private SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { string tokenType = initiatorRequirement.TokenType; SecurityTokenProvider result = null; if (tokenType == SecurityTokenTypes.X509Certificate) { SecurityKeyUsage keyUsage = initiatorRequirement.KeyUsage; if (keyUsage == SecurityKeyUsage.Exchange) { if (ServiceCredentials.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.ClientCertificateNotProvidedOnServiceCredentials)); } result = new X509SecurityTokenProvider(ServiceCredentials.ClientCertificate.Certificate); } else { // this is a request for the server's own cert for signing result = CreateServerX509TokenProvider(); } } return(result); }
/// <summary> /// Publiczna, nadpisana metoda z klasy bazowej służąca do utworzenia dostawcy tokenu bezpieczeństwa na podstawie przekazanych wymagań dotyczących tokenu /// </summary> /// <param name="requirement">Wymagania dotyczące tokenu bezpieczeństwa</param> /// <returns>Dostawca tokenu bezpieczeństwa</returns> public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement) { SecurityTokenProvider result; //Jeżeli wymagany jest token służący do zabezpieczenia warstwy transportu i jest to token powstały z certyfikatu X509 if (requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.TransportSchemeProperty) && requirement.TokenType == SecurityTokenTypes.X509Certificate) { //Utworzenie dostawcy tokena na podstawie certyfikatu TLS result = new X509SecurityTokenProvider( this.credentials.TransportCertificate); } //W przeciwnym razie jeżeli klucz przypisany do tokekena ma być użyty w celu wygenerowania cyfrowego podpisu i jest to token powstały z certyfikatu X509 else if (requirement.KeyUsage == SecurityKeyUsage.Signature && requirement.TokenType == SecurityTokenTypes.X509Certificate) { //Utworzenia dostawcy tokena na podstawie ceryfikatu WSS (Secure Websocket, certificate signing) result = new X509SecurityTokenProvider( this.credentials.ClientCertificate.Certificate); } //W przeciwnym wypadku utworzony zostanie dostawca tokenu bezpieczeństwa z wykorzystaniem metody z klasy bazowej else { result = base.CreateSecurityTokenProvider(requirement); } //Zwrócenie dostawcy tokenu bezpieczeństwa return(result); }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { #if FEATURE_CORECLR // X509Certificates // this is the uncorrelated duplex case if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate); #endif } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange"); } else { #if FEATURE_CORECLR if (_parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate); #else throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - Client certificate not supported in UAP"); #endif } } else if (tokenType == SecurityTokenTypes.UserName) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username"); } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return(result); }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { ServiceModelSecurityTokenRequirement requirement = tokenRequirement as ServiceModelSecurityTokenRequirement; if (requirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } if (this.IsX509TokenRequirement(requirement)) { X509CertificateValidator validator; if (this.IsForConnectionValidator(requirement)) { SecurityTokenProvider provider = null; if (this.ssc != null) { provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate()); } else if (this.delegateManager != null) { requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Transport; requirement.TransportScheme = "net.p2p"; provider = this.delegateManager.CreateSecurityTokenProvider(tokenRequirement); } else if (this.credential.Certificate != null) { provider = new X509SecurityTokenProvider(this.credential.Certificate); } if ((provider == null) && (this.mode == PeerAuthenticationMode.Password)) { this.ssc = this.parent.GetCertificate(); provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate()); } return(provider); } if (this.delegateManager != null) { requirement.TransportScheme = "net.p2p"; requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Message; return(this.delegateManager.CreateSecurityTokenProvider(tokenRequirement)); } if (!this.credential.MessageSenderAuthentication.TryGetCertificateValidator(out validator)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType"); } return(new PeerX509TokenProvider(validator, this.credential.Certificate)); } if (!this.IsPasswordTokenRequirement(requirement)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType"); } return(this.GetPasswordTokenProvider()); }
public void CreateProviderX509() { SecurityTokenRequirement r = new InitiatorServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ClientCredentials.ClientCertificate.Certificate = cert; X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
public void CreateProviderX509() { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
public void CreateProviderX509Recipient() { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; r.KeyUsage = SecurityKeyUsage.Exchange; def_c.ClientCredentials.ClientCertificate.Certificate = cert; X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
public void CreateProviderX509Initiator() { InitiatorServiceModelSecurityTokenRequirement r = new InitiatorServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; r.KeyUsage = SecurityKeyUsage.Exchange; // ClientCredential is somehow required ... def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
