public UserNameCertificateBinding()
{
//add security
// var securityElement =
// SecurityBindingElement.CreateUserNameForCertificateBindingElement();
var securityElement = new SymmetricSecurityBindingElement();
var x509TokenParameters = new X509SecurityTokenParameters();
// how to find certificate
// this will be used by securitymanager to find the certificate when create x509security tokens
//x509TokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
//The token is never included in messages but is referenced. The token must be known to the recipient out of band
x509TokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
securityElement.ProtectionTokenParameters = x509TokenParameters;
securityElement.EndpointSupportingTokenParameters.
SignedEncrypted.Add(new UserNameSecurityTokenParameters());
securityElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
securityElement.RequireSignatureConfirmation = true;
Elements.Add(securityElement);
// Message Encoding
var textEncoding = new GZipMessageEncodingBindingElement();
textEncoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
Elements.Add(textEncoding);
// Transport
Elements.Add(new HttpTransportBindingElement());
}
public static Binding ChangeMessageSecurityOptions(this Binding binding)
{
var customBinding = new CustomBinding(binding);
var minutes15 = TimeSpan.FromMinutes(15);
customBinding.ReceiveTimeout = minutes15;
customBinding.SendTimeout = minutes15;
var tokenParameters =
new X509SecurityTokenParameters
{
X509ReferenceStyle = X509KeyIdentifierClauseType.Any,
RequireDerivedKeys = false,
InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
};
var securityBindingElement = customBinding.Elements.Find<AsymmetricSecurityBindingElement>();
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
securityBindingElement.InitiatorTokenParameters = tokenParameters;
securityBindingElement.LocalClientSettings.DetectReplays = false;
securityBindingElement.IncludeTimestamp = false;
securityBindingElement.LocalClientSettings.TimestampValidityDuration = new TimeSpan(12, 0, 0);
return customBinding;
}
public static void Main ()
{
AsymmetricSecurityBindingElement sbe =
new AsymmetricSecurityBindingElement ();
//sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
//sbe.RequireSignatureConfirmation = true;
//sbe.LocalServiceSettings.DetectReplays = false;
//sbe.IncludeTimestamp = false;
sbe.RecipientTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
sbe.InitiatorTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
//sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
UserNameSecurityTokenParameters up =
new UserNameSecurityTokenParameters ();
sbe.EndpointSupportingTokenParameters.Signed.Add (up);
sbe.SetKeyDerivation (false);
sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
cred.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
cred.UserNameAuthentication.CustomUserNamePasswordValidator =
UserNamePasswordValidator.None;
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
foreach (ServiceEndpoint se in host.Description.Endpoints)
se.Behaviors.Add (new StdErrInspectionBehavior ());
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
public static Binding CreateCreditCardBinding()
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
// the message security binding element will be configured to require a credit card
// token that is encrypted with the service's certificate
SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return new CustomBinding(messageSecurity, httpTransport);
}
private static System.ServiceModel.Channels.Binding CreateBinding()
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var httpTransport = new HttpTransportBindingElement();
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, httpTransport);
return customBinding;
}
public static void Main ()
{
Console.WriteLine ("WARNING!! This test is not configured enought to work fine on .NET either.");
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement ();
sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
sbe.RequireSignatureConfirmation = true;
//sbe.IncludeTimestamp = false;
sbe.ProtectionTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
X509SecurityTokenParameters p =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);
p.RequireDerivedKeys = false;
sbe.EndpointSupportingTokenParameters.Endorsing.Add (p);
//sbe.SetKeyDerivation (false);
//sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
ServiceHost host = new ServiceHost (typeof (Foo));
var mbe = new BinaryMessageEncodingBindingElement ();
var tbe = new TcpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, mbe, tbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
public static Binding GetIssuedTokenBindingSSL()
{
var textmessageEncoding = new TextMessageEncodingBindingElement();
textmessageEncoding.WriteEncoding = Encoding.UTF8;
textmessageEncoding.MessageVersion = MessageVersion.Soap11WSAddressing10;
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var x509SecurityParamter = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters = x509SecurityParamter;
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.RawDataKeyIdentifier, SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
messageSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
return new CustomBinding(
messageSecurity,
textmessageEncoding,
new HttpsTransportBindingElement());
}
public static Binding CreateMultiFactorAuthenticationBinding()
{
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();
// the message security binding element will be configured to require 2 tokens:
// 1) A username-password encrypted with the service token
// 2) A client certificate used to sign the message
// Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
SymmetricSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
// Create supporting token parameters for the client X509 certificate.
