Code:
/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / SecurityUtils.cs / 1 / SecurityUtils.cs
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//-----------------------------------------------------------
namespace System.IdentityModel
{
using Microsoft.Win32;
using System.Diagnostics;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.Text;
using System.Security.Principal;
using System.Security.Cryptography.X509Certificates;
using System.Collections.ObjectModel;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
static class SecurityUtils
{
public const string Identities = "Identities";
static int fipsAlgorithmPolicy = -1;
public const int WindowsVistaMajorNumber = 6;
static IIdentity anonymousIdentity;
internal static IIdentity AnonymousIdentity
{
get
{
if (anonymousIdentity == null)
anonymousIdentity = SecurityUtils.CreateIdentity(String.Empty);
return anonymousIdentity;
}
}
public static DateTime MaxUtcDateTime
{
get
{
// + and - TimeSpan.TicksPerDay is to compensate the DateTime.ParseExact (to localtime) overflow.
return new DateTime(DateTime.MaxValue.Ticks - TimeSpan.TicksPerDay, DateTimeKind.Utc);
}
}
public static DateTime MinUtcDateTime
{
get
{
// + and - TimeSpan.TicksPerDay is to compensate the DateTime.ParseExact (to localtime) overflow.
return new DateTime(DateTime.MinValue.Ticks + TimeSpan.TicksPerDay, DateTimeKind.Utc);
}
}
internal static IIdentity CreateIdentity(string name, string authenticationType)
{
return new GenericIdentity(name, authenticationType);
}
internal static IIdentity CreateIdentity(string name)
{
return new GenericIdentity(name);
}
internal static byte[] CloneBuffer(byte[] buffer)
{
return CloneBuffer(buffer, 0, buffer.Length);
}
internal static byte[] CloneBuffer(byte[] buffer, int offset, int len)
{
DiagnosticUtility.DebugAssert(offset >= 0, "Negative offset passed to CloneBuffer.");
DiagnosticUtility.DebugAssert(len >= 0, "Negative len passed to CloneBuffer.");
DiagnosticUtility.DebugAssert(buffer.Length - offset >= len, "Invalid parameters to CloneBuffer.");
byte[] copy = DiagnosticUtility.Utility.AllocateByteArray(len);
Buffer.BlockCopy(buffer, offset, copy, 0, len);
return copy;
}
internal static bool MatchesBuffer(byte[] src, byte[] dst)
{
return MatchesBuffer(src, 0, dst, 0);
}
internal static bool MatchesBuffer(byte[] src, int srcOffset, byte[] dst, int dstOffset)
{
DiagnosticUtility.DebugAssert(dstOffset >= 0, "Negative dstOffset passed to MatchesBuffer.");
DiagnosticUtility.DebugAssert(srcOffset >= 0, "Negative srcOffset passed to MatchesBuffer.");
// defensive programming
if ((dstOffset < 0) || (srcOffset < 0))
return false;
if (src == null || srcOffset >= src.Length)
return false;
if (dst == null || dstOffset >= dst.Length)
return false;
if ((src.Length - srcOffset) != (dst.Length - dstOffset))
return false;
for (int i = srcOffset, j = dstOffset; i < src.Length; i++, j++)
{
if (src[i] != dst[j])
return false;
}
return true;
}
internal static string GetCertificateId(X509Certificate2 certificate)
{
string certificateId = certificate.SubjectName.Name;
if (String.IsNullOrEmpty(certificateId))
certificateId = certificate.Thumbprint;
return certificateId;
}
