internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if (token == null)
{
// Check if this is a RSA key.
RsaKeyIdentifierClause rsaClause;
if (ski.TryFind <RsaKeyIdentifierClause>(out rsaClause))
{
token = new RsaSecurityToken(rsaClause.Rsa);
}
}
if (token == null)
{
// Check if this is a X509RawDataKeyIdentifier Clause.
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause;
if (ski.TryFind <X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause))
{
token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData()));
}
}
return(token);
}
public void TryResolveTokenNullClause()
{
SecurityTokenResolver r = GetResolver(true, new SecurityToken [0]);
SecurityToken token;
r.TryResolveToken((SecurityKeyIdentifierClause)null, out token);
}
public void TryResolveToken()
{
SecurityTokenResolver r = GetResolver(true, new SecurityToken [0]);
SecurityToken token;
Assert.IsFalse(r.TryResolveToken(new LocalIdKeyIdentifierClause("foo"), out token));
UserNameSecurityToken userName =
new UserNameSecurityToken("mono", "", "urn:foo");
LocalIdKeyIdentifierClause kic =
new LocalIdKeyIdentifierClause("urn:foo");
r = GetResolver(true, new SecurityToken [] { userName });
Assert.IsTrue(r.TryResolveToken(kic, out token));
r = GetResolver(false, new SecurityToken [] { userName });
Assert.IsFalse(r.TryResolveToken(kic, out token));
}
protected static bool TryResolveKeyIdentifier(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isFromSignature, out SecurityToken token)
{
if (keyIdentifier != null)
{
return(resolver.TryResolveToken(keyIdentifier, out token));
}
if (isFromSignature)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoKeyInfoInSignatureToFindVerificationToken")));
}
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoKeyInfoInEncryptedItemToFindDecryptingToken")));
}
protected static bool TryResolveKeyIdentifier(
SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isFromSignature, out SecurityToken token)
{
if (keyIdentifier == null)
{
if (isFromSignature)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoKeyInfoInSignatureToFindVerificationToken)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoKeyInfoInEncryptedItemToFindDecryptingToken)));
}
}
return(resolver.TryResolveToken(keyIdentifier, out token));
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
RsaKeyIdentifierClause clause;
X509RawDataKeyIdentifierClause clause2;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if ((token == null) && ski.TryFind <RsaKeyIdentifierClause>(out clause))
{
token = new RsaSecurityToken(clause.Rsa);
}
if ((token == null) && ski.TryFind <X509RawDataKeyIdentifierClause>(out clause2))
{
token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData()));
}
return(token);
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataClause != null)
{
token = new X509SecurityToken(new X509Certificate2(rawDataClause.GetX509RawData()));
return(true);
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if (rsaClause != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
return(true);
}
if (_wrappedTokenResolver.TryResolveToken(keyIdentifierClause, out token))
{
return(true);
}
return(false);
}
// xml format
//<DerivedKeyToken wsu:Id="..." wsse:Algorithm="..."> id required, alg optional (curr disallowed)
// <SecurityTokenReference>...</SecurityTokenReference> - required
// <Properties>...</Properties> - disallowed (optional in spec, but we disallow it)
// choice begin - (schema requires a choice - we allow neither on read - we always write one)
// <Generation>...</Generation> - optional
// <Offset>...</Offset> - optional
// choice end
// <Length>...</Length> - optional - default 32 on read (default specified in spec, not in schema - we always write it)
// <Label>...</Label> - optional
// <Nonce>...</Nonce> - required (optional in spec, but we require it)
//</DerivedKeyToken>
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive)
{
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
}
id = reader.GetAttribute(CoreWCF.XD.UtilityDictionary.IdAttribute, CoreWCF.XD.UtilityDictionary.Namespace);
derivationAlgorithm = reader.GetAttribute(CoreWCF.XD.XmlSignatureDictionary.Algorithm, null);
if (derivationAlgorithm == null)
{
derivationAlgorithm = parent.DerivationAlgorithm;
}
reader.ReadStartElement();
tokenToDeriveIdentifier = null;
tokenToDerive = null;
if (reader.IsStartElement(CoreWCF.XD.SecurityJan2004Dictionary.SecurityTokenReference, CoreWCF.XD.SecurityJan2004Dictionary.Namespace))
{
tokenToDeriveIdentifier = parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause(reader);
tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyTokenRequiresTokenReference)));
}
// no support for properties
generation = -1;
if (reader.IsStartElement(parent.SerializerDictionary.Generation, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
