/// <summary>
/// Gets the name of the issuer.
/// </summary>
/// <param name="securityToken">The security token.</param>
/// <returns></returns>
public override string GetIssuerName(SecurityToken securityToken)
{
if (securityToken == null)
{
Tracing.Error("SimpleIssuerNameRegistry: securityToken is null");
throw new ArgumentNullException("securityToken");
}
X509SecurityToken token = securityToken as X509SecurityToken;
if (token != null)
{
Tracing.Information("SimpleIssuerNameRegistry: X509 SubjectName: " + token.Certificate.SubjectName.Name);
Tracing.Information("SimpleIssuerNameRegistry: X509 Thumbprint : " + token.Certificate.Thumbprint);
return(token.Certificate.Thumbprint);
}
RsaSecurityToken token2 = securityToken as RsaSecurityToken;
if (token2 == null)
{
throw new SecurityTokenException(securityToken.GetType().FullName);
}
Tracing.Information("SimpleIssuerNameRegistry: RSA Key: " + token2.Rsa.ToXmlString(false));
return(token2.Rsa.ToXmlString(false));
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
RsaKeyIdentifierClause clause;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause)))
{
RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (tokenAuthenticator != null)
{
SupportingTokenAuthenticatorSpecification specification;
token = new RsaSecurityToken(clause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token);
TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification);
if (supportingTokenTracker == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator })));
}
supportingTokenTracker.RecordToken(token);
base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys);
}
}
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver })));
}
return(token);
}
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(
SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
RsaSecurityToken r = token as RsaSecurityToken;
return(r.CreateKeyIdentifierClause <RsaKeyIdentifierClause> ());
}
private bool TryResolveTokenFromIntrinsicKeyClause(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
token = null;
if (keyIdentifierClause is RsaKeyIdentifierClause)
{
token = new RsaSecurityToken(((RsaKeyIdentifierClause)keyIdentifierClause).Rsa);
return(true);
}
if (keyIdentifierClause is X509RawDataKeyIdentifierClause)
{
token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()), false);
return(true);
}
if (keyIdentifierClause is EncryptedKeyIdentifierClause)
{
SecurityToken token2;
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier;
if (base.TryResolveToken(encryptingKeyIdentifier, out token2))
{
token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, token2);
return(true);
}
}
return(false);
}
// This is to address RSACryptoServiceProvider finalizer exception issue
// Step 1. Create Rsa and force deterministic keypair gen in this calling context.
// Step 2. Cache if the calling thread is under impersonation context. The cache will
// be disposed on Close/Abort assuming same calling context thread as the one calling open.
RsaSecurityToken CreateAndCacheRsaSecurityToken()
{
RsaSecurityToken token;
// Cache only under impersonation context.
// 1) set cacheSize less than 0, to ignore this new behavior at all.
// 2) set cacheSize to 0, if token provider should not dispose issued tokens on close/abort.
// 3) other than that, the token provider will track and dispose issued tokens as much.
if (MaxRsaSecurityTokenCacheSize >= 0 && IsImpersonatedContext())
{
// This will force deterministic keypair gen in this context.
token = RsaSecurityToken.CreateSafeRsaSecurityToken(this.keySize);
if (MaxRsaSecurityTokenCacheSize > 0)
{
lock (this.rsaSecurityTokens)
{
// Remove/Dispose the first token if cache is full.
// The first token (if not disposed) will rely on GC for finalization.
