public SecurityStandardsManager(System.ServiceModel.MessageSecurityVersion messageSecurityVersion, System.IdentityModel.Selectors.SecurityTokenSerializer tokenSerializer)
{
if (messageSecurityVersion == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("messageSecurityVersion"));
}
if (tokenSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenSerializer");
}
this.messageSecurityVersion = messageSecurityVersion;
this.tokenSerializer = tokenSerializer;
if (messageSecurityVersion.SecureConversationVersion == System.ServiceModel.Security.SecureConversationVersion.WSSecureConversation13)
{
this.secureConversationDriver = new WSSecureConversationDec2005.DriverDec2005();
}
else
{
this.secureConversationDriver = new WSSecureConversationFeb2005.DriverFeb2005();
}
if ((this.SecurityVersion != System.ServiceModel.Security.SecurityVersion.WSSecurity10) && (this.SecurityVersion != System.ServiceModel.Security.SecurityVersion.WSSecurity11))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("messageSecurityVersion", System.ServiceModel.SR.GetString("MessageSecurityVersionOutOfRange")));
}
this.idManager = System.ServiceModel.Security.WSSecurityJan2004.IdManager.Instance;
this.wsUtilitySpecificationVersion = System.ServiceModel.Security.WSUtilitySpecificationVersion.Default;
if (messageSecurityVersion.MessageSecurityTokenVersion.TrustVersion == System.ServiceModel.Security.TrustVersion.WSTrust13)
{
this.trustDriver = new WSTrustDec2005.DriverDec2005(this);
}
else
{
this.trustDriver = new WSTrustFeb2005.DriverFeb2005(this);
}
}
public SecurityStandardsManager(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer tokenSerializer)
{
if (messageSecurityVersion == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("messageSecurityVersion"));
if (tokenSerializer == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenSerializer");
this.messageSecurityVersion = messageSecurityVersion;
this.tokenSerializer = tokenSerializer;
if (messageSecurityVersion.SecureConversationVersion == SecureConversationVersion.WSSecureConversation13)
this.secureConversationDriver = new WSSecureConversationDec2005.DriverDec2005();
else
this.secureConversationDriver = new WSSecureConversationFeb2005.DriverFeb2005();
if (this.SecurityVersion == SecurityVersion.WSSecurity10 || this.SecurityVersion == SecurityVersion.WSSecurity11)
{
this.idManager = WSSecurityJan2004.IdManager.Instance;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("messageSecurityVersion", SR.GetString(SR.MessageSecurityVersionOutOfRange)));
}
this.wsUtilitySpecificationVersion = WSUtilitySpecificationVersion.Default;
if (messageSecurityVersion.MessageSecurityTokenVersion.TrustVersion == TrustVersion.WSTrust13)
this.trustDriver = new WSTrustDec2005.DriverDec2005(this);
else
this.trustDriver = new WSTrustFeb2005.DriverFeb2005(this);
}
public SecurityStandardsManager(System.ServiceModel.MessageSecurityVersion messageSecurityVersion, System.IdentityModel.Selectors.SecurityTokenSerializer tokenSerializer)
{
if (messageSecurityVersion == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("messageSecurityVersion"));
}
if (tokenSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenSerializer");
}
this.messageSecurityVersion = messageSecurityVersion;
this.tokenSerializer = tokenSerializer;
if (messageSecurityVersion.SecureConversationVersion == System.ServiceModel.Security.SecureConversationVersion.WSSecureConversation13)
{
this.secureConversationDriver = new WSSecureConversationDec2005.DriverDec2005();
}
else
{
this.secureConversationDriver = new WSSecureConversationFeb2005.DriverFeb2005();
}
if ((this.SecurityVersion != System.ServiceModel.Security.SecurityVersion.WSSecurity10) && (this.SecurityVersion != System.ServiceModel.Security.SecurityVersion.WSSecurity11))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("messageSecurityVersion", System.ServiceModel.SR.GetString("MessageSecurityVersionOutOfRange")));
}
this.idManager = System.ServiceModel.Security.WSSecurityJan2004.IdManager.Instance;
this.wsUtilitySpecificationVersion = System.ServiceModel.Security.WSUtilitySpecificationVersion.Default;
if (messageSecurityVersion.MessageSecurityTokenVersion.TrustVersion == System.ServiceModel.Security.TrustVersion.WSTrust13)
{
this.trustDriver = new WSTrustDec2005.DriverDec2005(this);
}
else
{
this.trustDriver = new WSTrustFeb2005.DriverFeb2005(this);
}
}
public override bool IsSecurityVersionSupported(MessageSecurityVersion version)
{
if ((version != MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) && (version != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11))
{
return (version == MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
}
return true;
}
internal SecurityBindingElement CreateMessageSecurity(bool isReliableSessionEnabled, MessageSecurityVersion version)
