IssuedSecurityTokenProvider CreateIssuedTokenProvider(SecurityTokenRequirement requirement)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider();
// FIXME: fill properties
EndpointAddress address;
if (requirement.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address))
{
p.IssuerAddress = address;
}
if (requirement.TryGetProperty <EndpointAddress> (ReqType.TargetAddressProperty, out address))
{
p.TargetAddress = address;
}
Binding binding;
if (requirement.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding))
{
p.IssuerBinding = binding;
}
MessageSecurityVersion ver;
if (requirement.TryGetProperty <MessageSecurityVersion> (ReqType.MessageSecurityVersionProperty, out ver))
{
p.SecurityTokenSerializer = CreateSecurityTokenSerializer(ver.SecurityVersion);
}
SecurityAlgorithmSuite suite;
if (requirement.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite))
{
p.SecurityAlgorithmSuite = suite;
}
return(p);
}
public static void Method_TryGetProperty_Return_TrueOrFalse()
{
SecurityTokenRequirement tokenrequirement = new SecurityTokenRequirement();
tokenrequirement.TokenType = SecurityTokenRequirement.TokenTypeProperty;
Assert.True(tokenrequirement.TryGetProperty(tokenrequirement.TokenType, out string valueIsTrue));
Assert.False(tokenrequirement.TryGetProperty("invalidproperty", out string valueIsFalse));
}
IssuedSecurityTokenProvider CreateIssuedProviderBase(SecurityTokenRequirement r)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider();
p.TargetAddress = r.GetProperty <EndpointAddress> (ReqType.TargetAddressProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
// I doubt the binding is acquired this way ...
Binding binding;
if (!r.TryGetProperty <Binding> (ReqType.IssuerBindingProperty, out binding))
{
binding = new CustomBinding(sbe,
new TextMessageEncodingBindingElement(),
new HttpTransportBindingElement());
}
p.IssuerBinding = binding;
// not sure if it is used only for this purpose though ...
BindingContext ctx = r.GetProperty <BindingContext> (ReqType.IssuerBindingContextProperty);
foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll <IEndpointBehavior> ())
{
p.IssuerChannelBehaviors.Add(b);
}
SecurityTokenVersion ver =
r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer(ver);
// seems like they are optional here ... (but possibly
// used later)
EndpointAddress address;
if (!r.TryGetProperty <EndpointAddress> (ReqType.IssuerAddressProperty, out address))
{
address = p.TargetAddress;
}
p.IssuerAddress = address;
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
return(p);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
SecurityTokenRequirement tokenRequirement,
out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
return(CreateUserNameAuthenticator(tokenRequirement));
}
if (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
return(CreateX509Authenticator(tokenRequirement));
}
if (tokenRequirement.TokenType == SecurityTokenTypes.Rsa)
{
return(new RsaSecurityTokenAuthenticator());
}
if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
SecurityBindingElement binding;
if (!tokenRequirement.TryGetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty, out binding))
{
throw new ArgumentException("SecurityBindingElement is required in the security token requirement");
}
SecureConversationSecurityTokenParameters issuedParams;
if (!tokenRequirement.TryGetProperty <SecureConversationSecurityTokenParameters> (ReqType.IssuedSecurityTokenParametersProperty, out issuedParams))
{
throw new ArgumentException("IssuedSecurityTokenParameters are required in the security token requirement");
}
BindingContext issuerBC;
if (!tokenRequirement.TryGetProperty <BindingContext> (ReqType.IssuerBindingContextProperty, out issuerBC))
{
throw new ArgumentException("IssuerBindingContext is required in the security token requirement");
}
SecurityTokenVersion secVer;
if (!tokenRequirement.TryGetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty, out secVer))
{
throw new ArgumentException("MessageSecurityVersion property (of type SecurityTokenVersion) is required in the security token requirement");
}
// FIXME: get parameters from somewhere
SecurityContextSecurityTokenResolver resolver =
new SecurityContextSecurityTokenResolver(0x1000, true);
outOfBandTokenResolver = resolver;
SecurityContextSecurityTokenAuthenticator sc =
new SecurityContextSecurityTokenAuthenticator();
return(new SecureConversationSecurityTokenAuthenticator(tokenRequirement, sc, resolver));
}
throw new NotImplementedException("Not implemented token type: " + tokenRequirement.TokenType);
}
/// <summary>
/// Make use of this extensibility point for returning a custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw LogHelper.LogArgumentNullException(nameof(tokenRequirement));
}
// If the token requirement includes an issued security token parameter of type
// WsTrustTokenParameters, then tokens should be provided by a WsTrustChannelSecurityTokenProvider.