if (this.rsaSecurityTokens.Count >= MaxRsaSecurityTokenCacheSize)
{
this.rsaSecurityTokens.RemoveAt(0);
}
this.rsaSecurityTokens.Add(token);
}
}
}
else
{
token = new RsaSecurityToken(new RSACryptoServiceProvider(this.keySize));
}
return(token);
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out SecurityToken token);
if (token == null && !isPrimarySignature)
{
// check if there is a rsa key token authenticator
if (keyIdentifier.Count == 1)
{
if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out RsaKeyIdentifierClause rsaClause))
{
RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (rsaAuthenticator != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out SupportingTokenAuthenticatorSpecification spec);
if (rsaTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
}
rsaTracker.RecordToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
}
}
}
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
return(token);
}
public void ValidateJsonWebToken(string tokenString, SsoSettings settings, IList <string> audiences)
{
try
{
TokenString = tokenString;
SecurityToken securityToken;
log.DebugFormat("Jwt Validation securityAlgorithm={0}, audience[0]={1}, audience[1]={2}", settings.ValidationType, audiences[0], audiences[1]);
switch (settings.ValidationType)
{
case ValidationTypes.RSA_SHA256:
RSACryptoServiceProvider publicOnly = new RSACryptoServiceProvider();
//"<RSAKeyValue><Modulus>zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xt1WkAcWNu24/UeS3pETu08rVTqHJUMfhHcSKgL7LAk/MMj2inGFxop1LipGZSnqZhnjsfj1ERJL5eXs1O9hqyAcXvY4A2wo67qqv/lbHLKTW59W+YQkbIOVR4nQlbh1lK1TIY+oqK0J/5Ileb4QfERn0Rv/J/K0fy6VzLmVt+kg9MRNxYwnVsC3m5/kIu1fw3OpZxcaCC68SRqLLb/UXmaJM8NXYKkAkHKxT4DQqSk6KbFSQG6qi49Q34akohekzxjxmmGeoO5tsFCuMJofKAsBKKtOkLPaJD2rQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
publicOnly.FromXmlString(settings.PublicKey);
securityToken = new RsaSecurityToken(publicOnly);
break;
case ValidationTypes.HMAC_SHA256:
//var key = "zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xu24/UeS3pETu";
securityToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(GetBytes(settings.PublicKey));
break;
case ValidationTypes.X509:
var certificate = new Certificate();
certificate.LoadCertificate(settings.PublicKey);
securityToken = new X509SecurityToken(certificate.Cert);
break;
default:
log.ErrorFormat("ValidationType has wrong value: {0}", settings.ValidationType);
throw new ArgumentException("ValidationType has wrong value");
}
TokenValidationParameters validationParams = new TokenValidationParameters
{
ValidIssuer = settings.Issuer,
ValidAudiences = audiences,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateAudience = true,
ValidateActor = true,
IssuerSigningToken = securityToken
};
JwtSecurityTokenHandler recipientTokenHandler = new JwtSecurityTokenHandler
{
TokenLifetimeInMinutes = MaxClockSkew
};
SecurityToken validatedToken;
ClaimsPrincipalReceived = recipientTokenHandler.ValidateToken(TokenString, validationParams, out validatedToken);
JwtSecurityToken = validatedToken;
}
catch (Exception e)
{
log.ErrorFormat("Jwt Validation error. {0}", e);
}
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
RsaSecurityToken rsaToken = (RsaSecurityToken)token;
List <Claim> claims = new List <Claim>(2);
claims.Add(new Claim(ClaimTypes.Rsa, rsaToken.Rsa, Rights.Identity));
claims.Add(Claim.CreateRsaClaim(rsaToken.Rsa));
DefaultClaimSet claimSet = new DefaultClaimSet(ClaimSet.Anonymous, claims);
List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1);
policies.Add(new UnconditionalPolicy(claimSet, rsaToken.ValidTo));
return(policies.AsReadOnly());
}
public void ValidateJsonWebToken(string tokenString, SsoSettings settings, IList<string> audiences)
{
try
{
TokenString = tokenString;
SecurityToken securityToken;
_log.DebugFormat("JWT Validation securityAlgorithm={0}, audience[0]={1}, audience[1]={2}", settings.ValidationType, audiences[0], audiences[1]);
switch (settings.ValidationType)
{
case ValidationTypes.RSA_SHA256:
