private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
{
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
string signatureAlgorithm = null;
string encryptionAlgorithm = null;
switch (keyType)
{
case SecurityKeyType.SymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
break;
case SecurityKeyType.AsymmetricKey:
signatureAlgorithm = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
break;
case SecurityKeyType.BearerKey:
return;
default:
throw new ArgumentOutOfRangeException("keyType");
}
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
issuedParameters.AdditionalRequestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));
if (trustVersion != TrustVersion.WSTrustFeb2005)
{
issuedParameters.AdditionalRequestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
}
internal static bool DoAlgorithmsMatch(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters issuedTokenParameters, SecurityAlgorithmSuite securityAlgorithmSuite, object versionSpecificStandardsManager, out Collection <XmlElement> nonAlgorithmRequestParameters)
{
object[] objArray = new object[] { securityAlgorithmSuite, versionSpecificStandardsManager, null };
bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters), "DoAlgorithmsMatch", objArray);
nonAlgorithmRequestParameters = objArray[2] as Collection <XmlElement>;
return(flag);
}
protected IssuedSecurityTokenParameters (IssuedSecurityTokenParameters source)
: base (source)
{
binding = source.binding;
issuer_address = source.issuer_address;
issuer_meta_address = source.issuer_meta_address;
key_size = source.key_size;
key_type = source.key_type;
token_type = source.token_type;
reqs = new Collection<ClaimTypeRequirement> (source.reqs);
additional_reqs = new Collection<XmlElement> (source.additional_reqs);
}
internal void ApplyConfiguration(IssuedSecurityTokenParameters parameters)
{
if (parameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parameters"));
}
if (this.AdditionalRequestParameters != null)
{
foreach (XmlElementElement element in this.AdditionalRequestParameters)
{
parameters.AdditionalRequestParameters.Add(element.XmlElement);
}
}
if (this.ClaimTypeRequirements != null)
{
foreach (ClaimTypeElement element2 in this.ClaimTypeRequirements)
{
parameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement(element2.ClaimType, element2.IsOptional));
}
}
parameters.KeySize = this.KeySize;
parameters.KeyType = this.KeyType;
parameters.DefaultMessageSecurityVersion = this.DefaultMessageSecurityVersion;
if (!string.IsNullOrEmpty(this.TokenType))
{
parameters.TokenType = this.TokenType;
}
if (base.ElementInformation.Properties["issuer"].ValueOrigin != PropertyValueOrigin.Default)
{
this.Issuer.Validate();
parameters.IssuerAddress = ConfigLoader.LoadEndpointAddress(this.Issuer);
if (!string.IsNullOrEmpty(this.Issuer.Binding))
{
parameters.IssuerBinding = ConfigLoader.LookupBinding(this.Issuer.Binding, this.Issuer.BindingConfiguration, base.EvaluationContext);
}
}
if (base.ElementInformation.Properties["issuerMetadata"].ValueOrigin != PropertyValueOrigin.Default)
{
parameters.IssuerMetadataAddress = ConfigLoader.LoadEndpointAddress(this.IssuerMetadata);
}
}
/// <summary>
///
/// </summary>
/// <param name="transport"></param>
/// <returns></returns>
private static System.ServiceModel.Channels.Binding CreateBinding(TransportBindingElement transport)
{
TextMessageEncodingBindingElement encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.LocalClientSettings.IdentityVerifier = new DisabledDnsIdentityCheck();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
messageSecurity.ProtectTokens = true;
initiator.UseStrTransform = true;
initiator.KeyType = SecurityKeyType.AsymmetricKey;
initiator.RequireDerivedKeys = false;
messageSecurity.InitiatorTokenParameters = initiator;
var customBinding = new CustomBinding(encodingBindingElement, messageSecurity, transport);
return customBinding;
}
public static void Main (string [] args)
{
SymmetricSecurityBindingElement sbe =
new SymmetricSecurityBindingElement ();
IssuedSecurityTokenParameters ip =
new IssuedSecurityTokenParameters ();
sbe.ProtectionTokenParameters = ip;
ip.ClaimTypeRequirements.Add (new ClaimTypeRequirement (
ClaimTypes.Email));
if (args.Length > 0) {
ip.IssuerAddress = new EndpointAddress (new Uri (args [0]),
new X509CertificateEndpointIdentity (new X509Certificate2 (args [1])));
}
ServiceHost host = new ServiceHost (typeof (Foo));
HttpTransportBindingElement hbe =
new HttpTransportBindingElement ();
CustomBinding binding = new CustomBinding (sbe, hbe);
binding.ReceiveTimeout = TimeSpan.FromSeconds (5);
host.AddServiceEndpoint ("IFoo",
binding, new Uri ("http://localhost:8080"));
ServiceCredentials cred = new ServiceCredentials ();
cred.ServiceCertificate.Certificate =
new X509Certificate2 ("test.pfx", "mono");
cred.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
cred.IssuedTokenAuthentication.AllowUntrustedRsaIssuers = true;
host.Description.Behaviors.Add (cred);
host.Description.Behaviors.Find<ServiceDebugBehavior> ()
.IncludeExceptionDetailInFaults = true;
ServiceMetadataBehavior smb = new ServiceMetadataBehavior ();
smb.HttpGetEnabled = true;
smb.HttpGetUrl = new Uri ("http://localhost:8080/wsdl");
host.Description.Behaviors.Add (smb);
host.Open ();
Console.WriteLine ("Hit [CR] key to close ...");
Console.ReadLine ();
host.Close ();