if (tokenRequirement.TryGetProperty(IssuedSecurityTokenParametersProperty, out SecurityTokenParameters issuedSecurityTokenParameters) &&
issuedSecurityTokenParameters is WsTrustTokenParameters)
{
// pass issuedtokenRequirements
return(new WsTrustChannelSecurityTokenProvider(tokenRequirement)
{
ClientCredentials = _wsTrustChannelClientCredentials.ClientCredentials
});
}
// If the original ChannelFactory had a ClientCredentials instance, defer to that
else if (_wsTrustChannelClientCredentials.SecurityTokenManager != null)
{
return(_wsTrustChannelClientCredentials.SecurityTokenManager.CreateSecurityTokenProvider(tokenRequirement));
}
// This means ClientCredentials was replaced with WsTrustChannelClientCredentials in the ChannelFactory so defer
// to base class to create other token providers.
else
{
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (String.IsNullOrWhiteSpace(tokenRequirement.TokenType) ||
tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
SecurityBindingElement sbe = null;
if (!tokenRequirement.TryGetProperty<SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
throw new InvalidOperationException("Could not retreive the Security Binding Element!");
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType != SecurityKeyType.AsymmetricKey) throw new NotSupportedException("Only Asymmetric keys are supported");
//TODO:Add more
IssuedSecurityTokenParameters sessionTokenParams = null;
if (sbe is AsymmetricSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters) ((AsymmetricSecurityBindingElement)sbe).InitiatorTokenParameters;
}
if (sbe is TransportSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters)((TransportSecurityBindingElement)sbe).EndpointSupportingTokenParameters.Endorsing[0];
}
return new SsoSecurityTokenProvider((SsoClientCredentials)ClientCredentials, sessionTokenParams);
}
else
{
// otherwise use base implementation
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
X509Certificate2 GetServiceCertificate(SecurityTokenRequirement requirement)
{
// try X509CertificateEndpointIdentity,
// ServiceCertificate.ScopedCertificate and
// ServiceCertificate.DefaultCertificate.
X509Certificate2 cert = null;
EndpointAddress address = null;
requirement.TryGetProperty(ReqType.TargetAddressProperty, out address);
if (address != null)
{
X509CertificateEndpointIdentity ident = address.Identity as X509CertificateEndpointIdentity;
if (ident != null && ident.Certificates.Count > 0)
{
cert = ident.Certificates [0];
}
if (cert == null)
{
credentials.ServiceCertificate.ScopedCertificates.TryGetValue(address.Uri, out cert);
}
}
if (cert == null)
{
cert = credentials.ServiceCertificate.DefaultCertificate;
}
return(cert);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
SamlAssertion samlAssertion = this.samlClientCredentials.Assertion;
SecurityToken securityToken = this.samlClientCredentials.ProofToken;
if (samlAssertion == null || securityToken == null)
{
SecurityBindingElement securityBindingElement = null;
SecurityAlgorithmSuite algoSuite = null;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
{
algoSuite = securityBindingElement.DefaultAlgorithmSuite;
}
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
securityToken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
samlAssertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, new X509SecurityToken(this.samlClientCredentials.ClientCertificate.Certificate), new X509SecurityToken(this.samlClientCredentials.ServiceCertificate.DefaultCertificate), (BinarySecretSecurityToken)securityToken, algoSuite);
}
else
{
securityToken = SamlUtilities.CreateAsymmetricProofToken();
samlAssertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, securityToken, algoSuite);
}
}
return(new SamlSecurityTokenProvider(samlAssertion, securityToken));
}
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
public static void Method_TryGetProperty_Invalid_Value_Throws()
{
SecurityTokenRequirement tokenrequirement = new SecurityTokenRequirement();
tokenrequirement.TokenType = SecurityTokenRequirement.TokenTypeProperty;
Assert.Throws <ArgumentException>(() => tokenrequirement.TryGetProperty(tokenrequirement.TokenType, out int Tvalue));
}
public void TryGetPropertyTypeMismatch ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
r.Properties ["urn:foo"] = 1;
string s;
r.TryGetProperty<string> ("urn:foo", out s);
}
public static bool TryCreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (clientCredentialsTokenManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("clientCredentialsTokenManager");
}
provider = null;
if ((clientCredentialsTokenManager.ClientCredentials.SupportInteractive && ((null == clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerAddress) || (clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerBinding == null))) && clientCredentialsTokenManager.IsIssuedSecurityTokenRequirement(tokenRequirement))
{
ChannelParameterCollection parameters;
Uri uri;
int num;
InfoCardChannelParameter infocardChannelParameter = null;
if (tokenRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
{
foreach (object obj2 in parameters)
{
if (obj2 is InfoCardChannelParameter)
{
infocardChannelParameter = (InfoCardChannelParameter)obj2;
break;
}
}
}
if ((infocardChannelParameter == null) || !infocardChannelParameter.RequiresInfoCard)
{
return(false);
}