RSACryptoServiceProvider publicOnly = new RSACryptoServiceProvider();
//"<RSAKeyValue><Modulus>zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xt1WkAcWNu24/UeS3pETu08rVTqHJUMfhHcSKgL7LAk/MMj2inGFxop1LipGZSnqZhnjsfj1ERJL5eXs1O9hqyAcXvY4A2wo67qqv/lbHLKTW59W+YQkbIOVR4nQlbh1lK1TIY+oqK0J/5Ileb4QfERn0Rv/J/K0fy6VzLmVt+kg9MRNxYwnVsC3m5/kIu1fw3OpZxcaCC68SRqLLb/UXmaJM8NXYKkAkHKxT4DQqSk6KbFSQG6qi49Q34akohekzxjxmmGeoO5tsFCuMJofKAsBKKtOkLPaJD2rQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
publicOnly.FromXmlString(settings.PublicKey);
securityToken = new RsaSecurityToken(publicOnly);
break;
case ValidationTypes.HMAC_SHA256:
//var key = "zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xu24/UeS3pETu";
securityToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(GetBytes(settings.PublicKey));
break;
case ValidationTypes.X509:
var certificate = new Certificate();
certificate.LoadCertificate(settings.PublicKey);
securityToken = new X509SecurityToken(certificate.cert);
break;
default:
_log.ErrorFormat("ValidationType has wrong value: {0}", settings.ValidationType);
throw new ArgumentException("ValidationType has wrong value");
}
TokenValidationParameters validationParams = new TokenValidationParameters();
validationParams.ValidIssuer = settings.Issuer;
validationParams.ValidAudiences = audiences;
validationParams.ValidateIssuer = true;
validationParams.ValidateIssuerSigningKey = true;
validationParams.ValidateAudience = true;
validationParams.ValidateActor = true;
validationParams.IssuerSigningToken = securityToken;
JwtSecurityTokenHandler recipientTokenHandler = new JwtSecurityTokenHandler();
recipientTokenHandler.TokenLifetimeInMinutes = MAX_CLOCK_SKEW;
SecurityToken validatedToken = null;
ClaimsPrincipalReceived = recipientTokenHandler.ValidateToken(TokenString, validationParams, out validatedToken);
JwtSecurityToken = validatedToken;
}
catch (Exception e)
{
_log.ErrorFormat("JWT Validation error. {0}", e);
}
}
ValidateTokenCore(SecurityToken token)
{
RsaSecurityToken rt = token as RsaSecurityToken;
if (rt == null)
{
throw new InvalidOperationException("Security token '{0}' cannot be validated by this security token authenticator.");
}
IAuthorizationPolicy policy =
new RsaAuthorizationPolicy(rt.Rsa);
return(new ReadOnlyCollection <IAuthorizationPolicy> (new IAuthorizationPolicy [] { policy }));
}
protected override void WriteTokenCore(XmlWriter w, SecurityToken token)
{
RsaSecurityToken r = token as RsaSecurityToken;
w.Flush();
if (r != null)
{
w.WriteRaw(r.Rsa.ToXmlString(false));
}
else
{
base.WriteTokenCore(w, token);
}
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
RsaSecurityToken token2 = (RsaSecurityToken)token;
List <Claim> claims = new List <Claim>(2)
{
new Claim(ClaimTypes.Rsa, token2.Rsa, Rights.Identity),
Claim.CreateRsaClaim(token2.Rsa)
};
DefaultClaimSet issuance = new DefaultClaimSet(ClaimSet.Anonymous, claims);
return(new List <IAuthorizationPolicy>(1)
{
new UnconditionalPolicy(issuance, token2.ValidTo)
}.AsReadOnly());
}
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(
SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
if (token == null)
{
throw new ArgumentNullException("token");
}
RsaSecurityToken rt = token as RsaSecurityToken;
if (rt == null)
{
throw new NotSupportedException(String.Format("Cannot create a key identifier clause from this security token '{0}'", token));
}
return(new RsaKeyIdentifierClause(rt.Rsa));
}
private RsaSecurityToken CreateAndCacheRsaSecurityToken()
{
if ((MaxRsaSecurityTokenCacheSize >= 0) && this.IsImpersonatedContext())
{
RsaSecurityToken item = RsaSecurityToken.CreateSafeRsaSecurityToken(this.keySize);
if (MaxRsaSecurityTokenCacheSize <= 0)
{
return(item);
}
lock (this.rsaSecurityTokens)
{
if (this.rsaSecurityTokens.Count >= MaxRsaSecurityTokenCacheSize)
{
this.rsaSecurityTokens.RemoveAt(0);
}
this.rsaSecurityTokens.Add(item);
return(item);
}
}
return(new RsaSecurityToken(new RSACryptoServiceProvider(this.keySize)));
}
// Methods of BodyWriter
/// <summary>
/// Writes out an XML representation of the instance.