{
if ((this.mode != WSFederationHttpSecurityMode.Message) && (this.mode != WSFederationHttpSecurityMode.TransportWithMessageCredential))
{
return null;
}
return this.messageSecurity.CreateSecurityBindingElement(this.Mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version);
}
static MessageSecurityVersion()
{
#if !MOBILE && !XAMMAC_4_5
wss10_basic = new MessageSecurityVersionImpl(false, true, false);
wss11 = new MessageSecurityVersionImpl(true, false, false);
wss11_basic = new MessageSecurityVersionImpl(true, true, false);
wss10_2007_basic = new MessageSecurityVersionImpl(false, true, true);
wss11_2007_basic = new MessageSecurityVersionImpl(true, true, true);
wss11_2007 = new MessageSecurityVersionImpl(true, false, true);
#else
throw new NotImplementedException();
#endif
}
internal static bool TryCreate(SecurityBindingElement sbe, WSFederationHttpSecurityMode mode, HttpTransportSecurity transportSecurity, bool isReliableSessionEnabled, MessageSecurityVersion version, out WSFederationHttpSecurity security)
{
security = null;
FederatedMessageSecurityOverHttp messageSecurity = null;
if (sbe == null)
{
mode = WSFederationHttpSecurityMode.None;
}
else
{
mode &= WSFederationHttpSecurityMode.TransportWithMessageCredential | WSFederationHttpSecurityMode.Message;
if (!FederatedMessageSecurityOverHttp.TryCreate(sbe, mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version, out messageSecurity))
{
return false;
}
}
security = new WSFederationHttpSecurity(mode, messageSecurity);
return true;
}
void GetIssuerBindingSecurityVersion(Binding issuerBinding, MessageSecurityVersion issuedTokenParametersDefaultMessageSecurityVersion, SecurityBindingElement outerSecurityBindingElement, out MessageSecurityVersion messageSecurityVersion, out SecurityTokenSerializer tokenSerializer)
{
// Logic for setting version is:
// 1. use issuer SBE
// 2. use ITSP
// 3. use outer SBE
//
messageSecurityVersion = null;
if (issuerBinding != null)
{
BindingElementCollection bindingElements = issuerBinding.CreateBindingElements();
SecurityBindingElement securityBindingElement = bindingElements.Find <SecurityBindingElement>();
if (securityBindingElement != null)
{
messageSecurityVersion = securityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
if (issuedTokenParametersDefaultMessageSecurityVersion != null)
{
messageSecurityVersion = issuedTokenParametersDefaultMessageSecurityVersion;
}
else if (outerSecurityBindingElement != null)
{
messageSecurityVersion = outerSecurityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
messageSecurityVersion = MessageSecurityVersion.Default;
}
tokenSerializer = this.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion);
}
// if any changes are made to this method, please reflect them in the corresponding TryCrete() method
internal SecurityBindingElement CreateMessageSecurity(bool isSecureTransportMode)
{
SecurityBindingElement result;
if (isSecureTransportMode)
{
MessageSecurityVersion version = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
switch (this.clientCredentialType)
{
case BasicHttpMessageCredentialType.Certificate:
result = SecurityBindingElement.CreateCertificateOverTransportBindingElement(version);
break;
case BasicHttpMessageCredentialType.UserName:
result = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
result.MessageSecurityVersion = version;
break;
default:
Fx.Assert("Unsupported basic http message credential type");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
else
{
if (this.clientCredentialType != BasicHttpMessageCredentialType.Certificate)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BasicHttpMessageSecurityRequiresCertificate)));
}
result = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);
}
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
result.SetKeyDerivation(false);
result.DoNotEmitTrust = true;
return(result);
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other)
: base(other)
{
this.defaultMessageSecurityVersion = other.defaultMessageSecurityVersion;
this.issuerAddress = other.issuerAddress;
this.keyType = other.keyType;
this.tokenType = other.tokenType;
this.keySize = other.keySize;
this.useStrTransform = other.useStrTransform;
foreach (XmlElement parameter in other.additionalRequestParameters)
{
this.additionalRequestParameters.Add((XmlElement)parameter.Clone());
}
foreach (ClaimTypeRequirement c in other.claimTypeRequirements)
{
this.claimTypeRequirements.Add(c);
}
if (other.issuerBinding != null)
{
this.issuerBinding = new CustomBinding(other.issuerBinding);
}
this.issuerMetadataAddress = other.issuerMetadataAddress;
}
internal static bool TryCreate(SecurityBindingElement sbe,
WSFederationHttpSecurityMode mode,
HttpTransportSecurity transportSecurity,
bool isReliableSessionEnabled,
MessageSecurityVersion version,