EndpointAddress property = tokenRequirement.GetProperty <EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
IssuedSecurityTokenParameters parameters2 = tokenRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
if (!tokenRequirement.TryGetProperty <Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out uri))
{
uri = null;
}
if (!tokenRequirement.TryGetProperty <int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out num))
{
num = 0;
}
provider = CreateTokenProviderForNextLeg(tokenRequirement, property, parameters2.IssuerAddress, infocardChannelParameter.RelyingPartyIssuer, clientCredentialsTokenManager, infocardChannelParameter);
}
return(provider != null);
}
public void TryGetPropertyTypeBaseMatch ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
r.Properties ["urn:foo"] = 1;
object o;
r.TryGetProperty<object> ("urn:foo", out o);
}
public WSTrustChannelSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
SecurityTokenRequirement = tokenRequirement ?? throw new ArgumentNullException(nameof(tokenRequirement));
SecurityTokenRequirement.TryGetProperty(SecurityAlgorithmSuiteProperty, out _securityAlgorithmSuite);
WSTrustTokenParameters = SecurityTokenRequirement.GetProperty <IssuedSecurityTokenParameters>(IssuedSecurityTokenParametersProperty) as WSTrustTokenParameters;
InitializeKeyEntropyMode();
SetInboundSerializationContext();
RequestContext = string.IsNullOrEmpty(WSTrustTokenParameters.RequestContext) ? Guid.NewGuid().ToString() : WSTrustTokenParameters.RequestContext;
}
public void TryGetPropertyTypeMismatch()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
string s;
r.TryGetProperty <string> ("urn:foo", out s);
}
public void TryGetPropertyTypeBaseMatch()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
object o;
r.TryGetProperty <object> ("urn:foo", out o);
}
public void TryGetPropertyTypeConvertible()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
double d;
r.TryGetProperty <double> ("urn:foo", out d);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator (
SecurityTokenRequirement requirement,
out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
if (requirement.TokenType == SecurityTokenTypes.UserName)
return CreateUserNameAuthenticator (requirement);
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
return CreateX509Authenticator (requirement);
if (requirement.TokenType == SecurityTokenTypes.Rsa)
return new RsaSecurityTokenAuthenticator ();
if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation) {
SecurityBindingElement binding;
if (!requirement.TryGetProperty<SecurityBindingElement> (ReqType.SecurityBindingElementProperty, out binding))
throw new ArgumentException ("SecurityBindingElement is required in the security token requirement");
SecureConversationSecurityTokenParameters issuedParams;
if (!requirement.TryGetProperty<SecureConversationSecurityTokenParameters> (ReqType.IssuedSecurityTokenParametersProperty, out issuedParams))
throw new ArgumentException ("IssuedSecurityTokenParameters are required in the security token requirement");
BindingContext issuerBC;
if (!requirement.TryGetProperty<BindingContext> (ReqType.IssuerBindingContextProperty, out issuerBC))
throw new ArgumentException ("IssuerBindingContext is required in the security token requirement");
SecurityTokenVersion secVer;
if (!requirement.TryGetProperty<SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty, out secVer))
throw new ArgumentException ("MessageSecurityVersion property (of type SecurityTokenVersion) is required in the security token requirement");
// FIXME: get parameters from somewhere
SecurityContextSecurityTokenResolver resolver =
new SecurityContextSecurityTokenResolver (0x1000, true);
outOfBandTokenResolver = resolver;
SecurityContextSecurityTokenAuthenticator sc =
new SecurityContextSecurityTokenAuthenticator ();
return new SecureConversationSecurityTokenAuthenticator (requirement, sc, resolver);
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
return CreateSslTokenAuthenticator (requirement);
if (requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
return CreateSslTokenAuthenticator (requirement);
if (requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
return CreateSpnegoTokenAuthenticator (requirement);
else
throw new NotImplementedException ("Not implemented token type: " + requirement.TokenType);
}
/// <summary>
/// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// If token requirement matches SAML token return the custom SAML token provider
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
// Retrieve the SAML assertion and proof token from the client credentials
SamlAssertion assertion = this.samlClientCredentials.Assertion;
SecurityToken prooftoken = this.samlClientCredentials.ProofToken;
// If either the assertion of proof token is null...
if (assertion == null || prooftoken == null)
{
// ...get the SecurityBindingElement and then the specified algorithm suite
SecurityBindingElement sbe = null;
SecurityAlgorithmSuite sas = null;
if (tokenRequirement.TryGetProperty<SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
sas = sbe.DefaultAlgorithmSuite;
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
// Create a symmetric proof token
prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
(BinarySecretSecurityToken)prooftoken,
sas);
}
// otherwise...