public override SecurityTokenProvider CreateSecurityTokenProvider( SecurityTokenRequirement requirement) { SecurityTokenProvider result = null; if (requirement.TokenType == SecurityTokenTypes.X509Certificate) { MessageDirection direction = requirement. GetProperty <MessageDirection>( ServiceModelSecurityTokenRequirement. MessageDirectionProperty); if (direction == MessageDirection.Input) { if (requirement.KeyUsage == SecurityKeyUsage.Exchange) { result = new X509SecurityTokenProvider( credentials.ServiceEncryptingCertificate); } else { result = new X509SecurityTokenProvider( credentials.ClientSigningCertificate); } } else { if (requirement.KeyUsage == SecurityKeyUsage.Signature) { result = new X509SecurityTokenProvider( credentials.ServiceSigningCertificate); } else { result = new X509SecurityTokenProvider( credentials.ClientEncryptingCertificate); } } } else { result = base.CreateSecurityTokenProvider(requirement); } return(result); }
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement) { bool isInitiator; requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator); // when it is initiator, then it is for MutualCertificateDuplex. X509Certificate2 cert; if (isInitiator) { cert = credentials.ClientCertificate.Certificate; if (cert == null) { throw new InvalidOperationException("Client certificate is not provided in ServiceCredentials."); } if (cert.PrivateKey == null) { throw new ArgumentException("Client certificate for MutualCertificateDuplex does not have a private key which is required for key exchange."); } } else { cert = credentials.ServiceCertificate.Certificate; if (cert == null) { throw new InvalidOperationException("Service certificate is not provided in ServiceCredentials."); } if (cert.PrivateKey == null) { throw new ArgumentException("Service certificate does not have a private key which is required for key exchange."); } } X509SecurityTokenProvider p = new X509SecurityTokenProvider(cert); return(p); }
public override NameValueCollection Validate(TokenRequestMessage message) { if (!this.CanValidateMessage(message)) { throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "This handler cannot validate this message."); } if (!message.Parameters[OAuthConstants.AssertionType].Equals("saml", StringComparison.OrdinalIgnoreCase)) { throw new OAuthException(OAuthErrorCodes.InvalidRequest, string.Format("Assertion format '{0}' not supported. Only Saml Supported", message.Parameters[OAuthConstants.AssertionType])); } string assertion = message.Parameters[OAuthConstants.Assertion]; if (assertion == null) { throw new OAuthException(OAuthErrorCodes.InvalidRequest, "Parameter 'assertion' is mandatory"); } this.EnsureClientExists(message); SecurityToken token = null; SecurityToken xtoken = null; using (var stringReader = new StringReader(assertion)) { var reader = XmlReader.Create(stringReader); if (!ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader)) { throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "No Token handler defined can read this assertion"); } // TODO: this should be changed to be in config // CHANGE: matias: read decryption cert from servicecertificate instead of hardcoding localhost using (var xprovider = new X509SecurityTokenProvider(ServiceConfiguration.ServiceCertificate)) { xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1)); } var outOfBandTokens = new Collection <SecurityToken>(); outOfBandTokens.Add(xtoken); // CHANGED: matias, don't validate certificate (should be read from service config) ServiceConfiguration.CertificateValidator = X509CertificateValidator.None; // encryptedtoken handler is 6 . Add the X509TOken which has the key to decrypt this token ServiceConfiguration.SecurityTokenHandlers[6].Configuration.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false); token = ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader); } ClaimsIdentityCollection cc; try { cc = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token); } catch (SecurityTokenException ex) { throw new OAuthException(OAuthErrorCodes.InvalidGrant, ex.Message, ex); } // CHANGE: matias: add CAM in order to be able to tranform claims IClaimsPrincipal principal = new ClaimsPrincipal(cc); if (ServiceConfiguration.ClaimsAuthenticationManager != null) { principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate("replace", principal); } var collection = new NameValueCollection(); foreach (Claim claim in cc[0].Claims) { collection.Add(claim.ClaimType, claim.Value); } return(collection); }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement)); } SecurityTokenProvider result = null; if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (ClientCredentials.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange"); } else { if (ClientCredentials.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { string spn = GetServicePrincipalName(initiatorRequirement); result = new KerberosSecurityTokenProviderWrapper( new KerberosSecurityTokenProvider(spn, ClientCredentials.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential))); } else if (tokenType == SecurityTokenTypes.UserName) { if (ClientCredentials.UserName.UserName == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials)); } result = new UserNameSecurityTokenProvider(ClientCredentials.UserName.UserName, ClientCredentials.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (IsDigestAuthenticationScheme(initiatorRequirement)) { result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation); } else { #pragma warning disable 618 // to disable AllowNtlm obsolete warning. result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential), ClientCredentials.Windows.AllowNtlm, ClientCredentials.Windows.AllowedImpersonationLevel); #pragma warning restore 618 } } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement); } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return(result); }
