internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if (token == null)
{
// Check if this is a RSA key.
RsaKeyIdentifierClause rsaClause;
if (ski.TryFind <RsaKeyIdentifierClause>(out rsaClause))
{
token = new RsaSecurityToken(rsaClause.Rsa);
}
}
if (token == null)
{
// Check if this is a X509RawDataKeyIdentifier Clause.
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause;
if (ski.TryFind <X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause))
{
token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData()));
}
}
return(token);
}
/// <summary>
/// Constructs an encrypting credential based on the x509 token.
/// </summary>
/// <param name="token">The x509 security token.</param>
internal X509EncryptingCredentials(X509SecurityToken token)
: this(
token,
new SecurityKeyIdentifier(token.CreateKeyIdentifierClause<X509IssuerSerialKeyIdentifierClause>()),
SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm)
{
}
void Context_PostAuthenticateRequest(object sender, EventArgs e)
{
var context = ((HttpApplication)sender).Context;
// no need to call transformation if session already exists
if (FederatedAuthentication.SessionAuthenticationModule != null &&
FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(context.Request.Cookies))
{
return;
}
var transformer = FederatedAuthentication.ServiceConfiguration.ClaimsAuthenticationManager;
if (transformer != null)
{
var principal = context.User as ClaimsPrincipal;
if (context.Request.ClientCertificate.IsPresent && context.Request.ClientCertificate.IsValid)
{
var cert = new X509Certificate2(context.Request.ClientCertificate.Certificate);
var token = new X509SecurityToken(cert);
var certId = new HttpsSecurityTokenHandler().ValidateToken(token).First();
principal.Identities.Add(certId);
}
var transformedPrincipal = transformer.Authenticate(context.Request.RawUrl, principal);
context.User = transformedPrincipal;
Thread.CurrentPrincipal = transformedPrincipal;
}
}
/// <summary>
/// Returns the issuer name of the given X509SecurityToken mapping the Certificate Thumbprint to
/// a name in the configured map.
/// </summary>
/// <param name="securityToken">SecurityToken for which the issuer name is requested.</param>
/// <returns>Issuer name if the token was registered, null otherwise.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'securityToken' is null.</exception>
public override string GetIssuerName(SecurityToken securityToken)
{
if (securityToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityToken");
}
X509SecurityToken x509SecurityToken = securityToken as X509SecurityToken;
if (x509SecurityToken != null)
{
string thumbprint = x509SecurityToken.Certificate.Thumbprint;
if (_configuredTrustedIssuers.ContainsKey(thumbprint))
{
string issuerName = _configuredTrustedIssuers[thumbprint];
issuerName = string.IsNullOrEmpty(issuerName) ? x509SecurityToken.Certificate.Subject : issuerName;
if (TD.GetIssuerNameSuccessIsEnabled())
{
TD.GetIssuerNameSuccess(EventTraceActivity.GetFromThreadOrCreate(), issuerName, securityToken.Id);
}
return(issuerName);
}
}
if (TD.GetIssuerNameFailureIsEnabled())
{
TD.GetIssuerNameFailure(EventTraceActivity.GetFromThreadOrCreate(), securityToken.Id);
}
return(null);
}
public void MatchesKeyIdentifierClause ()
{
UniqueId id = new UniqueId ();
X509SecurityToken t = new X509SecurityToken (cert, id.ToString ());
LocalIdKeyIdentifierClause l =
new LocalIdKeyIdentifierClause (id.ToString ());
Assert.IsTrue (t.MatchesKeyIdentifierClause (l), "#1-1");
l = new LocalIdKeyIdentifierClause ("#" + id.ToString ());
Assert.IsFalse (t.MatchesKeyIdentifierClause (l), "#1-2");
X509ThumbprintKeyIdentifierClause h =
new X509ThumbprintKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (h), "#2-1");