X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
// Specify that the supporting token is passed in message send by the client to the service
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
// Turn off derived keys
clientX509SupportingTokenParameters.RequireDerivedKeys = false;
// Augment the binding element to require the client's X509 certificate as an endorsing token in the message
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);
// Create a CustomBinding based on the constructed security binding element.
return new CustomBinding(messageSecurity, httpTransport);
}
private SecurityBindingElement CreateSecurity()
{
AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
X509SecurityTokenParameters clientToken = new X509SecurityTokenParameters();
clientToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
clientToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
clientToken.RequireDerivedKeys = false;
clientToken.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
security.InitiatorTokenParameters = clientToken; //Creates an _unsigned_ binary token + signature that references the other binary token.
X509SecurityTokenParameters serverToken = new X509SecurityTokenParameters();
serverToken.X509ReferenceStyle = X509KeyIdentifierClauseType.Any;
serverToken.InclusionMode = SecurityTokenInclusionMode.Never;
serverToken.RequireDerivedKeys = false;
serverToken.ReferenceStyle = SecurityTokenReferenceStyle.External;
security.RecipientTokenParameters = serverToken; //Only to make asymetric binding work
security.EndpointSupportingTokenParameters.Signed.Add(clientToken); //Create a signed binary token + signature that does _not_ references other binary token.
//Later on the unsigned binary token is removed and the non referecing signature is removed. The signed token and referencing signature are linked.
security.EnableUnsecuredResponse = true;
security.IncludeTimestamp = true;
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
security.SetKeyDerivation(false);
return security;
}
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
// FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements ();
// FIXME: fill the reqs
return SecurityBindingElement.CreateSecureConversationBindingElement (
// FIXME: requireCancellation
element, true, reqs);
}
private SecurityBindingElement CreateSecurityBindingElement()
{
CustomTextTraceSource ts = new CustomTextTraceSource("Common.WspCustomSecuredBinding.CreateSecurityBindingElement",
"MyTraceSource", System.Diagnostics.SourceLevels.Information);
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = true;
// SAML assertion as a signed-encrypted supporting token
IssuedSecurityTokenParameters issuedTokenParameters =
new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
// Compliance with WSS SAML Token Profile 1.1
// Target .Net 3.5. Does not work with .Net 4
issuedTokenParameters.UseStrTransform = _enableStrTransform;
ts.TraceInformation("issuedTokenParameters.UseStrTransform = " + issuedTokenParameters.UseStrTransform.ToString());
// Using bearer key type which means no proof key
issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
issuedTokenParameters.KeySize = 0;
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
//issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
// These claims are not really needed here. We are doing out of band requests!
// Claims
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));
// GFIPM S2S 6.4 User Authorization - Encrypted GFIPM User Assertion
//secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);
// For debug
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
//initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToInitiator);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
//recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
//Set the Custom IdentityVerifier
secBindingElement.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();
//////////////////////////////////////////////////////////
return secBindingElement;
}
public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters)
{
XmlElement result = CreateWsspAssertion(X509TokenName);
SetIncludeTokenValue(result, parameters.InclusionMode);
result.AppendChild(
CreateWspPolicyWrapper(
exporter,
CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle),
CreateWsspAssertion(WssX509V3Token10Name)
));
return result;
}
public void SetKeyDerivation ()
{
AsymmetricSecurityBindingElement be;
X509SecurityTokenParameters p, p2;
be = new AsymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
be.InitiatorTokenParameters = p;
be.RecipientTokenParameters = p2;
be.SetKeyDerivation (false);
Assert.AreEqual (false, p.RequireDerivedKeys, "#1");
Assert.AreEqual (false, p2.RequireDerivedKeys, "#2");
be = new AsymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
be.SetKeyDerivation (false); // set in prior - makes no sense
be.InitiatorTokenParameters = p;
be.RecipientTokenParameters = p2;
Assert.AreEqual (true, p.RequireDerivedKeys, "#3");
Assert.AreEqual (true, p2.RequireDerivedKeys, "#4");
}
private SecurityBindingElement CreateSecurityBindingElement()