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other) : base(other)
{
this.additionalRequestParameters = new Collection<XmlElement>();
this.alternativeIssuerEndpoints = new Collection<AlternativeIssuerEndpoint>();
this.claimTypeRequirements = new Collection<ClaimTypeRequirement>();
this.defaultMessageSecurityVersion = other.defaultMessageSecurityVersion;
this.issuerAddress = other.issuerAddress;
this.keyType = other.keyType;
this.tokenType = other.tokenType;
this.keySize = other.keySize;
foreach (XmlElement element in other.additionalRequestParameters)
{
this.additionalRequestParameters.Add((XmlElement) element.Clone());
}
foreach (ClaimTypeRequirement requirement in other.claimTypeRequirements)
{
this.claimTypeRequirements.Add(requirement);
}
if (other.issuerBinding != null)
{
this.issuerBinding = new CustomBinding(other.issuerBinding);
}
this.issuerMetadataAddress = other.issuerMetadataAddress;
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other)
: base(other)
{
this.defaultMessageSecurityVersion = other.defaultMessageSecurityVersion;
this.issuerAddress = other.issuerAddress;
this.keyType = other.keyType;
this.tokenType = other.tokenType;
this.keySize = other.keySize;
this.useStrTransform = other.useStrTransform;
foreach (XmlElement parameter in other.additionalRequestParameters)
{
this.additionalRequestParameters.Add((XmlElement)parameter.Clone());
}
foreach (ClaimTypeRequirement c in other.claimTypeRequirements)
{
this.claimTypeRequirements.Add(c);
}
if (other.issuerBinding != null)
{
this.issuerBinding = new CustomBinding(other.issuerBinding);
}
this.issuerMetadataAddress = other.issuerMetadataAddress;
}
internal static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm)
{
IssuedSecurityTokenParameters parameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1") {
KeyType = SecurityKeyType.AsymmetricKey
};
parameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement(wsidPPIClaim));
parameters.IssuerAddress = null;
parameters.AddAlgorithmParameters(algorithm, standardsManager, parameters.KeyType);
return parameters;
}
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null)
{
return(false);
}
if (parameters.TokenType != SecurityXXX2005Strings.SamlTokenType)
{
return(false);
}
if (parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return(false);
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement claimTypeRequirement = parameters.ClaimTypeRequirements[0] as ClaimTypeRequirement;
if (claimTypeRequirement == null)
{
return(false);
}
if (claimTypeRequirement.ClaimType != wsidPPIClaim)
{
return(false);
}
}
else if ((parameters.AdditionalRequestParameters != null) && (parameters.AdditionalRequestParameters.Count > 0))
{
// Check the AdditionalRequest Parameters to see if ClaimTypeRequirements got imported there.
bool claimTypeRequirementMatched = false;
XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if (claimTypeRequirement != null && claimTypeRequirement.ChildNodes.Count == 1)
{
XmlElement claimTypeElement = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (claimTypeElement != null)
{
XmlNode claimType = claimTypeElement.Attributes.GetNamedItem("Uri");
if (claimType != null && claimType.Value == wsidPPIClaim)
{
claimTypeRequirementMatched = true;
}
}
}
if (!claimTypeRequirementMatched)
{
return(false);
}
}
else
{
return(false);
}
if (parameters.IssuerAddress != null)
{
return(false);
}
if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0)
{
return(false);
}
return(true);
}
public void SecureConvProviderOnlyWithIssuedParameters ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
IssuedSecurityTokenParameters ip =
new IssuedSecurityTokenParameters ();
ip.IssuerAddress = new EndpointAddress ("http://localhost:8080");
ip.IssuerBinding = new WSHttpBinding ();
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = ip;
def_c.CreateSecurityTokenProvider (r);
}
public virtual bool TryImportReferenceStyleAssertion(ICollection<XmlElement> assertions, IssuedSecurityTokenParameters parameters)
{
if (TryImportWsspAssertion(assertions, RequireExternalReferenceName))
{
parameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
}
else if (TryImportWsspAssertion(assertions, RequireInternalReferenceName))
{
parameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
}
return true;
}
public virtual bool TryImportWsspIssuedTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, XmlElement assertion, out SecurityTokenParameters parameters)
{
parameters = null;
SecurityTokenInclusionMode inclusionMode;
Collection<Collection<XmlElement>> alternatives;
EndpointAddress issuer;
EndpointAddress issuerMetadata;
Collection<XmlElement> requestSecurityTokenTemplate;
if (IsWsspAssertion(assertion, IssuedTokenName)
&& TryGetIncludeTokenValue(assertion, out inclusionMode)
&& TryGetIssuer(assertion, out issuer, out issuerMetadata)
&& TryGetRequestSecurityTokenTemplate(assertion, out requestSecurityTokenTemplate))
{
if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
{
foreach (Collection<XmlElement> alternative in alternatives)
{
IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters();
parameters = issued;
if (TryImportWsspRequireDerivedKeysAssertion(alternative, issued)
&& TryImportReferenceStyleAssertion(alternative, issued)
&& alternative.Count == 0)
{
issued.InclusionMode = inclusionMode;
issued.IssuerAddress = issuer;