else
{
// Create an asymmetric proof token
prooftoken = SamlUtilities.CreateAsymmetricProofToken();
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
}
}
// Create a SamlSecurityTokenProvider based on the assertion and proof token
return new SamlSecurityTokenProvider(assertion, prooftoken);
}
// otherwise use base implementation
else
{
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
private static SecurityAlgorithmSuite GetSecurityAlgorithmSuite(SecurityTokenRequirement tokenRequirement)
{
SecurityAlgorithmSuite result = null;
SecurityBindingElement securityBindingElement;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
{
result = securityBindingElement.DefaultAlgorithmSuite;
}
return(result);
}
protected internal bool IsIssuedSecurityTokenRequirement(
SecurityTokenRequirement requirement)
{
SecurityTokenParameters ret;
if (!requirement.TryGetProperty <SecurityTokenParameters> (ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty, out ret))
{
return(false);
}
return(ret is IssuedSecurityTokenParameters);
}
/// <summary>
/// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// If token requirement matches SAML token return the custom SAML token provider
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
// Retrieve the SAML assertion and proof token from the client credentials
SamlAssertion assertion = this.samlClientCredentials.Assertion;
SecurityToken prooftoken = this.samlClientCredentials.ProofToken;
// If either the assertion of proof token is null...
if (assertion == null || prooftoken == null)
{
// ...get the SecurityBindingElement and then the specified algorithm suite
SecurityBindingElement sbe = null;
SecurityAlgorithmSuite sas = null;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
sas = sbe.DefaultAlgorithmSuite;
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
// Create a symmetric proof token
prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
(BinarySecretSecurityToken)prooftoken,
sas);
}
// otherwise...
else
{
// Create an asymmetric proof token
prooftoken = SamlUtilities.CreateAsymmetricProofToken();
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
}
}
// Create a SamlSecurityTokenProvider based on the assertion and proof token
return(new SamlSecurityTokenProvider(assertion, prooftoken));
}
// otherwise use base implementation
else
{
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
void InitializeAuthenticatorCommunicationObject(AuthenticatorCommunicationObject p, SecurityTokenRequirement r)
{
p.ListenUri = r.GetProperty <Uri> (ReqType.ListenUriProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
p.SecurityBindingElement = sbe;
/*
* // I doubt the binding is acquired this way ...
* Binding binding;
* if (!r.TryGetProperty<Binding> (ReqType.IssuerBindingProperty, out binding))
* binding = new CustomBinding (
* new TextMessageEncodingBindingElement (),
* new HttpTransportBindingElement ());
* p.IssuerBinding = binding;
*
* // not sure if it is used only for this purpose though ...
* BindingContext ctx = r.GetProperty<BindingContext> (ReqType.IssuerBindingContextProperty);
* foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll<IEndpointBehavior> ())
* p.IssuerChannelBehaviors.Add (b);
*/
SecurityTokenVersion ver =
r.GetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer(ver);
/*
* // seems like they are optional here ... (but possibly
* // used later)
* EndpointAddress address;
* if (!r.TryGetProperty<EndpointAddress> (ReqType.IssuerAddressProperty, out address))
* address = p.TargetAddress;
* p.IssuerAddress = address;
*/
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty <SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
}
/// <summary>
/// Instantiates a <see cref="WSTrustChannelSecurityTokenProvider"/> that describe the parameters for a WSTrust request.
/// </summary>
/// <param name="tokenRequirement">the <see cref="SecurityTokenRequirement"/> that must contain a <see cref="WSTrustTokenParameters"/> as the <see cref="IssuedSecurityTokenParameters"/> property.</param>
/// <exception cref="ArgumentNullException">thrown if <paramref name="tokenRequirement"/> is null.</exception>
/// <exception cref="ArgumentException">thrown if <see cref="SecurityTokenRequirement.GetProperty{TValue}(string)"/> (IssuedSecurityTokenParameters) is not a <see cref="WSTrustTokenParameters"/>.</exception>
public WSTrustChannelSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
SecurityTokenRequirement = tokenRequirement ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new ArgumentNullException(nameof(tokenRequirement)), EventLevel.Error);
SecurityTokenRequirement.TryGetProperty(SecurityAlgorithmSuiteProperty, out _securityAlgorithmSuite);
IssuedSecurityTokenParameters issuedSecurityTokenParameters = SecurityTokenRequirement.GetProperty <IssuedSecurityTokenParameters>(IssuedSecurityTokenParametersProperty);
WSTrustTokenParameters = issuedSecurityTokenParameters as WSTrustTokenParameters;
if (WSTrustTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new ArgumentException(LogHelper.FormatInvariant(SR.GetResourceString(SR.IssuedSecurityTokenParametersIncorrectType), issuedSecurityTokenParameters), nameof(tokenRequirement)), EventLevel.Error);
}
_communicationObject = new WrapperSecurityCommunicationObject(this);
}
private SspiIssuanceChannelParameter GetSspiIssuanceChannelParameter(SecurityTokenRequirement initiatorRequirement)
{
ChannelParameterCollection parameters;
if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters) && (parameters != null))
{
for (int i = 0; i < parameters.Count; i++)
{
if (parameters[i] is SspiIssuanceChannelParameter)
{
return((SspiIssuanceChannelParameter)parameters[i]);
}
}
}
return(null);
}
/// <summary>
/// Instantiates a <see cref="WSTrustChannelSecurityTokenProvider"/> that describe the parameters for a WSTrust request.