{
SymmetricSecurityBindingElement secBindingElement = new SymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
// TEST
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
//secBindingElement.RequireSignatureConfirmation = true;
//secBindingElement.AllowInsecureTransport = true;
//////////////////////////////////////////////////////////
SecurityBindingElement ssbe = (SecurityBindingElement)secBindingElement;
// Set the Custom IdentityVerifier
//ssbe.LocalClientSettings.IdentityVerifier = new Common.CustomIdentityVerifier();
//////////////////////////////////////////////////////////
X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint,
SecurityTokenInclusionMode.Never);
protectTokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
//X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
// SecurityTokenInclusionMode.Never);
protectTokenParameters.RequireDerivedKeys = false;
//protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
//protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.ProtectionTokenParameters = protectTokenParameters;
UserNameSecurityTokenParameters userNameToken = new UserNameSecurityTokenParameters();
userNameToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(userNameToken);
//secBindingElement.EndpointSupportingTokenParameters.Signed.Add(userNameToken);
//secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
return secBindingElement;
}
protected X509SecurityTokenParameters (X509SecurityTokenParameters source)
: base (source)
{
reference_style = source.reference_style;
}
void SetKeyDerivationIncorrect (SecurityBindingElement be, string label)
{
X509SecurityTokenParameters p, p2;
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
// setting in prior - makes no sense
be.SetKeyDerivation (false);
be.EndpointSupportingTokenParameters.Endorsing.Add (p);
be.EndpointSupportingTokenParameters.Endorsing.Add (p2);
Assert.AreEqual (true, p.RequireDerivedKeys, label + "#5");
Assert.AreEqual (true, p2.RequireDerivedKeys, label + "#6");
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters source)
: base(source)
{
reference_style = source.reference_style;
}
public void Validate(ServiceEndpoint endpoint)
{
StreamWriter file = new StreamWriter("c:\\temp\\WeatherStationService.SymmetricPolicyExtensionsBehavior - Validate.txt", true);
file.WriteLine("_________________________________________");
file.WriteLine("DateTime: " + DateTime.Now.ToString());
if (endpoint != null)
{
file.WriteLine("EndPoint: " + endpoint.Name);
if (endpoint.Behaviors != null)
{
foreach (IEndpointBehavior epb in endpoint.Behaviors)
{
file.WriteLine("EndPoint Behavior: " + epb.ToString());
}
}
}
file.Close();
//ClientCredentials cc = new ClientCredentials();
//ClientRuntime cr = new ClientRuntime();
//cc.ApplyClientBehavior(endpoint, cr);
//CustomBinding binding = new CustomBinding("CustomSecureBinding_BackendService");
CustomBinding binding = new CustomBinding();
SymmetricSecurityBindingElement secBindingElement = new SymmetricSecurityBindingElement();
//WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding");
CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport");
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
new EndpointAddress("https://ha50idp:8543/ADS-STS/Issue.svc"), stsBinding);
issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
// 256?
issuedTokenParameters.KeySize = 128;
issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress("https://ha50idp:8543/ADS-STS/Issue.svc/mex");
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
//
X509SecurityTokenParameters protectTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
protectTokenParameters.RequireDerivedKeys = false;
protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
//protectTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.ProtectionTokenParameters = protectTokenParameters;
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
//secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters);
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
binding.Elements.Add(secBindingElement);
binding.Elements.Add(new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8));
//HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement();
HttpTransportBindingElement httpsBinding = new HttpTransportBindingElement();
binding.Elements.Add(httpsBinding);
endpoint.Binding = binding;
}
protected override SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
element.RequireSignatureConfirmation = true;
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
X509SecurityTokenParameters p =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint);
p.RequireDerivedKeys = false;
element.EndpointSupportingTokenParameters.Endorsing.Add (p);
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
element.RequireSignatureConfirmation = false;
goto default;
case MessageCredentialType.Windows:
if (Security.Message.NegotiateServiceCredential) {
// No SSPI on Linux though...
element.ProtectionTokenParameters =
// FIXME: fill proper parameters
new SspiSecurityTokenParameters ();
} else {
// and no Kerberos ...