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement) { // - When the request is as an initiator, then // - if the purpose is key exchange, then // the initiator wants the service certificate // to encrypt the message with its public key. // - otherwise, the initiator wants the client // certificate to sign the message with the // private key. // - otherwise // - if the purpose is key exchange, then // the recipient wants the client certificate // to encrypt the message with its public key. // - otherwise, the recipient wants the service // certificate to sign the message with the // private key. bool isInitiator; if (!requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator)) { isInitiator = false; } X509Certificate2 cert; bool isClient; if (isInitiator) { isClient = requirement.KeyUsage == SecurityKeyUsage.Signature; } else { if (!requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty)) { throw new NotSupportedException(String.Format("Cannot create a security token provider from this requirement '{0}'", requirement)); } isClient = requirement.KeyUsage == SecurityKeyUsage.Exchange; } if (isClient) { cert = credentials.ClientCertificate.Certificate; } else { cert = GetServiceCertificate(requirement); } if (cert == null) { if (isClient) { throw new InvalidOperationException("Client certificate is not provided in ClientCredentials."); } else { throw new InvalidOperationException("Service certificate is not provided."); } } X509SecurityTokenProvider p = new X509SecurityTokenProvider(cert); return(p); }
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider provider = null; if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider)) { if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)) { if (this.parent.ClientCertificate.Certificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials"))); } provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; string tokenType = requirement.TokenType; if (this.IsIssuedSecurityTokenRequirement(requirement)) { provider = this.CreateIssuedSecurityTokenProvider(requirement); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange)) { provider = this.CreateServerX509TokenProvider(requirement.TargetAddress); } else { if (this.parent.ClientCertificate.Certificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials"))); } provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement)); } else if (tokenType == SecurityTokenTypes.UserName) { if (this.parent.UserName.UserName == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials"))); } provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (this.IsDigestAuthenticationScheme(requirement)) { provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel); } else { provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel); } } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { provider = this.CreateSpnegoTokenProvider(requirement); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { provider = this.CreateTlsnegoTokenProvider(requirement, true); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { provider = this.CreateTlsnegoTokenProvider(requirement, false); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { provider = this.CreateSecureConversationSecurityTokenProvider(requirement); } } } if (provider == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement }))); } return(provider); }
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result)) { if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; #pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation. string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement); if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null) { return(new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement)); } result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress); } else { if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { string spn = GetServicePrincipalName(initiatorRequirement); result = new KerberosSecurityTokenProviderWrapper( new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)), GetCredentialsHandle(initiatorRequirement)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserName.UserName == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials))); } result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (IsDigestAuthenticationScheme(initiatorRequirement)) { result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel); } else { #pragma warning disable 618 // to disable AllowNtlm obsolete wanring. result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential), parent.Windows.AllowNtlm, parent.Windows.AllowedImpersonationLevel); #pragma warning restore 618 } } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoTokenProvider(initiatorRequirement); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, true); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, false); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement); } } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return(result); }