/// </summary>
/// <param name="tokenRequirement">the <see cref="SecurityTokenRequirement"/> that must contain a <see cref="WSTrustTokenParameters"/> as the <see cref="IssuedSecurityTokenParameters"/> property.</param>
/// <exception cref="ArgumentNullException">thrown if <paramref name="tokenRequirement"/> is null.</exception>
/// <exception cref="ArgumentException">thrown if <see cref="SecurityTokenRequirement.GetProperty{TValue}(string)"/> (IssuedSecurityTokenParameters) is not a <see cref="WSTrustTokenParameters"/>.</exception>
public WSTrustChannelSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
SecurityTokenRequirement = tokenRequirement ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new ArgumentNullException(nameof(tokenRequirement)), System.Diagnostics.Tracing.EventLevel.Error);
SecurityTokenRequirement.TryGetProperty(SecurityAlgorithmSuiteProperty, out _securityAlgorithmSuite);
IssuedSecurityTokenParameters issuedSecurityTokenParameters = SecurityTokenRequirement.GetProperty <IssuedSecurityTokenParameters>(IssuedSecurityTokenParametersProperty);
WSTrustTokenParameters = issuedSecurityTokenParameters as WSTrustTokenParameters;
if (WSTrustTokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new ArgumentException(LogHelper.FormatInvariant("tokenRequirement.GetProperty<IssuedSecurityTokenParameters> must be of type: WSTrustTokenParameters. Was: '{0}.", issuedSecurityTokenParameters), nameof(tokenRequirement)), System.Diagnostics.Tracing.EventLevel.Error);
}
InitializeKeyEntropyMode();
SetInboundSerializationContext();
RequestContext = string.IsNullOrEmpty(WSTrustTokenParameters.RequestContext) ? Guid.NewGuid().ToString() : WSTrustTokenParameters.RequestContext;
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (String.IsNullOrWhiteSpace(tokenRequirement.TokenType) ||
tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
SecurityBindingElement sbe = null;
if (!tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
throw new InvalidOperationException("Could not retreive the Security Binding Element!");
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType != SecurityKeyType.AsymmetricKey)
{
throw new NotSupportedException("Only Asymmetric keys are supported");
}
//TODO:Add more
IssuedSecurityTokenParameters sessionTokenParams = null;
if (sbe is AsymmetricSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters)((AsymmetricSecurityBindingElement)sbe).InitiatorTokenParameters;
}
if (sbe is TransportSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters)((TransportSecurityBindingElement)sbe).EndpointSupportingTokenParameters.Endorsing[0];
}
return(new SsoSecurityTokenProvider((SsoClientCredentials)ClientCredentials, sessionTokenParams));
}
else
{
// otherwise use base implementation
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement)
{
bool isInitiator;
requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator);
// when it is initiator, then it is for MutualCertificateDuplex.
X509Certificate2 cert;
if (isInitiator)
{
cert = credentials.ClientCertificate.Certificate;
if (cert == null)
{
throw new InvalidOperationException("Client certificate is not provided in ServiceCredentials.");
}
if (cert.PrivateKey == null)
{
throw new ArgumentException("Client certificate for MutualCertificateDuplex does not have a private key which is required for key exchange.");
}
}
else
{
cert = credentials.ServiceCertificate.Certificate;
if (cert == null)
{
throw new InvalidOperationException("Service certificate is not provided in ServiceCredentials.");
}
if (cert.PrivateKey == null)
{
throw new ArgumentException("Service certificate does not have a private key which is required for key exchange.");
}
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider(cert);
return(p);
}
/// <summary>
/// Looks for the first FederatedClientCredentialsParameters object in the ChannelParameterCollection
/// property on the tokenRequirement.