issued.IssuerMetadataAddress = issuerMetadata;
issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver);
TokenIssuerPolicyResolver policyResolver = new TokenIssuerPolicyResolver(this.TrustDriver);
policyResolver.ResolveTokenIssuerPolicy(importer, policyContext, issued);
break;
}
else
{
parameters = null;
}
}
}
else
{
IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters();
parameters = issued;
issued.InclusionMode = inclusionMode;
issued.IssuerAddress = issuer;
issued.IssuerMetadataAddress = issuerMetadata;
issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver);
issued.RequireDerivedKeys = false;
}
}
return parameters != null;
}
public virtual bool TryImportWsspIssuedTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, XmlElement assertion, out SecurityTokenParameters parameters)
{
SecurityTokenInclusionMode mode;
EndpointAddress address;
EndpointAddress address2;
Collection<XmlElement> collection2;
parameters = null;
if ((this.IsWsspAssertion(assertion, "IssuedToken") && this.TryGetIncludeTokenValue(assertion, out mode)) && (this.TryGetIssuer(assertion, out address, out address2) && this.TryGetRequestSecurityTokenTemplate(assertion, out collection2)))
{
Collection<Collection<XmlElement>> collection;
if (this.TryGetNestedPolicyAlternatives(importer, assertion, out collection))
{
foreach (Collection<XmlElement> collection3 in collection)
{
IssuedSecurityTokenParameters parameters2 = new IssuedSecurityTokenParameters();
parameters = parameters2;
if ((this.TryImportWsspRequireDerivedKeysAssertion(collection3, parameters2) && this.TryImportReferenceStyleAssertion(collection3, parameters2)) && (collection3.Count == 0))
{
parameters2.InclusionMode = mode;
parameters2.IssuerAddress = address;
parameters2.IssuerMetadataAddress = address2;
parameters2.SetRequestParameters(collection2, this.TrustDriver);
new TokenIssuerPolicyResolver(this.TrustDriver).ResolveTokenIssuerPolicy(importer, policyContext, parameters2);
break;
}
parameters = null;
}
}
else
{
IssuedSecurityTokenParameters parameters3 = new IssuedSecurityTokenParameters();
parameters = parameters3;
parameters3.InclusionMode = mode;
parameters3.IssuerAddress = address;
parameters3.IssuerMetadataAddress = address2;
parameters3.SetRequestParameters(collection2, this.TrustDriver);
parameters3.RequireDerivedKeys = false;
}
}
return (parameters != null);
}
internal static bool IsIssuedTokenForSslBinding(System.ServiceModel.Channels.SecurityBindingElement bootstrapSecurity, bool p, out System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters infocardParameters)
{
object[] objArray = new object[] { bootstrapSecurity, p, null };
bool flag = (bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Channels.SecurityBindingElement), "IsIssuedTokenForSslBinding", objArray);
infocardParameters = objArray[2] as System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters;
return(flag);
}
// based on WSHttpBinding.CreateMessageSecurity()
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
return element;
}
internal static void AddAlgorithmParameters(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters that, params object[] args)
{
InvokeHelper.InvokeInstanceMethod(typeof(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters), that, "AddAlgorithmParameters", args);
}
protected override SecurityBindingElement CreateMessageSecurity ()
{
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
// if (!Security.Message.EstablishSecurityContext)
// element.SetKeyDerivation (false);
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
if (Security.Message.NegotiateServiceCredential) {
element.ProtectionTokenParameters =
// FIXME: fill proper parameters
new SslSecurityTokenParameters (false, true);
} else {
element.ProtectionTokenParameters =
new X509SecurityTokenParameters ();
}
// if (!Security.Message.EstablishSecurityContext)
// return element;
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements ();
// FIXME: fill the reqs
// FIXME: for TransportWithMessageCredential mode,
// return TransportSecurityBindingElement.
return SecurityBindingElement.CreateSecureConversationBindingElement (
// FIXME: requireCancellation
element, true, reqs);
}
private SecurityBindingElement CreateWSS11SecurityBindingElement()
{
AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();
secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
// TEST
//secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBindingElement.IncludeTimestamp = true;
secBindingElement.SetKeyDerivation(false);
secBindingElement.AllowSerializedSigningTokenOnReply = true;
secBindingElement.RequireSignatureConfirmation = false;
//WS2007HttpBinding stsBinding = new WS2007HttpBinding("wssuntBinding");
//CustomBinding stsBinding = new CustomBinding("ADS-CustomSecureTransport");
// TEMPORARILY DISABLED
// .Net 3.5
//string adsAddress = "http://ha50idp:8089/ADS-STS/Issue.svc";
// .Net 4.0
string adsAddress = "https://ha50idp:8543/ADS-STS/Issue.svc";
//IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
// new EndpointAddress(adsAddress), stsBinding);
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
issuedTokenParameters.UseStrTransform = false;
issuedTokenParameters.KeyType = SecurityKeyType.BearerKey;
//issuedTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
//issuedTokenParameters.KeyType = SecurityKeyType.SymmetricKey;
// 256?