out WSFederationHttpSecurity security)
{
security = null;
FederatedMessageSecurityOverHttp messageSecurity = null;
if (sbe == null)
{
mode = WSFederationHttpSecurityMode.None;
}
else
{
mode &= WSFederationHttpSecurityMode.Message | WSFederationHttpSecurityMode.TransportWithMessageCredential;
Fx.Assert(WSFederationHttpSecurityModeHelper.IsDefined(mode), string.Format("Invalid WSFederationHttpSecurityMode value: {0}", mode.ToString()));
if (!FederatedMessageSecurityOverHttp.TryCreate(sbe, mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version, out messageSecurity))
return false;
}
security = new WSFederationHttpSecurity(mode, messageSecurity);
return true;
}
protected IssuedSecurityTokenParameters(IssuedSecurityTokenParameters other) : base(other)
{
this.additionalRequestParameters = new Collection<XmlElement>();
this.alternativeIssuerEndpoints = new Collection<AlternativeIssuerEndpoint>();
this.claimTypeRequirements = new Collection<ClaimTypeRequirement>();
this.defaultMessageSecurityVersion = other.defaultMessageSecurityVersion;
this.issuerAddress = other.issuerAddress;
this.keyType = other.keyType;
this.tokenType = other.tokenType;
this.keySize = other.keySize;
foreach (XmlElement element in other.additionalRequestParameters)
{
this.additionalRequestParameters.Add((XmlElement) element.Clone());
}
foreach (ClaimTypeRequirement requirement in other.claimTypeRequirements)
{
this.claimTypeRequirements.Add(requirement);
}
if (other.issuerBinding != null)
{
this.issuerBinding = new CustomBinding(other.issuerBinding);
}
this.issuerMetadataAddress = other.issuerMetadataAddress;
}
public abstract bool IsSecurityVersionSupported(MessageSecurityVersion version);
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element3;
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding")));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool emitBspRequiredAttributes = true;
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding)
{
IssuerMetadataAddress = this.issuerMetadataAddress,
KeyType = this.IssuedKeyType
};
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedTokenParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements)
{
issuedTokenParameters.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in this.TokenRequestParameters)
{
issuedTokenParameters.AdditionalRequestParameters.Add(element2);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType);
if (isSecureTransportMode)
{
element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters);
}
else if (this.negotiateServiceCredential)
{
element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters);
}
element3.MessageSecurityVersion = version;
element3.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true);
}
else
{
element = element3;
}
element.MessageSecurityVersion = version;
element.DefaultAlgorithmSuite = this.AlgorithmSuite;
element.IncludeTimestamp = true;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}
static MessageSecurityVersion ()
{
#if !MOBILE && !XAMMAC_4_5
wss10_basic = new MessageSecurityVersionImpl (false, true, false);
wss11 = new MessageSecurityVersionImpl (true, false, false);
wss11_basic = new MessageSecurityVersionImpl (true, true, false);
wss10_2007_basic = new MessageSecurityVersionImpl (false, true, true);
wss11_2007_basic = new MessageSecurityVersionImpl (true, true, true);
wss11_2007 = new MessageSecurityVersionImpl (true, false, true);
#else
throw new NotImplementedException ();
#endif
}
internal SecurityBindingElement CreateMessageSecurity(bool isReliableSessionEnabled, MessageSecurityVersion version)
{
if (_mode == SecurityMode.Message || _mode == SecurityMode.TransportWithMessageCredential)
{
return(_messageSecurity.CreateSecurityBindingElement(this.Mode == SecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version));
}
else
{
return(null);
}
}
public static void AssertSecurityBindingElement (
SecurityAlgorithmSuite algorithm,
bool includeTimestamp,
SecurityKeyEntropyMode keyEntropyMode,
MessageSecurityVersion messageSecurityVersion,
SecurityHeaderLayout securityHeaderLayout,
// EndpointSupportingTokenParameters
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
// LocalClientSettings
bool cacheCookies,
int renewalThresholdPercentage,
bool detectReplays,
SecurityBindingElement be, string label)
{
Assert.AreEqual (algorithm, be.DefaultAlgorithmSuite, label + ".DefaultAlgorithmSuite");
Assert.AreEqual (includeTimestamp, be.IncludeTimestamp, label + ".KeyEntropyMode");
Assert.AreEqual (keyEntropyMode,
be.KeyEntropyMode, label + "#3");
Assert.AreEqual (messageSecurityVersion,
be.MessageSecurityVersion, label + ".MessageSecurityVersion");
Assert.AreEqual (securityHeaderLayout,
be.SecurityHeaderLayout, label + ".SecurityHeaderLayout");
// FIXME: they should be extracted step by step...