generation = reader.ReadContentAsInt();
reader.ReadEndElement();
if (generation < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidGenerationSpecified, generation)));
}
}
offset = -1;
if (reader.IsStartElement(parent.SerializerDictionary.Offset, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
offset = reader.ReadContentAsInt();
reader.ReadEndElement();
if (offset < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.DerivedKeyInvalidOffsetSpecified, offset)));
}
}
length = DerivedKeySecurityToken.DefaultDerivedKeyLength;
if (reader.IsStartElement(parent.SerializerDictionary.Length, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
length = reader.ReadContentAsInt();
reader.ReadEndElement();
}
if ((offset == -1) && (generation == -1))
{
offset = 0;
}
// verify that the offset is not larger than the max allowed
DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset);
label = null;
if (reader.IsStartElement(parent.SerializerDictionary.Label, parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
label = reader.ReadString();
reader.ReadEndElement();
}
if (label != null && label.Length > this.maxKeyDerivationLabelLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenLabelTooLong, label.Length, this.maxKeyDerivationLabelLength)));
}
nonce = null;
reader.ReadStartElement(parent.SerializerDictionary.Nonce, parent.SerializerDictionary.Namespace);
nonce = reader.ReadContentAsBase64();
reader.ReadEndElement();
if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.DerivedKeyTokenNonceTooLong, nonce.Length, this.maxKeyDerivationNonceLength)));
}
reader.ReadEndElement();
}
public virtual void ReadDerivedKeyTokenParameters(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver, out string id, out string derivationAlgorithm, out string label, out int length, out byte[] nonce, out int offset, out int generation, out SecurityKeyIdentifierClause tokenToDeriveIdentifier, out SecurityToken tokenToDerive)
{
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
}
id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
derivationAlgorithm = reader.GetAttribute(XD.XmlSignatureDictionary.Algorithm, (XmlDictionaryString)null);
if (derivationAlgorithm == null)
{
derivationAlgorithm = this.parent.DerivationAlgorithm;
}
reader.ReadStartElement();
tokenToDeriveIdentifier = (SecurityKeyIdentifierClause)null;
tokenToDerive = (SecurityToken)null;
if (!reader.IsStartElement(XD.SecurityJan2004Dictionary.SecurityTokenReference, XD.SecurityJan2004Dictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyTokenRequiresTokenReference")));
}
tokenToDeriveIdentifier = this.parent.WSSecurityTokenSerializer.ReadKeyIdentifierClause((XmlReader)reader);
tokenResolver.TryResolveToken(tokenToDeriveIdentifier, out tokenToDerive);
generation = -1;
if (reader.IsStartElement(this.parent.SerializerDictionary.Generation, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
generation = reader.ReadContentAsInt();
reader.ReadEndElement();
if (generation < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidGenerationSpecified", new object[1] {
(object)generation
})));
}
}
offset = -1;
if (reader.IsStartElement(this.parent.SerializerDictionary.Offset, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
offset = reader.ReadContentAsInt();
reader.ReadEndElement();
if (offset < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new XmlException(SR.GetString("DerivedKeyInvalidOffsetSpecified", new object[1] {
(object)offset
})));
}
}
length = 32;
if (reader.IsStartElement(this.parent.SerializerDictionary.Length, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
length = reader.ReadContentAsInt();
reader.ReadEndElement();
}
if (offset == -1 && generation == -1)
{
offset = 0;
}
DerivedKeySecurityToken.EnsureAcceptableOffset(offset, generation, length, this.maxKeyDerivationOffset);
label = (string)null;
if (reader.IsStartElement(this.parent.SerializerDictionary.Label, this.parent.SerializerDictionary.Namespace))
{
reader.ReadStartElement();
label = reader.ReadString();
reader.ReadEndElement();
}
if (label != null && label.Length > this.maxKeyDerivationLabelLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenLabelTooLong", (object)label.Length, (object)this.maxKeyDerivationLabelLength)));
}
nonce = (byte[])null;
reader.ReadStartElement(this.parent.SerializerDictionary.Nonce, this.parent.SerializerDictionary.Namespace);
nonce = reader.ReadContentAsBase64();
reader.ReadEndElement();
if (nonce != null && nonce.Length > this.maxKeyDerivationNonceLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new MessageSecurityException(SR.GetString("DerivedKeyTokenNonceTooLong", (object)nonce.Length, (object)this.maxKeyDerivationNonceLength)));
}
reader.ReadEndElement();
}
/// <summary>
/// Reads the SessionSecurityToken from the given reader.