//issuedTokenParameters.KeySize = 256;
issuedTokenParameters.KeySize = 0;
// .Net 3.5
//string adsMexAddress = "http://ha50idp:8089/ADS-STS/Issue.svc/mex";
// .Net 4.0
//string adsMexAddress = "https://ha50idp:8543/ADS-STS/Issue.svc/mex";
//issuedTokenParameters.IssuerMetadataAddress = new EndpointAddress(adsMexAddress);
issuedTokenParameters.RequireDerivedKeys = false;
issuedTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
//issuedTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
// Claims
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:SurName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:GivenName"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:EmailAddressText"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:TelephoneNumber"));
//issuedTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement("gfipm:2.0:user:FederationId"));
// THis is a test
//secBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(issuedTokenParameters);
// This is the right one
secBindingElement.EndpointSupportingTokenParameters.Signed.Add(issuedTokenParameters);
//secBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(issuedTokenParameters);
// need to put this in configuration
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Any;
X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.IssuerSerial;
//X509KeyIdentifierClauseType keyIdClauseType = X509KeyIdentifierClauseType.Thumbprint;
X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.AlwaysToRecipient);
initiatorTokenParameters.RequireDerivedKeys = false;
initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
initiatorTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
//initiatorTokenParameters.ReferenceStyle = (SecurityTokenReferenceStyle)X509KeyIdentifierClauseType.RawDataKeyIdentifier;
secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;
X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(keyIdClauseType,
SecurityTokenInclusionMode.Never);
recipientTokenParameters.RequireDerivedKeys = false;
recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
recipientTokenParameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
secBindingElement.RecipientTokenParameters = recipientTokenParameters;
secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
return secBindingElement;
}
public virtual XmlElement CreateWsspIssuedTokenAssertion(MetadataExporter exporter, IssuedSecurityTokenParameters parameters)
{
XmlElement tokenAssertion = this.CreateWsspAssertion("IssuedToken");
this.SetIncludeTokenValue(tokenAssertion, parameters.InclusionMode);
XmlElement newChild = this.CreateWsspIssuerElement(parameters.IssuerAddress, parameters.IssuerMetadataAddress);
if (newChild != null)
{
tokenAssertion.AppendChild(newChild);
}
XmlElement element3 = this.CreateWsspAssertion("RequestSecurityTokenTemplate");
System.ServiceModel.Security.TrustDriver trustDriver = this.TrustDriver;
foreach (XmlElement element4 in parameters.CreateRequestParameters(trustDriver))
{
element3.AppendChild(doc.ImportNode(element4, true));
}
tokenAssertion.AppendChild(element3);
tokenAssertion.AppendChild(this.CreateWspPolicyWrapper(exporter, new XmlElement[] { this.CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys), this.CreateReferenceStyleAssertion(parameters.ReferenceStyle) }));
return tokenAssertion;
}
public void ResolveTokenIssuerPolicy(MetadataImporter importer, PolicyConversionContext policyContext, IssuedSecurityTokenParameters parameters)
{
if (policyContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
}
if (parameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
}
EndpointAddress address = (parameters.IssuerMetadataAddress != null) ? parameters.IssuerMetadataAddress : parameters.IssuerAddress;
if (((address != null) && !address.IsAnonymous) && !address.Uri.Equals(SelfIssuerUri))
{
int num = (int) importer.State["MaxPolicyRedirections"];
if (num <= 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("MaximumPolicyRedirectionsExceeded")));
}
num--;
MetadataExchangeClient client = null;
if ((importer.State != null) && importer.State.ContainsKey("MetadataExchangeClientKey"))
{
client = importer.State["MetadataExchangeClientKey"] as MetadataExchangeClient;
}
if (client == null)
{
client = new MetadataExchangeClient(address);
}
ServiceEndpointCollection serviceEndpoints = null;
MetadataSet metadata = null;
Exception exception = null;
try
{
metadata = client.GetMetadata(address);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
if (exception2 is NullReferenceException)
{
throw;
}
exception = exception2;
}
if (metadata == null)
{
try
{
metadata = client.GetMetadata(address.Uri, MetadataExchangeClientMode.HttpGet);
}
catch (Exception exception3)
{
if (Fx.IsFatal(exception3))
{
throw;
}
if (exception3 is NullReferenceException)
{
throw;
}
if (exception == null)
{
exception = exception3;
}
}
}
if (metadata == null)
{
if (exception != null)
{
importer.Errors.Add(new MetadataConversionError(System.ServiceModel.SR.GetString("UnableToObtainIssuerMetadata", new object[] { address, exception }), false));
}
}
else
{
WsdlImporter importer2;
WsdlImporter importer3 = importer as WsdlImporter;
if (importer3 != null)
{