/// </summary>
/// <param name="writer">The writer to be used to write out the XML content</param>
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
// Write out the wst:RequestSecurityToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityToken, Constants.Trust.NamespaceUri);
// If we have a non-null, non-empty tokenType...
if (this.tokenType != null && this.tokenType.Length > 0)
{
// Write out the wst:TokenType start tag
writer.WriteStartElement(Constants.Trust.Elements.TokenType, Constants.Trust.NamespaceUri);
// Write out the tokenType string
writer.WriteString(this.tokenType);
writer.WriteEndElement(); // wst:TokenType
}
// If we have a non-null, non-empty requestType...
if (this.requestType != null && this.requestType.Length > 0)
{
// Write out the wst:RequestType start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestType, Constants.Trust.NamespaceUri);
// Write out the requestType string
writer.WriteString(this.requestType);
writer.WriteEndElement(); // wst:RequestType
}
// If we have a non-null appliesTo
if (this.appliesTo != null)
{
// Write out the wsp:AppliesTo start tag
writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
// Write the appliesTo in WS-Addressing 1.0 format
this.appliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
writer.WriteEndElement(); // wsp:AppliesTo
}
if (this.requestorEntropy != null)
{
writer.WriteStartElement(Constants.Trust.Elements.Entropy, Constants.Trust.NamespaceUri);
BinarySecretSecurityToken bsst = this.requestorEntropy as BinarySecretSecurityToken;
if (bsst != null)
{
writer.WriteStartElement(Constants.Trust.Elements.BinarySecret, Constants.Trust.NamespaceUri);
byte[] key = bsst.GetKeyBytes();
writer.WriteBase64(key, 0, key.Length);
writer.WriteEndElement(); // wst:BinarySecret
}
writer.WriteEndElement(); // wst:Entropy
}
if (this.keyType != null && this.keyType.Length > 0)
{
writer.WriteStartElement(Constants.Trust.Elements.KeyType, Constants.Trust.NamespaceUri);
writer.WriteString(this.keyType);
writer.WriteEndElement(); // wst:KeyType
}
if (this.keySize > 0)
{
writer.WriteStartElement(Constants.Trust.Elements.KeySize, Constants.Trust.NamespaceUri);
writer.WriteValue(this.keySize);
writer.WriteEndElement(); // wst:KeySize
}
if (this.proofKey != null && this.IsProofKeyAsymmetric())
{
writer.WriteStartElement(Constants.Trust.Elements.UseKey, Constants.Trust.NamespaceUri);
writer.WriteStartElement(Constants.XmlDSig.Elements.KeyInfo, Constants.XmlDSig.NamespaceUri);
writer.WriteStartElement(Constants.XmlDSig.Elements.KeyValue, Constants.XmlDSig.NamespaceUri);
RsaSecurityToken rsa = proofKey as RsaSecurityToken;
if (rsa != null)
{
RSAParameters p = rsa.Rsa.ExportParameters(false);
writer.WriteStartElement(Constants.XmlDSig.Elements.RsaKeyValue, Constants.XmlDSig.NamespaceUri);
writer.WriteStartElement(Constants.XmlDSig.Elements.Modulus, Constants.XmlDSig.NamespaceUri);
byte[] modulus = p.Modulus;
writer.WriteBase64(modulus, 0, modulus.Length);
writer.WriteEndElement(); // ds:Modulus
writer.WriteStartElement(Constants.XmlDSig.Elements.Exponent, Constants.XmlDSig.NamespaceUri);
byte[] exp = p.Exponent;
writer.WriteBase64(exp, 0, exp.Length);
writer.WriteEndElement(); // ds:Exponent
writer.WriteEndElement(); // ds:RsaKeyValue
}
writer.WriteEndElement(); // ds:KeyValue
writer.WriteEndElement(); // ds:KeyInfo
writer.WriteEndElement(); // wst:UseKey
}