/// </summary>
internal FederatedClientCredentialsParameters FindFederatedChannelParameters(SecurityTokenRequirement tokenRequirement)
{
FederatedClientCredentialsParameters issuedTokenClientCredentialsParameters = null;
ChannelParameterCollection channelParameterCollection = null;
if (tokenRequirement.TryGetProperty <ChannelParameterCollection>(
ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty,
out channelParameterCollection))
{
if (channelParameterCollection != null)
{
foreach (object obj in channelParameterCollection)
{
issuedTokenClientCredentialsParameters = obj as FederatedClientCredentialsParameters;
if (issuedTokenClientCredentialsParameters != null)
{
break;
}
}
}
}
return(issuedTokenClientCredentialsParameters);
}
public void TryGetPropertyTypeConvertible ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
r.Properties ["urn:foo"] = 1;
double d;
r.TryGetProperty<double> ("urn:foo", out d);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (IsIssuedSecurityTokenRequirement(tokenRequirement))
{
return(CreateIssuedTokenProvider(tokenRequirement));
}
bool isInitiator;
// huh, they are not constants but properties.
if (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
return(CreateX509SecurityTokenProvider(tokenRequirement));
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
return(CreateSecureConversationProvider(tokenRequirement));
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
if (tokenRequirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator) && isInitiator)
{
return(CreateSslnegoProvider(tokenRequirement));
}
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
if (tokenRequirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator) && isInitiator)
{
return(CreateSslnegoProvider(tokenRequirement));
}
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.SecurityContext)
{
// FIXME: implement
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
{
return(CreateSpnegoProvider(tokenRequirement));
}
else if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
// FIXME: implement
}
else if (tokenRequirement.TokenType == SecurityTokenTypes.Rsa)
{
// FIXME: implement
}
else if (tokenRequirement.TokenType == SecurityTokenTypes.Saml)
{
// FIXME: implement
}
else if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
return(CreateUserNameProvider(tokenRequirement));
}
else if (tokenRequirement.TokenType == SecurityTokenTypes.Kerberos)
{
return(CreateKerberosProvider(tokenRequirement));
}
throw new NotSupportedException(String.Format("Token type '{0}' is not supported", tokenRequirement.TokenType));
}
public override SecurityTokenProvider CreateSecurityTokenProvider (SecurityTokenRequirement requirement)
{
if (IsIssuedSecurityTokenRequirement (requirement))
return CreateIssuedTokenProvider (requirement);
bool isInitiator;
// huh, they are not constants but properties.
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
return CreateX509SecurityTokenProvider (requirement);
else if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation)
return CreateSecureConversationProvider (requirement);
else if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) {
if (requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator) && isInitiator)
return CreateSslnegoProvider (requirement);
} else if (requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego) {
if (requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator) && isInitiator)
return CreateSslnegoProvider (requirement);
} else if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecurityContext) {
// FIXME: implement
} else if (requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego) {
return CreateSpnegoProvider (requirement);
} else if (requirement.TokenType == ServiceModelSecurityTokenTypes.SspiCredential) {
// FIXME: implement
} else if (requirement.TokenType == SecurityTokenTypes.Rsa) {
// FIXME: implement
} else if (requirement.TokenType == SecurityTokenTypes.Saml) {
// FIXME: implement
} else if (requirement.TokenType == SecurityTokenTypes.UserName)
return CreateUserNameProvider (requirement);
else if (requirement.TokenType == SecurityTokenTypes.Kerberos) {
return CreateKerberosProvider (requirement);
}
throw new NotSupportedException (String.Format ("Token type '{0}' is not supported", requirement.TokenType));
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider (SecurityTokenRequirement requirement)
{
bool isInitiator;
requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator);
// when it is initiator, then it is for MutualCertificateDuplex.
X509Certificate2 cert;
if (isInitiator) {
cert = credentials.ClientCertificate.Certificate;
if (cert == null)
throw new InvalidOperationException ("Client certificate is not provided in ServiceCredentials.");
if (cert.PrivateKey == null)
throw new ArgumentException ("Client certificate for MutualCertificateDuplex does not have a private key which is required for key exchange.");
} else {
cert = credentials.ServiceCertificate.Certificate;
if (cert == null)
throw new InvalidOperationException ("Service certificate is not provided in ServiceCredentials.");
if (cert.PrivateKey == null)
throw new ArgumentException ("Service certificate does not have a private key which is required for key exchange.");
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider (cert);
return p;
}
IssuedSecurityTokenProvider CreateIssuedProviderBase (SecurityTokenRequirement r)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider ();
p.TargetAddress = r.GetProperty<EndpointAddress> (ReqType.TargetAddressProperty);
// FIXME: use it somewhere, probably to build
// IssuerBinding. However, there is also IssuerBinding
// property. SecureConversationSecurityBindingElement
// as well.
SecurityBindingElement sbe =
r.GetProperty<SecurityBindingElement> (ReqType.SecurityBindingElementProperty);
// I doubt the binding is acquired this way ...
Binding binding;
if (!r.TryGetProperty<Binding> (ReqType.IssuerBindingProperty, out binding))
binding = new CustomBinding (sbe,
new TextMessageEncodingBindingElement (),
new HttpTransportBindingElement ());
p.IssuerBinding = binding;
// not sure if it is used only for this purpose though ...