h = new X509ThumbprintKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (h), "#2-2");
X509IssuerSerialKeyIdentifierClause i =
new X509IssuerSerialKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (i), "#3-1");
i = new X509IssuerSerialKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (i), "#3-2");
X509RawDataKeyIdentifierClause s =
new X509RawDataKeyIdentifierClause (cert);
Assert.IsTrue (t.MatchesKeyIdentifierClause (s), "#4-1");
s = new X509RawDataKeyIdentifierClause (cert2);
Assert.IsFalse (t.MatchesKeyIdentifierClause (s), "#4-2");
}
/// <summary>
/// Writes the X509SecurityToken to the given XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write the token into.</param>
/// <param name="token">The SecurityToken of type X509SecurityToken to be written.</param>
/// <exception cref="ArgumentNullException">The parameter 'writer' or 'token' is null.</exception>
/// <exception cref="ArgumentException">The token is not of type X509SecurityToken.</exception>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(X509SecurityToken)));
}
writer.WriteStartElement(WSSecurity10Constants.Elements.BinarySecurityToken, WSSecurity10Constants.Namespace);
if (!String.IsNullOrEmpty(x509Token.Id))
{
writer.WriteAttributeString(WSSecurityUtilityConstants.Attributes.Id, WSSecurityUtilityConstants.Namespace, x509Token.Id);
}
writer.WriteAttributeString(WSSecurity10Constants.Attributes.ValueType, null, WSSecurity10Constants.X509TokenType);
writer.WriteAttributeString(WSSecurity10Constants.Attributes.EncodingType, WSSecurity10Constants.Base64EncodingType);
byte[] rawData = x509Token.Certificate.GetRawCertData();
writer.WriteBase64(rawData, 0, rawData.Length);
writer.WriteEndElement();
}
/// <summary>
/// Constructs an encrypting credential based on the x509 token.
/// </summary>
/// <param name="token">The x509 security token.</param>
internal X509EncryptingCredentials(X509SecurityToken token)
: this(
token,
new SecurityKeyIdentifier(token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>()),
SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm)
{
}
/// <summary>
/// Utility method to get a X509 Token from a given certificate
/// </summary>
/// <param name="storeName">Name of certificate store (e.g. My, TrustedPeople)</param>
/// <param name="storeLocation">Location of certificate store (e.g. LocalMachine, CurrentUser)</param>
/// <param name="subjectDistinguishedName">The Subject Distinguished Name of the certificate</param>
/// <returns>The corresponding X509 Token</returns>
public static X509SecurityToken GetX509TokenFromCert(StoreName storeName,
StoreLocation storeLocation,
string subjectDistinguishedName)
{
X509Certificate2 certificate = LookupCertificate(storeName, storeLocation, subjectDistinguishedName);
X509SecurityToken t = new X509SecurityToken(certificate);
return t;
}
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 token and the security key identifier to be used.
/// It uses the token's public key, its default asymmetric signature algorithm and the specified security key identifier
/// </summary>
/// <param name="token">The x509 security token.</param>
/// <param name="ski">The security key identifier to be used.</param>
/// <param name="signatureAlgorithm">signature algorithm</param>
/// <param name="digestAlgorithm">digest algorithm</param>
internal X509SigningCredentials(X509SecurityToken token, SecurityKeyIdentifier ski, string signatureAlgorithm, string digestAlgorithm)
: base(token.SecurityKeys[0], signatureAlgorithm, digestAlgorithm, ski)
{
this.certificate = token.Certificate;
if (!this.certificate.HasPrivateKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID2057));
}
}
public void DefaultValues ()
{
UniqueId id = new UniqueId ();
X509SecurityToken t = new X509SecurityToken (cert, id.ToString ());
