Context, tls);
159
160 AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
161
162 tls.ProcessClientHello (reader.Value.BinaryExchange.Value);
163 WstRequestSecurityTokenResponse rstr =
164 new WstRequestSecurityTokenResponse (SecurityTokenSerializer);
165 rstr.Context = reader.Value.Context;
166 rstr.BinaryExchange = new WstBinaryExchange (Constants.WstBinaryExchangeValueTls);
167 rstr.BinaryExchange.Value = tls.ProcessServerHello ();
168
169 Message reply = Message.CreateMessage (request.Version, Constants.WstIssueReplyAction, rstr);
170 reply.Headers.RelatesTo = request.Headers.MessageId;
171
172 // FIXME: use correct buffer size
173 buffer = reply.CreateBufferedCopy (0x10000);
174 AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
175
176 sessions [reader.Value.Context] = tlsInfo;
177
178 return buffer.CreateMessage ();
179 }
180
181 Message ProcessClientKeyExchange (Message request)
182 {
183 // FIXME: use correct buffer size
184 MessageBuffer buffer = request.CreateBufferedCopy (0x10000);
185 WSTrustRequestSecurityTokenResponseReader reader =
186 new WSTrustRequestSecurityTokenResponseReader (Constants.WstTlsnegoProofTokenType, buffer.CreateMessage ().GetReaderAtBodyContents (), SecurityTokenSerializer, null);
187 reader.Read ();
188
189 TlsServerSessionInfo tlsInfo;
190 if (!sessions.TryGetValue (reader.Value.Context, out tlsInfo))
191 throw new SecurityNegotiationException (String.Format ("The context '{0}' does not exist in this SSL negotiation manager", reader.Value.Context));
192 TlsServerSession tls = tlsInfo.Tls;
193
194 AppendNegotiationMessageXml (buffer.CreateMessage ().GetReaderAtBodyContents (), tlsInfo);
195 //Console.WriteLine (System.Text.Encoding.UTF8.GetString (tlsInfo.Messages.ToArray ()));
196
197 tls.ProcessClientKeyExchange (reader.Value.BinaryExchange.Value);
198
199 byte [] serverFinished = tls.ProcessServerFinished ();
200
201 // The shared key is computed as recommended in WS-Trust:
202 // P_SHA1(encrypted_key,SHA1(exc14n(RST..RSTRs))+"CK-HASH")
203 byte [] hash = SHA1.Create ().ComputeHash (tlsInfo.Messages.ToArray ());
204 byte [] key = tls.CreateHash (tls.MasterSecret, hash, "CK-HASH");
205 byte [] keyTlsApplied = tls.ProcessApplicationData (key);
206 foreach (byte b in hash) Console.Write ("{0:X02} ", b); Console.WriteLine ();
207 foreach (byte b in key) Console.Write ("{0:X02} ", b); Console.WriteLine ();
208
209 WstRequestSecurityTokenResponseCollection col =
210 new WstRequestSecurityTokenResponseCollection ();
211 WstRequestSecurityTokenResponse rstr =
212 new WstRequestSecurityTokenResponse (SecurityTokenSerializer);
213 rstr.Context = reader.Value.Context;
214 rstr.TokenType = Constants.WsscContextToken;
215 DateTime from = DateTime.Now;
216 // FIXME: not sure if arbitrary key is used here.
217 SecurityContextSecurityToken sct = SecurityContextSecurityToken.CreateCookieSecurityContextToken (
218 // Create a new context.
219 // (do not use sslnego context here.)
220 new UniqueId (),
221 "uuid-" + Guid.NewGuid (),
222 key,
223 from,
224 // FIXME: use LocalServiceSecuritySettings.NegotiationTimeout
225 from.AddHours (8),
226 null,
227 owner.Manager.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder);
228 rstr.RequestedSecurityToken = sct;
229 // without this ProcessApplicationData(), .NET seems
230 // to fail recovering the key.
231 rstr.RequestedProofToken = keyTlsApplied;
232 rstr.RequestedAttachedReference = new LocalIdKeyIdentifierClause (sct.Id);
233 rstr.RequestedUnattachedReference = new SecurityContextKeyIdentifierClause (sct.ContextId, null);
234 WstLifetime lt = new WstLifetime ();
235 lt.Created = from;
236 lt.Expires = from.Add (SecurityBindingElement.LocalServiceSettings.IssuedCookieLifetime);
237 rstr.Lifetime = lt;
238 rstr.BinaryExchange = new WstBinaryExchange (Constants.WstBinaryExchangeValueTls);
239 rstr.BinaryExchange.Value = serverFinished;
240
241 col.Responses.Add (rstr);
242
243 // Authenticator is mandatory for MS sslnego.
244 rstr = new WstRequestSecurityTokenResponse (SecurityTokenSerializer);
245 rstr.Context = reader.Value.Context;
246 rstr.Authenticator = tls.CreateHash (key, hash, "AUTH-HASH");
247 col.Responses.Add (rstr);
248
249 sessions.Remove (reader.Value.Context);
250
251 // FIXME: get correct tokenRequestor address (probably identity authorized?)
252 if (owner.IssuedSecurityTokenHandler != null)
253 owner.IssuedSecurityTokenHandler (sct, request.Headers.ReplyTo);
254
255 return Message.CreateMessage (request.Version, Constants.WstIssueReplyAction, col);
256 }
257
258 protected override void OnAbort ()
259 {
260 throw new NotImplementedException ();
261 }
262
263 protected override void OnOpen (TimeSpan timeout)
264 {
265 if (State == CommunicationState.Opened)
266 throw new InvalidOperationException ("Already opened.");
267
268 EnsureProperties ();
269
270 proxy = new WSTrustSecurityTokenServiceProxy (
271 IssuerBinding, IssuerAddress);
272 }
273
274 protected override IAsyncResult OnBeginOpen (TimeSpan timeout, AsyncCallback callback, object state)
275 {
276 throw new NotImplementedException ();
277 }
278
279 protected override void OnEndOpen (IAsyncResult result)
280 {
281 throw new NotImplementedException ();
282 }
283
284 protected override void OnClose (TimeSpan timeout)
285 {
286 if (proxy != null)
287 proxy.Close ();
288 }
289
290 protected override IAsyncResult OnBeginClose (TimeSpan timeout, AsyncCallback callback, object state)
291 {
292 throw new NotImplementedException ();
293 }
294
295 protected override void OnEndClose (IAsyncResult result)
296 {
297 throw new NotImplementedException ();
298 }
299 }
300 }
git-svn mirror of mcs