importer2 = new WsdlImporter(metadata, importer.PolicyImportExtensions, importer3.WsdlImportExtensions);
}
else
{
importer2 = new WsdlImporter(metadata, importer.PolicyImportExtensions, null);
}
if ((importer.State != null) && importer.State.ContainsKey("MetadataExchangeClientKey"))
{
importer2.State.Add("MetadataExchangeClientKey", importer.State["MetadataExchangeClientKey"]);
}
importer2.State.Add("MaxPolicyRedirections", num);
serviceEndpoints = importer2.ImportAllEndpoints();
for (int i = 0; i < importer2.Errors.Count; i++)
{
MetadataConversionError error = importer2.Errors[i];
importer.Errors.Add(new MetadataConversionError(System.ServiceModel.SR.GetString("ErrorImportingIssuerMetadata", new object[] { address, InsertEllipsisIfTooLong(error.Message) }), error.IsWarning));
}
if (serviceEndpoints != null)
{
this.AddCompatibleFederationEndpoints(serviceEndpoints, parameters);
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
importer.Errors.Add(new MetadataConversionError(System.ServiceModel.SR.GetString("MultipleIssuerEndpointsFound", new object[] { address })));
}
}
}
}
}
private void AddCompatibleFederationEndpoints(ServiceEndpointCollection serviceEndpoints, IssuedSecurityTokenParameters parameters)
{
bool flag = (parameters.IssuerAddress != null) && !parameters.IssuerAddress.IsAnonymous;
foreach (ServiceEndpoint endpoint in serviceEndpoints)
{
TrustDriver trustDriver;
if (!this.TryGetTrustDriver(endpoint, out trustDriver))
{
trustDriver = this.trustDriver;
}
bool flag2 = false;
ContractDescription contract = endpoint.Contract;
for (int i = 0; i < contract.Operations.Count; i++)
{
OperationDescription description2 = contract.Operations[i];
bool flag3 = false;
bool flag4 = false;
for (int j = 0; j < description2.Messages.Count; j++)
{
MessageDescription description3 = description2.Messages[j];
if ((description3.Action == trustDriver.RequestSecurityTokenAction.Value) && (description3.Direction == MessageDirection.Input))
{
flag3 = true;
}
else if ((((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && (description3.Action == trustDriver.RequestSecurityTokenResponseAction.Value)) || ((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && (description3.Action == trustDriver.RequestSecurityTokenResponseFinalAction.Value))) && (description3.Direction == MessageDirection.Output))
{
flag4 = true;
}
}
if (flag3 && flag4)
{
flag2 = true;
break;
}
}
if (flag2 && (!flag || parameters.IssuerAddress.Uri.Equals(endpoint.Address.Uri)))
{
if (parameters.IssuerBinding == null)
{
parameters.IssuerAddress = endpoint.Address;
parameters.IssuerBinding = endpoint.Binding;
}
else
{
IssuedSecurityTokenParameters.AlternativeIssuerEndpoint item = new IssuedSecurityTokenParameters.AlternativeIssuerEndpoint {
IssuerAddress = endpoint.Address,
IssuerBinding = endpoint.Binding
};
parameters.AlternativeIssuerEndpoints.Add(item);
}
}
}
}
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null)
{
return false;
}
if (parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
return false;
}
if (parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return false;
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement requirement = parameters.ClaimTypeRequirements[0];
if (requirement == null)
{
return false;
}
if (requirement.ClaimType != wsidPPIClaim)
{
return false;
}
}
else
{
if ((parameters.AdditionalRequestParameters == null) || (parameters.AdditionalRequestParameters.Count <= 0))
{
return false;
}
bool flag = false;
XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if ((claimTypeRequirement != null) && (claimTypeRequirement.ChildNodes.Count == 1))
{
XmlElement element2 = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (element2 != null)
{
System.Xml.XmlNode namedItem = element2.Attributes.GetNamedItem("Uri");
if ((namedItem != null) && (namedItem.Value == wsidPPIClaim))
{
flag = true;
}
}
}
if (!flag)
{
return false;
}
}
if (parameters.IssuerAddress != null)
{
return false;
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return false;
}
return true;
}
internal static object GetAlternativeIssuerEndpoints(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters issuedTokenParameters)
{
return(InvokeHelper.InvokeStaticGet(typeof(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters), "AlternativeIssuerEndpoints"));
}
internal void InitializeFrom(IssuedSecurityTokenParameters source, bool initializeNestedBindings)
{
if (null == source)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("source");
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeyType, source.KeyType);
if (source.KeySize > 0)
{
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeySize, source.KeySize);
}
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.TokenType, source.TokenType);
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.UseStrTransform, source.UseStrTransform);
if (source.IssuerAddress != null)
this.Issuer.InitializeFrom(source.IssuerAddress);
if (source.DefaultMessageSecurityVersion != null)
SetPropertyValueIfNotDefaultValue(ConfigurationStrings.DefaultMessageSecurityVersion, source.DefaultMessageSecurityVersion);
if (source.IssuerBinding != null && initializeNestedBindings)
{
this.Issuer.BindingConfiguration = this.Issuer.Address.ToString();