if (this.claimReqs != null && this.claimReqs.Count > 0)
{
writer.WriteStartElement(Constants.Trust.Elements.Claims, Constants.Trust.NamespaceUri);
foreach (ClaimTypeRequirement ctr in this.claimReqs)
{
writer.WriteStartElement(Constants.IdentityModel.Elements.Claim, Constants.IdentityModel.NamespaceUri);
writer.WriteAttributeString(Constants.IdentityModel.Attributes.Uri, ctr.ClaimType);
if (ctr.IsOptional)
{
writer.WriteAttributeString(Constants.IdentityModel.Attributes.Optional, "true");
}
writer.WriteEndElement(); // wsid:Claim
}
writer.WriteEndElement(); // wst:Claims
}
writer.WriteEndElement(); // wst:RequestSecurityToken
}
// This method assumes that the XmlReader is positioned on the start tag of ds:RsaKeyValue
private static SecurityToken ProcessRsaKeyValueElement(XmlReader xr)
{
int initialDepth = xr.Depth;
if (xr.IsEmptyElement)
throw new Exception("ds:RsaKeyValue element was empty. Unable to create SecurityToken object");
SecurityToken st = null;
StringBuilder rsaXmlString = new StringBuilder();
rsaXmlString.Append("<RSAKeyValue>");
while (xr.Read())
{
// Process element start tags
if (XmlNodeType.Element == xr.NodeType)
{
// Process XMLDSIG elements
if (Constants.XmlDSig.NamespaceUri == xr.NamespaceURI)
{
if (Constants.XmlDSig.Elements.Modulus == xr.LocalName &&
!xr.IsEmptyElement)
{
rsaXmlString.Append("<Modulus>");
xr.Read();
rsaXmlString.Append(xr.ReadContentAsString());
rsaXmlString.Append("</Modulus>");
}
else if (Constants.XmlDSig.Elements.Exponent == xr.LocalName &&
!xr.IsEmptyElement)
{
rsaXmlString.Append("<Exponent>");
xr.Read();
rsaXmlString.Append(xr.ReadContentAsString());
rsaXmlString.Append("</Exponent>");
}
else
{
Console.WriteLine("Not processing element: {0}:{1}", xr.NamespaceURI, xr.LocalName);
}
}
else
{
Console.WriteLine("Not processing element: {0}:{1}", xr.NamespaceURI, xr.LocalName);
}
}
if (Constants.XmlDSig.Elements.RsaKeyValue == xr.LocalName &&
Constants.XmlDSig.NamespaceUri == xr.NamespaceURI &&
xr.Depth == initialDepth &&
XmlNodeType.EndElement == xr.NodeType)
break;
}
rsaXmlString.Append("</RSAKeyValue>");
RSA key = RSA.Create();
key.FromXmlString(rsaXmlString.ToString());
st = new RsaSecurityToken(key);
return st;
}
public FederatedTokenProviderState(RsaSecurityToken rsaToken)
: base(null)
{
this.rsaToken = rsaToken;
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore( SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ( rawDataClause != null )
{
token = new X509SecurityToken( new X509Certificate2( rawDataClause.GetX509RawData() ) );
return true;
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if ( rsaClause != null )
{
token = new RsaSecurityToken( rsaClause.Rsa );
return true;
}
if ( _wrappedTokenResolver.TryResolveToken( keyIdentifierClause, out token ) )
{
return true;
}
return false;
}
public void WriteRsaSecurityToken ()
{
StringWriter sw = new StringWriter ();
RSA rsa = (RSA) cert.PublicKey.Key;
RsaSecurityToken t = new RsaSecurityToken (rsa, "urn:rsa:1");
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
WSSecurityTokenSerializer.DefaultInstance.WriteToken (w, t);
}
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if (token == null)
{
// Check if this is a RSA key.
RsaKeyIdentifierClause rsaClause;
if (ski.TryFind<RsaKeyIdentifierClause>(out rsaClause))
token = new RsaSecurityToken(rsaClause.Rsa);
}
if (token == null)
{
// Check if this is a X509RawDataKeyIdentifier Clause.