/// </summary>
/// <param name="reader">XmlReader over the SessionSecurityToken.</param>
/// <param name="tokenResolver">SecurityTokenResolver that can used to resolve SessionSecurityToken.</param>
/// <returns>An instance of <see cref="SessionSecurityToken"/>.</returns>
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
/// <exception cref="SecurityTokenException">The 'reader' is not positioned at a SessionSecurityToken
/// or the SessionSecurityToken cannot be read.</exception>
public override SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (tokenResolver == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
}
byte[] encodedCookie = null;
SysUniqueId contextId = null;
SysUniqueId keyGeneration = null;
string ns = null;
string identifier = null;
string instance = null;
SecurityToken securityContextToken = null;
SessionDictionary dictionary = SessionDictionary.Instance;
XmlDictionaryReader dicReader = XmlDictionaryReader.CreateDictionaryReader(reader);
if (dicReader.IsStartElement(WSSecureConversationFeb2005Constants.ElementNames.Name, WSSecureConversationFeb2005Constants.Namespace))
{
ns = WSSecureConversationFeb2005Constants.Namespace;
identifier = WSSecureConversationFeb2005Constants.ElementNames.Identifier;
instance = WSSecureConversationFeb2005Constants.ElementNames.Instance;
}
else if (dicReader.IsStartElement(WSSecureConversation13Constants.ElementNames.Name, WSSecureConversation13Constants.Namespace))
{
ns = WSSecureConversation13Constants.Namespace;
identifier = WSSecureConversation13Constants.ElementNames.Identifier;
instance = WSSecureConversation13Constants.ElementNames.Instance;
}
else
{
//
// Something is wrong
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(
SR.GetString(SR.ID4230, WSSecureConversationFeb2005Constants.ElementNames.Name, dicReader.Name)));
}
string id = dicReader.GetAttribute(WSUtilityConstants.Attributes.IdAttribute, WSUtilityConstants.NamespaceURI);
dicReader.ReadFullStartElement();
if (!dicReader.IsStartElement(identifier, ns))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(
SR.GetString(SR.ID4230, WSSecureConversation13Constants.ElementNames.Identifier, dicReader.Name)));
}
contextId = dicReader.ReadElementContentAsUniqueId();
if (contextId == null || string.IsNullOrEmpty(contextId.ToString()))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4242)));
}
//
// The token can be a renewed token, in which case we need to know the
// instance id, which will be the secondary key to the context id for
// cache lookups
//
if (dicReader.IsStartElement(instance, ns))
{
keyGeneration = dicReader.ReadElementContentAsUniqueId();
}
if (dicReader.IsStartElement(CookieElementName, CookieNamespace))
{
// Get the token from the Cache, which is returned as an SCT
SecurityToken cachedToken = null;
SecurityContextKeyIdentifierClause sctClause = null;
if (keyGeneration == null)
{
sctClause = new SecurityContextKeyIdentifierClause(contextId);
}
else
{
sctClause = new SecurityContextKeyIdentifierClause(contextId, keyGeneration);
}
tokenResolver.TryResolveToken(sctClause, out cachedToken);
if (cachedToken != null)
{
securityContextToken = cachedToken;
dicReader.Skip();
}
else
{
//
// CookieMode
//
encodedCookie = dicReader.ReadElementContentAsBase64();
if (encodedCookie == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4237)));
}
//
// appply transforms
//
byte[] decodedCookie = ApplyTransforms(encodedCookie, false);
using (MemoryStream ms = new MemoryStream(decodedCookie))
{
BinaryFormatter formatter = new BinaryFormatter();
securityContextToken = formatter.Deserialize(ms) as SecurityToken;
}
SessionSecurityToken sessionToken = securityContextToken as SessionSecurityToken;
if (sessionToken != null && sessionToken.ContextId != contextId)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4229, sessionToken.ContextId, contextId)));
}
if (sessionToken != null && sessionToken.Id != id)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4227, sessionToken.Id, id)));
}
}
}
else
{
//
// SessionMode
//
// Get the token from the Cache.
SecurityToken cachedToken = null;
SecurityContextKeyIdentifierClause sctClause = null;
if (keyGeneration == null)
{
sctClause = new SecurityContextKeyIdentifierClause(contextId);
}
else
{
sctClause = new SecurityContextKeyIdentifierClause(contextId, keyGeneration);
}
tokenResolver.TryResolveToken(sctClause, out cachedToken);
if (cachedToken != null)
{
securityContextToken = cachedToken;
}
}
dicReader.ReadEndElement();
if (securityContextToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4243)));
}
return(securityContextToken);
}