internal static bool IsCurrentlyTimeEffective(DateTime effectiveTime, DateTime expirationTime, TimeSpan maxClockSkew)
{
DateTime curEffectiveTime = (effectiveTime < DateTime.MinValue.Add(maxClockSkew)) ? effectiveTime : effectiveTime.Subtract(maxClockSkew);
DateTime curExpirationTime = (expirationTime > DateTime.MaxValue.Subtract(maxClockSkew)) ? expirationTime : expirationTime.Add(maxClockSkew);
DateTime curTime = DateTime.UtcNow;
return (curEffectiveTime.ToUniversalTime() <= curTime) && (curTime < curExpirationTime.ToUniversalTime());
}
// Federal Information Processing Standards Publications
// at http://www.itl.nist.gov/fipspubs/geninfo.htm
internal static bool RequiresFipsCompliance
{
///
/// Critical - Calls an UnsafeNativeMethod and a Critical method (GetFipsAlgorithmPolicyKeyFromRegistry)
/// Safe - processes the return and just returns a bool, which is safe
///
[SecurityCritical, SecurityTreatAsSafe]
get
{
if (fipsAlgorithmPolicy == -1)
{
if (Environment.OSVersion.Version.Major >= WindowsVistaMajorNumber)
{
bool fipsEnabled;
#pragma warning suppress 56523 //
bool readPolicy = (CAPI.S_OK == CAPI.BCryptGetFipsAlgorithmMode(out fipsEnabled));
if (readPolicy && fipsEnabled)
fipsAlgorithmPolicy = 1;
else
fipsAlgorithmPolicy = 0;
}
else
{
fipsAlgorithmPolicy = GetFipsAlgorithmPolicyKeyFromRegistry();
if (fipsAlgorithmPolicy != 1)
fipsAlgorithmPolicy = 0;
}
}
return fipsAlgorithmPolicy == 1;
}
}
const string fipsPolicyRegistryKey = @"System\CurrentControlSet\Control\Lsa";
///
/// Critical - Asserts to get a value from the registry
///
[SecurityCritical]
[RegistryPermission(SecurityAction.Assert, Read = @"HKEY_LOCAL_MACHINE\" + fipsPolicyRegistryKey)]
static int GetFipsAlgorithmPolicyKeyFromRegistry()
{
int fipsAlgorithmPolicy = -1;
using (RegistryKey fipsAlgorithmPolicyKey = Registry.LocalMachine.OpenSubKey(fipsPolicyRegistryKey, false))
{
if (fipsAlgorithmPolicyKey != null)
{
object data = fipsAlgorithmPolicyKey.GetValue("FIPSAlgorithmPolicy");
if (data != null)
fipsAlgorithmPolicy = (int)data;
}
}
return fipsAlgorithmPolicy;
}
class SimpleAuthorizationContext : AuthorizationContext
{
SecurityUniqueId id;
UnconditionalPolicy policy;
IDictionary properties;
public SimpleAuthorizationContext(IList authorizationPolicies)
{
this.policy = (UnconditionalPolicy)authorizationPolicies[0];
Dictionary properties = new Dictionary();
if (this.policy.PrimaryIdentity != null && this.policy.PrimaryIdentity != SecurityUtils.AnonymousIdentity)
{
List identities = new List();
identities.Add(this.policy.PrimaryIdentity);
properties.Add(SecurityUtils.Identities, identities);
}
// Might need to port ReadOnlyDictionary?
this.properties = properties;
}
public override string Id
{
get
{
if (this.id == null)
this.id = SecurityUniqueId.Create();
return this.id.Value;
}
}
public override ReadOnlyCollection ClaimSets { get { return this.policy.Issuances; } }
public override DateTime ExpirationTime { get { return this.policy.ExpirationTime; } }
public override IDictionary Properties { get { return this.properties; } }
}
internal static AuthorizationContext CreateDefaultAuthorizationContext(IList authorizationPolicies)
{
AuthorizationContext authorizationContext;
// This is faster than Policy evaluation.
