private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
 {
     TryResolveKeyIdentifier(keyIdentifier, resolver, true, out SecurityToken token);
     if (token == null && !isPrimarySignature)
     {
         // check if there is a rsa key token authenticator
         if (keyIdentifier.Count == 1)
         {
             if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out RsaKeyIdentifierClause rsaClause))
             {
                 RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
                 if (rsaAuthenticator != null)
                 {
                     token = new RsaSecurityToken(rsaClause.Rsa);
                     ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
                     TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out SupportingTokenAuthenticatorSpecification spec);
                     if (rsaTracker == null)
                     {
                         throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
                     }
                     rsaTracker.RecordToken(token);
                     SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
                 }
             }
         }
     }
     if (token == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
                                                                       SR.Format(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
     }
     return(token);
 }
        private SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList <SecurityTokenAuthenticator> allowedTokenAuthenticators, out SecurityTokenAuthenticator usedTokenAuthenticator)
        {
            SecurityToken token = StandardsManager.SecurityTokenSerializer.ReadToken(reader, tokenResolver);

            if (token is DerivedKeySecurityTokenStub)
            {
                if (DerivedTokenAuthenticator == null)
                {
                    // No Authenticator registered for DerivedKeySecurityToken
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
                                                                                  SR.Format(SR.UnableToFindTokenAuthenticator, typeof(DerivedKeySecurityToken))));
                }

                // This is just the stub. Nothing to Validate. Set the usedTokenAuthenticator to
                // DerivedKeySecurityTokenAuthenticator.
                usedTokenAuthenticator = DerivedTokenAuthenticator;
                return(token);
            }

            for (int i = 0; i < allowedTokenAuthenticators.Count; ++i)
            {
                SecurityTokenAuthenticator tokenAuthenticator = allowedTokenAuthenticators[i];
                if (tokenAuthenticator.CanValidateToken(token))
                {
                    ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
                    authorizationPolicies = tokenAuthenticator.ValidateToken(token);
                    SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
                    usedTokenAuthenticator = tokenAuthenticator;
                    return(token);
                }
            }

            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
                                                                          SR.Format(SR.UnableToFindTokenAuthenticator, token.GetType())));
        }