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause;
if (ski.TryFind<X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause))
token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData()));
}
return token;
}
private bool TryResolveTokenFromIntrinsicKeyClause(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
token = null;
if (keyIdentifierClause is RsaKeyIdentifierClause)
{
token = new RsaSecurityToken(((RsaKeyIdentifierClause) keyIdentifierClause).Rsa);
return true;
}
if (keyIdentifierClause is X509RawDataKeyIdentifierClause)
{
token = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause) keyIdentifierClause).GetX509RawData()), false);
return true;
}
if (keyIdentifierClause is EncryptedKeyIdentifierClause)
{
SecurityToken token2;
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause) keyIdentifierClause;
SecurityKeyIdentifier encryptingKeyIdentifier = keyClause.EncryptingKeyIdentifier;
if (base.TryResolveToken(encryptingKeyIdentifier, out token2))
{
token = System.ServiceModel.Security.SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, token2);
return true;
}
}
return false;
}
SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (token == null && !isPrimarySignature)
{
// check if there is a rsa key token authenticator
if (keyIdentifier.Count == 1)
{
RsaKeyIdentifierClause rsaClause;
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaClause))
{
RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false);
if (rsaAuthenticator != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
SupportingTokenAuthenticatorSpecification spec;
TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out spec);
if (rsaTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
}
rsaTracker.RecordToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
}
}
}
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
return token;
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
RsaKeyIdentifierClause clause;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause)))
{
RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false);
if (tokenAuthenticator != null)
{
SupportingTokenAuthenticatorSpecification specification;
token = new RsaSecurityToken(clause.Rsa);
ReadOnlyCollection<IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token);
TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification);
if (supportingTokenTracker == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator })));
}
supportingTokenTracker.RecordToken(token);
base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys);
}
}
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver })));
}
return token;
}
// This method assumes that the XmlReader is positioned on the start tag of ds:RsaKeyValue
private static SecurityToken ProcessRsaKeyValueElement(XmlReader xr)
{
int initialDepth = xr.Depth;
if (xr.IsEmptyElement)
{
throw new Exception("ds:RsaKeyValue element was empty. Unable to create SecurityToken object");
}
SecurityToken st = null;
StringBuilder rsaXmlString = new StringBuilder();
rsaXmlString.Append("<RSAKeyValue>");
while (xr.Read())
{
// Process element start tags
if (XmlNodeType.Element == xr.NodeType)
{
// Process XMLDSIG elements
if (Constants.XmlDSig.NamespaceUri == xr.NamespaceURI)
{
if (Constants.XmlDSig.Elements.Modulus == xr.LocalName &&
!xr.IsEmptyElement)
{
rsaXmlString.Append("<Modulus>");
xr.Read();
rsaXmlString.Append(xr.ReadContentAsString());
rsaXmlString.Append("</Modulus>");
}
else if (Constants.XmlDSig.Elements.Exponent == xr.LocalName &&
!xr.IsEmptyElement)
{
rsaXmlString.Append("<Exponent>");
xr.Read();
rsaXmlString.Append(xr.ReadContentAsString());
rsaXmlString.Append("</Exponent>");
}
else
{
Console.WriteLine("Not processing element: {0}:{1}", xr.NamespaceURI, xr.LocalName);
}
}
else
{
Console.WriteLine("Not processing element: {0}:{1}", xr.NamespaceURI, xr.LocalName);
}
}
if (Constants.XmlDSig.Elements.RsaKeyValue == xr.LocalName &&
Constants.XmlDSig.NamespaceUri == xr.NamespaceURI &&
xr.Depth == initialDepth &&
XmlNodeType.EndElement == xr.NodeType)
{
break;
}
}
rsaXmlString.Append("</RSAKeyValue>");
RSA key = RSA.Create();
key.FromXmlString(rsaXmlString.ToString());
st = new RsaSecurityToken(key);
return(st);
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
RsaKeyIdentifierClause clause;
X509RawDataKeyIdentifierClause clause2;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if ((token == null) && ski.TryFind<RsaKeyIdentifierClause>(out clause))
{
token = new RsaSecurityToken(clause.Rsa);
}
if ((token == null) && ski.TryFind<X509RawDataKeyIdentifierClause>(out clause2))
{
token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData()));
}
return token;
}