string bindingSectionName;
BindingsSection.TryAdd(this.Issuer.BindingConfiguration,
source.IssuerBinding,
out bindingSectionName);
this.Issuer.Binding = bindingSectionName;
}
if (source.IssuerMetadataAddress != null)
{
this.IssuerMetadata.InitializeFrom(source.IssuerMetadataAddress);
}
foreach (XmlElement element in source.AdditionalRequestParameters)
{
this.AdditionalRequestParameters.Add(new XmlElementElement(element));
}
foreach (ClaimTypeRequirement c in source.ClaimTypeRequirements)
{
this.ClaimTypeRequirements.Add(new ClaimTypeElement(c.ClaimType, c.IsOptional));
}
foreach (IssuedSecurityTokenParameters.AlternativeIssuerEndpoint alternativeIssuer in source.AlternativeIssuerEndpoints)
{
IssuedTokenParametersElement element = new IssuedTokenParametersElement();
element.Issuer.InitializeFrom(alternativeIssuer.IssuerAddress);
if (initializeNestedBindings)
{
element.Issuer.BindingConfiguration = element.Issuer.Address.ToString();
string bindingSectionName;
BindingsSection.TryAdd(element.Issuer.BindingConfiguration,
alternativeIssuer.IssuerBinding,
out bindingSectionName);
element.Issuer.Binding = bindingSectionName;
}
this.OptionalIssuedTokenParameters.Add(element);
}
}
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null)
{
return(false);
}
if (parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
return(false);
}
if (parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return(false);
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement requirement = parameters.ClaimTypeRequirements[0];
if (requirement == null)
{
return(false);
}
if (requirement.ClaimType != wsidPPIClaim)
{
return(false);
}
}
else
{
if ((parameters.AdditionalRequestParameters == null) || (parameters.AdditionalRequestParameters.Count <= 0))
{
return(false);
}
bool flag = false;
XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if ((claimTypeRequirement != null) && (claimTypeRequirement.ChildNodes.Count == 1))
{
XmlElement element2 = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (element2 != null)
{
System.Xml.XmlNode namedItem = element2.Attributes.GetNamedItem("Uri");
if ((namedItem != null) && (namedItem.Value == wsidPPIClaim))
{
flag = true;
}
}
}
if (!flag)
{
return(false);
}
}
if (parameters.IssuerAddress != null)
{
return(false);
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return(false);
}
return(true);
}
internal IssuedSecurityTokenParameters Create(bool createTemplateOnly, SecurityKeyType templateKeyType)
{
IssuedSecurityTokenParameters result = new IssuedSecurityTokenParameters();
if (!createTemplateOnly)
{
this.ApplyConfiguration(result);
}
else
{
result.KeyType = templateKeyType;
}
return result;
}
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
SecurityBindingElement CreateMessageSecurity ()
{
if (Security.Mode == SecurityMode.Transport ||
Security.Mode == SecurityMode.None)
return null;
// FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
SymmetricSecurityBindingElement element =
new SymmetricSecurityBindingElement ();
element.MessageSecurityVersion = MessageSecurityVersion.Default;
element.SetKeyDerivation (false);
switch (Security.Message.ClientCredentialType) {
case MessageCredentialType.Certificate:
element.EndpointSupportingTokenParameters.Endorsing.Add (
new X509SecurityTokenParameters ());
goto default;
case MessageCredentialType.IssuedToken:
IssuedSecurityTokenParameters istp =
new IssuedSecurityTokenParameters ();
// FIXME: issuer binding must be secure.
istp.IssuerBinding = new CustomBinding (
new TextMessageEncodingBindingElement (),
GetTransport ());
element.EndpointSupportingTokenParameters.Endorsing.Add (istp);
goto default;
case MessageCredentialType.UserName:
element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
new UserNameSecurityTokenParameters ());
goto default;
case MessageCredentialType.Windows:
element.ProtectionTokenParameters =
new KerberosSecurityTokenParameters ();
break;
default: // including .None
X509SecurityTokenParameters p =
new X509SecurityTokenParameters ();
p.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
element.ProtectionTokenParameters = p;
break;
}
// SecureConversation enabled
ChannelProtectionRequirements reqs =
new ChannelProtectionRequirements ();
// FIXME: fill the reqs
return SecurityBindingElement.CreateSecureConversationBindingElement (
// FIXME: requireCancellation
element, true, reqs);
}
internal static bool IsInfoCardParameters(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters infocardParameters)
{
return((bool)InvokeHelper.InvokeStaticMethod(typeof(System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters), "IsInfocardParameters", null));
}
void AddCompatibleFederationEndpoints(ServiceEndpointCollection serviceEndpoints, IssuedSecurityTokenParameters parameters)
{
// check if an explicit issuer address has been specified. If so,add the endpoint corresponding to that address only. If not add all acceptable endpoints.
bool isIssuerSpecified = (parameters.IssuerAddress != null && !parameters.IssuerAddress.IsAnonymous);
foreach (ServiceEndpoint endpoint in serviceEndpoints)
{
TrustDriver trustDriver;
if (!TryGetTrustDriver(endpoint, out trustDriver))
{
// if endpoint does not have trustDriver, assume
// parent trustDriver.
