1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
|
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
namespace System.IdentityModel
{
using System;
using System.Diagnostics;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
using System.Runtime;
/// <summary>
/// Wraps a writer and generates a signature automatically when the envelope
/// is written completely. By default the generated signature is inserted as
/// the last element in the envelope. This can be modified by explicitily
/// calling WriteSignature to indicate the location inside the envelope where
/// the signature should be inserted.
/// </summary>
public sealed class EnvelopedSignatureWriter : DelegatingXmlDictionaryWriter
{
DictionaryManager _dictionaryManager;
XmlWriter _innerWriter;
SigningCredentials _signingCreds;
string _referenceId;
SecurityTokenSerializer _tokenSerializer;
HashStream _hashStream;
HashAlgorithm _hashAlgorithm;
int _elementCount;
MemoryStream _signatureFragment;
MemoryStream _endFragment;
bool _hasSignatureBeenMarkedForInsert;
MemoryStream _writerStream;
MemoryStream _preCanonicalTracingStream;
bool _disposed;
/// <summary>
/// Initializes an instance of <see cref="EnvelopedSignatureWriter"/>. The returned writer can be directly used
/// to write the envelope. The signature will be automatically generated when
/// the envelope is completed.
/// </summary>
/// <param name="innerWriter">Writer to wrap/</param>
/// <param name="signingCredentials">SigningCredentials to be used to generate the signature.</param>
/// <param name="referenceId">The reference Id of the envelope.</param>
/// <param name="securityTokenSerializer">SecurityTokenSerializer to serialize the signature KeyInfo.</param>
/// <exception cref="ArgumentNullException">One of he input parameter is null.</exception>
/// <exception cref="ArgumentException">The string 'referenceId' is either null or empty.</exception>
public EnvelopedSignatureWriter(XmlWriter innerWriter, SigningCredentials signingCredentials, string referenceId, SecurityTokenSerializer securityTokenSerializer)
{
if (innerWriter == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("innerWriter");
}
if (signingCredentials == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signingCredentials");
}
if (string.IsNullOrEmpty(referenceId))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.ID0006), "referenceId"));
}
if (securityTokenSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityTokenSerializer");
}
// Remember the user's writer here. We need to finally write out the signed XML
// into this writer.
_dictionaryManager = new DictionaryManager();
_innerWriter = innerWriter;
_signingCreds = signingCredentials;
_referenceId = referenceId;
_tokenSerializer = securityTokenSerializer;
_signatureFragment = new MemoryStream();
_endFragment = new MemoryStream();
_writerStream = new MemoryStream();
XmlDictionaryWriter effectiveWriter = XmlDictionaryWriter.CreateTextWriter(_writerStream, Encoding.UTF8, false);
// Initialize the base writer to the newly created writer. The user should write the XML
// to this.
base.InitializeInnerWriter(effectiveWriter);
_hashAlgorithm = CryptoHelper.CreateHashAlgorithm(_signingCreds.DigestAlgorithm);
_hashStream = new HashStream(_hashAlgorithm);
base.InnerWriter.StartCanonicalization(_hashStream, false, null);
//
// Add tracing for the un-canonicalized bytes
//
if (DiagnosticUtility.ShouldTraceVerbose)
{
_preCanonicalTracingStream = new MemoryStream();
base.InitializeTracingWriter(new XmlTextWriter(_preCanonicalTracingStream, Encoding.UTF8));
}
}
private void ComputeSignature()
{
PreDigestedSignedInfo signedInfo = new PreDigestedSignedInfo(_dictionaryManager);
signedInfo.AddEnvelopedSignatureTransform = true;
signedInfo.CanonicalizationMethod = XD.ExclusiveC14NDictionary.Namespace.Value;
signedInfo.SignatureMethod = _signingCreds.SignatureAlgorithm;
signedInfo.DigestMethod = _signingCreds.DigestAlgorithm;
signedInfo.AddReference(_referenceId, _hashStream.FlushHashAndGetValue(_preCanonicalTracingStream));
SignedXml signedXml = new SignedXml(signedInfo, _dictionaryManager, _tokenSerializer);
signedXml.ComputeSignature(_signingCreds.SigningKey);
signedXml.Signature.KeyIdentifier = _signingCreds.SigningKeyIdentifier;
signedXml.WriteTo(base.InnerWriter);
((IDisposable)_hashStream).Dispose();
_hashStream = null;
}
private void OnEndRootElement()
{
if (!_hasSignatureBeenMarkedForInsert)
{
// Default case. Signature is added as the last child element.
// We still have to compute the signature. Write end element as a different fragment.