Assert.AreEqual (id.ToString (), t.Id, "#1");
Assert.AreEqual (cert, t.Certificate, "#2");
Assert.AreEqual (cert.NotBefore.ToUniversalTime (), t.ValidFrom, "#3");
Assert.AreEqual (cert.NotAfter.ToUniversalTime (), t.ValidTo, "#4");
Assert.AreEqual (1, t.SecurityKeys.Count, "#5");
}
private KeyDescriptor GetSigningKeyDescriptor()
{
var certificate = _options.SigningCertificate;
var clause = new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
var key = new KeyDescriptor(new SecurityKeyIdentifier(clause));
key.Use = KeyType.Signing;
return key;
}
WrappedKeySecurityToken GetReferent ()
{
string id = "referent";
byte [] key = new byte [32];
X509SecurityToken token = new X509SecurityToken (cert);
SecurityKeyIdentifierClause kic =
new X509ThumbprintKeyIdentifierClause (cert);
string alg = SecurityAlgorithms.RsaOaepKeyWrap;
return new WrappedKeySecurityToken (id, key, alg, token,
new SecurityKeyIdentifier (kic));
}
public void AddDecryptingToken(X509Certificate2 certificate) {
Contract.Requires<ArgumentNullException>(certificate != null);
Contract.Requires<ArgumentException>(certificate.HasPrivateKey);
var cert = new X509SecurityToken(certificate);
try {
this.AddDecryptingToken(cert);
} catch {
cert.Dispose();
throw;
}
}
public void Properties ()
{
X509ThumbprintKeyIdentifierClause ic =
new X509ThumbprintKeyIdentifierClause (cert);
Assert.AreEqual (cert.GetCertHash (), ic.GetX509Thumbprint (), "#1-1");
Assert.AreEqual (null, ic.ClauseType, "#1-2");
ic = new X509SecurityToken (cert).CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause> ();
Assert.AreEqual (cert.GetCertHash (), ic.GetX509Thumbprint (), "#2-1");
Assert.AreEqual (null, ic.ClauseType, "#2-2");
}
public void AddDecryptingToken(X509Certificate2 certificate) {
Requires.NotNull(certificate, "certificate");
Requires.True(certificate.HasPrivateKey, "certificate");
var cert = new X509SecurityToken(certificate);
try {
this.AddDecryptingToken(cert);
} catch {
cert.Dispose();
throw;
}
}
private static TokenValidationParameters GetValidationParameters()
{
var bytes = Convert.FromBase64String(_securityKey.Value);
var token = new X509SecurityToken(new X509Certificate2(bytes));
return new TokenValidationParameters
{
ValidAudience = _authority + "/resources",
ValidIssuer = _authority,
IssuerSigningKeyResolver = (arbitrarily, declaring, these, parameters) => { return token.SecurityKeys.First(); },
IssuerSigningToken = token
};
}
public X509CertTokenVerificationKey(X509Certificate2 cert)
{
lock (_lock)
{
if (_x509Certificate == null)
{
_x509Certificate = cert;
_securityToken = new X509SecurityToken(_x509Certificate);
base.RawBody = _x509Certificate.RawData;
}
}
}
SspiNegotiationTokenProviderState CreateTlsSspiState(X509SecurityToken token)
{
X509Certificate2 clientCertificate;
if (token == null)
{
clientCertificate = null;
}
else
{
clientCertificate = token.Certificate;
}
TlsSspiNegotiation tlsNegotiation = new TlsSspiNegotiation(String.Empty, SchProtocols.Ssl3Client | SchProtocols.TlsClient, clientCertificate);
return new SspiNegotiationTokenProviderState(tlsNegotiation);
}
/// <summary>
/// Validates the token using the wrapped token handler and generates IAuthorizationPolicy
/// wrapping the returned ClaimsIdentities.
/// </summary>
/// <param name="token">Token to be validated.</param>
/// <returns>Read-only collection of IAuthorizationPolicy</returns>
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore( SecurityToken token )
{
ReadOnlyCollection<ClaimsIdentity> identities = null;
try
{
identities = _wrappedX509SecurityTokenHandler.ValidateToken(token);
}
catch ( Exception ex )
{
if ( !_exceptionMapper.HandleSecurityTokenProcessingException( ex ) )
{
throw;
}
}
// tlsnego will dispose of the x509, when we write out the bootstrap we will get a dispose error.
