private SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
string tokenType = initiatorRequirement.TokenType;
SecurityTokenProvider result = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
SecurityKeyUsage keyUsage = initiatorRequirement.KeyUsage;
if (keyUsage == SecurityKeyUsage.Exchange)
{
if (ServiceCredentials.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.ClientCertificateNotProvidedOnServiceCredentials));
}
result = new X509SecurityTokenProvider(ServiceCredentials.ClientCertificate.Certificate);
}
else
{
// this is a request for the server's own cert for signing
result = CreateServerX509TokenProvider();
}
}
return(result);
}
/// <summary>
/// Publiczna, nadpisana metoda z klasy bazowej służąca do utworzenia dostawcy tokenu bezpieczeństwa na podstawie przekazanych wymagań dotyczących tokenu
/// </summary>
/// <param name="requirement">Wymagania dotyczące tokenu bezpieczeństwa</param>
/// <returns>Dostawca tokenu bezpieczeństwa</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
{
SecurityTokenProvider result;
//Jeżeli wymagany jest token służący do zabezpieczenia warstwy transportu i jest to token powstały z certyfikatu X509
if (requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.TransportSchemeProperty) && requirement.TokenType == SecurityTokenTypes.X509Certificate)
{
//Utworzenie dostawcy tokena na podstawie certyfikatu TLS
result = new X509SecurityTokenProvider(
this.credentials.TransportCertificate);
}
//W przeciwnym razie jeżeli klucz przypisany do tokekena ma być użyty w celu wygenerowania cyfrowego podpisu i jest to token powstały z certyfikatu X509
else if (requirement.KeyUsage == SecurityKeyUsage.Signature && requirement.TokenType == SecurityTokenTypes.X509Certificate)
{
//Utworzenia dostawcy tokena na podstawie ceryfikatu WSS (Secure Websocket, certificate signing)
result = new X509SecurityTokenProvider(
this.credentials.ClientCertificate.Certificate);
}
//W przeciwnym wypadku utworzony zostanie dostawca tokenu bezpieczeństwa z wykorzystaniem metody z klasy bazowej
else
{
result = base.CreateSecurityTokenProvider(requirement);
}
//Zwrócenie dostawcy tokenu bezpieczeństwa
return(result);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
#if FEATURE_CORECLR // X509Certificates
// this is the uncorrelated duplex case
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
#endif
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
#if FEATURE_CORECLR
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
#else
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - Client certificate not supported in UAP");
#endif
}
}
else if (tokenType == SecurityTokenTypes.UserName)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username");
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
ServiceModelSecurityTokenRequirement requirement = tokenRequirement as ServiceModelSecurityTokenRequirement;
if (requirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (this.IsX509TokenRequirement(requirement))
{
X509CertificateValidator validator;
if (this.IsForConnectionValidator(requirement))
{
SecurityTokenProvider provider = null;
if (this.ssc != null)
{
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
else if (this.delegateManager != null)
{
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Transport;
requirement.TransportScheme = "net.p2p";
provider = this.delegateManager.CreateSecurityTokenProvider(tokenRequirement);
}
else if (this.credential.Certificate != null)
{
provider = new X509SecurityTokenProvider(this.credential.Certificate);
}
if ((provider == null) && (this.mode == PeerAuthenticationMode.Password))
{
this.ssc = this.parent.GetCertificate();
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
return(provider);
}
if (this.delegateManager != null)
{
requirement.TransportScheme = "net.p2p";
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Message;
return(this.delegateManager.CreateSecurityTokenProvider(tokenRequirement));
}
if (!this.credential.MessageSenderAuthentication.TryGetCertificateValidator(out validator))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(new PeerX509TokenProvider(validator, this.credential.Certificate));
}
if (!this.IsPasswordTokenRequirement(requirement))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(this.GetPasswordTokenProvider());
}
public void CreateProviderX509()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
public void CreateProviderX509()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
public void CreateProviderX509Recipient()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
r.KeyUsage = SecurityKeyUsage.Exchange;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
public void CreateProviderX509Initiator()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
r.KeyUsage = SecurityKeyUsage.Exchange;
// ClientCredential is somehow required ...
