2.2.20.6 SecurityHeader

The optional SecurityHeader contains security information.


Field layout (each row is 32 bits wide):

Flags (16 bits) | SenderIdSize (16 bits)
EncryptionKeySize (16 bits) | SignatureSize (16 bits)
SenderCertSize (32 bits)
ProviderInfoSize (32 bits)
SecurityData (variable)
...

Flags (2 bytes): A 16-bit unsigned short integer that contains a set of options that provides additional information about the packet. Any combination of these values is acceptable unless otherwise noted in the following table.


Flags layout (16 bits):

ST (4 bits) | A | B | C | D | AS (4 bits) | E | F | G | H

ST (4 bits): Specifies the type of sender ID in the SecurityData field. This field MUST be set to one of the following values.

Value | Meaning

0x0 | The SecurityData.SecurityID field is not present and the SenderIdSize field MUST be set to 0x0000.

0x1 | The SecurityData.SecurityID field MUST contain the sender application security identifier (SID). The SID layout is specified in [MS-DTYP] section 2.4.2.2. The SubAuthority field of the SID packet is a variable-length array of unsigned 32-bit little-endian integers.

0x2 | The SecurityData.SecurityID field MUST contain the queue manager GUID.

A - AU (1 bit): Indicates whether the message is authenticated. This field MUST be set to 0.

B - EB (1 bit): Indicates whether the body of the message is encrypted. If set, the MessagePropertiesHeader.MessageBody field MUST be encrypted by the sender and decrypted by the receiver.

For details about encryption on the sender side, see [MS-MQQB] section 3.1.7.1.5.

For details about decryption on the receiver side, see [MS-MQQB] section 3.1.5.8.3.

C - DE (1 bit): Indicates whether the default cryptographic provider is used.<19> When clear and SignatureSize is nonzero, the SecurityData.ProviderName MUST specify the name of the alternate provider.

D - AI (1 bit): Indicates whether the SecurityData field is present. If set, the header MUST include a SecurityData field.

AS (4 bits): Indicates the authentication signature type. This field MUST be set to 0.

E - X12 (1 bit): Unused bit field. This field SHOULD NOT be set when sent and MUST be ignored on receipt.

F - X13 (1 bit): Unused bit field. This field SHOULD NOT be set when sent and MUST be ignored on receipt.

G - X14 (1 bit): Unused bit field. This field SHOULD NOT be set when sent and MUST be ignored on receipt.

H - X15 (1 bit): Unused bit field. This field SHOULD NOT be set when sent and MUST be ignored on receipt.

SenderIdSize (2 bytes): A 16-bit unsigned integer that specifies the size of the SecurityData.SecurityID field. This value MUST be set to the size, in bytes, of the security identifier in the SecurityData.SecurityID field. This field has a valid range from 0x0000 to 0xFFFF, inclusive.

EncryptionKeySize (2 bytes): A 16-bit unsigned integer that specifies the size of the SecurityData.EncryptionKey field. This value MUST be set to the size, in bytes, of the encryption key in the SecurityData.EncryptionKey field. This field has a valid range from 0x0000 to 0xFFFF, inclusive.

SignatureSize (2 bytes): A 16-bit unsigned integer that specifies the size of the SecurityData.Signature field. This value MUST be set to the size, in bytes, of the sender signature in the SecurityData.Signature field. This field has a valid range from 0x0000 to 0xFFFF, inclusive.

SenderCertSize (4 bytes): A 32-bit unsigned integer that specifies the size of the SecurityData.SenderCert field. This value MUST be set to the size, in bytes, of the sender certificate in the SecurityData.SenderCert field. This field has a valid range from 0x00000000 to 0x0000FFFF, inclusive.

ProviderInfoSize (4 bytes): A 32-bit unsigned integer that specifies the size of the SecurityData.ProviderInfo field. This value MUST be set to the size, in bytes, of the security provider information in the SecurityData.ProviderInfo field. This field has a valid range between 0x00000000 and the size limit imposed by the value of BaseHeader.PacketSize.

At least one of the fields SenderIdSize, EncryptionKeySize, SignatureSize, SenderCertSize, and ProviderInfoSize MUST be nonzero.

SecurityData (variable): An optional variable-length array of bytes containing additional security information. This field MUST contain the security information specified in the Flags field.

The data appears in the order specified below. Each field MUST be aligned up to the next 4-byte boundary. The size of each field is specified by the corresponding SenderIdSize, EncryptionKeySize, SignatureSize, SenderCertSize, and ProviderInfoSize fields. An item with a size of zero occupies no space in the SecurityData array.


SecurityData layout (fields in order):

SecurityID (variable)
EncryptionKey (variable)
Signature (variable)
SenderCert (variable)
ProviderInfo (variable)

SecurityID (variable): Contains the sender SID or the sending queue manager GUID. This field MUST be set to the queue manager GUID when the packet is sent and signed by the queue manager.

EncryptionKey (variable): Sender symmetrical encryption key.

Signature (variable): The packet digital signature. The type of signature is specified by the MSMQ version as described in the following table and the hash algorithm is specified by the MessagePropertiesHeader.HashAlgorithm field.

MSMQ Version | Signature Type

MSMQ 1.0 | The SecurityData.Signature field is an MSMQ 1.0 digital signature. If the SecurityData.Flags.ST field is set to 1, the SecurityData.SecurityID field MUST contain the sender application security identifier. If the SecurityData.Flags.ST field is set to 2, it specifies that the message is signed with Sender ID as the Signature. If set, the SecurityData.SecurityID field MUST contain the queue manager GUID. The signature MUST be a hash of the MSMQ 1.0 Digital Signature Properties (section 2.5.1).

MSMQ 2.0 | The SecurityData.Signature field is an MSMQ 2.0 digital signature. The signature MUST be a hash of the MSMQ 2.0 Digital Signature Properties (section 2.5.2).

MSMQ 3.0, MSMQ 4.0, MSMQ 5.0, or MSMQ 6.0 | The SecurityData.Signature field is an MSMQ 3.0 digital signature. The signature MUST be a hash of the MSMQ 3.0 Digital Signature Properties (section 2.5.3).

The hash algorithm that is used to compute the SecurityData.Signature field is specified by the MessagePropertiesHeader.HashAlgorithm field.

For details about signature and hash computations on the sender side, see [MS-MQQB] section 3.1.7.1.4.

For details about authentication on the receiver side, see [MS-MQQB] section 3.1.5.8.3.

SenderCert (variable): Sender X.509 digital certificate. Details are as specified in [RFC3280]. The public key that is contained in the certificate has the following structure.


Public key layout (fields in transmission order):

0x06 | 0x02 | 0x00 | Key Type | 0x52 | 0x53 | 0x41 | 0x31 | Length in bits | Public Exponent | Modulus (variable)

Key Type (4 bytes): This MUST be set to 0x00002400 for RSA signing keys and 0x0000A400 for RSA encryption keys.

Length in bits (4 bytes): This 32-bit unsigned number MUST be the length of the RSA modulus. It MUST contain the length, in bits, of the Modulus field.

Public Exponent (4 bytes): This MUST be a 32-bit unsigned integer. It MUST be the public exponent of the RSA key pair, referred to as e in [RFC8017] section 2.

Modulus (variable): This MUST be the RSA modulus, referred to as n, as defined in [RFC8017] section 2. This field MUST be a multiple of 8 bits in length and MUST append padding bits needed to ensure this requirement. Padding bits MUST be set to zero. The public key SHOULD<20> be stored in the directory.

ProviderInfo (variable): Contains the information of the alternative provider used to produce the signature.<21> If the Flags.DE bit is clear and the ProviderInfoSize is nonzero, this field MUST be set; otherwise it MUST NOT be included in the SecurityData field. The layout of this field is as follows.<22>


ProviderInfo layout (fields in order):

ProviderType (32 bits)
ProviderName (variable)
...

ProviderType (4 bytes): A 32-bit unsigned integer that indicates the type of the alternative provider used to produce the signature.

ProviderName (variable): A null-terminated Unicode string that contains the name of the alternative provider used to produce the signature.
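
The following parser is an added example, not part of the specification: it reads the fixed SecurityHeader fields, enforces the MUST constraints stated above, and walks SecurityData with the 4-byte alignment rule while bounds-checking every size field against the received buffer. It assumes little-endian integers and that diagram bit 0 is the least-significant bit of Flags; the function name and the sample packet are constructed for illustration.

```python
import struct

# Fixed part: Flags, SenderIdSize, EncryptionKeySize, SignatureSize (2 bytes
# each), SenderCertSize, ProviderInfoSize (4 bytes each).
# Assumption: little-endian integers, diagram bit 0 = least-significant bit.
FIXED = struct.Struct("<HHHHII")
FIELDS = ("SecurityID", "EncryptionKey", "Signature", "SenderCert", "ProviderInfo")

def parse_security_header(buf):
    """Return (flags, fields, consumed); raise ValueError if malformed."""
    if len(buf) < FIXED.size:
        raise ValueError("truncated fixed header")
    raw, *sizes = FIXED.unpack_from(buf)
    flags = {"ST": raw & 0xF, "AU": (raw >> 4) & 1, "EB": (raw >> 5) & 1,
             "DE": (raw >> 6) & 1, "AI": (raw >> 7) & 1, "AS": (raw >> 8) & 0xF}
    # X12..X15 (top four bits) are ignored on receipt, as the text requires.
    if flags["ST"] not in (0, 1, 2):
        raise ValueError("ST must be 0x0, 0x1 or 0x2")
    if flags["ST"] == 0 and sizes[0] != 0:
        raise ValueError("ST=0x0 requires SenderIdSize 0x0000")
    if flags["AU"] or flags["AS"]:
        raise ValueError("AU and AS must be 0")
    if not any(sizes):
        raise ValueError("at least one size field must be nonzero")
    if sizes[3] > 0xFFFF:
        raise ValueError("SenderCertSize above 0x0000FFFF")
    fields, off = {}, FIXED.size
    for name, size in zip(FIELDS, sizes):
        if size == 0:
            continue                      # zero-size items occupy no space
        if size > len(buf) - off:
            raise ValueError(f"{name} ({size} bytes) runs past the buffer")
        fields[name] = bytes(buf[off:off + size])
        off = (off + size + 3) & ~3       # align up to next 4-byte boundary
    return flags, fields, off

# Constructed sample: ST=0x2 (queue manager GUID), DE set, 16-byte SecurityID,
# 5-byte placeholder signature followed by 3 padding bytes.
SAMPLE = FIXED.pack(0x0042, 16, 0, 5, 0, 0) + bytes(range(16)) + b"SIGNA" + bytes(3)

if __name__ == "__main__":
    flags, fields, consumed = parse_security_header(SAMPLE)
    print(flags, {k: v.hex() for k, v in fields.items()}, consumed)
```

A receiver would additionally cap the total against BaseHeader.PacketSize, which bounds ProviderInfoSize per the field description above.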