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).StartFragment(_endFragment, false);
base.WriteEndElement();
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).EndFragment();
}
else if (_hasSignatureBeenMarkedForInsert)
{
// Signature should be added to the middle between the start and element
// elements. Finish the end fragment and compute the signature and
// write the signature as a seperate fragment.
base.WriteEndElement();
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).EndFragment();
}
// Stop Canonicalization.
base.EndCanonicalization();
// Compute signature and write it into a seperate fragment.
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).StartFragment(_signatureFragment, false);
ComputeSignature();
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).EndFragment();
// Put all fragments together. The fragment before the signature is already written into the writer.
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).WriteFragment(_signatureFragment.GetBuffer(), 0, (int)_signatureFragment.Length);
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).WriteFragment(_endFragment.GetBuffer(), 0, (int)_endFragment.Length);
// _startFragment.Close();
_signatureFragment.Close();
_endFragment.Close();
_writerStream.Position = 0;
_hasSignatureBeenMarkedForInsert = false;
// Write the signed stream to the writer provided by the user.
// We are creating a Text Reader over a stream that we just wrote out. Hence, it is safe to
// create a XmlTextReader and not a XmlDictionaryReader.
// Note: reader will close _writerStream on Dispose.
XmlReader reader = XmlDictionaryReader.CreateTextReader(_writerStream, XmlDictionaryReaderQuotas.Max);
reader.MoveToContent();
_innerWriter.WriteNode(reader, false);
_innerWriter.Flush();
reader.Close();
base.Close();
}
/// <summary>
/// Sets the position of the signature within the envelope. Call this
/// method while writing the envelope to indicate at which point the
/// signature should be inserted.
/// </summary>
public void WriteSignature()
{
base.Flush();
if (_writerStream == null || _writerStream.Length == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID6029)));
}
if (_signatureFragment.Length != 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID6030)));
}
Fx.Assert(_endFragment != null && _endFragment.Length == 0, SR.GetString(SR.ID8026));
// Capture the remaing as a seperate fragment.
((IFragmentCapableXmlDictionaryWriter)base.InnerWriter).StartFragment(_endFragment, false);
_hasSignatureBeenMarkedForInsert = true;
}
/// <summary>
/// Overrides the base class implementation. When the last element of the envelope is written
/// the signature is automatically computed over the envelope and the signature is inserted at
/// the appropriate position, if WriteSignature was explicitly called or is inserted at the
/// end of the envelope.
/// </summary>
public override void WriteEndElement()
{
_elementCount--;
if (_elementCount == 0)
{
base.Flush();
OnEndRootElement();
}
else
{
base.WriteEndElement();
}
}
/// <summary>
/// Overrides the base class implementation. When the last element of the envelope is written
/// the signature is automatically computed over the envelope and the signature is inserted at
/// the appropriate position, if WriteSignature was explicitly called or is inserted at the
/// end of the envelope.
/// </summary>
public override void WriteFullEndElement()
{
_elementCount--;
if (_elementCount == 0)
{
base.Flush();
OnEndRootElement();
}
else
{
base.WriteFullEndElement();
}
}
/// <summary>
/// Overrides the base class. Writes the specified start tag and associates
/// it with the given namespace.
/// </summary>
/// <param name="prefix">The namespace prefix of the element.</param>
/// <param name="localName">The local name of the element.</param>
/// <param name="ns">The namespace URI to associate with the element.</param>
public override void WriteStartElement(string prefix, string localName, string ns)
{
_elementCount++;
base.WriteStartElement(prefix, localName, ns);
}
#region IDisposable Members
/// <summary>
/// Releases the unmanaged resources used by the System.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter and optionally
/// releases the managed resources.
/// </summary>
/// <param name="disposing">
/// True to release both managed and unmanaged resources; false to release only unmanaged resources.
/// </param>
protected override void Dispose(bool disposing)
{
base.Dispose(disposing);
if (_disposed)
{
return;
}
if (disposing)
{
//
// Free all of our managed resources
//
if (_hashStream != null)
{
_hashStream.Dispose();
_hashStream = null;
}
if (_hashAlgorithm != null)
{
((IDisposable)_hashAlgorithm).Dispose();
_hashAlgorithm = null;
}
if (_signatureFragment != null)
{
_signatureFragment.Dispose();
_signatureFragment = null;
}
if (_endFragment != null)
{
_endFragment.Dispose();
_endFragment = null;
}
if (_writerStream != null)
{
_writerStream.Dispose();
_writerStream = null;
}
if (_preCanonicalTracingStream != null)
{
_preCanonicalTracingStream.Dispose();
_preCanonicalTracingStream = null;
}
}
// Free native resources, if any.
_disposed = true;
}
#endregion
}
}
|