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
public override SecurityTokenProvider CreateSecurityTokenProvider(
SecurityTokenRequirement requirement)
{
SecurityTokenProvider result = null;
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
{
MessageDirection direction = requirement.
GetProperty <MessageDirection>(
ServiceModelSecurityTokenRequirement.
MessageDirectionProperty);
if (direction == MessageDirection.Input)
{
if (requirement.KeyUsage == SecurityKeyUsage.Exchange)
{
result = new X509SecurityTokenProvider(
credentials.ServiceEncryptingCertificate);
}
else
{
result = new X509SecurityTokenProvider(
credentials.ClientSigningCertificate);
}
}
else
{
if (requirement.KeyUsage == SecurityKeyUsage.Signature)
{
result = new X509SecurityTokenProvider(
credentials.ServiceSigningCertificate);
}
else
{
result = new X509SecurityTokenProvider(
credentials.ClientEncryptingCertificate);
}
}
}
else
{
result = base.CreateSecurityTokenProvider(requirement);
}
return(result);
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement)
{
bool isInitiator;
requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator);
// when it is initiator, then it is for MutualCertificateDuplex.
X509Certificate2 cert;
if (isInitiator)
{
cert = credentials.ClientCertificate.Certificate;
if (cert == null)
{
throw new InvalidOperationException("Client certificate is not provided in ServiceCredentials.");
}
if (cert.PrivateKey == null)
{
throw new ArgumentException("Client certificate for MutualCertificateDuplex does not have a private key which is required for key exchange.");
}
}
else
{
cert = credentials.ServiceCertificate.Certificate;
if (cert == null)
{
throw new InvalidOperationException("Service certificate is not provided in ServiceCredentials.");
}
if (cert.PrivateKey == null)
{
throw new ArgumentException("Service certificate does not have a private key which is required for key exchange.");
}
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider(cert);
return(p);
}
public override NameValueCollection Validate(TokenRequestMessage message)
{
if (!this.CanValidateMessage(message))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "This handler cannot validate this message.");
}
if (!message.Parameters[OAuthConstants.AssertionType].Equals("saml", StringComparison.OrdinalIgnoreCase))
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, string.Format("Assertion format '{0}' not supported. Only Saml Supported", message.Parameters[OAuthConstants.AssertionType]));
}
string assertion = message.Parameters[OAuthConstants.Assertion];
if (assertion == null)
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, "Parameter 'assertion' is mandatory");
}
this.EnsureClientExists(message);
SecurityToken token = null;
SecurityToken xtoken = null;
using (var stringReader = new StringReader(assertion))
{
var reader = XmlReader.Create(stringReader);
if (!ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "No Token handler defined can read this assertion");
}
// TODO: this should be changed to be in config
// CHANGE: matias: read decryption cert from servicecertificate instead of hardcoding localhost
using (var xprovider = new X509SecurityTokenProvider(ServiceConfiguration.ServiceCertificate))
{
xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1));
}
var outOfBandTokens = new Collection <SecurityToken>();
outOfBandTokens.Add(xtoken);
// CHANGED: matias, don't validate certificate (should be read from service config)
ServiceConfiguration.CertificateValidator = X509CertificateValidator.None;
// encryptedtoken handler is 6 . Add the X509TOken which has the key to decrypt this token
ServiceConfiguration.SecurityTokenHandlers[6].Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false);
token = ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader);
}
ClaimsIdentityCollection cc;
try
{
cc = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
}
catch (SecurityTokenException ex)
{
throw new OAuthException(OAuthErrorCodes.InvalidGrant, ex.Message, ex);
}
// CHANGE: matias: add CAM in order to be able to tranform claims
IClaimsPrincipal principal = new ClaimsPrincipal(cc);
if (ServiceConfiguration.ClaimsAuthenticationManager != null)
{
principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate("replace", principal);
}
var collection = new NameValueCollection();
foreach (Claim claim in cc[0].Claims)
{
collection.Add(claim.ClaimType, claim.Value);
}
return(collection);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (ClientCredentials.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
if (ClientCredentials.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
string spn = GetServicePrincipalName(initiatorRequirement);
result = new KerberosSecurityTokenProviderWrapper(
new KerberosSecurityTokenProvider(spn, ClientCredentials.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential)));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (ClientCredentials.UserName.UserName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials));
}
result = new UserNameSecurityTokenProvider(ClientCredentials.UserName.UserName, ClientCredentials.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (IsDigestAuthenticationScheme(initiatorRequirement))
{
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation);
}
else
{
#pragma warning disable 618 // to disable AllowNtlm obsolete warning.