bool shouldSaveBootstrapContext = SecurityTokenHandlerConfiguration.DefaultSaveBootstrapContext;
if ( _wrappedX509SecurityTokenHandler.Configuration != null )
{
shouldSaveBootstrapContext = _wrappedX509SecurityTokenHandler.Configuration.SaveBootstrapContext;
}
if ( shouldSaveBootstrapContext )
{
X509SecurityToken x509Token = token as X509SecurityToken;
SecurityToken tokenToCache;
if ( x509Token != null )
{
tokenToCache = new X509SecurityToken( x509Token.Certificate );
}
else
{
tokenToCache = token;
}
BootstrapContext bootstrapContext = new BootstrapContext(tokenToCache, _wrappedX509SecurityTokenHandler);
foreach (ClaimsIdentity identity in identities)
{
identity.BootstrapContext = bootstrapContext;
}
}
List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
policies.Add(new AuthorizationPolicy(identities));
return policies.AsReadOnly();
}
public override SecurityMessageProperty GetRemoteSecurity()
{
if (this.clientSecurity.TransportToken != null)
{
return this.clientSecurity;
}
if (this.clientCertificate != null)
{
SecurityToken token = new X509SecurityToken(this.clientCertificate);
ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies = System.ServiceModel.Security.SecurityUtils.NonValidatingX509Authenticator.ValidateToken(token);
this.clientSecurity = new SecurityMessageProperty();
this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies);
this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
return this.clientSecurity;
}
return base.GetRemoteSecurity();
}
public override void OnAbort()
{
if (this.serverTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(this.serverTokenProvider);
this.serverTokenProvider = null;
}
if (this.clientTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenAuthenticatorIfRequired(this.clientTokenAuthenticator);
this.clientTokenAuthenticator = null;
}
if (this.serverToken != null)
{
this.serverToken = null;
}
base.OnAbort();
}
/// <summary>
/// Creates a SAML assertion based on a symmetric proof key
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="signatureToken">An X509SecurityToken that will be used to sign the SAML assertion</param>
/// <param name="encryptionToken">An X509SecurityToken that will be used to encrypt the proof key</param>
/// <param name="proofToken">A BinarySecretSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature token</returns>
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
// Check various input parameters
if (claims == null)
throw new ArgumentNullException("claims");
if (claims.Count == 0)
throw new ArgumentException("Provided ClaimSet must contain at least one claim");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (signatureToken == null)
throw new ArgumentNullException("signatureToken");
if (encryptionToken == null)
throw new ArgumentNullException("encryptionToken");
if (proofToken == null)
throw new ArgumentNullException("proofToken");
if (algoSuite == null)
throw new ArgumentNullException("algoSuite");
// Get signing key and a key identifier for same
SecurityKey signatureKey = signatureToken.SecurityKeys[0];
SecurityKeyIdentifierClause signatureSkic = signatureToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(signatureSkic);
// Get encryption key and a key identifier for same
SecurityKey encryptionKey = encryptionToken.SecurityKeys[0];
SecurityKeyIdentifierClause encryptionSkic = encryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier encryptionKeyIdentifier = new SecurityKeyIdentifier(encryptionSkic);
// Encrypt the proof key and create a key identifier for same
byte[] proofKey = proofToken.GetKeyBytes();
byte[] encryptedSecret = new byte[proofKey.Length];
encryptedSecret = encryptionKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, proofKey);
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(new EncryptedKeyIdentifierClause(encryptedSecret, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptionKeyIdentifier));
// Create the assertion
return CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite);
}
public override void OnClose(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
if (this.serverTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenProviderIfRequired(this.serverTokenProvider, helper.RemainingTime());
this.serverTokenProvider = null;
}
if (this.clientTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenAuthenticatorIfRequired(this.clientTokenAuthenticator, helper.RemainingTime());
this.clientTokenAuthenticator = null;
}
if (this.serverToken != null)
{
this.serverToken = null;
}
base.OnClose(helper.RemainingTime());
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
RsaKeyIdentifierClause clause;
X509RawDataKeyIdentifierClause clause2;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if ((token == null) && ski.TryFind <RsaKeyIdentifierClause>(out clause))
{
token = new RsaSecurityToken(clause.Rsa);
}
if ((token == null) && ski.TryFind <X509RawDataKeyIdentifierClause>(out clause2))
{
token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData()));
}
return(token);
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataClause != null)
{
token = new X509SecurityToken(new X509Certificate2(rawDataClause.GetX509RawData()));
return(true);
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if (rsaClause != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
return(true);
}
if (_wrappedTokenResolver.TryResolveToken(keyIdentifierClause, out token))
{
return(true);
}
return(false);
}
/// <summary>
/// Constructs an encrypting credential based on the x509 token, key wrapping algorithm, and security key identifier.
/// </summary>
/// <param name="token">The x509 security token.</param>
/// <param name="ski">The security key identifier to be used.</param>
/// <param name="keyWrappingAlgorithm">The key wrapping al----htm.</param>
internal X509EncryptingCredentials(X509SecurityToken token, SecurityKeyIdentifier ski, string keyWrappingAlgorithm)
: base(token.SecurityKeys[0], ski, keyWrappingAlgorithm)
{
this.certificate = token.Certificate;
}
/// <summary>
/// Constructs an encrypting credential based on the x509 token and key wrapping algorithm.