// EndpointSupportingTokenParameters
SupportingTokenParameters tp = be.EndpointSupportingTokenParameters;
AssertSupportingTokenParameters (
endorsing, signed, signedEncrypted, signedEndorsing,
tp, label + ".Endpoint");
// OptionalEndpointSupportingTokenParameters
tp = be.OptionalEndpointSupportingTokenParameters;
Assert.IsNotNull (tp, label + "#3-0");
Assert.AreEqual (0, tp.Endorsing.Count, label + "#3-1");
Assert.AreEqual (0, tp.Signed.Count, label + "#3-2");
Assert.AreEqual (0, tp.SignedEncrypted.Count, label + "#3-3");
Assert.AreEqual (0, tp.SignedEndorsing.Count, label + "#3-4");
// OperationSupportingTokenParameters
IDictionary<string,SupportingTokenParameters> oper = be.OperationSupportingTokenParameters;
Assert.IsNotNull (oper, label + "#4-1");
Assert.AreEqual (0, oper.Count, label + "#4-2");
// OptionalOperationSupportingTokenParameters
oper = be.OptionalOperationSupportingTokenParameters;
Assert.IsNotNull (oper, label + "#5-1");
Assert.AreEqual (0, oper.Count, label + "#5-2");
// LocalClientSettings
LocalClientSecuritySettings lc =
be.LocalClientSettings;
AssertLocalClientSecuritySettings (
cacheCookies,
renewalThresholdPercentage,
detectReplays,
lc, "");
// FIXME: IdentityVerifier
Assert.AreEqual (TimeSpan.FromMinutes (5), lc.MaxClockSkew, label + "#7-5");
Assert.AreEqual (TimeSpan.MaxValue, lc.MaxCookieCachingTime, label + "#7-6");
Assert.AreEqual (true, lc.ReconnectTransportOnFailure, label + "#7-7");
Assert.AreEqual (900000, lc.ReplayCacheSize, label + "#7-8");
Assert.AreEqual (TimeSpan.FromMinutes (5), lc.ReplayWindow, label + "#7-9");
Assert.AreEqual (TimeSpan.FromHours (10), lc.SessionKeyRenewalInterval, label + "#7-10");
Assert.AreEqual (TimeSpan.FromMinutes (5), lc.SessionKeyRolloverInterval, label + "#7-11");
Assert.AreEqual (TimeSpan.FromMinutes (5), lc.TimestampValidityDuration, label + "#7-12");
// FIXME: LocalServiceSettings
}
public WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version)
{
for (int i = 0; i < this.drivers.Count; ++i)
{
if (this.drivers[i].IsSecurityVersionSupported(version))
{
return this.drivers[i];
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
bool isReliableSession,
MessageSecurityVersion version)
{
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
bool emitBspAttributes = true;
IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);
issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
issuedParameters.KeyType = this.IssuedKeyType;
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement c in this.claimTypeRequirements)
{
issuedParameters.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in this.TokenRequestParameters)
{
issuedParameters.AdditionalRequestParameters.Add(p);
}
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);
SecurityBindingElement issuedTokenSecurity;
if (isSecureTransportMode)
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
}
else
{
if (negotiateServiceCredential)
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
}
}
issuedTokenSecurity.MessageSecurityVersion = version;
issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
}
else
{
result = issuedTokenSecurity;
}
result.MessageSecurityVersion = version;
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.IncludeTimestamp = true;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
// issue the transition SCT for a short duration only
issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return result;
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
Fx.Assert(null != sbe, string.Empty);
messageSecurity = null;
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
{
return(false);
}
bool emitBspAttributes = true;
// Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()
SecurityBindingElement bootstrapSecurity;
bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity);
bootstrapSecurity = establishSecurityContext ? bootstrapSecurity : sbe;
if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
{
return(false);
}
bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
IssuedSecurityTokenParameters issuedTokenParameters;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out issuedTokenParameters))
{
return(false);
}
}
else
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out issuedTokenParameters))
{
negotiateServiceCredential = true;
}
else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out issuedTokenParameters))
{
negotiateServiceCredential = false;
}
else
{
return(false);
}
}
if ((issuedTokenParameters.KeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return(false);
}
Collection <XmlElement> nonAlgorithmRequestParameters;
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
if (!issuedTokenParameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite,
versionSpecificStandardsManager,
out nonAlgorithmRequestParameters))
{
return(false);
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
messageSecurity.EstablishSecurityContext = establishSecurityContext;
messageSecurity.IssuedTokenType = issuedTokenParameters.TokenType;
messageSecurity.IssuerAddress = issuedTokenParameters.IssuerAddress;
messageSecurity.IssuerBinding = issuedTokenParameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = issuedTokenParameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = issuedTokenParameters.KeyType;
foreach (ClaimTypeRequirement c in issuedTokenParameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in nonAlgorithmRequestParameters)
{
messageSecurity.TokenRequestParameters.Add(p);
}
if (issuedTokenParameters.AlternativeIssuerEndpoints != null && issuedTokenParameters.AlternativeIssuerEndpoints.Count > 0)
{
return(false);
}
return(true);
}
private static SecurityStandardsManager CreateStandardsManager(MessageSecurityVersion securityVersion)
{
return new SecurityStandardsManager(securityVersion, new WSSecurityTokenSerializer(securityVersion.SecurityVersion, securityVersion.TrustVersion, securityVersion.SecureConversationVersion, false, null, null, null));
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
bool isReliableSession,
MessageSecurityVersion version)
{
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
bool emitBspAttributes = true;
IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);
issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
issuedParameters.KeyType = this.IssuedKeyType;
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement c in this.claimTypeRequirements)
{
issuedParameters.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in this.TokenRequestParameters)
{
