コード例 #1
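        /// <summary>
        /// Creates the security token: wraps the SAML assertion supplied at construction time
        /// in a <see cref="GenericXmlSecurityToken"/> together with the proof key.
        /// </summary>
        /// <param name="timeout">Maximum amount of time the method is supposed to take. Ignored in this implementation.</param>
        /// <returns>A SecurityToken corresponding to the SAML assertion and proof key specified at construction time</returns>
        protected override SecurityToken GetTokenCore(TimeSpan timeout)
        {
            // Create a SamlSecurityToken from the provided assertion
            SamlSecurityToken samlToken = new SamlSecurityToken(assertion);

            // Create a SecurityTokenSerializer that will be used to serialize the SamlSecurityToken
            WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();

            // The DOM that will hold the serialized token
            XmlDocument dom = new XmlDocument();

            // Serialize into a memory stream (initial size 64Kb) and load it back as a DOM.
            // The XmlWriter buffers its output, so it must be flushed/closed before the stream
            // is rewound; otherwise the DOM is loaded from an empty stream. CloseOutput is
            // false by default, so disposing the writer leaves the stream open.
            using (MemoryStream s = new MemoryStream(UInt16.MaxValue))
            {
                using (XmlWriter xw = XmlWriter.Create(s))
                {
                    ser.WriteToken(xw, samlToken);
                    xw.Flush();
                }

                // Seek back to the beginning of the stream and load it
                s.Seek(0, SeekOrigin.Begin);
                dom.Load(s);
            }

            // Create a KeyIdentifierClause for the SamlSecurityToken
            SamlAssertionKeyIdentifierClause samlKeyIdentifierClause = samlToken.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>();

            // Return a GenericXmlToken from the XML for the SamlSecurityToken, the proof token, the valid from
            // and valid until times from the assertion and the key identifier clause created above
            // (used for both the internal and the external reference; no authorization policies).
            return new GenericXmlSecurityToken(dom.DocumentElement, proofToken, assertion.Conditions.NotBefore, assertion.Conditions.NotOnOrAfter, samlKeyIdentifierClause, samlKeyIdentifierClause, null);
        }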
コード例 #2
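        /// <summary>
        /// Appends one cache entry (target, issuer, token XML, proof key, id, validity window and
        /// both token references) to <paramref name="stream"/> as UTF-8 XML.
        /// The proof key is written base64-encoded in the clear, so the destination must be
        /// protected at least as strongly as the token it caches.
        /// </summary>
        /// <param name="stream">Destination stream; flushed but not closed.</param>
        /// <param name="target">Endpoint the token applies to.</param>
        /// <param name="issuer">Issuer of the token; may be null (written as an empty element).</param>
        /// <param name="token">Token to persist; its first security key must be symmetric.</param>
        /// <exception cref="ArgumentNullException">stream, target or token is null.</exception>
        /// <exception cref="InvalidOperationException">The token carries no symmetric key at index 0.</exception>
        private static void SerializeCachedToken(Stream stream, Uri target, Uri issuer, GenericXmlSecurityToken token)
        {
            if (stream == null)
            {
                throw new ArgumentNullException("stream");
            }
            if (target == null)
            {
                throw new ArgumentNullException("target");
            }
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            // Fail with a clear message instead of an InvalidCastException / index error when
            // the token does not carry a symmetric proof key.
            SymmetricSecurityKey symmetricSecurityKey =
                token.SecurityKeys.Count > 0 ? token.SecurityKeys[0] as SymmetricSecurityKey : null;
            if (symmetricSecurityKey == null)
            {
                throw new InvalidOperationException("The cached token must carry a symmetric proof key as its first security key.");
            }

            // Timestamps are written in a fixed, culture-independent ISO-8601 form with full tick
            // precision, so an entry written under one culture is still readable under another.
            // No zone designator is emitted, so the reader gets the same (unspecified-kind) value.
            const string TimestampFormat = "yyyy-MM-ddTHH:mm:ss.fffffff";

            XmlTextWriter xmlTextWriter = new XmlTextWriter(stream, Encoding.UTF8);

            xmlTextWriter.WriteStartElement("Entry");
            xmlTextWriter.WriteElementString("Target", target.AbsoluteUri);
            xmlTextWriter.WriteElementString("Issuer", (issuer == null) ? "" : issuer.AbsoluteUri);
            xmlTextWriter.WriteStartElement("Token");
            xmlTextWriter.WriteStartElement("XML");
            token.TokenXml.WriteTo(xmlTextWriter);
            xmlTextWriter.WriteEndElement();

            xmlTextWriter.WriteElementString("Key", Convert.ToBase64String(symmetricSecurityKey.GetSymmetricKey()));
            xmlTextWriter.WriteElementString("Id", token.Id);
            xmlTextWriter.WriteElementString("ValidFrom", token.ValidFrom.ToString(TimestampFormat, CultureInfo.InvariantCulture));
            xmlTextWriter.WriteElementString("ValidTo", token.ValidTo.ToString(TimestampFormat, CultureInfo.InvariantCulture));
            WSSecurityTokenSerializer wssecurityTokenSerializer = new WSSecurityTokenSerializer();

            xmlTextWriter.WriteStartElement("InternalTokenReference");
            wssecurityTokenSerializer.WriteKeyIdentifierClause(xmlTextWriter, token.InternalTokenReference);
            xmlTextWriter.WriteEndElement();
            xmlTextWriter.WriteStartElement("ExternalTokenReference");
            wssecurityTokenSerializer.WriteKeyIdentifierClause(xmlTextWriter, token.ExternalTokenReference);
            xmlTextWriter.WriteEndElement();
            xmlTextWriter.WriteEndElement(); // Token
            xmlTextWriter.WriteEndElement(); // Entry

            // The writer is deliberately not disposed: closing it would close the caller's stream.
            xmlTextWriter.Flush();
            stream.Flush();
        }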
コード例 #3
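        /// <summary>
        /// Reads cache entries previously written by <c>SerializeCachedToken</c> from
        /// <paramref name="stream"/> and adds one <see cref="GenericXmlSecurityToken"/> per
        /// entry to <paramref name="cache"/>, keyed by target and issuer.
        /// </summary>
        /// <param name="cache">Dictionary to populate; a key that already exists makes <c>Add</c> throw.</param>
        /// <param name="stream">Stream positioned at the first <c>Entry</c> element. It is read but not closed.</param>
        /// <exception cref="ArgumentNullException">cache or stream is null.</exception>
        /// <exception cref="InvalidDataException">An entry's <c>XML</c> element does not hold a token element.</exception>
        /// <exception cref="XmlException">The stream is not well-formed XML or contains a DTD.</exception>
        private static void PopulateCache(Dictionary <IssuedTokenCacheBase.Key, GenericXmlSecurityToken> cache, Stream stream)
        {
            if (cache == null)
            {
                throw new ArgumentNullException("cache");
            }
            if (stream == null)
            {
                throw new ArgumentNullException("stream");
            }

            XmlTextReader xmlTextReader = new XmlTextReader(stream);

            // The cache is a persisted file; nothing in it legitimately needs a DTD or an
            // external entity. Refuse both so that a tampered file cannot pull in external
            // content while proof keys are being loaded.
            xmlTextReader.DtdProcessing = DtdProcessing.Prohibit;
            xmlTextReader.XmlResolver   = null;

            while (xmlTextReader.IsStartElement("Entry"))
            {
                xmlTextReader.ReadStartElement();
                Uri    target = new Uri(xmlTextReader.ReadElementString("Target"));
                string text   = xmlTextReader.ReadElementString("Issuer");
                Uri    issuer = string.IsNullOrEmpty(text) ? null : new Uri(text);
                xmlTextReader.ReadStartElement("Token");
                xmlTextReader.ReadStartElement("XML");
                XmlDocument xmlDocument = new XmlDocument();
                XmlElement  tokenXml    = xmlDocument.ReadNode(xmlTextReader) as XmlElement;
                if (tokenXml == null)
                {
                    throw new InvalidDataException("Cache entry 'XML' element does not contain a token element.");
                }
                xmlTextReader.ReadEndElement();

                // The proof key is stored base64-encoded in the clear; it becomes the token's
                // symmetric proof token below.
                byte[] key = Convert.FromBase64String(xmlTextReader.ReadElementString("Key"));
                xmlTextReader.ReadElementString("Id");
                DateTime effectiveTime  = Convert.ToDateTime(xmlTextReader.ReadElementString("ValidFrom"));
                DateTime expirationTime = Convert.ToDateTime(xmlTextReader.ReadElementString("ValidTo"));
                WSSecurityTokenSerializer wssecurityTokenSerializer = new WSSecurityTokenSerializer();
                xmlTextReader.ReadStartElement("InternalTokenReference");
                SecurityKeyIdentifierClause internalTokenReference = wssecurityTokenSerializer.ReadKeyIdentifierClause(xmlTextReader);
                xmlTextReader.ReadEndElement();
                xmlTextReader.ReadStartElement("ExternalTokenReference");
                SecurityKeyIdentifierClause externalTokenReference = wssecurityTokenSerializer.ReadKeyIdentifierClause(xmlTextReader);
                xmlTextReader.ReadEndElement();
                xmlTextReader.ReadEndElement(); // Token
                xmlTextReader.ReadEndElement(); // Entry

                // Entries are restored without authorization policies.
                List <IAuthorizationPolicy> list  = new List <IAuthorizationPolicy>();
                GenericXmlSecurityToken     value = new GenericXmlSecurityToken(tokenXml, new BinarySecretSecurityToken(key), effectiveTime, expirationTime, internalTokenReference, externalTokenReference, new ReadOnlyCollection <IAuthorizationPolicy>(list));
                cache.Add(new IssuedTokenCacheBase.Key(target, issuer), value);
            }
        }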
コード例 #4
        /// <summary>
        /// Issues a SAML token whose proof key matches the key type of the token requirement:
        /// a symmetric proof token of the requested size, or an asymmetric one.
        /// </summary>
        /// <param name="timeout">Not consulted; the token is produced locally.</param>
        /// <returns>
        /// A <see cref="GenericXmlSecurityToken"/> holding the serialized assertion, the proof
        /// token, the assertion's validity window and its key identifier clause as both references.
        /// </returns>
        /// <exception cref="ArgumentOutOfRangeException">The requirement's KeyType is neither symmetric nor asymmetric.</exception>
        protected override SecurityToken GetTokenCore(TimeSpan timeout)
        {
            SecurityToken proofToken;
            SamlAssertion issuedAssertion;

            switch (base.TokenRequirement.KeyType)
            {
                case SecurityKeyType.SymmetricKey:
                    proofToken      = SamlSecurityTokenProvider.CreateSymmetricProofToken(base.TokenRequirement.KeySize);
                    issuedAssertion = this.CreateSamlAssertionWithSymmetricKey((BinarySecretSecurityToken)proofToken);
                    break;

                case SecurityKeyType.AsymmetricKey:
                    proofToken      = SamlSecurityTokenProvider.CreateAsymmetricProofToken();
                    issuedAssertion = this.CreateSamlAssertionWithAsymmetricKey(proofToken);
                    break;

                default:
                    throw new ArgumentOutOfRangeException("KeyType");
            }

            SamlSecurityToken issuedToken = new SamlSecurityToken(issuedAssertion);

            // Serialize the token straight into a DOM through a writer appended to the document.
            XmlDocument tokenDocument = new XmlDocument();
            using (XmlWriter domWriter = tokenDocument.CreateNavigator().AppendChild())
            {
                new WSSecurityTokenSerializer().WriteToken(domWriter, issuedToken);
            }

            SamlAssertionKeyIdentifierClause assertionReference = issuedToken.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>();

            return new GenericXmlSecurityToken(
                tokenDocument.DocumentElement,
                proofToken,
                issuedAssertion.Conditions.NotBefore,
                issuedAssertion.Conditions.NotOnOrAfter,
                assertionReference,
                assertionReference,
                null);
        }
コード例 #5
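        /// <summary>
        /// Writes the wst:RequestSecurityTokenResponse body: the optional TokenType, the
        /// requested token, its attached/unattached references, AppliesTo, the proof token
        /// and, when a computed key is in use, the ComputedKey marker plus issuer entropy.
        /// </summary>
        /// <param name="writer">Writer receiving the XML content.</param>
        protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
        {
            // WS-Trust Feb 2005 and WS-Policy namespaces, exactly as the wire format requires.
            const string TrustNs  = "http://schemas.xmlsoap.org/ws/2005/02/trust";
            const string PolicyNs = "http://schemas.xmlsoap.org/ws/2004/09/policy";

            writer.WriteStartElement("RequestSecurityTokenResponse", TrustNs);

            // wst:TokenType only when a non-empty token type is set
            if (!string.IsNullOrEmpty(base.TokenType))
            {
                writer.WriteStartElement("TokenType", TrustNs);
                writer.WriteString(base.TokenType);
                writer.WriteEndElement();
            }

            WSSecurityTokenSerializer wssecurityTokenSerializer = new WSSecurityTokenSerializer();

            if (this.RequestedSecurityToken != null)
            {
                writer.WriteStartElement("RequestedSecurityToken", TrustNs);
                wssecurityTokenSerializer.WriteToken(writer, this.RequestedSecurityToken);
                writer.WriteEndElement();
            }
            if (this.RequestedAttachedReference != null)
            {
                writer.WriteStartElement("RequestedAttachedReference", TrustNs);
                wssecurityTokenSerializer.WriteKeyIdentifierClause(writer, this.RequestedAttachedReference);
                writer.WriteEndElement();
            }
            if (this.RequestedUnattachedReference != null)
            {
                writer.WriteStartElement("RequestedUnattachedReference", TrustNs);
                wssecurityTokenSerializer.WriteKeyIdentifierClause(writer, this.RequestedUnattachedReference);
                writer.WriteEndElement();
            }
            if (base.AppliesTo != null)
            {
                writer.WriteStartElement("AppliesTo", PolicyNs);
                base.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
                writer.WriteEndElement();
            }

            // STS-supplied key material: the proof token is written as-is.
            if (this.RequestedProofToken != null)
            {
                writer.WriteStartElement("RequestedProofToken", TrustNs);
                wssecurityTokenSerializer.WriteToken(writer, this.RequestedProofToken);
                writer.WriteEndElement();
            }

            // Combined entropy: the proof key is computed (PSHA1) from both parties' entropy, so
            // the ComputedKey marker and the issuer's entropy share are written instead of a key.
            // NOTE(review): if RequestedProofToken and IssuerEntropy/ComputeKey are both set, two
            // wst:RequestedProofToken elements are emitted — confirm callers only set one.
            if (this.IssuerEntropy != null && this.ComputeKey)
            {
                writer.WriteStartElement("RequestedProofToken", TrustNs);
                writer.WriteStartElement("ComputedKey", TrustNs);
                writer.WriteValue("http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1");
                writer.WriteEndElement();
                writer.WriteEndElement();

                writer.WriteStartElement("Entropy", TrustNs);
                wssecurityTokenSerializer.WriteToken(writer, this.IssuerEntropy);
                writer.WriteEndElement();
            }

            writer.WriteEndElement(); // RequestSecurityTokenResponse
        }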
コード例 #6
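        /// <summary>
        /// Serializes <paramref name="assertion"/> as a SAML security token and returns the XML text.
        /// </summary>
        /// <param name="assertion">Assertion to serialize; must not be null.</param>
        /// <returns>The token XML as produced by <see cref="SamlSerializer.WriteToken"/>.</returns>
        /// <exception cref="ArgumentNullException">assertion is null.</exception>
        private static string SerializeToken(SamlAssertion assertion)
        {
            if (assertion == null)
            {
                throw new ArgumentNullException("assertion");
            }

            SamlSecurityToken         token           = new SamlSecurityToken(assertion);
            SamlSerializer            serializer      = new SamlSerializer();
            WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();

            using (StringWriter stringWriter = new StringWriter())
            {
                // Closing the XmlTextWriter flushes any pending output into the StringWriter;
                // the accumulated text remains readable after both writers are disposed.
                using (XmlTextWriter xmltextWriter = new XmlTextWriter(stringWriter))
                {
                    serializer.WriteToken(token, xmltextWriter, tokenSerializer);
                    xmltextWriter.Flush();
                }

                return stringWriter.ToString();
            }
        }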
コード例 #7
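        /// <summary>
        /// Wraps the assertion held by this provider in a <see cref="GenericXmlSecurityToken"/>
        /// carrying its XML form, the proof token and the assertion's validity window.
        /// </summary>
        /// <param name="timeout">Not used; the token is built locally without waiting on anything.</param>
        /// <returns>
        /// The generic XML token; both the internal and the external reference are the SAML
        /// assertion key identifier clause, and no authorization policies are attached.
        /// </returns>
        protected override SecurityToken GetTokenCore(TimeSpan timeout)
        {
            SamlSecurityToken         samlSecurityToken         = new SamlSecurityToken(this.assertion);
            WSSecurityTokenSerializer wssecurityTokenSerializer = new WSSecurityTokenSerializer();
            XmlDocument               xmlDocument               = new XmlDocument();

            using (MemoryStream memoryStream = new MemoryStream(65535))
            {
                // The XmlWriter buffers: without a flush/close the stream is still empty when it
                // is rewound and the DOM would be loaded from nothing. Disposing the writer does
                // not close the stream (CloseOutput defaults to false).
                using (XmlWriter writer = XmlWriter.Create(memoryStream))
                {
                    wssecurityTokenSerializer.WriteToken(writer, samlSecurityToken);
                    writer.Flush();
                }

                memoryStream.Seek(0L, SeekOrigin.Begin);
                xmlDocument.Load(memoryStream);
            }

            SamlAssertionKeyIdentifierClause samlAssertionKeyIdentifierClause = samlSecurityToken.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>();

            return new GenericXmlSecurityToken(xmlDocument.DocumentElement, this.proofToken, this.assertion.Conditions.NotBefore, this.assertion.Conditions.NotOnOrAfter, samlAssertionKeyIdentifierClause, samlAssertionKeyIdentifierClause, null);
        }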
コード例 #8
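        /// <summary>
        /// Validates a Kerberos WSS user token.
        /// </summary>
        /// <param name="tokenData">UTF-8 encoded WS-Security token XML received from the caller; treated as untrusted.</param>
        /// <returns>The deserialized Kerberos token after it has passed validation.</returns>
        /// <exception cref="ServiceResultException">
        /// Raised with <c>StatusCodes.BadIdentityTokenRejected</c> when the data is not well-formed
        /// XML, does not deserialize to a Kerberos receiver token, or fails Kerberos validation.
        /// </exception>
        private SecurityToken ParseAndVerifyKerberosToken(byte[] tokenData)
        {
            XmlDocument   document = new XmlDocument();
            XmlNodeReader reader   = null;

            // The bytes come from the remote party: never resolve DTDs / external entities from them.
            document.XmlResolver = null;

            try
            {
                document.InnerXml = new UTF8Encoding().GetString(tokenData).Trim();
                reader            = new XmlNodeReader(document.DocumentElement);

                SecurityToken securityToken            = new WSSecurityTokenSerializer().ReadToken(reader, null);
                KerberosReceiverSecurityToken receiver = securityToken as KerberosReceiverSecurityToken;

                KerberosSecurityTokenAuthenticator authenticator = new KerberosSecurityTokenAuthenticator();

                // Only a Kerberos token the authenticator can validate is acceptable; anything
                // else is rejected instead of being handed back unverified.
                if (receiver == null || !authenticator.CanValidateToken(receiver))
                {
                    throw new SecurityTokenValidationException("The supplied token is not a validatable Kerberos token.");
                }

                authenticator.ValidateToken(receiver);

                return securityToken;
            }
            catch (Exception e)
            {
                // DocumentElement is null when the XML itself failed to parse; don't let that
                // turn the rejection into a NullReferenceException.
                string elementName = document.DocumentElement != null ? document.DocumentElement.LocalName : "(unparsed)";

                // construct translation object with default text.
                TranslationInfo info = new TranslationInfo(
                    "InvalidKerberosToken",
                    "en-US",
                    "'{0}' is not a valid Kerberos token.",
                    elementName);

                // create an exception with a vendor defined sub-code.
                throw new ServiceResultException(new ServiceResult(
                                                     e,
                                                     StatusCodes.BadIdentityTokenRejected,
                                                     "InvalidKerberosToken",
                                                     Namespaces.Hsl,
                                                     new LocalizedText(info)));
            }
            finally
            {
                if (reader != null)
                {
                    reader.Close();
                }
            }
        }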
コード例 #9
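        /// <summary>
        /// Builds a <see cref="ContextualSecurityToken"/> from the RequestedSecurityToken,
        /// RequestedProofToken and the attached/unattached reference elements of this response.
        /// </summary>
        /// <param name="context">Context message property attached to the returned token.</param>
        /// <returns>The contextual token, or null when the response carries no RequestedSecurityToken.</returns>
        /// <exception cref="InvalidOperationException">
        /// The assertion lacks a <c>saml:Conditions/@NotBefore</c> or <c>@NotOnOrAfter</c> attribute.
        /// </exception>
        public Microsoft.ResourceManagement.WebServices.Client.ContextualSecurityToken GetContextTokenFromResponse(ContextMessageProperty context)
        {
            if (RequestedSecurityToken == null)
            {
                return null;
            }

            // Re-load the element into its own document so the namespace manager shares the
            // name table of the nodes the XPath queries run against.
            XmlDocument xmlDoc = new XmlDocument();
            xmlDoc.Load(new XmlNodeReader(RequestedSecurityToken));
            XmlNamespaceManager nsManager = new XmlNamespaceManager(xmlDoc.NameTable);
            nsManager.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");

            DateTime effectiveTime  = ReadConditionTime(xmlDoc.DocumentElement, "saml:Conditions/@NotBefore", nsManager);
            DateTime expirationTime = ReadConditionTime(xmlDoc.DocumentElement, "saml:Conditions/@NotOnOrAfter", nsManager);

            WSSecurityTokenSerializer serializer          = new WSSecurityTokenSerializer();
            SecurityToken             requestedProofToken =
                serializer.ReadToken(
                    new XmlNodeReader(this.RequestedProofToken),
                    new SecurityContextSecurityTokenResolver(Int32.MaxValue, false));
            SecurityKeyIdentifierClause requestedUnattachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedUnattachedReference));
            SecurityKeyIdentifierClause requestedAttachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedAttachedReference));

            // No authorization policies are attached to the reconstructed token.
            return new ContextualSecurityToken(
                new GenericXmlSecurityToken(
                    RequestedSecurityToken,
                    requestedProofToken,
                    effectiveTime,
                    expirationTime,
                    requestedUnattachedReference,
                    requestedAttachedReference,
                    new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>())
                    ), context);
        }

        /// <summary>
        /// Reads a SAML condition timestamp (an xs:dateTime attribute) selected by
        /// <paramref name="xpath"/> relative to <paramref name="assertion"/>.
        /// </summary>
        /// <exception cref="InvalidOperationException">The attribute is absent.</exception>
        private static DateTime ReadConditionTime(XmlNode assertion, string xpath, XmlNamespaceManager nsManager)
        {
            XmlNode node = assertion.SelectSingleNode(xpath, nsManager);
            if (node == null)
            {
                throw new InvalidOperationException("The requested security token does not contain " + xpath + ".");
            }

            // xs:dateTime is culture-independent; RoundtripKind keeps a 'Z'/offset as UTC
            // instead of converting the value to local time first.
            return DateTime.Parse(node.Value, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
        }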
コード例 #10
ファイル: Saml11Helper.cs プロジェクト: alejandroamrein/bhl
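        /// <summary>
        /// Serializes a SAML token to its WS-Security XML form.
        /// </summary>
        /// <param name="token">Token to serialize.</param>
        /// <returns>
        /// The serialized token XML, or an empty string when serialization failed (the failure
        /// is reported on the console). A partially written token is never returned.
        /// </returns>
        public static string SerializeSamlToken(SamlSecurityToken token)
        {
            var samlBuilder = new StringBuilder();

            try
            {
                // Disposing the writer flushes its buffered output into samlBuilder.
                using (var writer = XmlWriter.Create(samlBuilder))
                {
                    var keyInfoSerializer = new WSSecurityTokenSerializer();
                    keyInfoSerializer.WriteToken(writer, token);
                }
                Console.WriteLine("Saml Token Successfully Created");
            }
            catch (Exception ex)
            {
                // Best-effort helper: report the cause rather than dropping it, and discard any
                // fragment already written so callers never receive half a token.
                Console.WriteLine("Failed to seralize token" + ": " + ex.Message);
                samlBuilder.Clear();
            }

            return samlBuilder.ToString();
        }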
コード例 #11
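        /// <summary>
        /// Serializes a security token to XML text, using the WS-Security 1.1 token serializer for
        /// <see cref="GenericXmlSecurityToken"/> and the configured token handler collection otherwise.
        /// </summary>
        /// <param name="token">Token to serialize; must not be null.</param>
        /// <param name="urlEncode">When true the XML is URL-encoded before being returned.</param>
        /// <returns>The serialized (optionally URL-encoded) token.</returns>
        /// <exception cref="ArgumentNullException">token is null.</exception>
        public static string SerializeToken(SecurityToken token, bool urlEncode = false)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            StringBuilder sb = new StringBuilder();

            if (token is GenericXmlSecurityToken)
            {
                WSSecurityTokenSerializer wss = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11);
                // XmlWriter buffers its output: it has to be closed before sb is read, otherwise
                // sb can still be empty at ToString().
                using (XmlWriter writer = XmlWriter.Create(sb))
                {
                    wss.WriteToken(writer, token);
                }
            }
            else
            {
                SecurityTokenHandlerCollection handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
                using (XmlTextWriter writer = new XmlTextWriter(new StringWriter(sb)))
                {
                    handlers.WriteToken(writer, token);
                }
            }

            string serialized = sb.ToString();

            return urlEncode ? HttpUtility.UrlEncode(serialized) : serialized;
        }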
コード例 #12
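        /// <summary>
        /// Restores cache entries from <paramref name="stream"/> (the format written by the
        /// matching serializer: Entry/Target, Issuer, Token/XML, Key, Id, ValidFrom, ValidTo and
        /// the two token references) and adds one <see cref="GenericXmlSecurityToken"/> per entry.
        /// </summary>
        /// <param name="cache">Dictionary to populate; a duplicate key makes <c>Add</c> throw.</param>
        /// <param name="stream">Stream positioned at the first <c>Entry</c>; read but not closed.</param>
        /// <exception cref="ArgumentNullException">cache or stream is null.</exception>
        /// <exception cref="InvalidDataException">An entry's <c>XML</c> element holds no token element.</exception>
        /// <exception cref="XmlException">The stream is not well-formed XML or contains a DTD.</exception>
        static void PopulateCache(Dictionary <Key, GenericXmlSecurityToken> cache, Stream stream)
        {
            if (cache == null)
            {
                throw new ArgumentNullException("cache");
            }
            if (stream == null)
            {
                throw new ArgumentNullException("stream");
            }

            XmlTextReader reader = new XmlTextReader(stream);

            // A persisted cache never legitimately carries a DTD or external entities; refusing
            // them keeps a tampered file from pulling in external content during key loading.
            reader.DtdProcessing = DtdProcessing.Prohibit;
            reader.XmlResolver   = null;

            while (reader.IsStartElement("Entry"))
            {
                reader.ReadStartElement();
                Uri    target    = new Uri(reader.ReadElementString("Target"));
                string issuerStr = reader.ReadElementString("Issuer");
                Uri    issuer    = string.IsNullOrEmpty(issuerStr) ? null : new Uri(issuerStr);

                reader.ReadStartElement("Token");
                reader.ReadStartElement("XML");
                XmlDocument doc      = new XmlDocument();
                XmlElement  tokenXml = doc.ReadNode(reader) as XmlElement;
                if (tokenXml == null)
                {
                    throw new InvalidDataException("Cache entry 'XML' element does not contain a token element.");
                }
                reader.ReadEndElement();

                // The proof key is stored base64-encoded in the clear and becomes the symmetric proof token.
                byte[] key = Convert.FromBase64String(reader.ReadElementString("Key"));
                reader.ReadElementString("Id");
                DateTime validFrom = Convert.ToDateTime(reader.ReadElementString("ValidFrom"));
                DateTime validTo   = Convert.ToDateTime(reader.ReadElementString("ValidTo"));
                WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
                reader.ReadStartElement("InternalTokenReference");
                SecurityKeyIdentifierClause internalReference = serializer.ReadKeyIdentifierClause(reader);
                reader.ReadEndElement();
                reader.ReadStartElement("ExternalTokenReference");
                SecurityKeyIdentifierClause externalReference = serializer.ReadKeyIdentifierClause(reader);
                reader.ReadEndElement();
                reader.ReadEndElement(); // token
                reader.ReadEndElement(); // entry

                // Restored entries carry no authorization policies.
                List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>();
                GenericXmlSecurityToken     token    = new GenericXmlSecurityToken(tokenXml, new BinarySecretSecurityToken(key), validFrom, validTo, internalReference, externalReference,
                                                                                   new ReadOnlyCollection <IAuthorizationPolicy>(policies));
                cache.Add(new Key(target, issuer), token);
            }
        }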
コード例 #13
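        /// <summary>
        /// Attempts to derive a <see cref="FederatedMessageSecurityOverHttp"/> description from a
        /// security binding element, succeeding only when the element has the shape the federated
        /// HTTP bindings produce (timestamp included, default header layout, an issued-token
        /// bootstrap binding, matching algorithms and no alternative issuer endpoints).
        /// </summary>
        /// <param name="sbe">Security binding element to inspect; must not be null.</param>
        /// <param name="isSecureTransportMode">True when the bootstrap binding is expected to be transport security.</param>
        /// <param name="isReliableSession">Not consulted by this method.</param>
        /// <param name="version">Message security version selecting the WS-Trust / WS-SecurityPolicy dialect.</param>
        /// <param name="messageSecurity">Receives the populated description on success; null on every failure path.</param>
        /// <returns>True when <paramref name="messageSecurity"/> was populated; otherwise false.</returns>
        internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
        {
            Fx.Assert(null != sbe, string.Empty);

            messageSecurity = null;

            // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings

            if (!sbe.IncludeTimestamp)
            {
                return false;
            }

            if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
            {
                return false;
            }

            bool emitBspAttributes = true;

            // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()

            SecurityBindingElement bootstrapSecurity;

            bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity);

            // With secure conversation the issued token lives in the bootstrap binding; otherwise sbe itself is inspected.
            bootstrapSecurity = establishSecurityContext ? bootstrapSecurity : sbe;

            if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
            {
                return false;
            }

            bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
            IssuedSecurityTokenParameters issuedTokenParameters;

            if (isSecureTransportMode)
            {
                if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out issuedTokenParameters))
                {
                    return false;
                }
            }
            else
            {
                // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
                // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
                if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out issuedTokenParameters))
                {
                    negotiateServiceCredential = true;
                }
                else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out issuedTokenParameters))
                {
                    negotiateServiceCredential = false;
                }
                else
                {
                    return false;
                }
            }

            // Bearer keys are not expressible in WS-Trust Feb 2005.
            if ((issuedTokenParameters.KeyType == SecurityKeyType.BearerKey) &&
                (version.TrustVersion == TrustVersion.WSTrustFeb2005))
            {
                return false;
            }

            // Alternative issuer endpoints cannot be represented by FederatedMessageSecurityOverHttp.
            // Checked before the result is built so that a false return never leaves the out
            // parameter populated.
            if (issuedTokenParameters.AlternativeIssuerEndpoints != null && issuedTokenParameters.AlternativeIssuerEndpoints.Count > 0)
            {
                return false;
            }

            Collection <XmlElement>   nonAlgorithmRequestParameters;
            WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
                                                                                                version.TrustVersion,
                                                                                                version.SecureConversationVersion,
                                                                                                emitBspAttributes,
                                                                                                null, null, null);
            SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);

            // Splits the request parameters into the algorithm suite (must match sbe's) and the rest.
            if (!issuedTokenParameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite,
                                                         versionSpecificStandardsManager,
                                                         out nonAlgorithmRequestParameters))
            {
                return false;
            }

            messageSecurity = new FederatedMessageSecurityOverHttp();

            messageSecurity.AlgorithmSuite             = sbe.DefaultAlgorithmSuite;
            messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
            messageSecurity.EstablishSecurityContext   = establishSecurityContext;
            messageSecurity.IssuedTokenType            = issuedTokenParameters.TokenType;
            messageSecurity.IssuerAddress         = issuedTokenParameters.IssuerAddress;
            messageSecurity.IssuerBinding         = issuedTokenParameters.IssuerBinding;
            messageSecurity.IssuerMetadataAddress = issuedTokenParameters.IssuerMetadataAddress;
            messageSecurity.IssuedKeyType         = issuedTokenParameters.KeyType;
            foreach (ClaimTypeRequirement c in issuedTokenParameters.ClaimTypeRequirements)
            {
                messageSecurity.ClaimTypeRequirements.Add(c);
            }
            foreach (XmlElement p in nonAlgorithmRequestParameters)
            {
                messageSecurity.TokenRequestParameters.Add(p);
            }
            return true;
        }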
コード例 #14
        // Methods of BodyWriter
        /// <summary>
        /// Writes out an XML representation of the instance: a wst:RequestSecurityTokenResponse
        /// holding whichever of TokenType, RequestedSecurityToken, the attached and unattached
        /// references, AppliesTo, RequestedProofToken and (for computed keys) ComputedKey plus
        /// Entropy are present.
        /// </summary>
        /// <param name="writer">The writer to be used to write out the XML content</param>
        protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
        {
            string trustNs  = Constants.Trust.NamespaceUri;
            string policyNs = Constants.Policy.NamespaceUri;

            // One serializer handles every token and key-identifier clause written below.
            WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();

            writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, trustNs);

            // wst:TokenType, only when a non-empty token type is set
            if (!string.IsNullOrEmpty(this.TokenType))
            {
                writer.WriteStartElement(Constants.Trust.Elements.TokenType, trustNs);
                writer.WriteString(this.TokenType);
                writer.WriteEndElement();
            }

            // wst:RequestedSecurityToken
            if (this.requestedSecurityToken != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, trustNs);
                tokenSerializer.WriteToken(writer, this.requestedSecurityToken);
                writer.WriteEndElement();
            }

            // wst:RequestedAttachedReference
            if (this.requestedAttachedReference != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, trustNs);
                tokenSerializer.WriteKeyIdentifierClause(writer, this.requestedAttachedReference);
                writer.WriteEndElement();
            }

            // wst:RequestedUnattachedReference
            if (this.requestedUnattachedReference != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, trustNs);
                tokenSerializer.WriteKeyIdentifierClause(writer, this.requestedUnattachedReference);
                writer.WriteEndElement();
            }

            // wsp:AppliesTo, in WS-Addressing 1.0 form
            if (this.AppliesTo != null)
            {
                writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, policyNs);
                this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
                writer.WriteEndElement();
            }

            // wst:RequestedProofToken: the STS supplies all of the key material
            if (this.requestedProofToken != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, trustNs);
                tokenSerializer.WriteToken(writer, this.requestedProofToken);
                writer.WriteEndElement();
            }

            // Combined entropy: a PSHA1 ComputedKey marker inside wst:RequestedProofToken,
            // followed by the issuer's entropy share in wst:Entropy
            if (this.issuerEntropy != null && this.computeKey)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, trustNs);
                writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, trustNs);
                writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
                writer.WriteEndElement(); // wst:ComputedKey
                writer.WriteEndElement(); // wst:RequestedProofToken

                writer.WriteStartElement(Constants.Trust.Elements.Entropy, trustNs);
                tokenSerializer.WriteToken(writer, this.issuerEntropy);
                writer.WriteEndElement(); // wst:Entropy
            }

            writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
        }
コード例 #15
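        /// <summary>
        /// Builds the body of the WS-Trust RequestSecurityTokenResponse carrying a freshly minted,
        /// signed SAML 1.0 assertion: the assertion itself, the attached/unattached references to it,
        /// and a display token listing the issued claims.
        /// </summary>
        /// <param name="writer"><b>XmlDictionaryWriter</b> to write the contents of this token to</param>
        /// <remarks>
        /// Reads <c>this.useKey</c> (proof key for holder-of-key confirmation, may be null),
        /// <c>this.context</c> (RST context echoed back on the RSTR, may be null),
        /// <c>Program.Issuer</c> and <c>Program.SigningCertificate</c>, and the attributes
        /// returned by <c>GetTokenAttributes()</c>.
        /// </remarks>
        protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
        {
            // Capture one UTC instant and reuse it for IssueInstant, AuthenticationInstant and
            // NotBefore, so that all timestamps in the assertion agree with each other.
            // SAML timestamps are UTC; DateTime.Now is local time and ambiguous around DST changes.
            DateTime issueInstant = DateTime.UtcNow;

            // Validity window of the issued assertion. Eight hours is generous for an assertion
            // that may be presented with sender-vouches (no proof-of-possession) confirmation;
            // relying parties must still enforce NotBefore/NotOnOrAfter on their side.
            TimeSpan tokenLifetime = TimeSpan.FromHours(8.0);

            // Subject
            SamlSubject subject = new SamlSubject();

            if (this.useKey != null)
            {
                // A proof key was supplied: bind it to the subject with Holder-Of-Key confirmation
                subject.KeyIdentifier = this.useKey;
                subject.ConfirmationMethods.Add(SamlConstants.HolderOfKey);
            }
            else
            {
                // No proof key: sender-vouches confirmation, i.e. the assertion is usable as a bearer-style token
                subject.ConfirmationMethods.Add(SamlConstants.SenderVouches);
            }

            // Attributes, statements, conditions, and assertions
            List<SamlStatement> statements = new List<SamlStatement>();
            List<SamlAttribute> attributes = GetTokenAttributes();

            statements.Add(new SamlAuthenticationStatement(subject, Constants.Saml.AuthenticationMethods.Unspecified, issueInstant, null, null, null));
            statements.Add(new SamlAttributeStatement(subject, attributes));
            SamlConditions conditions = new SamlConditions(issueInstant, issueInstant + tokenLifetime);
            SamlAssertion  assertion  = new SamlAssertion("uuid-" + Guid.NewGuid(), Program.Issuer, issueInstant, conditions, null, statements);

            // Build the signing token. The assertion is signed with RSA-SHA256: SHA-1 based
            // signatures are deprecated and must not be used on newly issued assertions.
            // NOTE(review): on older runtimes the RSA-SHA256 signature description may have to be
            // registered with CryptoConfig before SignedXml can produce it — verify on the target framework.
            SecurityToken         signingToken       = new X509SecurityToken(Program.SigningCertificate);
            SecurityKeyIdentifier keyIdentifier      = new SecurityKeyIdentifier(signingToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>());
            SigningCredentials    signingCredentials = new SigningCredentials(signingToken.SecurityKeys[0], SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier);

            assertion.SigningCredentials = signingCredentials;

            // Build the SAML token and the references by which the RP can locate it
            SamlSecurityToken           token               = new SamlSecurityToken(assertion);
            SecurityKeyIdentifierClause attachedReference   = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
            SecurityKeyIdentifierClause unattachedReference = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();

            //
            // Write the XML
            //

            // RSTR
            writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestSecurityTokenResponse, Constants.WSTrust.NamespaceUri.Uri);
            if (context != null)
            {
                // Echo the requester's context so it can correlate the response with its RST
                writer.WriteAttributeString(Constants.WSTrust.Attributes.Context, context);
            }

            // TokenType
            writer.WriteElementString(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.TokenType, Constants.WSTrust.NamespaceUri.Uri, Constants.WSTrust.TokenTypes.Saml10Assertion);

            // RequestedSecurityToken (the SAML token)
            SecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();

            writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedSecurityToken, Constants.WSTrust.NamespaceUri.Uri);
            tokenSerializer.WriteToken(writer, token);
            writer.WriteEndElement();

            // RequestedAttachedReference
            writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedAttachedReference, Constants.WSTrust.NamespaceUri.Uri);
            tokenSerializer.WriteKeyIdentifierClause(writer, attachedReference);
            writer.WriteEndElement();

            // RequestedUnattachedReference
            writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedUnattachedReference, Constants.WSTrust.NamespaceUri.Uri);
            tokenSerializer.WriteKeyIdentifierClause(writer, unattachedReference);
            writer.WriteEndElement();

            // RequestedDisplayToken (display token): a human-readable echo of the issued claims.
            // Values are written through the XmlWriter, which takes care of XML escaping.
            string displayTokenNS = "http://schemas.xmlsoap.org/ws/2005/05/identity";

            writer.WriteStartElement("wsid", "RequestedDisplayToken", displayTokenNS);
            writer.WriteStartElement("wsid", "DisplayToken", displayTokenNS);
            foreach (SamlAttribute attribute in attributes)
            {
                writer.WriteStartElement("wsid", "DisplayClaim", displayTokenNS);
                writer.WriteAttributeString("Uri", attribute.Namespace + "/" + attribute.Name);
                writer.WriteStartElement("wsid", "DisplayTag", displayTokenNS);
                writer.WriteValue(attribute.Name);
                writer.WriteEndElement();
                writer.WriteStartElement("wsid", "Description", displayTokenNS);
                writer.WriteValue(attribute.Namespace + "/" + attribute.Name);
                writer.WriteEndElement();
                foreach (string attributeValue in attribute.AttributeValues)
                {
                    writer.WriteStartElement("wsid", "DisplayValue", displayTokenNS);
                    writer.WriteValue(attributeValue);
                    writer.WriteEndElement();
                }
                writer.WriteEndElement(); // wsid:DisplayClaim
            }
            writer.WriteEndElement(); // wsid:DisplayToken
            writer.WriteEndElement(); // wsid:RequestedDisplayToken

            // RSTR End
            writer.WriteEndElement();
        }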
 /// <summary>
 /// Creates the security token service with the process-wide default
 /// <see cref="WSSecurityTokenSerializer"/> (presumably used by the token issuing
 /// paths to read and write tokens — confirm against the rest of the class).
 /// </summary>
 public WSTrustSecurityTokenService()
 {
     this.serializer = WSSecurityTokenSerializer.DefaultInstance;
 }
        /// <summary>
        /// Builds the security binding element that enforces this federated message security
        /// configuration: an issued-token binding (over transport, SSL-negotiated or certificate
        /// based), optionally wrapped in a secure-conversation binding element.
        /// </summary>
        /// <param name="isSecureTransportMode">true to carry the issued token over a secure transport; false to secure it at message level.</param>
        /// <param name="isReliableSession">true when reliable messaging is layered on this binding; only allowed together with EstablishSecurityContext.</param>
        /// <param name="version">Security / Trust / SecureConversation versions the binding element must speak.</param>
        /// <returns>The configured <see cref="SecurityBindingElement"/>; when EstablishSecurityContext is set this is the outer secure-conversation element.</returns>
        /// <exception cref="InvalidOperationException">A bearer key combined with WS-Trust Feb 2005, or a reliable session without secure conversation.</exception>
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
                                                                     bool isReliableSession,
                                                                     MessageSecurityVersion version)
        {
            // Bearer keys are not accepted on the Feb 2005 trust dialect.
            if (this.IssuedKeyType == SecurityKeyType.BearerKey && version.TrustVersion == TrustVersion.WSTrustFeb2005)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                    new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
            }

            // A reliable session is only supported on top of a secure-conversation session.
            if (isReliableSession && !this.EstablishSecurityContext)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                    new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
            }

            // Describe the token the client must obtain from the STS. A key size is requested only
            // for symmetric proof keys; asymmetric and bearer keys leave it at 0.
            IssuedSecurityTokenParameters issuedParameters =
                new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding)
                {
                    IssuerMetadataAddress = this.issuerMetadataAddress,
                    KeyType = this.IssuedKeyType,
                    KeySize = this.IssuedKeyType == SecurityKeyType.SymmetricKey ? this.AlgorithmSuite.DefaultSymmetricKeyLength : 0,
                };

            foreach (ClaimTypeRequirement claimType in this.claimTypeRequirements)
            {
                issuedParameters.ClaimTypeRequirements.Add(claimType);
            }

            foreach (XmlElement requestParameter in this.TokenRequestParameters)
            {
                issuedParameters.AdditionalRequestParameters.Add(requestParameter);
            }

            // The algorithm parameters sent to the STS must be expressed in the trust dialect of the
            // requested version, so a version-specific serializer / standards manager is used for them.
            const bool emitBspAttributes = true;
            SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(
                version,
                new WSSecurityTokenSerializer(version.SecurityVersion,
                                              version.TrustVersion,
                                              version.SecureConversationVersion,
                                              emitBspAttributes,
                                              null, null, null));

            issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);

            SecurityBindingElement issuedTokenSecurity;
            if (isSecureTransportMode)
            {
                issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
            }
            else if (negotiateServiceCredential)
            {
                // RequireCancellation should really be true, as for the other standard bindings; to limit
                // the change for Orcas it is only enabled for WS-SecurityPolicy versions newer than 1.1.
                bool requireCancellation = version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11;
                issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, requireCancellation);
            }
            else
            {
                issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
            }

            issuedTokenSecurity.MessageSecurityVersion = version;
            issuedTokenSecurity.DefaultAlgorithmSuite  = this.AlgorithmSuite;

            // Optionally wrap the issued-token binding in a secure-conversation binding element.
            SecurityBindingElement result = this.EstablishSecurityContext
                ? SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true)
                : issuedTokenSecurity;

            result.MessageSecurityVersion = version;
            result.DefaultAlgorithmSuite  = this.AlgorithmSuite;
            // A timestamp is always included in the security header.
            result.IncludeTimestamp       = true;

            // Reconnecting the transport on failure is only enabled for reliable sessions.
            result.LocalServiceSettings.ReconnectTransportOnFailure = isReliableSession;
            result.LocalClientSettings.ReconnectTransportOnFailure  = isReliableSession;

            if (this.establishSecurityContext)
            {
                // The transition SCT that bootstraps the secure conversation is issued for a short lifetime only.
                issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
            }

            return result;
        }
        /// <summary>
        /// Rewrites the additional RequestSecurityToken parameters so that their WS-Trust namespace and
        /// element layout match the dialect spoken by the STS's <paramref name="driver"/> (Feb 2005 or 1.3).
        /// The algorithm elements handled here (EncryptionAlgorithm, CanonicalizationAlgorithm,
        /// KeyWrapAlgorithm, SignWith, EncryptWith) tell the STS which cryptography to use for the issued
        /// token, so dropping or promoting them changes what is requested from the STS.
        /// </summary>
        /// <param name="additionalParameters">Top-level parameters taken from configuration; read only, never modified.</param>
        /// <param name="driver">Trust driver of the STS; its TrustVersion selects the target dialect.</param>
        /// <param name="clientSideClaimTypeRequirementsSpecified">Forwarded to CanPromoteToRoot when hoisting children out of SecondaryParameters.</param>
        /// <returns>A new collection holding the normalized parameters (a copy even when nothing changed).</returns>
        private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters,
                                                                      TrustDriver driver,
                                                                      bool clientSideClaimTypeRequirementsSpecified)
        {
            // Ensure STS trust version is one of the currently supported versions: Feb 05 / Trust 1.3
            Fx.Assert(((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) ||
                       (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)),
                      "Unsupported trust version specified for the STS.");

            // Work on a local copy so the caller's collection is never modified, regardless of whether
            // normalization ends up changing anything.
            Collection <XmlElement> tmpCollection = new Collection <XmlElement>();

            foreach (XmlElement e in additionalParameters)
            {
                tmpCollection.Add(e);
            }


            // 1. For Trust 1.3 EncryptionAlgorithm, CanonicalizationAlgorithm and KeyWrapAlgorithm should not be
            //    specified as top-level element if "SecondaryParameters" element already specifies this.
            if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
            {
                Fx.Assert(driver.GetType() == typeof(WSTrustDec2005.DriverDec2005), "Invalid Trust Driver specified for Trust 1.3.");

                XmlElement encryptionAlgorithmElement       = null;
                XmlElement canonicalizationAlgorithmElement = null;
                XmlElement keyWrapAlgorithmElement          = null;
                XmlElement secondaryParameter = null;

                // Remember the top-level algorithm elements and the SecondaryParameters element (last one wins).
                for (int i = 0; i < tmpCollection.Count; ++i)
                {
                    if (driver.IsEncryptionAlgorithmElement(tmpCollection[i], out string algorithm))
                    {
                        encryptionAlgorithmElement = tmpCollection[i];
                    }
                    else if (driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithm))
                    {
                        canonicalizationAlgorithmElement = tmpCollection[i];
                    }
                    else if (driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithm))
                    {
                        keyWrapAlgorithmElement = tmpCollection[i];
                    }
                    else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(tmpCollection[i]))
                    {
                        secondaryParameter = tmpCollection[i];
                    }
                }

                // Drop a top-level algorithm element whenever SecondaryParameters already carries the same kind;
                // the value inside SecondaryParameters is the one that is kept.
                if (secondaryParameter != null)
                {
                    foreach (XmlNode node in secondaryParameter.ChildNodes)
                    {
                        if (node is XmlElement child)
                        {
                            if (driver.IsEncryptionAlgorithmElement(child, out string algorithm) && (encryptionAlgorithmElement != null))
                            {
                                tmpCollection.Remove(encryptionAlgorithmElement);
                            }
                            else if (driver.IsCanonicalizationAlgorithmElement(child, out algorithm) && (canonicalizationAlgorithmElement != null))
                            {
                                tmpCollection.Remove(canonicalizationAlgorithmElement);
                            }
                            else if (driver.IsKeyWrapAlgorithmElement(child, out algorithm) && (keyWrapAlgorithmElement != null))
                            {
                                tmpCollection.Remove(keyWrapAlgorithmElement);
                            }
                        }
                    }
                }
            }

            // 2. Check for Mismatch.
            //      a. Trust Feb 2005 -> Trust 1.3. do the following,
            //          (i) Copy EncryptionAlgorithm and CanonicalizationAlgorithm as the top-level elements.
            //              Note, this is in contradiction to step 1. But we don't have a choice here as we cannot say from the
            //              Additional Parameters section in the config what came from the service and what came from the client.
            //          (ii) Convert SignWith and EncryptWith elements to Trust 1.3 namespace.
            //      b. For Trust 1.3 -> Trust Feb 2005, do the following,
            //          (i) Find EncryptionAlgorithm, CanonicalizationAlgorithm from inside the "SecondaryParameters" element.
            //              If found, then promote these as the top-level elements replacing the existing values.
            //          (ii) Convert the SignWith and EncryptWith elements to the Trust Feb 2005 namespace and drop the KeyWrapAlgorithm
            //               element.

            // Optimistic mismatch detection between STS and RP trust versions: a mismatch is assumed when none of
            // the (unmodified) input parameters live in the STS's trust namespace.
            bool mismatch = (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) &&
                              !CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustFeb2005Strings.Namespace)) ||
                             ((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) &&
                              !CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustDec2005Strings.Namespace)));

            // if no mismatch, return the copy (already reduced by step 1 where applicable)
            if (!mismatch)
            {
                return(tmpCollection);
            }

            // 2.a
            // If we are talking to a Trust 1.3 STS, replace any Feb '05 algorithm parameters with their Trust 1.3 counterparts
            if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
            {
                SecurityStandardsManager trustFeb2005StandardsManager = SecurityStandardsManager.DefaultInstance;
                // the following cast is guaranteed to succeed
                WSTrustFeb2005.DriverFeb2005 trustFeb2005Driver = (WSTrustFeb2005.DriverFeb2005)trustFeb2005StandardsManager.TrustDriver;

                // Recognise each element with the Feb 2005 driver and re-create it with the STS's (1.3) driver,
                // preserving the algorithm URI it carried.
                for (int i = 0; i < tmpCollection.Count; i++)
                {
                    if (trustFeb2005Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter))
                    {
                        tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter);
                    }
                    else if (trustFeb2005Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter))
                    {
                        tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter);
                    }
                    else if (trustFeb2005Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter))
                    {
                        tmpCollection[i] = driver.CreateEncryptionAlgorithmElement(algorithmParameter);
                    }
                    else if (trustFeb2005Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter))
                    {
                        tmpCollection[i] = driver.CreateCanonicalizationAlgorithmElement(algorithmParameter);
                    }
                }
            }
            else
            {
                // 2.b
                // We are talking to a Feb 05 STS. Filter out any SecondaryParameters element.
                Collection <XmlElement>   childrenToPromote = null;
                // A Trust 1.3 driver is needed to recognise the 1.3-flavoured elements in the input.
                WSSecurityTokenSerializer trust13Serializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11,
                                                                                            TrustVersion.WSTrust13,
                                                                                            SecureConversationVersion.WSSecureConversation13,
                                                                                            true, null, null, null);
                SecurityStandardsManager trust13StandardsManager = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, trust13Serializer);
                // the following cast is guaranteed to succeed
                WSTrustDec2005.DriverDec2005 trust13Driver = (WSTrustDec2005.DriverDec2005)trust13StandardsManager.TrustDriver;

                foreach (XmlElement parameter in tmpCollection)
                {
                    // check if SecondaryParameters is present
                    if (trust13Driver.IsSecondaryParametersElement(parameter))
                    {
                        childrenToPromote = new Collection <XmlElement>();
                        // walk SecondaryParameters and collect any 'non-standard' children
                        foreach (XmlNode innerNode in parameter.ChildNodes)
                        {
                            if ((innerNode is XmlElement innerElement) && CanPromoteToRoot(innerElement, trust13Driver, clientSideClaimTypeRequirementsSpecified))
                            {
                                childrenToPromote.Add(innerElement);
                            }
                        }

                        // remove SecondaryParameters element
                        // (this mutates the collection being enumerated; it is only safe because of the immediate break below)
                        tmpCollection.Remove(parameter);

                        // we are done - break out of the loop
                        break;
                    }
                }

                // Probe for standard Trust elements among the promoted children, re-create them in the Feb 2005
                // dialect and take them out of the 'non-standard' list. Only the first of each kind is considered.
                if ((childrenToPromote != null) && (childrenToPromote.Count > 0))
                {
                    XmlElement encryptionElement              = null;
                    XmlElement canonicalizationElement        = null;
                    XmlElement requiredClaimsElement          = null;
                    Collection <XmlElement> processedElements = new Collection <XmlElement>();

                    foreach (XmlElement e in childrenToPromote)
                    {
                        if ((encryptionElement == null) && trust13Driver.IsEncryptionAlgorithmElement(e, out string encryptionAlgorithm))
                        {
                            encryptionElement = driver.CreateEncryptionAlgorithmElement(encryptionAlgorithm);
                            processedElements.Add(e);
                        }
                        else if ((canonicalizationElement == null) && trust13Driver.IsCanonicalizationAlgorithmElement(e, out string canonicalizationAlgoritm))
                        {
                            canonicalizationElement = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgoritm);
                            processedElements.Add(e);
                        }
                        else if ((requiredClaimsElement == null) && trust13Driver.TryParseRequiredClaimsElement(e, out Collection <XmlElement> requiredClaims))
                        {
                            requiredClaimsElement = driver.CreateRequiredClaimsElement(requiredClaims);
                            processedElements.Add(e);
                        }
                    }

                    for (int i = 0; i < processedElements.Count; ++i)
                    {
                        childrenToPromote.Remove(processedElements[i]);
                    }

                    XmlElement keyWrapAlgorithmElement = null;

                    // Replace the appropriate top-level elements in place. SignWith/EncryptWith are converted to the
                    // Feb 2005 dialect; the promoted EncryptionAlgorithm / CanonicalizationAlgorithm / RequiredClaims
                    // replace the existing top-level value of the same kind (each is consumed once, hence the = null).
                    for (int i = 0; i < tmpCollection.Count; ++i)
                    {
                        if (trust13Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter))
                        {
                            tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter);
                        }
                        else if (trust13Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter))
                        {
                            tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter);
                        }
                        else if (trust13Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter) && (encryptionElement != null))
                        {
                            tmpCollection[i]  = encryptionElement;
                            encryptionElement = null;
                        }
                        else if (trust13Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter) && (canonicalizationElement != null))
                        {
                            tmpCollection[i]        = canonicalizationElement;
                            canonicalizationElement = null;
                        }
                        else if (trust13Driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithmParameter) && (keyWrapAlgorithmElement == null))
                        {
                            keyWrapAlgorithmElement = tmpCollection[i];
                        }
                        else if (trust13Driver.TryParseRequiredClaimsElement(tmpCollection[i], out Collection <XmlElement> reqClaims) && (requiredClaimsElement != null))
                        {
                            tmpCollection[i]      = requiredClaimsElement;
                            requiredClaimsElement = null;
                        }
                    }

                    if (keyWrapAlgorithmElement != null)
                    {
                        // Remove the KeyWrapAlgorithm element as it is not defined in Trust Feb 2005.
                        tmpCollection.Remove(keyWrapAlgorithmElement);
                    }

                    // Promoted elements that did not replace an existing top-level one are appended at the end.
                    if (encryptionElement != null)
                    {
                        tmpCollection.Add(encryptionElement);
                    }

                    if (canonicalizationElement != null)
                    {
                        tmpCollection.Add(canonicalizationElement);
                    }

                    if (requiredClaimsElement != null)
                    {
                        tmpCollection.Add(requiredClaimsElement);
                    }

                    if (childrenToPromote.Count > 0)
                    {
                        // There are some non-standard elements. Just bump them to the top-level element.
                        for (int i = 0; i < childrenToPromote.Count; ++i)
                        {
                            tmpCollection.Add(childrenToPromote[i]);
                        }
                    }
                }
            }

            return(tmpCollection);
        }
        /// <summary>
        /// Builds the security binding element for this federated message security configuration:
        /// an issued-token binding (over transport, SSL-negotiated or certificate based), optionally
        /// wrapped in a secure-conversation binding element.
        /// </summary>
        /// <param name="isSecureTransportMode">true to carry the issued token over a secure transport; false for message-level security.</param>
        /// <param name="isReliableSession">true when reliable messaging is layered on this binding; requires EstablishSecurityContext.</param>
        /// <param name="version">Security / Trust / SecureConversation versions the binding element must speak.</param>
        /// <returns>The configured <see cref="SecurityBindingElement"/> (the secure-conversation element when EstablishSecurityContext is set).</returns>
        /// <exception cref="InvalidOperationException">A bearer key combined with WS-Trust Feb 2005, or a reliable session without secure conversation.</exception>
        internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
        {
            // Bearer keys are not accepted on the Feb 2005 trust dialect.
            if (this.IssuedKeyType == SecurityKeyType.BearerKey && version.TrustVersion == TrustVersion.WSTrustFeb2005)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding")));
            }

            // A reliable session is only supported on top of a secure-conversation session.
            if (isReliableSession && !this.EstablishSecurityContext)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
            }

            // Describe the token the client must obtain from the STS.
            IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);
            issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
            issuedParameters.KeyType = this.IssuedKeyType;

            // A key size is requested only for symmetric proof keys; asymmetric and bearer keys leave it at 0.
            if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
            {
                issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
            }
            else
            {
                issuedParameters.KeySize = 0;
            }

            foreach (ClaimTypeRequirement claimType in this.claimTypeRequirements)
            {
                issuedParameters.ClaimTypeRequirements.Add(claimType);
            }

            foreach (XmlElement requestParameter in this.TokenRequestParameters)
            {
                issuedParameters.AdditionalRequestParameters.Add(requestParameter);
            }

            // The algorithm parameters sent to the STS must be expressed in the trust dialect of the
            // requested version, so a version-specific serializer / standards manager is used for them.
            const bool emitBspRequiredAttributes = true;
            WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
                                                                                                version.TrustVersion,
                                                                                                version.SecureConversationVersion,
                                                                                                emitBspRequiredAttributes,
                                                                                                null, null, null);
            SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);

            issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);

            SecurityBindingElement issuedTokenSecurity;
            if (isSecureTransportMode)
            {
                issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
            }
            else
            {
                if (this.negotiateServiceCredential)
                {
                    // Cancellation is only required for WS-SecurityPolicy versions newer than 1.1.
                    bool requireCancellation = version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11;
                    issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, requireCancellation);
                }
                else
                {
                    issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
                }
            }

            issuedTokenSecurity.MessageSecurityVersion = version;
            issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;

            // Optionally wrap the issued-token binding in a secure-conversation binding element.
            SecurityBindingElement result;
            if (this.EstablishSecurityContext)
            {
                result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
            }
            else
            {
                result = issuedTokenSecurity;
            }

            result.MessageSecurityVersion = version;
            result.DefaultAlgorithmSuite = this.AlgorithmSuite;
            // A timestamp is always included in the security header.
            result.IncludeTimestamp = true;

            // Reconnecting the transport on failure is only enabled for reliable sessions.
            result.LocalServiceSettings.ReconnectTransportOnFailure = isReliableSession;
            result.LocalClientSettings.ReconnectTransportOnFailure = isReliableSession;

            if (this.establishSecurityContext)
            {
                // The transition SCT that bootstraps the secure conversation is issued for a short lifetime only.
                issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator<SspiNegotiationTokenAuthenticatorState>.defaultServerIssuedTransitionTokenLifetime;
            }

            return result;
        }
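        /// <summary>
        /// Recovers a <see cref="FederatedMessageSecurityOverHttp"/> description from an existing
        /// security binding element, i.e. the inverse of <c>CreateSecurityBindingElement</c>.
        /// </summary>
        /// <param name="sbe">Security binding element to inspect.</param>
        /// <param name="isSecureTransportMode">true when the binding runs over a secure transport.</param>
        /// <param name="isReliableSession">Not used by the recognition logic; kept for signature parity with the create path.</param>
        /// <param name="version">Message security version the binding is expected to use.</param>
        /// <param name="messageSecurity">The populated description when true is returned; always null when false is returned.</param>
        /// <returns>true when <paramref name="sbe"/> has the shape produced by this class; otherwise false.</returns>
        internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
        {
            messageSecurity = null;

            // Only strict-layout bindings that include a timestamp are recognised.
            if (!sbe.IncludeTimestamp || sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
            {
                return false;
            }

            // Peel off a secure-conversation wrapper if present; its bootstrap binding carries the issued-token parameters.
            bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out SecurityBindingElement bootstrapSecurity);
            SecurityBindingElement issuedTokenSecurity = establishSecurityContext ? bootstrapSecurity : sbe;

            if (isSecureTransportMode && !(issuedTokenSecurity is TransportSecurityBindingElement))
            {
                return false;
            }

            // Recognise the issued-token binding shape and recover the parameters the client uses to request the token.
            IssuedSecurityTokenParameters parameters;
            bool negotiateServiceCredential;
            if (isSecureTransportMode)
            {
                if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(issuedTokenSecurity, out parameters))
                {
                    return false;
                }
                negotiateServiceCredential = true;
            }
            else if (SecurityBindingElement.IsIssuedTokenForSslBinding(issuedTokenSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out parameters))
            {
                negotiateServiceCredential = true;
            }
            else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(issuedTokenSecurity, out parameters))
            {
                negotiateServiceCredential = false;
            }
            else
            {
                return false;
            }

            // Mirror the constraint enforced on the create path: bearer keys are rejected with WS-Trust Feb 2005.
            if (parameters.KeyType == SecurityKeyType.BearerKey && version.TrustVersion == TrustVersion.WSTrustFeb2005)
            {
                return false;
            }

            // The algorithm parameters must match the binding's algorithm suite when read with a
            // serializer of the requested version; the remaining parameters are handed back to the caller.
            const bool emitBspRequiredAttributes = true;
            WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null);
            SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);

            if (!parameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, standardsManager, out Collection<XmlElement> additionalRequestParameters))
            {
                return false;
            }

            // Alternative issuer endpoints cannot be represented on this type. Reject them before anything is
            // assigned to the out parameter, so a false return never leaves a partially populated description
            // (the previous implementation returned false with messageSecurity already set).
            if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0)
            {
                return false;
            }

            FederatedMessageSecurityOverHttp result = new FederatedMessageSecurityOverHttp();
            result.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
            result.NegotiateServiceCredential = negotiateServiceCredential;
            result.EstablishSecurityContext = establishSecurityContext;
            result.IssuedTokenType = parameters.TokenType;
            result.IssuerAddress = parameters.IssuerAddress;
            result.IssuerBinding = parameters.IssuerBinding;
            result.IssuerMetadataAddress = parameters.IssuerMetadataAddress;
            result.IssuedKeyType = parameters.KeyType;

            foreach (ClaimTypeRequirement requirement in parameters.ClaimTypeRequirements)
            {
                result.ClaimTypeRequirements.Add(requirement);
            }

            foreach (XmlElement requestParameter in additionalRequestParameters)
            {
                result.TokenRequestParameters.Add(requestParameter);
            }

            messageSecurity = result;
            return true;
        }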
        /// <summary>
        /// Builds the additional (secondary) WS-Trust request parameters for the trust version
        /// that <paramref name="driver"/> speaks, starting from a copy of
        /// <paramref name="additionalParameters"/>. The input collection is never modified.
        /// </summary>
        /// <param name="additionalParameters">The elements as configured by the caller.</param>
        /// <param name="driver">Trust driver; its StandardsManager.TrustVersion decides the target namespace.</param>
        /// <param name="clientSideClaimTypeRequirementsSpecified">Forwarded to CanPromoteToRoot when a SecondaryParameters element is unpacked.</param>
        /// <returns>A new collection holding the normalized elements.</returns>
        /// <remarks>
        /// Elements are recognized only through the drivers' Is*Element helpers; the exact
        /// matching rules of those helpers are not visible here. Elements that no branch
        /// recognizes are passed through unchanged, in whatever namespace they came in.
        /// </remarks>
        private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters, TrustDriver driver, bool clientSideClaimTypeRequirementsSpecified)
        {
            // Work on a copy so the caller's collection is left untouched.
            Collection <XmlElement> collection = new Collection <XmlElement>();

            foreach (XmlElement element in additionalParameters)
            {
                collection.Add(element);
            }
            if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
            {
                // Locate the top-level algorithm elements and the SecondaryParameters wrapper (last match wins).
                XmlElement item     = null;
                XmlElement element3 = null;
                XmlElement element4 = null;
                XmlElement element5 = null;
                for (int i = 0; i < collection.Count; i++)
                {
                    string str;
                    if (driver.IsEncryptionAlgorithmElement(collection[i], out str))
                    {
                        item = collection[i];
                    }
                    else if (driver.IsCanonicalizationAlgorithmElement(collection[i], out str))
                    {
                        element3 = collection[i];
                    }
                    else if (driver.IsKeyWrapAlgorithmElement(collection[i], out str))
                    {
                        element4 = collection[i];
                    }
                    // NOTE(review): hard cast; presumably every WSTrust13 driver is a DriverDec2005 — confirm,
                    // otherwise this throws InvalidCastException.
                    else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(collection[i]))
                    {
                        element5 = collection[i];
                    }
                }
                // A top-level algorithm element that also appears under SecondaryParameters is dropped from
                // the top level; Remove on an element that is already gone simply returns false.
                if (element5 != null)
                {
                    foreach (System.Xml.XmlNode node in element5.ChildNodes)
                    {
                        XmlElement element6 = node as XmlElement;
                        if (element6 != null)
                        {
                            // The out value is not used; the variable only satisfies the helper signatures.
                            string encryptionAlgorithm = null;
                            if (driver.IsEncryptionAlgorithmElement(element6, out encryptionAlgorithm) && (item != null))
                            {
                                collection.Remove(item);
                            }
                            else if (driver.IsCanonicalizationAlgorithmElement(element6, out encryptionAlgorithm) && (element3 != null))
                            {
                                collection.Remove(element3);
                            }
                            else if (driver.IsKeyWrapAlgorithmElement(element6, out encryptionAlgorithm) && (element4 != null))
                            {
                                collection.Remove(element4);
                            }
                        }
                    }
                }
            }
            // Rewrite only when the caller's parameters carry no element in the driver's own trust
            // namespace, i.e. they were authored for the other trust version.
            if (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://schemas.xmlsoap.org/ws/2005/02/trust")) || ((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://docs.oasis-open.org/ws-sx/ws-trust/200512")))
            {
                if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
                {
                    // Driver is WS-Trust 1.3, parameters are Feb2005: the Feb2005 driver only recognizes the
                    // elements; the replacement is created by the WS-Trust 1.3 driver.
                    WSTrustFeb2005.DriverFeb2005 feb = (WSTrustFeb2005.DriverFeb2005)SecurityStandardsManager.DefaultInstance.TrustDriver;
                    for (int j = 0; j < collection.Count; j++)
                    {
                        string signatureAlgorithm = string.Empty;
                        if (feb.IsSignWithElement(collection[j], out signatureAlgorithm))
                        {
                            collection[j] = driver.CreateSignWithElement(signatureAlgorithm);
                        }
                        else if (feb.IsEncryptWithElement(collection[j], out signatureAlgorithm))
                        {
                            collection[j] = driver.CreateEncryptWithElement(signatureAlgorithm);
                        }
                        else if (feb.IsEncryptionAlgorithmElement(collection[j], out signatureAlgorithm))
                        {
                            collection[j] = driver.CreateEncryptionAlgorithmElement(signatureAlgorithm);
                        }
                        else if (feb.IsCanonicalizationAlgorithmElement(collection[j], out signatureAlgorithm))
                        {
                            collection[j] = driver.CreateCanonicalizationAlgorithmElement(signatureAlgorithm);
                        }
                    }
                    return(collection);
                }
                // Driver is Feb2005, parameters are WS-Trust 1.3: a WS-Trust 1.3 manager is needed to
                // recognize the elements and to unpack the SecondaryParameters wrapper.
                Collection <XmlElement>      collection2     = null;
                WSSecurityTokenSerializer    tokenSerializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11, TrustVersion.WSTrust13, SecureConversationVersion.WSSecureConversation13, true, null, null, null);
                SecurityStandardsManager     manager2        = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, tokenSerializer);
                WSTrustDec2005.DriverDec2005 trustDriver     = (WSTrustDec2005.DriverDec2005)manager2.TrustDriver;
                // Unpack the first SecondaryParameters element: keep the children CanPromoteToRoot accepts
                // and drop the wrapper from the output. The break is required because Remove invalidates
                // the foreach enumeration.
                foreach (XmlElement element7 in collection)
                {
                    if (trustDriver.IsSecondaryParametersElement(element7))
                    {
                        collection2 = new Collection <XmlElement>();
                        foreach (System.Xml.XmlNode node2 in element7.ChildNodes)
                        {
                            XmlElement innerElement = node2 as XmlElement;
                            if ((innerElement != null) && this.CanPromoteToRoot(innerElement, trustDriver, clientSideClaimTypeRequirementsSpecified))
                            {
                                collection2.Add(innerElement);
                            }
                        }
                        collection.Remove(element7);
                        break;
                    }
                }
                if ((collection2 != null) && (collection2.Count > 0))
                {
                    // From the promoted children, convert at most one encryption-algorithm, one
                    // canonicalization-algorithm and one RequiredClaims element into the driver's version;
                    // collection4 records the originals so they can be removed from collection2 afterwards.
                    XmlElement element9  = null;
                    string     str4      = string.Empty;
                    XmlElement element10 = null;
                    string     canonicalizationAlgorithm = string.Empty;
                    XmlElement element11 = null;
                    Collection <XmlElement> requiredClaims = null;
                    Collection <XmlElement> collection4    = new Collection <XmlElement>();
                    foreach (XmlElement element12 in collection2)
                    {
                        if ((element9 == null) && trustDriver.IsEncryptionAlgorithmElement(element12, out str4))
                        {
                            element9 = driver.CreateEncryptionAlgorithmElement(str4);
                            collection4.Add(element12);
                        }
                        else if ((element10 == null) && trustDriver.IsCanonicalizationAlgorithmElement(element12, out canonicalizationAlgorithm))
                        {
                            element10 = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgorithm);
                            collection4.Add(element12);
                        }
                        else if ((element11 == null) && trustDriver.TryParseRequiredClaimsElement(element12, out requiredClaims))
                        {
                            element11 = driver.CreateRequiredClaimsElement(requiredClaims);
                            collection4.Add(element12);
                        }
                    }
                    for (int k = 0; k < collection4.Count; k++)
                    {
                        collection2.Remove(collection4[k]);
                    }
                    // Rewrite the top-level elements in place. SignWith/EncryptWith are re-created for the
                    // driver's version; a converted promoted element replaces the top-level element of the
                    // same kind and is then nulled so it is not appended again below. The first top-level
                    // KeyWrapAlgorithm element is remembered and removed after the loop. Anything else stays
                    // as it is.
                    XmlElement element13 = null;
                    for (int m = 0; m < collection.Count; m++)
                    {
                        string str6;
                        if (trustDriver.IsSignWithElement(collection[m], out str6))
                        {
                            collection[m] = driver.CreateSignWithElement(str6);
                        }
                        else if (trustDriver.IsEncryptWithElement(collection[m], out str6))
                        {
                            collection[m] = driver.CreateEncryptWithElement(str6);
                        }
                        else if (trustDriver.IsEncryptionAlgorithmElement(collection[m], out str6) && (element9 != null))
                        {
                            collection[m] = element9;
                            element9      = null;
                        }
                        else if (trustDriver.IsCanonicalizationAlgorithmElement(collection[m], out str6) && (element10 != null))
                        {
                            collection[m] = element10;
                            element10     = null;
                        }
                        else if (trustDriver.IsKeyWrapAlgorithmElement(collection[m], out str6) && (element13 == null))
                        {
                            element13 = collection[m];
                        }
                        else
                        {
                            Collection <XmlElement> collection5;
                            if (trustDriver.TryParseRequiredClaimsElement(collection[m], out collection5) && (element11 != null))
                            {
                                collection[m] = element11;
                                element11     = null;
                            }
                        }
                    }
                    if (element13 != null)
                    {
                        collection.Remove(element13);
                    }
                    // Converted promoted elements that found no top-level counterpart are appended.
                    if (element9 != null)
                    {
                        collection.Add(element9);
                    }
                    if (element10 != null)
                    {
                        collection.Add(element10);
                    }
                    if (element11 != null)
                    {
                        collection.Add(element11);
                    }
                    if (collection2.Count <= 0)
                    {
                        return(collection);
                    }
                    // Remaining promoted elements (not converted above) are appended unchanged.
                    for (int n = 0; n < collection2.Count; n++)
                    {
                        collection.Add(collection2[n]);
                    }
                }
            }
            return(collection);
        }
        // Methods of BodyWriter
        /// <summary>
        /// Writes the wst:RequestSecurityTokenResponse element: token type, issued token,
        /// attached/unattached references, wsp:AppliesTo and the proof-key material.
        /// Every optional child is written only when the corresponding property is set.
        /// </summary>
        /// <param name="writer">Writer positioned at the message body; owned by the caller.</param>
        protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
        {
            string trustNs = Constants.Trust.NamespaceUri;
            WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();

            writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, trustNs);

            if (!string.IsNullOrEmpty(this.TokenType))
            {
                writer.WriteStartElement(Constants.Trust.Elements.TokenType, trustNs);
                writer.WriteString(this.TokenType);
                writer.WriteEndElement(); // wst:TokenType
            }

            if (this.RequestedSecurityToken != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, trustNs);
                tokenSerializer.WriteToken(writer, this.RequestedSecurityToken);
                writer.WriteEndElement(); // wst:RequestedSecurityToken
            }

            if (this.RequestedAttachedReference != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, trustNs);
                tokenSerializer.WriteKeyIdentifierClause(writer, this.RequestedAttachedReference);
                writer.WriteEndElement(); // wst:RequestedAttachedReference
            }

            if (this.RequestedUnattachedReference != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, trustNs);
                tokenSerializer.WriteKeyIdentifierClause(writer, this.RequestedUnattachedReference);
                writer.WriteEndElement(); // wst:RequestedUnattachedReference
            }

            if (this.AppliesTo != null)
            {
                writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
                this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
                writer.WriteEndElement(); // wsp:AppliesTo
            }

            // Issuer-supplied key: the proof token is written as-is.
            if (this.RequestedProofToken != null)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, trustNs);
                tokenSerializer.WriteToken(writer, this.RequestedProofToken);
                writer.WriteEndElement(); // wst:RequestedProofToken
            }

            // Combined entropy: announce the computed-key algorithm and send the issuer's entropy.
            // NOTE(review): when RequestedProofToken is also set, two wst:RequestedProofToken elements
            // are emitted; presumably callers set only one of the two — confirm.
            if (this.IssuerEntropy != null && this.ComputeKey)
            {
                writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, trustNs);
                writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, trustNs);
                writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
                writer.WriteEndElement(); // wst:ComputedKey
                writer.WriteEndElement(); // wst:RequestedProofToken

                writer.WriteStartElement(Constants.Trust.Elements.Entropy, trustNs);
                tokenSerializer.WriteToken(writer, this.IssuerEntropy);
                writer.WriteEndElement(); // wst:Entropy
            }

            writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
        }
ファイル: UserIdentity.cs プロジェクト: benvert/pfe
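        /// <summary cref="IUserIdentity.GetIdentityToken" />
        /// <remarks>
        /// Maps the wrapped security token (m_token) onto the matching identity token type.
        /// Every returned token carries m_policyId. A user-name token exposes the password in
        /// clear via DecryptedPassword, and SAML/other tokens are serialized into
        /// DecryptedTokenData; presumably the caller encrypts the token before it leaves the
        /// process — confirm against callers. The serialized form is produced by the
        /// serializers below; its exact shape is not visible here.
        /// </remarks>
        public UserIdentityToken GetIdentityToken()
        {
            // anonymous: no token was supplied.
            if (m_token == null)
            {
                AnonymousIdentityToken token = new AnonymousIdentityToken();
                token.PolicyId = m_policyId;
                return token;
            }

            // user name token: the password is copied in clear.
            UserNameSecurityToken usernameToken = m_token as UserNameSecurityToken;

            if (usernameToken != null)
            {
                UserNameIdentityToken token = new UserNameIdentityToken();
                token.PolicyId          = m_policyId;
                token.UserName          = usernameToken.UserName;
                token.DecryptedPassword = usernameToken.Password;
                return token;
            }

            // X509 token: raw DER certificate bytes plus the certificate object itself.
            X509SecurityToken x509Token = m_token as X509SecurityToken;

            if (x509Token != null)
            {
                X509IdentityToken token = new X509IdentityToken();
                token.PolicyId        = m_policyId;
                token.CertificateData = x509Token.Certificate.GetRawCertData();
                token.Certificate     = x509Token.Certificate;
                return token;
            }

            // SAML token: serialized with the SAML serializer.
            SamlSecurityToken samlToken = m_token as SamlSecurityToken;

            if (samlToken != null)
            {
                return CreateIssuedToken(SerializeSamlToken(samlToken));
            }

            // any other token: serialized with the WS-Security token serializer.
            // (m_token is known to be non-null here, so there is no null return.)
            return CreateIssuedToken(SerializeWssToken());
        }

        /// <summary>
        /// Serializes a SAML token to UTF-8 XML bytes using SamlSerializer.
        /// </summary>
        /// <param name="samlToken">The token to serialize.</param>
        /// <returns>The serialized token bytes.</returns>
        private static byte[] SerializeSamlToken(SamlSecurityToken samlToken)
        {
            using (MemoryStream ostrm = new MemoryStream())
            {
                // XmlTextWriter.Close also closes the stream; MemoryStream.ToArray still works afterwards.
                XmlTextWriter writer = new XmlTextWriter(ostrm, new UTF8Encoding());

                try
                {
                    SamlSerializer serializer = new SamlSerializer();
                    serializer.WriteToken(samlToken, writer, WSSecurityTokenSerializer.DefaultInstance);
                }
                finally
                {
                    writer.Close();
                }

                return ostrm.ToArray();
            }
        }

        /// <summary>
        /// Serializes m_token to UTF-8 XML bytes using WSSecurityTokenSerializer.
        /// </summary>
        /// <returns>The serialized token bytes.</returns>
        private byte[] SerializeWssToken()
        {
            using (MemoryStream ostrm = new MemoryStream())
            {
                // XmlTextWriter.Close also closes the stream; MemoryStream.ToArray still works afterwards.
                XmlWriter writer = new XmlTextWriter(ostrm, new UTF8Encoding());

                try
                {
                    WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
                    serializer.WriteToken(writer, m_token);
                }
                finally
                {
                    writer.Close();
                }

                return ostrm.ToArray();
            }
        }

        /// <summary>
        /// Wraps serialized token bytes in an IssuedIdentityToken tagged with m_policyId.
        /// </summary>
        /// <param name="tokenData">Serialized token bytes, stored as DecryptedTokenData.</param>
        /// <returns>The issued identity token.</returns>
        private IssuedIdentityToken CreateIssuedToken(byte[] tokenData)
        {
            IssuedIdentityToken wssToken = new IssuedIdentityToken();
            wssToken.PolicyId           = m_policyId;
            wssToken.DecryptedTokenData = tokenData;
            return wssToken;
        }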