/// </summary>
/// <param name="token">The x509 security token.</param>
/// <param name="keyWrappingAlgorithm">The key wrapping al----htm.</param>
internal X509EncryptingCredentials(X509SecurityToken token, string keyWrappingAlgorithm)
: this(token, new SecurityKeyIdentifier(token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>()), keyWrappingAlgorithm)
{
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
X509Store store = null;
X509Certificate2Collection certs = null;
try
{
store = new X509Store(this.storeName, this.storeLocation);
store.Open(OpenFlags.ReadOnly);
certs = store.Certificates;
foreach (X509Certificate2 cert in certs)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null && thumbprintKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerSerialKeyIdentifierClause != null && issuerSerialKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null && subjectKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataKeyIdentifierClause != null && rawDataKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
}
}
finally
{
if (certs != null)
{
for (int i = 0; i < certs.Count; i++)
{
certs[i].Reset();
}
}
if (store != null)
{
store.Close();
}
}
return(false);
}
public virtual ClaimsPrincipal AuthenticateClientCertificate(X509Certificate2 certificate)
{
SecurityTokenHandlerCollection handlers;
var token = new X509SecurityToken(certificate);
if (Configuration.TryGetClientCertificateMapping(out handlers))
{
var identity = handlers.First().ValidateToken(token);
return new ClaimsPrincipal(identity);
}
return Principal.Anonymous;
}
private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 certificate2 = new X509Certificate2(certificate);
SecurityToken token = new X509SecurityToken(certificate2, false);
ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies = this.serverCertificateAuthenticator.ValidateToken(token);
this.serverSecurity = new SecurityMessageProperty();
this.serverSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies);
this.serverSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
AuthorizationContext authorizationContext = this.serverSecurity.ServiceSecurityContext.AuthorizationContext;
this.parent.IdentityVerifier.EnsureOutgoingIdentity(base.RemoteAddress, base.Via, authorizationContext);
return true;
}
private static bool Matches(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey key, CertMatcher certMatcher, out SecurityToken token)
{
token = null;
if (certMatcher != null)
{
X509SecurityKey x509Key = key as X509SecurityKey;
if (x509Key != null)
{
if (certMatcher(x509Key.Certificate))
{
token = new X509SecurityToken(x509Key.Certificate);
return true;
}
}
else
{
X509AsymmetricSecurityKey x509AsymmKey = key as X509AsymmetricSecurityKey;
if (x509AsymmKey != null)
{
X509Certificate2 cert = _certFieldInfo.GetValue(x509AsymmKey) as X509Certificate2;
if (cert != null && certMatcher(cert))
{
token = new X509SecurityToken(cert);
return true;
}
}
}
}
return false;
}
/// <summary>
/// Updates properties in the <see cref="SecurityTokenHandlerConfiguration"/> objects for the
/// <see cref="SecurityTokenHandlerCollection"/> objects contained in
/// <see cref="IdentityConfiguration.SecurityTokenHandlerCollectionManager"/> to be consistent with the property
/// values on this <see cref="IdentityConfiguration"/> instance.
/// </summary>
/// <remarks>
/// This method should be invoked prior to using these token handlers
/// for token processing.
/// </remarks>
/// <exception cref="InvalidOperationException">If this method is invoked more than once.</exception>
public virtual void Initialize()
{
if (this.IsInitialized)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7009));
}
SecurityTokenHandlerCollection defaultCollection = this.SecurityTokenHandlers;
if (!object.ReferenceEquals(_serviceHandlerConfiguration, defaultCollection.Configuration))
{
//
// If someone has created their own new STHConfig and set it as default, leave that config alone.