trustDriver = this.trustDriver;
}
bool isFederationContract = false;
ContractDescription contract = endpoint.Contract;
for (int j = 0; j < contract.Operations.Count; ++j)
{
OperationDescription operation = contract.Operations[j];
bool hasIncomingRst = false;
bool hasOutgoingRstr = false;
for (int k = 0; k < operation.Messages.Count; ++k)
{
MessageDescription message = operation.Messages[k];
if (message.Action == trustDriver.RequestSecurityTokenAction.Value && message.Direction == MessageDirection.Input)
{
hasIncomingRst = true;
}
else if ((((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && (message.Action == trustDriver.RequestSecurityTokenResponseAction.Value)) ||
((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && (message.Action == trustDriver.RequestSecurityTokenResponseFinalAction.Value))) &&
message.Direction == MessageDirection.Output)
{
hasOutgoingRstr = true;
}
}
if (hasIncomingRst && hasOutgoingRstr)
{
isFederationContract = true;
break;
}
}
if (isFederationContract)
{
// skip if it is not an acceptable endpoint
if (isIssuerSpecified && !parameters.IssuerAddress.Uri.Equals(endpoint.Address.Uri))
{
continue;
}
if (parameters.IssuerBinding == null)
{
parameters.IssuerAddress = endpoint.Address;
parameters.IssuerBinding = endpoint.Binding;
}
else
{
IssuedSecurityTokenParameters.AlternativeIssuerEndpoint endpointInfo = new IssuedSecurityTokenParameters.AlternativeIssuerEndpoint();
endpointInfo.IssuerAddress = endpoint.Address;
endpointInfo.IssuerBinding = endpoint.Binding;
parameters.AlternativeIssuerEndpoints.Add(endpointInfo);
}
}
}
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other)
{
Contract.Requires(other != null);
}
public void CreateIssuedTokenForCertificateBindingElement1 ()
{
IssuedSecurityTokenParameters tp =
new IssuedSecurityTokenParameters ();
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement (tp);
SecurityAssert.AssertSymmetricSecurityBindingElement (
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
true, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
1, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.Never, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
// test ProtectionTokenParameters
X509SecurityTokenParameters ptp =
be.ProtectionTokenParameters
as X509SecurityTokenParameters;
Assert.IsNotNull (ptp, "#2-1");
SecurityAssert.AssertSecurityTokenParameters (
SecurityTokenInclusionMode.Never,
SecurityTokenReferenceStyle.Internal,
true, ptp, "Protection");
Assert.AreEqual (X509KeyIdentifierClauseType.Thumbprint, ptp.X509ReferenceStyle, "#2-2");
Assert.AreEqual (tp, be.EndpointSupportingTokenParameters.Endorsing [0], "EndpointParams.Endorsing[0]");
}
public virtual XmlElement CreateWsspIssuedTokenAssertion(MetadataExporter exporter, IssuedSecurityTokenParameters parameters)
{
XmlElement result = CreateWsspAssertion(IssuedTokenName);
SetIncludeTokenValue(result, parameters.InclusionMode);
XmlElement issuerAssertion = CreateWsspIssuerElement(parameters.IssuerAddress, parameters.IssuerMetadataAddress);
if (issuerAssertion != null)
{
result.AppendChild(issuerAssertion);
}
XmlElement tokenTemplate = CreateWsspAssertion(RequestSecurityTokenTemplateName);
TrustDriver driver = this.TrustDriver;
foreach (XmlElement p in parameters.CreateRequestParameters(driver))
{
tokenTemplate.AppendChild(doc.ImportNode(p, true));
}
result.AppendChild(tokenTemplate);
result.AppendChild(
CreateWspPolicyWrapper(
exporter,
CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
CreateReferenceStyleAssertion(parameters.ReferenceStyle)
));
return result;
}
public void CreateIssuedTokenBindingElement1 ()
{
IssuedSecurityTokenParameters tp =
new IssuedSecurityTokenParameters ();
SymmetricSecurityBindingElement be =
SecurityBindingElement.CreateIssuedTokenBindingElement (tp);
SecurityAssert.AssertSymmetricSecurityBindingElement (
SecurityAlgorithmSuite.Default,
true, // IncludeTimestamp
SecurityKeyEntropyMode.CombinedEntropy,
MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature,
MessageSecurityVersion.Default,
false, // RequireSignatureConfirmation
SecurityHeaderLayout.Strict,
// EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count)
0, 0, 0, 0,
// ProtectionTokenParameters
true, SecurityTokenInclusionMode.AlwaysToRecipient, SecurityTokenReferenceStyle.Internal, true,
// LocalClientSettings
true, 60, true,
be, "");
// test ProtectionTokenParameters
Assert.AreEqual (tp, be.ProtectionTokenParameters, "#2-1");
SecurityAssert.AssertSecurityTokenParameters (
SecurityTokenInclusionMode.AlwaysToRecipient,
SecurityTokenReferenceStyle.Internal,
true, tp, "Protection");
}
public void ResolveTokenIssuerPolicy(MetadataImporter importer, PolicyConversionContext policyContext, IssuedSecurityTokenParameters parameters)
{
if (policyContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
}
if (parameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
}
EndpointAddress mexAddress = (parameters.IssuerMetadataAddress != null) ? parameters.IssuerMetadataAddress : parameters.IssuerAddress;
if (mexAddress == null || mexAddress.IsAnonymous || mexAddress.Uri.Equals(SelfIssuerUri))
{
return;
}
int maximumRedirections = (int)importer.State[SecurityBindingElementImporter.MaxPolicyRedirectionsKey];
if (maximumRedirections <= 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.MaximumPolicyRedirectionsExceeded)));
}
--maximumRedirections;
//
// Try to retrieve the proxy from the importer.State bag so that we can have secure mex
// and it fails, then we can create a default one
//
MetadataExchangeClient policyFetcher = null;
if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey)))
{
policyFetcher = importer.State[MetadataExchangeClient.MetadataExchangeClientKey] as MetadataExchangeClient;
}
if (policyFetcher == null)
policyFetcher = new MetadataExchangeClient(mexAddress);
ServiceEndpointCollection federationEndpoints = null;
MetadataSet metadataSet = null;
Exception mexException = null;
try
{
metadataSet = policyFetcher.GetMetadata(mexAddress);
}
catch (Exception e)
{
if (Fx.IsFatal(e))
throw;
if (e is NullReferenceException)
throw;
mexException = e;
}
//
// DCR 6729: Try the http get option here if mex failed.