if (authorizationPolicies != null && authorizationPolicies.Count == 1 && authorizationPolicies[0] is UnconditionalPolicy)
{
authorizationContext = new SimpleAuthorizationContext(authorizationPolicies);
}
// degenerate case
else if (authorizationPolicies == null || authorizationPolicies.Count <= 0)
{
return DefaultAuthorizationContext.Empty;
}
else
{
// there are some policies, run them until they are all done
DefaultEvaluationContext evaluationContext = new DefaultEvaluationContext();
object[] policyState = new object[authorizationPolicies.Count];
object done = new object();
int oldContextCount;
do
{
oldContextCount = evaluationContext.Generation;
for (int i = 0; i < authorizationPolicies.Count; i++)
{
if (policyState[i] == done)
continue;
IAuthorizationPolicy policy = authorizationPolicies[i];
if (policy == null)
{
policyState[i] = done;
continue;
}
if (policy.Evaluate(evaluationContext, ref policyState[i]))
{
policyState[i] = done;
if (DiagnosticUtility.ShouldTraceVerbose)
{
DiagnosticUtility.DiagnosticTrace.TraceEvent(TraceEventType.Verbose, System.ServiceModel.Diagnostics.TraceCode.AuthorizationPolicyEvaluated,
SR.GetString(SR.AuthorizationPolicyEvaluated, policy.Id));
}
}
}
} while (oldContextCount < evaluationContext.Generation);
authorizationContext = new DefaultAuthorizationContext(evaluationContext);
}
if (DiagnosticUtility.ShouldTraceInformation)
{
DiagnosticUtility.DiagnosticTrace.TraceEvent(TraceEventType.Information, System.ServiceModel.Diagnostics.TraceCode.AuthorizationContextCreated,
SR.GetString(SR.AuthorizationContextCreated, authorizationContext.Id));
}
return authorizationContext;
}
internal static string ClaimSetToString(ClaimSet claimSet)
{
StringBuilder sb = new StringBuilder();
sb.AppendLine("ClaimSet [");
for (int i = 0; i < claimSet.Count; i++)
{
Claim claim = claimSet[i];
if (claim != null)
{
sb.Append(" ");
sb.AppendLine(claim.ToString());
}
}
string prefix = "] by ";
ClaimSet issuer = claimSet;
do
{
// PreSharp Bug: A null-dereference can occur here.
#pragma warning suppress 56506 // issuer was just set to this.
issuer = issuer.Issuer;
sb.AppendFormat("{0}{1}", prefix, issuer == claimSet ? "Self" : (issuer.Count <= 0 ? "Unknown" : issuer[0].ToString()));
prefix = " -> ";
} while (issuer.Issuer != issuer);
return sb.ToString();
}
// This is the workaround, Since store.Certificates returns a full collection
// of certs in store. These are holding native resources.
internal static void ResetAllCertificates(X509Certificate2Collection certificates)
{
if (certificates != null)
{
for (int i = 0; i < certificates.Count; ++i)
{
certificates[i].Reset();
}
}
}
internal static byte[] DecodeHexString(string hexString)
{
hexString = hexString.Trim();
bool spaceSkippingMode = false;
int i = 0;
int length = hexString.Length;
if ((length >= 2) &&
(hexString[0] == '0') &&
((hexString[1] == 'x') || (hexString[1] == 'X')))
{
length = hexString.Length - 2;
i = 2;
}
if (length < 2)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new FormatException(SR.GetString(SR.InvalidHexString)));
byte[] sArray;
if (length >= 3 && hexString[i + 2] == ' ')
{
if (length % 3 != 2)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new FormatException(SR.GetString(SR.InvalidHexString)));
spaceSkippingMode = true;
// Each hex digit will take three spaces, except the first (hence the plus 1).
sArray = DiagnosticUtility.Utility.AllocateByteArray(length / 3 + 1);
}
else
{
if (length % 2 != 0)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new FormatException(SR.GetString(SR.InvalidHexString)));
spaceSkippingMode = false;
// Each hex digit will take two spaces
sArray = DiagnosticUtility.Utility.AllocateByteArray(length / 2);
}
int digit;
int rawdigit;
for (int j = 0; i < hexString.Length; i += 2, j++)
{
rawdigit = ConvertHexDigit(hexString[i]);
digit = ConvertHexDigit(hexString[i + 1]);