//
TraceUtility.TraceString(TraceEventType.Information, SR.GetString(SR.ID4283));
this.IsInitialized = true;
return;
}
// Update the ServiceTokenResolver of the default TokenHandlerCollection's configuration, if serviceCertificate is set.
if (this.ServiceCertificate != null)
{
SecurityTokenResolver serviceCertificateResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(
new SecurityToken[] { new X509SecurityToken(this.ServiceCertificate) }), false);
SecurityTokenResolver tokenResolver = this.SecurityTokenHandlers.Configuration.ServiceTokenResolver;
if ((tokenResolver != null) && (tokenResolver != EmptySecurityTokenResolver.Instance))
{
this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { serviceCertificateResolver, tokenResolver });
}
else
{
this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = serviceCertificateResolver;
}
}
SecurityTokenResolver configuredIssuerTokenResolver = this.IssuerTokenResolver;
if (this.IssuerTokenResolver == SecurityTokenHandlerConfiguration.DefaultIssuerTokenResolver)
{
//
// Add the known certificates from WCF's ServiceCredentials in front of
// the default issuer token resolver.
//
if (this.KnownIssuerCertificates != null)
{
int count = this.KnownIssuerCertificates.Count;
if (count > 0)
{
SecurityToken[] tokens = new SecurityToken[count];
for (int i = 0; i < count; i++)
{
tokens[i] = new X509SecurityToken(this.KnownIssuerCertificates[i]);
}
SecurityTokenResolver knownCertificateTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(tokens), false);
this.IssuerTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { knownCertificateTokenResolver, configuredIssuerTokenResolver });
}
}
}
if (this.CertificateValidationMode != X509CertificateValidationMode.Custom)
{
defaultCollection.Configuration.CertificateValidator = X509Util.CreateCertificateValidator(defaultCollection.Configuration.CertificateValidationMode,
defaultCollection.Configuration.RevocationMode,
defaultCollection.Configuration.TrustedStoreLocation);
}
else if (object.ReferenceEquals(defaultCollection.Configuration.CertificateValidator, SecurityTokenHandlerConfiguration.DefaultCertificateValidator))
{
//
// If the mode is custom but the validator or still default, something has gone wrong.
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4280)));
}
this.IsInitialized = true;
}
/// <summary>
/// Validates an <see cref="X509SecurityToken"/>.
/// </summary>
/// <param name="token">The <see cref="X509SecurityToken"/> to validate.</param>
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
/// <exception cref="ArgumentException">The token is not assignable from <see cref="X509SecurityToken"/>.</exception>
/// <exception cref="InvalidOperationException">Configuration <see cref="SecurityTokenHandlerConfiguration"/>is null.</exception>
/// <exception cref="SecurityTokenValidationException">The current <see cref="X509CertificateValidator"/> was unable to validate the certificate in the Token.</exception>
/// <exception cref="InvalidOperationException">Configuration.IssuerNameRegistry is null.</exception>
/// <exception cref="SecurityTokenException">Configuration.IssuerNameRegistry return null when resolving the issuer of the certificate in the Token.</exception>
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(X509SecurityToken)));
}
if (this.Configuration == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
try
{
// Validate the token.
try
{
this.CertificateValidator.Validate(x509Token.Certificate);
}
catch (SecurityTokenValidationException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.ID4257,
X509Util.GetCertificateId(x509Token.Certificate)), e));
}
if (this.Configuration.IssuerNameRegistry == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4277));
}
string issuer = X509Util.GetCertificateIssuerName(x509Token.Certificate, this.Configuration.IssuerNameRegistry);
if (String.IsNullOrEmpty(issuer))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4175)));
}
ClaimsIdentity identity = null;
if (!mapToWindows)
{
identity = new ClaimsIdentity(AuthenticationTypes.X509);
// PARTIAL TRUST: will fail when adding claims, AddClaim is SecurityCritical.
identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509));
}
else
{
WindowsIdentity windowsIdentity;
X509WindowsSecurityToken x509WindowsSecurityToken = token as X509WindowsSecurityToken;
// if this is the case, then the user has already been mapped to a windows account, just return the identity after adding a couple of claims.
if (x509WindowsSecurityToken != null && x509WindowsSecurityToken.WindowsIdentity != null)
{
// X509WindowsSecurityToken is disposable, make a copy.