issuedParameters.AdditionalRequestParameters.Add(p);
}
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);
SecurityBindingElement issuedTokenSecurity;
if (isSecureTransportMode)
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
}
else
{
if (negotiateServiceCredential)
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
}
}
issuedTokenSecurity.MessageSecurityVersion = version;
issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
}
else
{
result = issuedTokenSecurity;
}
result.MessageSecurityVersion = version;
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.IncludeTimestamp = true;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
// issue the transition SCT for a short duration only
issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element3;
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding")));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool emitBspRequiredAttributes = true;
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding) {
IssuerMetadataAddress = this.issuerMetadataAddress,
KeyType = this.IssuedKeyType
};
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedTokenParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements)
{
issuedTokenParameters.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in this.TokenRequestParameters)
{
issuedTokenParameters.AdditionalRequestParameters.Add(element2);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType);
if (isSecureTransportMode)
{
element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters);
}
else if (this.negotiateServiceCredential)
{
element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters);
}
element3.MessageSecurityVersion = version;
element3.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true);
}
else
{
element = element3;
}
element.MessageSecurityVersion = version;
element.DefaultAlgorithmSuite = this.AlgorithmSuite;
element.IncludeTimestamp = true;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator<SspiNegotiationTokenAuthenticatorState>.defaultServerIssuedTransitionTokenLifetime;
}
return element;
}
static MessageSecurityVersion()
{
wss10_basic = new MessageSecurityVersionImpl(false, true);
wss11 = new MessageSecurityVersionImpl(true, false);
wss11_basic = new MessageSecurityVersionImpl(true, true);
}
private void GetIssuerBindingSecurityVersion(Binding issuerBinding, MessageSecurityVersion issuedTokenParametersDefaultMessageSecurityVersion, SecurityBindingElement outerSecurityBindingElement, out MessageSecurityVersion messageSecurityVersion, out SecurityTokenSerializer tokenSerializer)
{
messageSecurityVersion = null;
if (issuerBinding != null)
{
SecurityBindingElement element = issuerBinding.CreateBindingElements().Find<SecurityBindingElement>();
if (element != null)
{
messageSecurityVersion = element.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
if (issuedTokenParametersDefaultMessageSecurityVersion != null)
{
messageSecurityVersion = issuedTokenParametersDefaultMessageSecurityVersion;
}
else if (outerSecurityBindingElement != null)
{
messageSecurityVersion = outerSecurityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
messageSecurityVersion = MessageSecurityVersion.Default;
}
tokenSerializer = this.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion);
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
Fx.Assert(null != sbe, string.Empty);
messageSecurity = null;
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
return false;
if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
return false;
bool emitBspAttributes = true;
// Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()
SecurityBindingElement bootstrapSecurity;
bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity);
bootstrapSecurity = establishSecurityContext ? bootstrapSecurity : sbe;
if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
return false;
bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
IssuedSecurityTokenParameters issuedTokenParameters;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out issuedTokenParameters))
return false;
}
else
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out issuedTokenParameters))
negotiateServiceCredential = true;
else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out issuedTokenParameters))
negotiateServiceCredential = false;
else
return false;
}
if ((issuedTokenParameters.KeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return false;
}
Collection<XmlElement> nonAlgorithmRequestParameters;
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
if (!issuedTokenParameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite,
versionSpecificStandardsManager,
out nonAlgorithmRequestParameters))
{
return false;
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
messageSecurity.EstablishSecurityContext = establishSecurityContext;
messageSecurity.IssuedTokenType = issuedTokenParameters.TokenType;
messageSecurity.IssuerAddress = issuedTokenParameters.IssuerAddress;
messageSecurity.IssuerBinding = issuedTokenParameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = issuedTokenParameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = issuedTokenParameters.KeyType;
foreach (ClaimTypeRequirement c in issuedTokenParameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in nonAlgorithmRequestParameters)
{
messageSecurity.TokenRequestParameters.Add(p);
}
if (issuedTokenParameters.AlternativeIssuerEndpoints != null && issuedTokenParameters.AlternativeIssuerEndpoints.Count > 0)
{
return false;
}
return true;
}
internal static bool TryCreate(SecurityBindingElement sbe, WSFederationHttpSecurityMode mode, HttpTransportSecurity transportSecurity, bool isReliableSessionEnabled, MessageSecurityVersion version, out WSFederationHttpSecurity security)
{
security = null;
FederatedMessageSecurityOverHttp messageSecurity = null;
if (sbe == null)
{
mode = WSFederationHttpSecurityMode.None;
}
else
{
mode &= WSFederationHttpSecurityMode.TransportWithMessageCredential | WSFederationHttpSecurityMode.Message;
if (!FederatedMessageSecurityOverHttp.TryCreate(sbe, mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version, out messageSecurity))
{
return(false);
}
}
security = new WSFederationHttpSecurity(mode, messageSecurity);
return(true);
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
bool flag;
bool flag2;
bool flag3;
IssuedSecurityTokenParameters parameters;
Collection<XmlElement> collection;
messageSecurity = null;
if (sbe.IncludeTimestamp)
{
SecurityBindingElement element;