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
}
break;
default: // including .None
if (Security.Message.NegotiateServiceCredential) {
element.ProtectionTokenParameters =
// FIXME: fill proper parameters
new SslSecurityTokenParameters (false, true);
} else {
element.ProtectionTokenParameters =
new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
element.ProtectionTokenParameters.RequireDerivedKeys = true;
}
break;
}
if (!Security.Message.EstablishSecurityContext)
return element;
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements ();
// FIXME: fill the reqs
return SecurityBindingElement.CreateSecureConversationBindingElement (
// FIXME: requireCancellation
element, true, reqs);
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters other)
{
Contract.Requires(other != null);
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters other)
{
Contract.Requires(other != null);
}
public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
SecurityTokenInclusionMode mode;
parameters = null;
if (this.IsWsspAssertion(assertion, "X509Token") && this.TryGetIncludeTokenValue(assertion, out mode))
{
Collection<Collection<XmlElement>> collection;
if (this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
{
foreach (Collection<XmlElement> collection2 in collection)
{
X509SecurityTokenParameters parameters2 = new X509SecurityTokenParameters();
parameters = parameters2;
if ((this.TryImportWsspRequireDerivedKeysAssertion(collection2, parameters2) && this.TryImportX509ReferenceStyleAssertion(collection2, parameters2)) && (this.TryImportWsspAssertion(collection2, "WssX509V3Token10", true) && (collection2.Count == 0)))
{
parameters.InclusionMode = mode;
break;
}
parameters = null;
}
}
else
{
parameters = new X509SecurityTokenParameters();
parameters.RequireDerivedKeys = false;
parameters.InclusionMode = mode;
}
}
return (parameters != null);
}
void SetKeyDerivationCorrect (SecurityBindingElement be, string label)
{
X509SecurityTokenParameters p, p2;
p = new X509SecurityTokenParameters ();
p2 = new X509SecurityTokenParameters ();
Assert.AreEqual (true, p.RequireDerivedKeys, label + "#1");
Assert.AreEqual (true, p2.RequireDerivedKeys, label + "#2");
be.EndpointSupportingTokenParameters.Endorsing.Add (p);
be.EndpointSupportingTokenParameters.Endorsing.Add (p2);
be.SetKeyDerivation (false);
Assert.AreEqual (false, p.RequireDerivedKeys, label + "#3");
Assert.AreEqual (false, p2.RequireDerivedKeys, label + "#4");
}
public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters)
{
XmlElement tokenAssertion = this.CreateWsspAssertion("X509Token");
this.SetIncludeTokenValue(tokenAssertion, parameters.InclusionMode);
tokenAssertion.AppendChild(this.CreateWspPolicyWrapper(exporter, new XmlElement[] { this.CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), this.CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle), this.CreateWsspAssertion("WssX509V3Token10") }));
return tokenAssertion;
}
public void GetPropertySecurityCapabilities ()
{
ISecurityCapabilities c;
RsaSecurityTokenParameters rsa =
new RsaSecurityTokenParameters ();
UserNameSecurityTokenParameters user =
new UserNameSecurityTokenParameters ();
X509SecurityTokenParameters x509 =
new X509SecurityTokenParameters ();
SecureConversationSecurityTokenParameters sc1 =
new SecureConversationSecurityTokenParameters ();
sc1.BootstrapSecurityBindingElement =
new SymmetricSecurityBindingElement (); // empty
SecureConversationSecurityTokenParameters sc2 =
new SecureConversationSecurityTokenParameters ();
sc2.BootstrapSecurityBindingElement =
new SymmetricSecurityBindingElement (x509);
SecureConversationSecurityTokenParameters sc3 =
new SecureConversationSecurityTokenParameters ();
sc3.BootstrapSecurityBindingElement =
new AsymmetricSecurityBindingElement (null, x509);
SecureConversationSecurityTokenParameters sc4 =
new SecureConversationSecurityTokenParameters ();
sc4.BootstrapSecurityBindingElement =
new AsymmetricSecurityBindingElement (x509, null);
// no parameters
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement ());
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, false, c, "#1");
// x509 parameters for both
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, true, c, "#2");
// no initiator parameters
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (x509, null));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, true, c, "#3");
// no recipient parameters
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (null, x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#4");
// initiator does not support identity
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (x509, rsa));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, false, true, c, "#5");
// recipient does not support server auth
c = GetSecurityCapabilities (
new AsymmetricSecurityBindingElement (user, x509));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#6");
// secureconv with no symm. bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc1));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, false, c, "#7");
// secureconv with x509 symm. bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc2));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, true, c, "#8");
// secureconv with x509 initiator bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc3));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
true, true, false, c, "#9");
// secureconv with x509 recipient bootstrap params
c = GetSecurityCapabilities (
new SymmetricSecurityBindingElement (sc4));
AssertSecurityCapabilities (
ProtectionLevel.EncryptAndSign,
ProtectionLevel.EncryptAndSign,
false, false, true, c, "#10");
// FIXME: find out such cases that returns other ProtectionLevel values.