BindingContext ctx = r.GetProperty<BindingContext> (ReqType.IssuerBindingContextProperty);
foreach (IEndpointBehavior b in ctx.BindingParameters.FindAll<IEndpointBehavior> ())
p.IssuerChannelBehaviors.Add (b);
SecurityTokenVersion ver =
r.GetProperty<SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty);
p.SecurityTokenSerializer =
CreateSecurityTokenSerializer (ver);
// seems like they are optional here ... (but possibly
// used later)
EndpointAddress address;
if (!r.TryGetProperty<EndpointAddress> (ReqType.IssuerAddressProperty, out address))
address = p.TargetAddress;
p.IssuerAddress = address;
// It is somehow not checked as mandatory ...
SecurityAlgorithmSuite suite = null;
r.TryGetProperty<SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite);
p.SecurityAlgorithmSuite = suite;
return p;
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider (SecurityTokenRequirement requirement)
{
// - When the request is as an initiator, then
// - if the purpose is key exchange, then
// the initiator wants the service certificate
// to encrypt the message with its public key.
// - otherwise, the initiator wants the client
// certificate to sign the message with the
// private key.
// - otherwise
// - if the purpose is key exchange, then
// the recipient wants the client certificate
// to encrypt the message with its public key.
// - otherwise, the recipient wants the service
// certificate to sign the message with the
// private key.
bool isInitiator;
if (!requirement.TryGetProperty<bool> (ReqType.IsInitiatorProperty, out isInitiator))
isInitiator = false;
X509Certificate2 cert;
bool isClient;
if (isInitiator)
isClient = requirement.KeyUsage == SecurityKeyUsage.Signature;
else {
if (!requirement.Properties.ContainsKey (SecurityTokenRequirement.KeyUsageProperty))
throw new NotSupportedException (String.Format ("Cannot create a security token provider from this requirement '{0}'", requirement));
isClient = requirement.KeyUsage == SecurityKeyUsage.Exchange;
}
if (isClient)
cert = credentials.ClientCertificate.Certificate;
else
cert = GetServiceCertificate (requirement);
if (cert == null) {
if (isClient)
throw new InvalidOperationException ("Client certificate is not provided in ClientCredentials.");
else
throw new InvalidOperationException ("Service certificate is not provided.");
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider (cert);
return p;
}
X509Certificate2 GetServiceCertificate (SecurityTokenRequirement requirement)
{
// try X509CertificateEndpointIdentity,
// ServiceCertificate.ScopedCertificate and
// ServiceCertificate.DefaultCertificate.
X509Certificate2 cert = null;
EndpointAddress address = null;
requirement.TryGetProperty (ReqType.TargetAddressProperty, out address);
if (address != null) {
X509CertificateEndpointIdentity ident = address.Identity as X509CertificateEndpointIdentity;
if (ident != null && ident.Certificates.Count > 0)
cert = ident.Certificates [0];
if (cert == null)
credentials.ServiceCertificate.ScopedCertificates.TryGetValue (address.Uri, out cert);
}
if (cert == null)
cert = credentials.ServiceCertificate.DefaultCertificate;
return cert;
}
IssuedSecurityTokenProvider CreateIssuedTokenProvider (SecurityTokenRequirement requirement)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider ();
// FIXME: fill properties
EndpointAddress address;
if (requirement.TryGetProperty<EndpointAddress> (ReqType.IssuerAddressProperty, out address))
p.IssuerAddress = address;
if (requirement.TryGetProperty<EndpointAddress> (ReqType.TargetAddressProperty, out address))
p.TargetAddress = address;
Binding binding;
if (requirement.TryGetProperty<Binding> (ReqType.IssuerBindingProperty, out binding))
p.IssuerBinding = binding;
MessageSecurityVersion ver;
if (requirement.TryGetProperty<MessageSecurityVersion> (ReqType.MessageSecurityVersionProperty, out ver))
p.SecurityTokenSerializer = CreateSecurityTokenSerializer (ver.SecurityTokenVersion);
SecurityAlgorithmSuite suite;
if (requirement.TryGetProperty<SecurityAlgorithmSuite> (ReqType.SecurityAlgorithmSuiteProperty, out suite))
p.SecurityAlgorithmSuite = suite;
return p;
}
// Summary:
// If interactive support is requested and an IssuedSecurityTokenParameters is specified this method
// will return an instance of an InfoCardTokenProvider.
// Otherwise this method defers to the base implementation.
//
// Parameters
// parameters - The security token parameters associated with this ChannelFactory.