if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
{
return false;
}
flag = true;
flag2 = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element);
element = flag2 ? element : sbe;
if (isSecureTransportMode && !(element is TransportSecurityBindingElement))
{
return false;
}
flag3 = true;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters))
{
return false;
}
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out parameters))
{
flag3 = true;
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(element, out parameters))
{
flag3 = false;
goto Label_0078;
}
}
return false;
Label_0078:
if ((parameters.KeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return false;
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, flag, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
if (!parameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, standardsManager, out collection))
{
return false;
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = flag3;
messageSecurity.EstablishSecurityContext = flag2;
messageSecurity.IssuedTokenType = parameters.TokenType;
messageSecurity.IssuerAddress = parameters.IssuerAddress;
messageSecurity.IssuerBinding = parameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = parameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = parameters.KeyType;
foreach (ClaimTypeRequirement requirement in parameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in collection)
{
messageSecurity.TokenRequestParameters.Add(element2);
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return false;
}
return true;
}
public static void AssertAsymmetricSecurityBindingElement (
SecurityAlgorithmSuite algorithm,
bool includeTimestamp,
SecurityKeyEntropyMode keyEntropyMode,
MessageProtectionOrder messageProtectionOrder,
MessageSecurityVersion messageSecurityVersion,
bool requireSignatureConfirmation,
SecurityHeaderLayout securityHeaderLayout,
// EndpointSupportingTokenParameters
int endorsing, int signed, int signedEncrypted, int signedEndorsing,
// InitiatorTokenParameters
bool hasInitiatorTokenParameters,
SecurityTokenInclusionMode initiatorTokenInclusionMode,
SecurityTokenReferenceStyle initiatorTokenReferenceStyle,
bool initiatorTokenRequireDerivedKeys,
// RecipientTokenParameters
bool hasRecipientTokenParameters,
SecurityTokenInclusionMode recipientTokenInclusionMode,
SecurityTokenReferenceStyle recipientTokenReferenceStyle,
bool recipientTokenRequireDerivedKeys,
// LocalClientSettings
bool cacheCookies,
int renewalThresholdPercentage,
bool detectReplays,
AsymmetricSecurityBindingElement be, string label)
{
AssertSecurityBindingElement (
algorithm,
includeTimestamp,
keyEntropyMode,
messageSecurityVersion,
securityHeaderLayout,
// EndpointSupportingTokenParameters
endorsing, signed, signedEncrypted, signedEndorsing,
// LocalClientSettings
cacheCookies,
renewalThresholdPercentage,
detectReplays,
be, label);
Assert.AreEqual (messageProtectionOrder, be.MessageProtectionOrder, label + ".MessageProtectionOrder");
Assert.AreEqual (requireSignatureConfirmation, be.RequireSignatureConfirmation, label + ".RequireSignatureConfirmation");
if (!hasInitiatorTokenParameters)
Assert.IsNull (be.InitiatorTokenParameters, label + ".InitiatorTokenParameters (null)");
else
AssertSecurityTokenParameters (
initiatorTokenInclusionMode,
initiatorTokenReferenceStyle,
initiatorTokenRequireDerivedKeys,
be.InitiatorTokenParameters, label + ".InitiatorTokenParameters");
if (!hasRecipientTokenParameters)
Assert.IsNull (be.RecipientTokenParameters, label + ".RecipientTokenParameters (null)");
else
AssertSecurityTokenParameters (
recipientTokenInclusionMode,
recipientTokenReferenceStyle,
recipientTokenRequireDerivedKeys,
be.RecipientTokenParameters, label + ".RecipientTokenParameters");
}
void GetIssuerBindingSecurityVersion(Binding issuerBinding, MessageSecurityVersion issuedTokenParametersDefaultMessageSecurityVersion, SecurityBindingElement outerSecurityBindingElement, out MessageSecurityVersion messageSecurityVersion, out SecurityTokenSerializer tokenSerializer)
{
// Logic for setting version is:
// 1. use issuer SBE
// 2. use ITSP
// 3. use outer SBE
//
messageSecurityVersion = null;
if (issuerBinding != null)
{
BindingElementCollection bindingElements = issuerBinding.CreateBindingElements();
SecurityBindingElement securityBindingElement = bindingElements.Find<SecurityBindingElement>();
if (securityBindingElement != null)
{
messageSecurityVersion = securityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
if (issuedTokenParametersDefaultMessageSecurityVersion != null)
{
messageSecurityVersion = issuedTokenParametersDefaultMessageSecurityVersion;
}
else if (outerSecurityBindingElement != null)
{
messageSecurityVersion = outerSecurityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
messageSecurityVersion = MessageSecurityVersion.Default;
}
tokenSerializer = this.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion);
}
protected HttpsRelayTransportBindingElement(HttpsRelayTransportBindingElement elementToBeCloned) : base(elementToBeCloned)
{
this.messageSecurityVersion = elementToBeCloned.MessageSecurityVersion;
}
internal IssuedSecurityTokenProvider(SafeFreeCredentials credentialsHandle)
{
this.federatedTokenProvider = new CoreFederatedTokenProvider(credentialsHandle);
this.messageSecurityVersion = System.ServiceModel.MessageSecurityVersion.Default;
}
public SecurityStandardsManager(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer tokenSerializer)
{
throw ExceptionHelper.PlatformNotSupported();
}
protected HttpsTransportBindingElement(HttpsTransportBindingElement elementToBeCloned) : base(elementToBeCloned)
{
this.requireClientCertificate = elementToBeCloned.requireClientCertificate;
this.messageSecurityVersion = elementToBeCloned.messageSecurityVersion;
}
public Collection<XmlElement> CreateRequestParameters(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer securityTokenSerializer)
{
return this.CreateRequestParameters(System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(messageSecurityVersion, securityTokenSerializer).TrustDriver);
}
internal SecurityBindingElement CreateMessageSecurity(bool isReliableSessionEnabled, MessageSecurityVersion version)
{
if (this.mode == SecurityMode.Message || this.mode == SecurityMode.TransportWithMessageCredential)
{
return this.messageSecurity.CreateSecurityBindingElement(this.Mode == SecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version);
}
else
{
return null;
}
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
if (isReliableSession)