windowsIdentity = new WindowsIdentity(x509WindowsSecurityToken.WindowsIdentity.Token, x509WindowsSecurityToken.AuthenticationType);
}
else
{
// Ensure NT_AUTH chain policy for certificate account mapping
if (this.x509NTAuthChainTrustValidator == null)
{
lock (this.lockObject)
{
if (this.x509NTAuthChainTrustValidator == null)
{
this.x509NTAuthChainTrustValidator = new X509NTAuthChainTrustValidator();
}
}
}
this.x509NTAuthChainTrustValidator.Validate(x509Token.Certificate);
windowsIdentity = ClaimsHelper.CertificateLogon(x509Token.Certificate);
}
// PARTIAL TRUST: will fail when adding claims, AddClaim is SecurityCritical.
windowsIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509));
identity = windowsIdentity;
}
if (this.Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(token, this);
}
identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
identity.AddClaims(X509Util.GetClaimsFromCertificate(x509Token.Certificate, issuer));
this.TraceTokenValidationSuccess(token);
List <ClaimsIdentity> identities = new List <ClaimsIdentity>(1);
identities.Add(identity);
return(identities.AsReadOnly());
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
this.TraceTokenValidationFailure(token, e.Message);
throw e;
}
}
private KeyDescriptor GetEncryptionDescriptor(X509Certificate2 certificate)
{
var clause = new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
var key = new KeyDescriptor(new SecurityKeyIdentifier(clause));
key.Use = KeyType.Encryption;
return key;
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore( SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ( rawDataClause != null )
{
token = new X509SecurityToken( new X509Certificate2( rawDataClause.GetX509RawData() ) );
return true;
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if ( rsaClause != null )
{
token = new RsaSecurityToken( rsaClause.Rsa );
return true;
}
if ( _wrappedTokenResolver.TryResolveToken( keyIdentifierClause, out token ) )
{
return true;
}
return false;
}
/// <summary>
/// Creates a SAML token for the specified email address.
/// </summary>
public static UserIdentity CreateSAMLToken(string emailAddress)
{
// Normally this would be done by a server that is capable of verifying that
// the user is a legimate holder of email address. Using a local certficate to
// signed the SAML token is a short cut that would never be done in a real system.
CertificateIdentifier userid = new CertificateIdentifier();
userid.StoreType = CertificateStoreType.Windows;
userid.StorePath = "LocalMachine\\My";
userid.SubjectName = "UA Sample Client";
X509Certificate2 certificate = userid.Find();
X509SecurityToken signingToken = new X509SecurityToken(certificate);
// Create list of confirmation strings
List<string> confirmations = new List<string>();
// Add holder-of-key string to list of confirmation strings
confirmations.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
// Create SAML subject statement based on issuer member variable, confirmation string collection
// local variable and proof key identifier parameter
SamlSubject subject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", null, emailAddress);
// Create a list of SAML attributes
List<SamlAttribute> attributes = new List<SamlAttribute>();
Claim claim = Claim.CreateNameClaim(emailAddress);
attributes.Add(new SamlAttribute(claim));
// Create list of SAML statements
List<SamlStatement> statements = new List<SamlStatement>();
// Add a SAML attribute statement to the list of statements. Attribute statement is based on
// subject statement and SAML attributes resulting from claims
statements.Add(new SamlAttributeStatement(subject, attributes));
// Create a valid from/until condition
DateTime validFrom = DateTime.UtcNow;
DateTime validTo = DateTime.UtcNow.AddHours(12);
SamlConditions conditions = new SamlConditions(validFrom, validTo);
// Create the SAML assertion
SamlAssertion assertion = new SamlAssertion(
"_" + Guid.NewGuid().ToString(),
signingToken.Certificate.Subject,
validFrom,
conditions,
null,
statements);
SecurityKey signingKey = new System.IdentityModel.Tokens.RsaSecurityKey((RSA)signingToken.Certificate.PrivateKey);
// Set the signing credentials for the SAML assertion
assertion.SigningCredentials = new SigningCredentials(
signingKey,
System.IdentityModel.Tokens.SecurityAlgorithms.RsaSha1Signature,
System.IdentityModel.Tokens.SecurityAlgorithms.Sha1Digest,
new SecurityKeyIdentifier(signingToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>()));
return new UserIdentity(new SamlSecurityToken(assertion));
}
private void ParseToken(string xmlToken, X509Certificate2 cert)
{
int skew = 300; // default to 5 minutes
string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"];
if (!string.IsNullOrEmpty(tokenskew))
skew = Int32.Parse(tokenskew);
XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken));
EncryptedData enc = new EncryptedData();
enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
enc.ReadFrom(tokenReader);
List<SecurityToken> tokens = new List<SecurityToken>();
SecurityToken encryptingToken = new X509SecurityToken(cert);
tokens.Add(encryptingToken);
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
SymmetricSecurityKey encryptingCrypto;
// an error here usually means that you have selected the wrong key.
encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]);
SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod);
byte[] decryptedData = enc.GetDecryptedBuffer(algorithm);
SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[]{
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator() }), new TimeSpan(0, 0, skew));
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
m_identityClaims = FindIdentityClaims(m_authorizationContext);
}
else
{
throw new Exception("Unable to validate the token.");
}
}
public SecurityTokenService(string issuerName)
{
issuer = issuerName;
issuerToken = GetToken(issuerName, StoreName.My, StoreLocation.LocalMachine);
}
internal override void Open(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
base.Open(helper.RemainingTime());
if (this.clientCertificateProvider != null)
{
System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(this.clientCertificateProvider, helper.RemainingTime());
this.clientToken = (X509SecurityToken) this.clientCertificateProvider.GetToken(helper.RemainingTime());
}
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
X509Store store = null;
X509Certificate2Collection certs = null;
try
{
store = new X509Store(this.storeName, this.storeLocation);
store.Open(OpenFlags.ReadOnly);
certs = store.Certificates;
foreach (X509Certificate2 cert in certs)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null && thumbprintKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return true;
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerSerialKeyIdentifierClause != null && issuerSerialKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return true;
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null && subjectKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return true;
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataKeyIdentifierClause != null && rawDataKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return true;
}
}
}
finally
{
if (certs != null)
{
for (int i = 0; i < certs.Count; i++)
{
certs[i].Reset();
}
}
if (store != null)
{
store.Close();
}
}
return false;
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
SecurityToken resolvedToken = null;
for (int i = 0; i < this.tokenCount; i++)
{
if (matchOnlyExternal && tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
{
continue;
}
SecurityToken token = tokens[i].Token;
if (tokens[i].TokenParameters != null && tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, tokens[i].AllowedReferenceStyle))
{
resolvedToken = token;
break;
}
else if (tokens[i].TokenParameters == null)
{
// match it according to the allowed reference style
if (tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
{
resolvedToken = token;
break;
}
}
}
if ((resolvedToken == null) && (keyIdentifierClause is EncryptedKeyIdentifierClause))
{
EncryptedKeyIdentifierClause keyClause = (EncryptedKeyIdentifierClause)keyIdentifierClause;
SecurityKeyIdentifier wrappingTokenReference = keyClause.EncryptingKeyIdentifier;
SecurityToken unwrappingToken;
if (this.expectedWrapper != null
&& CheckExternalWrapperMatch(wrappingTokenReference))
unwrappingToken = this.expectedWrapper;
else
unwrappingToken = ResolveToken(wrappingTokenReference, true, resolveIntrinsicKeyClause);
if (unwrappingToken != null)
{
resolvedToken = SecurityUtils.CreateTokenFromEncryptedKeyClause(keyClause, unwrappingToken);
}
}
if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
{
resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((resolvedToken != null) && (derivationNonce != null))
{
// A Implicit Derived Key is specified. Create a derived key off of the resolve token.
if (SecurityUtils.GetSecurityKey<SymmetricSecurityKey>(resolvedToken) == null)
{
// The resolved token contains no Symmetric Security key and thus we cannot create
// a derived key off of it.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
}
int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
if (derivationLength > this.securityHeader.MaxDerivedKeyLength)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, this.securityHeader.MaxDerivedKeyLength)));
bool alreadyDerived = false;
for (int i = 0; i < this.tokenCount; ++i)
{
DerivedKeySecurityToken derivedKeyToken = this.tokens[i].Token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
if ((derivedKeyToken.Length == derivationLength) &&
(CryptoHelper.IsEqual(derivedKeyToken.Nonce, derivationNonce)) &&
(derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
// This is a implcit derived key for which we have already derived the
// token.
resolvedToken = this.tokens[i].Token;
alreadyDerived = true;
break;
}
}
}
if (!alreadyDerived)
{
string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(this.securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
this.securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return resolvedToken;
}