//
// SslnegoCookieResolver.cs
//
// Author:
//	Atsushi Enomoto <atsushi@ximian.com>
//
// Copyright (C) 2007 Novell, Inc.  http://www.novell.com
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
// 
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
// 
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

/*

LAMESPEC: The cookie value is encoded by
ServiceCredential.SecureConversationAuthentication.SecurityStateEncoder.

When a custom SecurityStateEncoder is used,
- at service side it is actually invoked,
- at client side it is impossible to specify such a custom state decoder, so
  the cookie is treated as if the key were passed as is, which can raise a
  verification error (this is LAMESPEC, since if the custom state encoder is
  pass-through it just works fine).

Raw Cookie data format (via pass-through SecurityStateEncoder)

<42 00 42 02 83 42 06 99> L[uuid-_________] bbbb-bb 
<42 04 AD> (16bytes)  <42 08 9E 1E> (43 bytes)
<C9 08 42 10 8F> (6 bytes)
<C9 08 42 14 8F> (6 bytes)
<C9 08 42 16 8F> (6 bytes)
<C9 08 01>

The uuid seems kept identical while one service is running (i.e. unique per ServiceHost).

Actually the raw octets correspond to the
XmlBinaryWriter output format, so that is the likely encoding.
So, it will be parsed as below:
42 00 
42 02 
83 
42 06 99 2B 75 75 69 64 2D 31 65 38 33 62 63 37 39 2D 35 30 33 37 2D 34 61 32 30 2D 38 32 66 37 2D 64 32 39 37 31 34 61 30 32 62 37 66 2D 31 // UniqueId wsu:Id
42 04 AD 45 34 07 4E 38 D2 18 4D 8B 22 FD 6C E6 CE B2 17 // UniqueIdFromGuid ContextId
42 08 9E 1E CA AC F2 71 6E 61 99 DA FB 71 B2 A8 DC 51 36 5B CD F3 F9 60 D2 B6 67 BF 5D B0 CE ED 37 35 9F 02 DC 7D // Base64 Key
42 0E 8F F4 4C 9C 48 61 33 C9 08 // Int64 KeyCreation
42 10 8F F4 5C 48 1A B5 33 C9 08 // Int64 KeyExpiration
42 14 8F F4 4C 9C 48 61 33 C9 08 // Int64 CookieCreation
42 16 8F F4 5C 48 1A B5 33 C9 08 // Int64 CookieExpiration
01


The actual XML looks like:
<n1><n2>1</n2><n4>uuid-950f764e-f6dc-4f5d-8df36699e28618cf-1</n4><n3>urn:uuid:a13aa8b0-f0b5-4a78-967e-fbd05459d882</n3><n5>W0I2qFT/H5ElE14l3wy8rqZHVvjbesvtshaLOdQdXyk=</n5><n8>633092852947500000</n8><n9>633093212947500000</n9><n11>633092852947500000</n11><n12>633093212947500000</n12></n1>

where n[x] are presumed names. They would be meaningful in the MS implementation,
but since this is a binary XML stream with a preconfigured IXmlDictionary (sigh), the
actual names do not matter.

n2 matches the context Identifier for SecurityContextToken.
n3 matches the u:Id for SecurityContextToken.

*/


namespace System.ServiceModel.Security.Tokens
{
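	internal class SslnegoCookieResolver
	{
		// Reader and writer must register the element names "n0".."n{count-1}"
		// in the same order: the binary XML format refers to names by dictionary
		// index, not by text, so the indices on both sides have to line up.
		const int ReaderNameCount = 30;
		const int WriterNameCount = 12;

		// Builds the XmlDictionary shared (by construction order) between
		// ResolveCookie and CreateData.
		static XmlDictionary CreateDictionary (int count)
		{
			XmlDictionary dic = new XmlDictionary ();
			for (int i = 0; i < count; i++)
				dic.Add ("n" + i);
			return dic;
		}

		/// <summary>
		/// Rebuilds a SecurityContextSecurityToken from the decoded cookie state
		/// (the pass-through SecurityStateEncoder layout described at the top of
		/// this file).
		/// </summary>
		/// <param name="bytes">Decoded binary-XML cookie state. No integrity or
		/// authenticity check is performed here; whatever decoded the cookie
		/// (the SecurityStateEncoder) is responsible for that before this runs.</param>
		/// <param name="cookie">The opaque cookie as received; it is attached to
		/// the returned token unchanged and may be null.</param>
		/// <returns>The token described by the state.</returns>
		/// <exception cref="ArgumentNullException">bytes is null.</exception>
		/// <exception cref="XmlException">the state is malformed, contains an
		/// element this resolver does not know, or has an unexpected n1 value.</exception>
		public static SecurityContextSecurityToken ResolveCookie (byte [] bytes, byte [] cookie)
		{
			if (bytes == null)
				throw new ArgumentNullException ("bytes");

			string id = null;
			UniqueId context = null;
			DateTime validFrom = DateTime.MinValue,
				 validTo = DateTime.MaxValue,
				 keyEffective = DateTime.MinValue,
				 keyExpired = DateTime.MaxValue;
			byte [] key = null;
			// Parsed when present, but not carried into the token below
			// (the constructor call used here does not take them).
			// TODO(review): confirm whether they should be.
			X509Certificate2 cert = null;
			X500DistinguishedName issuer = null;

			XmlDictionary dic = CreateDictionary (ReaderNameCount);
			// FIXME: create proper quotas. The parameterless constructor gives
			// the default (bounded) quotas rather than the unbounded Max set,
			// which at least limits what a hostile state blob can make the
			// reader allocate.
			XmlDictionaryReaderQuotas quotas =
				new XmlDictionaryReaderQuotas ();
			using (XmlDictionaryReader cr = XmlDictionaryReader.CreateBinaryReader (bytes, 0, bytes.Length, dic, quotas)) {
				cr.MoveToContent (); // -> n0 (root)
				cr.ReadStartElement ("n0", String.Empty);
				do {
					cr.MoveToContent ();
					if (cr.NodeType == XmlNodeType.EndElement)
						break;
					if (cr.NodeType != XmlNodeType.Element)
						throw new XmlException ("Unexpected non-element content: " + cr.NodeType);

					switch (cr.Name) {
					case "n1":
						// FIXME: some integer here (CreateData always writes 1)
						int n1 = cr.ReadElementContentAsInt ();
						if (n1 != 1)
							throw new XmlException ("INTERNAL ERROR: there was unexpected n1 content: " + n1);
						break;
					case "n2":
						context = cr.ReadElementContentAsUniqueId ();
						break;
					case "n3":
						id = cr.ReadElementContentAsString ();
						break;
					case "n4":
						key = cr.ReadElementContentAsBase64 ();
						break;
					case "n7":
						validFrom = new DateTime (cr.ReadElementContentAsLong ());
						break;
					case "n8":
						validTo = new DateTime (cr.ReadElementContentAsLong ());
						break;
					case "n10":
						keyEffective = new DateTime (cr.ReadElementContentAsLong ());
						break;
					case "n11":
						keyExpired = new DateTime (cr.ReadElementContentAsLong ());
						break;
					case "n13":
						// <n18>X509Certificate</n18>
						cr.Read ();
						cr.MoveToContent ();
						cert = new X509Certificate2 (cr.ReadElementContentAsBase64 ());
						cr.ReadEndElement ();
						break;
					case "n15":
						// <n16><n24 n25="IssuerName" /></n16>
						cr.Read ();
						cr.ReadStartElement ("n16", String.Empty);
						issuer = new X500DistinguishedName (cr.GetAttribute ("n25"));
						// n24 is usually empty; only read its end tag when it is not.
						bool empty = cr.IsEmptyElement;
						cr.ReadStartElement ("n24", String.Empty);
						if (!empty)
							cr.ReadEndElement (); // n24
						cr.ReadEndElement (); // n16
						cr.ReadEndElement (); // n15
						break;
					default:
						throw new XmlException ("INTERNAL ERROR: there was an unhandled element: " + cr.Name);
					}
				} while (true);
			}

			SecurityContextSecurityToken sct = new SecurityContextSecurityToken (
				context, id, key, validFrom, validTo,
				null, keyEffective, keyExpired, null);
			sct.Cookie = cookie;
			return sct;
		}

		/// <summary>
		/// Serializes the token state into the binary-XML layout that
		/// ResolveCookie reads back (n0 root; n1 = 1; n3, n2 = contextId;
		/// n4 = key; n7/n8 = token validity ticks; n10/n11 = key validity ticks).
		/// </summary>
		/// <param name="contextId">Written to both n3 (read back as the token id)
		/// and n2 (read back as the context id).</param>
		/// <param name="session">Currently not written at all; n3 carries
		/// contextId instead. TODO(review): confirm whether n3 was meant to be
		/// the session id, as the element-name notes at the top of this file suggest.</param>
		/// <param name="key">Raw key material, written base64-encoded into n4.
		/// Note that this output is plain state; any confidentiality or integrity
		/// protection comes from the SecurityStateEncoder applied afterwards.</param>
		/// <param name="tokenSince">Token validity start (ticks go to n7).</param>
		/// <param name="tokenUntil">Token validity end (ticks go to n8).</param>
		/// <param name="keySince">Key validity start (ticks go to n10).</param>
		/// <param name="keyUntil">Key validity end (ticks go to n11).</param>
		/// <returns>The binary-XML bytes.</returns>
		/// <exception cref="ArgumentNullException">contextId or key is null.</exception>
		public static byte [] CreateData (UniqueId contextId, UniqueId session, byte [] key, DateTime tokenSince, DateTime tokenUntil, DateTime keySince, DateTime keyUntil)
		{
			if (contextId == null)
				throw new ArgumentNullException ("contextId");
			if (key == null)
				throw new ArgumentNullException ("key");

			// Same names, same indices as the reader side; dic.Add below returns
			// the entry already registered by CreateDictionary for each name.
			XmlDictionary dic = CreateDictionary (WriterNameCount);
			using (MemoryStream ms = new MemoryStream ()) {
				XmlDictionaryWriter w = XmlDictionaryWriter.CreateBinaryWriter (ms, dic);
				XmlDictionaryString e = XmlDictionaryString.Empty;
				w.WriteStartElement (dic.Add ("n0"), e);
				w.WriteStartElement (dic.Add ("n1"), e);
				w.WriteValue (1);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n3"), e);
				w.WriteValue (contextId);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n2"), e);
				w.WriteValue (contextId);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n4"), e);
				w.WriteBase64 (key, 0, key.Length);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n7"), e);
				w.WriteValue (tokenSince.Ticks);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n8"), e);
				w.WriteValue (tokenUntil.Ticks);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n10"), e);
				w.WriteValue (keySince.Ticks);
				w.WriteEndElement ();
				w.WriteStartElement (dic.Add ("n11"), e);
				w.WriteValue (keyUntil.Ticks);
				w.WriteEndElement ();
				// Closing the writer flushes everything into ms; ToArray still
				// works on a closed MemoryStream.
				w.Close ();
				return ms.ToArray ();
			}
		}
	}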
}