//
if (metadataSet == null )
{
try
{
metadataSet = policyFetcher.GetMetadata(mexAddress.Uri, MetadataExchangeClientMode.HttpGet);
}
catch (Exception e)
{
if (Fx.IsFatal(e))
throw;
if (e is NullReferenceException)
throw;
if (mexException == null)
mexException = e;
}
}
if (metadataSet == null)
{
//
// we could not retrieve the metadata from the issuer for some reason
//
if (mexException != null)
importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnableToObtainIssuerMetadata, mexAddress, mexException), false));
return;
}
WsdlImporter wsdlImporter;
// NOTE: [....], Policy import/export is seperate from WSDL however, this policy importer
// invokes the WsdlImporter. In the event that the current MetadataImporter is a WsdlImporter,
// we should use it's collection of extensions for the import process. Other wise
WsdlImporter currentWsdlImporter = importer as WsdlImporter;
if (currentWsdlImporter != null)
{
wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, currentWsdlImporter.WsdlImportExtensions);
}
else
{
wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, null);
}
//
// Copy the State from the first importer to the second one so that the state can be passed to the second round wsdl retrieval
//
if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey)))
{
wsdlImporter.State.Add(MetadataExchangeClient.MetadataExchangeClientKey, importer.State[MetadataExchangeClient.MetadataExchangeClientKey]);
}
wsdlImporter.State.Add(SecurityBindingElementImporter.MaxPolicyRedirectionsKey, maximumRedirections);
federationEndpoints = wsdlImporter.ImportAllEndpoints();
// copy all the import errors into the current metadata importer
for (int i = 0; i < wsdlImporter.Errors.Count; ++i)
{
MetadataConversionError error = wsdlImporter.Errors[i];
importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.ErrorImportingIssuerMetadata, mexAddress, InsertEllipsisIfTooLong(error.Message)), error.IsWarning));
}
if (federationEndpoints != null)
{
AddCompatibleFederationEndpoints(federationEndpoints, parameters);
if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0)
{
importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.MultipleIssuerEndpointsFound, mexAddress)));
}
}
}
protected override SecurityBindingElement CreateSecurityBindingElement()
{
SecurityBindingElement element;
IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this._tokenType, this._issuerAddress, this._issuerBinding)
{
KeyType = this._keyType,
IssuerMetadataAddress = this._issuerMetadataAddress
};
if (this._keyType == SecurityKeyType.SymmetricKey)
{
issuedParameters.KeySize = this._algorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedParameters.KeySize = 0;
}
if (this._claimTypeRequirements != null)
{
foreach (ClaimTypeRequirement requirement in this._claimTypeRequirements)
{
issuedParameters.ClaimTypeRequirements.Add(requirement);
}
}
this.AddAlgorithmParameters(this._algorithmSuite, base.TrustVersion, this._keyType, ref issuedParameters);
if (SecurityMode.Message == base.SecurityMode)
{
element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
}
else
{
if (SecurityMode.TransportWithMessageCredential != base.SecurityMode)
{
throw new InvalidOperationException("ID3226");
}
element = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
}
element.DefaultAlgorithmSuite = this._algorithmSuite;
element.IncludeTimestamp = true;
return element;
}
public void CreateRequestParameters ()
{
IssuedSecurityTokenParameters p =
new IssuedSecurityTokenParameters ();
p.ClaimTypeRequirements.Add (new ClaimTypeRequirement (ClaimTypes.Name, true));
p.AdditionalRequestParameters.Add (new XmlDocument ()
.CreateElement ("AdditionalFoo"));
Collection<XmlElement> c = p.CreateRequestParameters (
MessageSecurityVersion.Default,
WSSecurityTokenSerializer.DefaultInstance);
StringWriter sw = new StringWriter ();
XmlWriterSettings settings = new XmlWriterSettings ();
settings.OmitXmlDeclaration = true;
foreach (XmlElement el in c) {
XmlWriter w = XmlWriter.Create (sw, settings);
el.WriteTo (w);
w.Close ();
}
string expected = @"<t:KeyType xmlns:t='http://schemas.xmlsoap.org/ws/2005/02/trust'>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType><t:Claims xmlns:t='http://schemas.xmlsoap.org/ws/2005/02/trust'><wsid:ClaimType Uri='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' Optional='true' xmlns:wsid='http://schemas.xmlsoap.org/ws/2005/05/identity' /></t:Claims><AdditionalFoo />";
Assert.AreEqual (expected.Replace ('\'', '"'), sw.ToString ());
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other)
{
Contract.Requires(other != null);
}