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential),
ClientCredentials.Windows.AllowNtlm,
ClientCredentials.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement)
{
// - When the request is as an initiator, then
// - if the purpose is key exchange, then
// the initiator wants the service certificate
// to encrypt the message with its public key.
// - otherwise, the initiator wants the client
// certificate to sign the message with the
// private key.
// - otherwise
// - if the purpose is key exchange, then
// the recipient wants the client certificate
// to encrypt the message with its public key.
// - otherwise, the recipient wants the service
// certificate to sign the message with the
// private key.
bool isInitiator;
if (!requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator))
{
isInitiator = false;
}
X509Certificate2 cert;
bool isClient;
if (isInitiator)
{
isClient = requirement.KeyUsage == SecurityKeyUsage.Signature;
}
else
{
if (!requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty))
{
throw new NotSupportedException(String.Format("Cannot create a security token provider from this requirement '{0}'", requirement));
}
isClient = requirement.KeyUsage == SecurityKeyUsage.Exchange;
}
if (isClient)
{
cert = credentials.ClientCertificate.Certificate;
}
else
{
cert = GetServiceCertificate(requirement);
}
if (cert == null)
{
if (isClient)
{
throw new InvalidOperationException("Client certificate is not provided in ClientCredentials.");
}
else
{
throw new InvalidOperationException("Service certificate is not provided.");
}
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider(cert);
return(p);
}
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider provider = null;
if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider))
{
if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
{
if (this.parent.ClientCertificate.Certificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
}
provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = requirement.TokenType;
if (this.IsIssuedSecurityTokenRequirement(requirement))
{
provider = this.CreateIssuedSecurityTokenProvider(requirement);
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
{
provider = this.CreateServerX509TokenProvider(requirement.TargetAddress);
}
else
{
if (this.parent.ClientCertificate.Certificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
}
provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (this.parent.UserName.UserName == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials")));
}
provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (this.IsDigestAuthenticationScheme(requirement))
{
provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel);
}
else
{
provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel);
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
provider = this.CreateSpnegoTokenProvider(requirement);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
provider = this.CreateTlsnegoTokenProvider(requirement, true);
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
provider = this.CreateTlsnegoTokenProvider(requirement, false);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
provider = this.CreateSecureConversationSecurityTokenProvider(requirement);
}
}
}
if (provider == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement })));
}
return(provider);
}
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result))
{
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
#pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation.
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement);
if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null)
{
return(new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement));
}
result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters);
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress);
}
else
{
if (parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
string spn = GetServicePrincipalName(initiatorRequirement);
result = new KerberosSecurityTokenProviderWrapper(
new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)),
GetCredentialsHandle(initiatorRequirement));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (parent.UserName.UserName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials)));
}
result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (IsDigestAuthenticationScheme(initiatorRequirement))
{
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel);
}
else
{
#pragma warning disable 618 // to disable AllowNtlm obsolete wanring.
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential),
parent.Windows.AllowNtlm,
parent.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoTokenProvider(initiatorRequirement);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoTokenProvider(initiatorRequirement, false);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
}
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