{
throw ExceptionHelper.PlatformNotSupported(); // Reliable sessions
}
SecurityBindingElement result;
SecurityBindingElement oneShotSecurity;
bool isKerberosSelected = false;
//bool emitBspAttributes = true;
if (isSecureTransportMode)
{
switch (_clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode));
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.Windows:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
case MessageCredentialType.IssuedToken:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
else
{
throw ExceptionHelper.PlatformNotSupported();
}
// set the algorithm suite and issued token params if required
if (_wasAlgorithmSuiteSet || (!isKerberosSelected))
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = AlgorithmSuite;
}
else if (isKerberosSelected)
{
throw ExceptionHelper.PlatformNotSupported();
}
result.IncludeTimestamp = true;
oneShotSecurity.MessageSecurityVersion = version;
result.MessageSecurityVersion = version;
if (!isReliableSession)
{
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
return(result);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
bool isReliableSession,
MessageSecurityVersion version)
{
throw new NotImplementedException();
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
bool flag;
bool flag2;
bool flag3;
IssuedSecurityTokenParameters parameters;
Collection <XmlElement> collection;
messageSecurity = null;
if (sbe.IncludeTimestamp)
{
SecurityBindingElement element;
if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
{
return(false);
}
flag = true;
flag2 = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element);
element = flag2 ? element : sbe;
if (isSecureTransportMode && !(element is TransportSecurityBindingElement))
{
return(false);
}
flag3 = true;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters))
{
return(false);
}
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out parameters))
{
flag3 = true;
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(element, out parameters))
{
flag3 = false;
goto Label_0078;
}
}
return(false);
Label_0078:
if ((parameters.KeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return(false);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, flag, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
if (!parameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, standardsManager, out collection))
{
return(false);
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = flag3;
messageSecurity.EstablishSecurityContext = flag2;
messageSecurity.IssuedTokenType = parameters.TokenType;
messageSecurity.IssuerAddress = parameters.IssuerAddress;
messageSecurity.IssuerBinding = parameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = parameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = parameters.KeyType;
foreach (ClaimTypeRequirement requirement in parameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in collection)
{
messageSecurity.TokenRequestParameters.Add(element2);
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return(false);
}
return(true);
}
internal SecurityBindingElement CreateMessageSecurity(bool isReliableSessionEnabled, MessageSecurityVersion version)
{
if ((this.mode != WSFederationHttpSecurityMode.Message) && (this.mode != WSFederationHttpSecurityMode.TransportWithMessageCredential))
{
return(null);
}
return(this.messageSecurity.CreateSecurityBindingElement(this.Mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version));
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
throw new NotImplementedException();
}
internal static Collection<RequestSecurityTokenResponse> ExtractIssuances(Message message, MessageSecurityVersion version, WSSecurityTokenSerializer tokenSerializer, string[] actors, XmlQualifiedName expectedAppliesToQName)
{
return ExtractIssuances(message, new SecurityStandardsManager(version, tokenSerializer), actors, expectedAppliesToQName);
}
public static WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version)
{
SecurityPolicyManager policyManager = new SecurityPolicyManager();
return policyManager.GetSecurityPolicyDriver(version);
}
public IssuedTokensHeader(RequestSecurityTokenResponse tokenIssuance, MessageSecurityVersion version, SecurityTokenSerializer tokenSerializer)
: this(tokenIssuance, new SecurityStandardsManager(version, tokenSerializer))
{
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
SecurityBindingElement oneShotSecurity;
bool isKerberosSelected = false;
bool emitBspAttributes = true;
if (isSecureTransportMode)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
else
{
if (negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite), true);
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
else
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
oneShotSecurity = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
break;
case MessageCredentialType.UserName:
oneShotSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
break;
case MessageCredentialType.Certificate:
oneShotSecurity = SecurityBindingElement.CreateMutualCertificateBindingElement();
break;
case MessageCredentialType.Windows:
oneShotSecurity = SecurityBindingElement.CreateKerberosBindingElement();
isKerberosSelected = true;
break;
case MessageCredentialType.IssuedToken:
oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite));
break;
default:
Fx.Assert("unknown ClientCredentialType");
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
}
if (this.IsSecureConversationEnabled())
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
}
else
{
result = oneShotSecurity;
}
}
// set the algorithm suite and issued token params if required
if (wasAlgorithmSuiteSet || (!isKerberosSelected))
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (isKerberosSelected)
{
result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
result.IncludeTimestamp = true;
oneShotSecurity.MessageSecurityVersion = version;
result.MessageSecurityVersion = version;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
// issue the transition SCT for a short duration only
oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
static MessageSecurityVersion ()
{
wss10_basic = new MessageSecurityVersionImpl (false, true, false);
wss11 = new MessageSecurityVersionImpl (true, false, false);
wss11_basic = new MessageSecurityVersionImpl (true, true, false);
wss10_2007_basic = new MessageSecurityVersionImpl (false, true, true);
wss11_2007_basic = new MessageSecurityVersionImpl (true, true, true);
wss11_2007 = new MessageSecurityVersionImpl (true, false, true);