}
private SecurityBindingElement CreateWSS11SecurityBindingElement()
{
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
// TEST
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = false;
//WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding");
//CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport");
// TEMPORARILY DISABLED
// .Net 3.5
//string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc";
// .Net 4.0
string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc";
//IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
// new EndpointAddress(adsAddress), stsBinding);
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
issuedTokenParameters.UseStrTransform = false;
issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
//issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
//issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey;
// 256?
//issuedTokenParameters.KeySize = 256;
issuedTokenParameters.KeySize = 0;
// .Net 3.5
//string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex";
// .Net 4.0
//string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex";
//issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress);
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
//issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
// Claims
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));
// THis is a test
//secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);
// This is the right one
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
//secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters);
// need to put this in configuration
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any;
X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
//initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.Never);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
return secBindingElement;
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters other) : base(other)
{
this.x509ReferenceStyle = other.x509ReferenceStyle;
}
private SecurityBindingElement CreateWSS10SecurityBindingElement()
{
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = false;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
SecurityTokenInclusionMode.Never);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
//secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
//secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(protectTokenParameters);
//secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
return secBindingElement;
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters other)
: base(other)
{
this.x509ReferenceStyle = other.x509ReferenceStyle;
}
// based on WSHttpBinding.CreateMessageSecurity()
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
return element;
}
public virtual bool TryImportX509ReferenceStyleAssertion(ICollection<XmlElement> assertions, X509SecurityTokenParameters parameters)
{
if (TryImportWsspAssertion(assertions, RequireIssuerSerialReferenceName))
{
parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
}
else if (TryImportWsspAssertion(assertions, RequireKeyIdentifierReferenceName))
{
parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
}
else if (TryImportWsspAssertion(assertions, RequireThumbprintReferenceName))
{
parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
}
return true;
}
public void SetKeyDerivation ()
{
SymmetricSecurityBindingElement be;
X509SecurityTokenParameters p;
be = new SymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
be.ProtectionTokenParameters = p;
be.SetKeyDerivation (false);
Assert.AreEqual (false, p.RequireDerivedKeys, "#1");
be = new SymmetricSecurityBindingElement ();
p = new X509SecurityTokenParameters ();
be.SetKeyDerivation (false); // set in prior - makes no sense
be.ProtectionTokenParameters = p;
Assert.AreEqual (true, p.RequireDerivedKeys, "#2");
}
public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
{
parameters = null;
SecurityTokenInclusionMode inclusionMode;
Collection<Collection<XmlElement>> alternatives;
if (IsWsspAssertion(assertion, X509TokenName)
&& TryGetIncludeTokenValue(assertion, out inclusionMode))
{
if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
{
foreach (Collection<XmlElement> alternative in alternatives)
{
X509SecurityTokenParameters x509 = new X509SecurityTokenParameters();
parameters = x509;
if (TryImportWsspRequireDerivedKeysAssertion(alternative, x509)
&& TryImportX509ReferenceStyleAssertion(alternative, x509)
&& TryImportWsspAssertion(alternative, WssX509V3Token10Name, true)
&& alternative.Count == 0)
{
parameters.InclusionMode = inclusionMode;
break;
}
else
{
parameters = null;
}
}
}
else
{
parameters = new X509SecurityTokenParameters();
parameters.RequireDerivedKeys = false;
parameters.InclusionMode = inclusionMode;
}
}
return parameters != null;
}
protected X509SecurityTokenParameters(X509SecurityTokenParameters other)
: base(other)
{
reference_style = other.reference_style;
}
