private void StartEncryption()
{
if (ElementContainer.SourceEncryptionToken == null)
{
return;
}
// determine the key identifier clause to use for the source
SecurityTokenReferenceStyle sourceEncryptingKeyReferenceStyle = GetTokenReferenceStyle(_encryptingTokenParameters);
bool encryptionTokenSerialized = sourceEncryptingKeyReferenceStyle == SecurityTokenReferenceStyle.Internal;
SecurityKeyIdentifierClause sourceEncryptingKeyIdentifierClause = _encryptingTokenParameters.CreateKeyIdentifierClause(ElementContainer.SourceEncryptionToken, sourceEncryptingKeyReferenceStyle);
if (sourceEncryptingKeyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
}
SecurityToken sourceToken;
SecurityKeyIdentifierClause sourceTokenIdentifierClause;
// if the source token cannot do symmetric crypto, create a wrapped key
if (!SecurityUtils.HasSymmetricSecurityKey(ElementContainer.SourceEncryptionToken))
{
int keyLength = Math.Max(128, AlgorithmSuite.DefaultSymmetricKeyLength);
CryptoHelper.ValidateSymmetricKeyLength(keyLength, AlgorithmSuite);
byte[] key = new byte[keyLength / 8];
CryptoHelper.FillRandomBytes(key);
AlgorithmSuite.GetKeyWrapAlgorithm(ElementContainer.SourceEncryptionToken, out string keyWrapAlgorithm, out XmlDictionaryString keyWrapAlgorithmDictionaryString);
WrappedKeySecurityToken wrappedKey = new WrappedKeySecurityToken(GenerateId(), key, keyWrapAlgorithm, keyWrapAlgorithmDictionaryString,
ElementContainer.SourceEncryptionToken, new SecurityKeyIdentifier(sourceEncryptingKeyIdentifierClause));
ElementContainer.WrappedEncryptionToken = wrappedKey;
sourceToken = wrappedKey;
sourceTokenIdentifierClause = new LocalIdKeyIdentifierClause(wrappedKey.Id, wrappedKey.GetType());
encryptionTokenSerialized = true;
}
else
{
sourceToken = ElementContainer.SourceEncryptionToken;
sourceTokenIdentifierClause = sourceEncryptingKeyIdentifierClause;
}
// determine if a key needs to be derived
SecurityKeyIdentifierClause encryptingKeyIdentifierClause;
// determine if a token needs to be derived
if (_encryptingTokenParameters.RequireDerivedKeys)
{
string derivationAlgorithm = AlgorithmSuite.GetEncryptionKeyDerivationAlgorithm(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion);
string expectedDerivationAlgorithm = SecurityUtils.GetKeyDerivationAlgorithm(StandardsManager.MessageSecurityVersion.SecureConversationVersion);
if (derivationAlgorithm == expectedDerivationAlgorithm)
{
DerivedKeySecurityToken derivedEncryptingToken = new DerivedKeySecurityToken(-1, 0,
AlgorithmSuite.GetEncryptionKeyDerivationLength(sourceToken, StandardsManager.MessageSecurityVersion.SecureConversationVersion), null, DerivedKeySecurityToken.DefaultNonceLength, sourceToken, sourceTokenIdentifierClause, derivationAlgorithm, GenerateId());
_encryptingToken = ElementContainer.DerivedEncryptionToken = derivedEncryptingToken;
encryptingKeyIdentifierClause = new LocalIdKeyIdentifierClause(derivedEncryptingToken.Id, derivedEncryptingToken.GetType());
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.UnsupportedCryptoAlgorithm, derivationAlgorithm)));
}
}
else
{
_encryptingToken = sourceToken;
encryptingKeyIdentifierClause = sourceTokenIdentifierClause;
}
_skipKeyInfoForEncryption = encryptionTokenSerialized && EncryptedKeyContainsReferenceList && (_encryptingToken is WrappedKeySecurityToken) && _signThenEncrypt;
SecurityKeyIdentifier identifier;
if (_skipKeyInfoForEncryption)
{
identifier = null;
}
else
{
identifier = new SecurityKeyIdentifier(encryptingKeyIdentifierClause);
}
StartEncryptionCore(_encryptingToken, identifier);
}