//
// Note
// The target and issuer information will not be available in this call
//
public static bool TryCreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (clientCredentialsTokenManager == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("clientCredentialsTokenManager");
}
provider = null;
if (!clientCredentialsTokenManager.ClientCredentials.SupportInteractive ||
(null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerAddress && null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerBinding) ||
!clientCredentialsTokenManager.IsIssuedSecurityTokenRequirement(tokenRequirement)
)
{
//IDT.TraceDebug("ICARDTOKPROV: Non Issued SecurityToken requirement submitted to InfoCardClientCredentialsSecurityTokenManager:\n{0}", tokenRequirement);
//IDT.TraceDebug("ICARDTOKPROV: Defering to the base class to create the token provider");
}
else
{
ChannelParameterCollection channelParameter;
InfoCardChannelParameter infocardChannelParameter = null;
if (tokenRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameter))
{
foreach (object obj in channelParameter)
{
if (obj is InfoCardChannelParameter)
{
infocardChannelParameter = (InfoCardChannelParameter)obj;
break;
}
}
}
if (null == infocardChannelParameter || !infocardChannelParameter.RequiresInfoCard)
{
return(false);
}
EndpointAddress target = tokenRequirement.GetProperty <EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
IssuedSecurityTokenParameters issuedTokenParameters = tokenRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
Uri privacyNoticeLink;
if (!tokenRequirement.TryGetProperty <Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeLink))
{
privacyNoticeLink = null;
}
int privacyNoticeVersion;
if (!tokenRequirement.TryGetProperty <int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
{
privacyNoticeVersion = 0;
}
//
// This analysis of this chain indicates that interactive support will be required
// The InternalClientCredentials class handles that.
//
provider = CreateTokenProviderForNextLeg(tokenRequirement, target, issuedTokenParameters.IssuerAddress, infocardChannelParameter.RelyingPartyIssuer, clientCredentialsTokenManager, infocardChannelParameter);
}
return(provider != null);
}
X509SecurityTokenProvider CreateX509SecurityTokenProvider(SecurityTokenRequirement requirement)
{
// - When the request is as an initiator, then
// - if the purpose is key exchange, then
// the initiator wants the service certificate
// to encrypt the message with its public key.
// - otherwise, the initiator wants the client
// certificate to sign the message with the
// private key.
// - otherwise
// - if the purpose is key exchange, then
// the recipient wants the client certificate
// to encrypt the message with its public key.
// - otherwise, the recipient wants the service
// certificate to sign the message with the
// private key.
bool isInitiator;
if (!requirement.TryGetProperty <bool> (ReqType.IsInitiatorProperty, out isInitiator))
{
isInitiator = false;
}
X509Certificate2 cert;
bool isClient;
if (isInitiator)
{
isClient = requirement.KeyUsage == SecurityKeyUsage.Signature;
}
else
{
if (!requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty))
{
throw new NotSupportedException(String.Format("Cannot create a security token provider from this requirement '{0}'", requirement));
}
isClient = requirement.KeyUsage == SecurityKeyUsage.Exchange;
}
if (isClient)
{
cert = credentials.ClientCertificate.Certificate;
}
else
{
cert = GetServiceCertificate(requirement);
}
if (cert == null)
{
if (isClient)
{
throw new InvalidOperationException("Client certificate is not provided in ClientCredentials.");
}
else
{
throw new InvalidOperationException("Service certificate is not provided.");
}
}
X509SecurityTokenProvider p =
new X509SecurityTokenProvider(cert);
return(p);
}
/// <summary>
/// Looks for the first FederatedClientCredentialsParameters object in the ChannelParameterCollection
/// property on the tokenRequirement.
/// </summary>
internal FederatedClientCredentialsParameters FindFederatedChannelParameters(SecurityTokenRequirement tokenRequirement)
{
FederatedClientCredentialsParameters issuedTokenClientCredentialsParameters = null;
ChannelParameterCollection channelParameterCollection = null;
if (tokenRequirement.TryGetProperty<ChannelParameterCollection>(
ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty,
out channelParameterCollection))
{
if (channelParameterCollection != null)
{
foreach (object obj in channelParameterCollection)
{
issuedTokenClientCredentialsParameters = obj as FederatedClientCredentialsParameters;
if (issuedTokenClientCredentialsParameters != null)
{
break;
}
}
}
}
return issuedTokenClientCredentialsParameters;
}
SspiIssuanceChannelParameter GetSspiIssuanceChannelParameter(SecurityTokenRequirement initiatorRequirement)
{
ChannelParameterCollection channelParameters;
if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
{
if (channelParameters != null)
{
for (int i = 0; i < channelParameters.Count; ++i)
{
if (channelParameters[i] is SspiIssuanceChannelParameter)
{
return (SspiIssuanceChannelParameter)channelParameters[i];
}
}
}
}
return null;
}
protected internal bool IsIssuedSecurityTokenRequirement (
SecurityTokenRequirement requirement)
{
SecurityTokenParameters ret;
if (!requirement.TryGetProperty<SecurityTokenParameters> (ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty, out ret))
return false;
return ret is IssuedSecurityTokenParameters;
}