}
private void GetIssuerBindingSecurityVersion(Binding issuerBinding, MessageSecurityVersion issuedTokenParametersDefaultMessageSecurityVersion, SecurityBindingElement outerSecurityBindingElement, out MessageSecurityVersion messageSecurityVersion, out SecurityTokenSerializer tokenSerializer)
{
messageSecurityVersion = null;
if (issuerBinding != null)
{
SecurityBindingElement element = issuerBinding.CreateBindingElements().Find <SecurityBindingElement>();
if (element != null)
{
messageSecurityVersion = element.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
if (issuedTokenParametersDefaultMessageSecurityVersion != null)
{
messageSecurityVersion = issuedTokenParametersDefaultMessageSecurityVersion;
}
else if (outerSecurityBindingElement != null)
{
messageSecurityVersion = outerSecurityBindingElement.MessageSecurityVersion;
}
}
if (messageSecurityVersion == null)
{
messageSecurityVersion = MessageSecurityVersion.Default;
}
tokenSerializer = this.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion);
}
public virtual void OnOpen(TimeSpan timeout)
{
if (this.SecurityBindingElement == null)
{
this.OnPropertySettingsError("SecurityBindingElement", true);
}
if (this.SecurityTokenManager == null)
{
this.OnPropertySettingsError("SecurityTokenManager", true);
}
this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion;
TimeoutHelper helper = new TimeoutHelper(timeout);
this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
if (!this.actAsInitiator)
{
this.AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
foreach (string str in this.securityBindingElement.OperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[str], false, authenticatorSpecList);
this.scopedSupportingTokenAuthenticatorSpecification.Add(str, authenticatorSpecList);
}
foreach (string str2 in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> collection2;
ICollection <SupportingTokenAuthenticatorSpecification> is2;
if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(str2, out is2))
{
collection2 = (Collection <SupportingTokenAuthenticatorSpecification>)is2;
}
else
{
collection2 = new Collection <SupportingTokenAuthenticatorSpecification>();
this.scopedSupportingTokenAuthenticatorSpecification.Add(str2, collection2);
}
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[str2], true, collection2);
}
if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
{
if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0)
{
this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
}
else
{
this.expectSupportingTokens = true;
foreach (SupportingTokenAuthenticatorSpecification specification in this.channelSupportingTokenAuthenticatorSpecification)
{
System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(specification.TokenAuthenticator, helper.RemainingTime());
if (((specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) && (specification.TokenParameters.RequireDerivedKeys && !specification.TokenParameters.HasAsymmetricKey))
{
this.expectKeyDerivation = true;
}
SecurityTokenAttachmentMode securityTokenAttachmentMode = specification.SecurityTokenAttachmentMode;
switch (securityTokenAttachmentMode)
{
case SecurityTokenAttachmentMode.SignedEncrypted:
case SecurityTokenAttachmentMode.Signed:
case SecurityTokenAttachmentMode.SignedEndorsing:
this.expectChannelSignedTokens = true;
if (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted)
{
this.expectChannelBasicTokens = true;
}
break;
}
if ((securityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing))
{
this.expectChannelEndorsingTokens = true;
}
}
this.channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
}
}
this.VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification);
this.MergeSupportingTokenAuthenticators(helper.RemainingTime());
}
if (this.DetectReplays)
{
if (!this.SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", System.ServiceModel.SR.GetString("SecurityProtocolCannotDoReplayDetection", new object[] { this }));
}
if ((this.MaxClockSkew == TimeSpan.MaxValue) || (this.ReplayWindow == TimeSpan.MaxValue))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("NoncesCachedInfinitely")));
}
this.nonceCache = new System.ServiceModel.Security.NonceCache((this.ReplayWindow + this.MaxClockSkew) + this.MaxClockSkew, this.MaxCachedNonces);
}
this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>();
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
messageSecurity = null;
//Currently dotnet-svcutil don't support FederationHttpBinding, do nothing here
return(false);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element2;
if (isReliableSession && !this.IsSecureConversationEnabled())
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool flag = false;
bool emitBspRequiredAttributes = true;
if (!isSecureTransportMode)
{
if (this.negotiateServiceCredential)
{
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite), true);
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
element2 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateKerberosBindingElement();
flag = true;
goto Label_01DA;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateMutualCertificateBindingElement();
goto Label_01DA;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
goto Label_01DA;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
switch (this.clientCredentialType)
{
case MessageCredentialType.None:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));
case MessageCredentialType.Windows:
element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
break;
case MessageCredentialType.UserName:
element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
break;
case MessageCredentialType.Certificate:
element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
break;
case MessageCredentialType.IssuedToken:
element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite));
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
goto Label_01EE;
Label_01DA:
if (this.IsSecureConversationEnabled())
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true);
}
else
{
element = element2;
}
Label_01EE:
if (this.wasAlgorithmSuiteSet || !flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite;
}
else if (flag)
{
element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
}
element.IncludeTimestamp = true;
element2.MessageSecurityVersion = version;
element.MessageSecurityVersion = version;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.IsSecureConversationEnabled())
{
element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}