sArray[j] = (byte)(digit | (rawdigit << 4));
if (spaceSkippingMode)
i++;
}
return (sArray);
}
static int ConvertHexDigit(Char val)
{
if (val <= '9' && val >= '0')
return (val - '0');
else if (val >= 'a' && val <= 'f')
return ((val - 'a') + 10);
else if (val >= 'A' && val <= 'F')
return ((val - 'A') + 10);
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new FormatException(SR.GetString(SR.InvalidHexString)));
}
internal static ReadOnlyCollection CreateAuthorizationPolicies(ClaimSet claimSet)
{
return CreateAuthorizationPolicies(claimSet, SecurityUtils.MaxUtcDateTime);
}
internal static ReadOnlyCollection CreateAuthorizationPolicies(ClaimSet claimSet, DateTime expirationTime)
{
List policies = new List(1);
policies.Add(new UnconditionalPolicy(claimSet, expirationTime));
return policies.AsReadOnly();
}
internal static string GenerateId()
{
return SecurityUniqueId.Create().Value;
}
internal static bool IsSupportedAlgorithm(string algorithm, SecurityToken token)
{
if (token.SecurityKeys == null)
{
return false;
}
for (int i = 0; i < token.SecurityKeys.Count; ++i)
{
if (token.SecurityKeys[i].IsSupportedAlgorithm(algorithm))
{
return true;
}
}
return false;
}
internal static IIdentity CloneIdentityIfNecessary(IIdentity identity)
{
if (identity != null)
{
WindowsIdentity wid = identity as WindowsIdentity;
if (wid != null)
{
return CloneWindowsIdentityIfNecessary(wid);
}
//X509Identity x509 = identity as X509Identity;
//if (x509 != null)
//{
// return x509.Clone();
//}
}
return identity;
}
///
/// Critical - calls two critical methods: UnsafeGetWindowsIdentityToken and UnsafeCreateWindowsIdentityFromToken
/// Safe - "clone" operation is considered safe despite using WindowsIdentity IntPtr token
/// must not let IntPtr token leak in or out
///
[SecurityCritical, SecurityTreatAsSafe]
internal static WindowsIdentity CloneWindowsIdentityIfNecessary(WindowsIdentity wid)
{
if (wid != null)
{
IntPtr token = UnsafeGetWindowsIdentityToken(wid);
if (token != IntPtr.Zero)
{
return UnsafeCreateWindowsIdentityFromToken(token);
}
}
return wid;
}
///
/// Critical - elevates in order to return the WindowsIdentity.Token property
/// caller must protect return value
///
[SecurityCritical]
[SecurityPermission(SecurityAction.Assert, UnmanagedCode = true)]
static IntPtr UnsafeGetWindowsIdentityToken(WindowsIdentity wid)
{
return wid.Token;
}
///
/// Critical - elevates in order to construct a WindowsIdentity instance from an IntPtr
/// caller must protect parameter return value
///
[SecurityCritical]
[SecurityPermission(SecurityAction.Assert, ControlPrincipal = true, UnmanagedCode = true)]
static WindowsIdentity UnsafeCreateWindowsIdentityFromToken(IntPtr token)
{
return new WindowsIdentity(token);
}
internal static ClaimSet CloneClaimSetIfNecessary(ClaimSet claimSet)
{
if (claimSet != null)
{
WindowsClaimSet wic = claimSet as WindowsClaimSet;
if (wic != null)
{
return wic.Clone();
}
//X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet;
//if (x509 != null)
//{
// return x509.Clone();
//}
}
return claimSet;
}
internal static ReadOnlyCollection CloneClaimSetsIfNecessary(ReadOnlyCollection claimSets)
{
if (claimSets != null)
{
bool clone = false;
for (int i = 0; i < claimSets.Count; ++i)
{
if (claimSets[i] is WindowsClaimSet)// || claimSets[i] is X509CertificateClaimSet)
{
clone = true;
break;
}
}
if (clone)
{
List ret = new List(claimSets.Count);
for (int i = 0; i < claimSets.Count; ++i)
{
ret.Add(SecurityUtils.CloneClaimSetIfNecessary(claimSets[i]));
}
return ret.AsReadOnly();
}
}
return claimSets;
}
internal static void DisposeClaimSetIfNecessary(ClaimSet claimSet)
{
if (claimSet != null)
{
SecurityUtils.DisposeIfNecessary(claimSet as WindowsClaimSet);
}
}
internal static void DisposeClaimSetsIfNecessary(ReadOnlyCollection claimSets)
{
if (claimSets != null)
{
