private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out SecurityToken token);
if (token == null && !isPrimarySignature)
{
// check if there is a rsa key token authenticator
if (keyIdentifier.Count == 1)
{
if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out RsaKeyIdentifierClause rsaClause))
{
RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (rsaAuthenticator != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out SupportingTokenAuthenticatorSpecification spec);
if (rsaTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
}
rsaTracker.RecordToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
}
}
}
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
return(token);
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
RsaKeyIdentifierClause clause;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause)))
{
RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (tokenAuthenticator != null)
{
SupportingTokenAuthenticatorSpecification specification;
token = new RsaSecurityToken(clause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token);
TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification);
if (supportingTokenTracker == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator })));
}
supportingTokenTracker.RecordToken(token);
base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys);
}
}
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver })));
}
return(token);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
SecurityTokenAuthenticator authenticator = null;
InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (requirement != null)
{
string tokenType = requirement.TokenType;
if (this.IsIssuedSecurityTokenRequirement(requirement))
{
return(new GenericXmlSecurityTokenAuthenticator());
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (requirement.IsOutOfBandToken)
{
authenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
}
else
{
authenticator = this.CreateServerX509TokenAuthenticator();
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
authenticator = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
authenticator = new KerberosRequestorSecurityTokenAuthenticator();
}
else if (((tokenType == ServiceModelSecurityTokenTypes.SecureConversation) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) || ((tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) || (tokenType == ServiceModelSecurityTokenTypes.Spnego)))
{
authenticator = new GenericXmlSecurityTokenAuthenticator();
}
}
else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate))
{
authenticator = this.CreateServerX509TokenAuthenticator();
}
if (authenticator == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
return(authenticator);
}
public void CreateAuthenticatorRsa()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.Rsa;
SecurityTokenResolver resolver;
RsaSecurityTokenAuthenticator rsa =
def_c.CreateSecurityTokenAuthenticator(r, out resolver)
as RsaSecurityTokenAuthenticator;
Assert.IsNotNull(rsa, "#1");
Assert.IsNull(resolver, "#2"); // but probably non-null if there is RsaSecurityToken that could be somehow created from the credential.
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
// this is the uncorrelated duplex case in which the server is asking for
// an authenticator to validate its provisioned client certificate
if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
}
if (!(tokenRequirement is RecipientServiceModelSecurityTokenRequirement recipientRequirement))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
throw new PlatformNotSupportedException("KerberosSecurityTokenAuthenticator");
//result = new KerberosSecurityTokenAuthenticatorWrapper(
// new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
throw new PlatformNotSupportedException("UserNamePasswordValidationMode.Windows");
//if (parent.UserNameAuthentication.CacheLogonTokens)
//{
// result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups,
// parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
//}
//else
//{
// result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
//}
}
else
{
result = new CustomUserNameSecurityTokenAuthenticator(ServiceCredentials.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
result = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if ((tokenType == SecurityTokenTypes.Saml) ||
(tokenType == SecurityXXX2005Strings.SamlTokenType) ||
(tokenType == SecurityJan2004Strings.SamlUri) ||
(tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement)))
{
throw new PlatformNotSupportedException("SamlToken");
//result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator authenticator = null;
if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
authenticator = this.CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
if (this.parent.UserNameAuthentication.CacheLogonTokens)
{
authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime);
}
else
{
authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups);
}
}
else
{
authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
authenticator = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement))))
{
authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (authenticator == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
return(authenticator);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (initiatorRequirement != null)
{
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
return(new GenericXmlSecurityTokenAuthenticator());
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.IsOutOfBandToken)
{
// when the client side soap security asks for a token authenticator, its for doing
// identity checks on the out of band server certificate
result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
}
else if (initiatorRequirement.PreferSslCertificateAuthenticator)
{
result = CreateServerSslX509TokenAuthenticator();
}
else
{
result = CreateServerX509TokenAuthenticator();
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
result = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
result = new KerberosRequestorSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = new GenericXmlSecurityTokenAuthenticator();
}
}
else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
// uncorrelated duplex case
result = CreateServerX509TokenAuthenticator();
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