for (int i = 0; i < claimSets.Count; ++i)
{
SecurityUtils.DisposeIfNecessary(claimSets[i] as WindowsClaimSet);
}
}
}
internal static ReadOnlyCollection CloneAuthorizationPoliciesIfNecessary(ReadOnlyCollection authorizationPolicies)
{
if (authorizationPolicies != null && authorizationPolicies.Count > 0)
{
bool clone = false;
for (int i = 0; i < authorizationPolicies.Count; ++i)
{
UnconditionalPolicy policy = authorizationPolicies[i] as UnconditionalPolicy;
if (policy != null && policy.IsDisposable)
{
clone = true;
break;
}
}
if (clone)
{
List ret = new List(authorizationPolicies.Count);
for (int i = 0; i < authorizationPolicies.Count; ++i)
{
UnconditionalPolicy policy = authorizationPolicies[i] as UnconditionalPolicy;
if (policy != null)
{
ret.Add(policy.Clone());
}
else
{
ret.Add(authorizationPolicies[i]);
}
}
return ret.AsReadOnly();
}
}
return authorizationPolicies;
}
public static void DisposeAuthorizationPoliciesIfNecessary(ReadOnlyCollection authorizationPolicies)
{
if (authorizationPolicies != null && authorizationPolicies.Count > 0)
{
for (int i = 0; i < authorizationPolicies.Count; ++i)
{
DisposeIfNecessary(authorizationPolicies[i] as UnconditionalPolicy);
}
}
}
public static void DisposeIfNecessary(IDisposable obj)
{
if (obj != null)
{
obj.Dispose();
}
}
}
static class EmptyReadOnlyCollection
{
public static ReadOnlyCollection Instance = new ReadOnlyCollection(new List());
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
// Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- AnimatedTypeHelpers.cs
- StreamReader.cs
- FileDialogPermission.cs
- DecimalAnimationBase.cs
- ClientRequest.cs
- SafeLibraryHandle.cs
- CallbackHandler.cs
- ByteKeyFrameCollection.cs
- Propagator.Evaluator.cs
- DataControlField.cs
- LineMetrics.cs
- IncrementalReadDecoders.cs
- XamlStream.cs
- Application.cs
- LogReservationCollection.cs
- OdbcRowUpdatingEvent.cs
- SqlMethodAttribute.cs
- ObjectStorage.cs
- NativeWindow.cs
- elementinformation.cs
- DynamicDataManager.cs
- ThreadExceptionDialog.cs
- SiteMapProvider.cs
- PathFigure.cs
- WebPartAddingEventArgs.cs
- adornercollection.cs
- CqlIdentifiers.cs
- PropertyValueUIItem.cs
- RegularExpressionValidator.cs
- ValidatedControlConverter.cs
- Int32KeyFrameCollection.cs
- CssClassPropertyAttribute.cs
- CodeTypeParameter.cs
- Separator.cs
- EventTrigger.cs
- LocalizableResourceBuilder.cs
- __ComObject.cs
- DesignerForm.cs
- RowCache.cs
- HttpHeaderCollection.cs
- MainMenu.cs
- EmissiveMaterial.cs
- GenericIdentity.cs
- httpstaticobjectscollection.cs
- StyleModeStack.cs
- Parameter.cs
- LoginUtil.cs
- shaper.cs
- AssemblyAssociatedContentFileAttribute.cs
- DesignSurfaceCollection.cs
- sqlnorm.cs
- XmlDataDocument.cs
- Internal.cs
- nulltextcontainer.cs
- Regex.cs
- LoginNameDesigner.cs
- ElementAction.cs
- MetadataItemEmitter.cs
- VirtualizedCellInfoCollection.cs
- OracleColumn.cs
- CustomPopupPlacement.cs
- securestring.cs
- HttpNamespaceReservationInstallComponent.cs
- InputElement.cs
- MemberMaps.cs
- AmbientEnvironment.cs
- NamespaceListProperty.cs
- EtwTrace.cs
- CompiledQueryCacheEntry.cs
- XPathSingletonIterator.cs
- SqlClientMetaDataCollectionNames.cs
- TreeChangeInfo.cs
- CallbackHandler.cs
- CompositeFontFamily.cs
- Group.cs
- XmlBoundElement.cs
- _Events.cs
- SSmlParser.cs
- ResourceKey.cs
- JsonServiceDocumentSerializer.cs
- AnnotationService.cs
- EntityContainerAssociationSetEnd.cs
- SmiContext.cs
- EntitySqlQueryCacheEntry.cs
- DictionaryTraceRecord.cs
- TargetFrameworkAttribute.cs
- MultilineStringConverter.cs
- NodeLabelEditEvent.cs
- CodeGotoStatement.cs
- ClientFormsIdentity.cs
- HttpWrapper.cs
- AuthorizationRuleCollection.cs
- X509Utils.cs
- SqlCommandSet.cs
- DataObjectEventArgs.cs
- EntityCollection.cs
- ProfilePropertySettingsCollection.cs
- ResumeStoryboard.cs
- TimeoutValidationAttribute.cs
- SpeakInfo.cs