public override SecurityTokenProvider CreateSecurityTokenProvider(
SecurityTokenRequirement requirement)
{
SecurityTokenProvider result = null;
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
{
var direction = requirement.GetProperty<MessageDirection>(ServiceModelSecurityTokenRequirement.MessageDirectionProperty);
if (direction == MessageDirection.Output)
{
if (requirement.KeyUsage == SecurityKeyUsage.Signature)
result = new X509SecurityTokenProvider(this._credentials.ClientSigningCertificate);
else
result = new X509SecurityTokenProvider(this._credentials.ServiceEncryptingCertificate);
}
else
{
if (requirement.KeyUsage == SecurityKeyUsage.Signature)
result = new X509SecurityTokenProvider(this._credentials.ServiceSigningCertificate);
else
result = new X509SecurityTokenProvider(_credentials.ClientEncryptingCertificate);
}
}
else
{
result = base.CreateSecurityTokenProvider(requirement);
}
return result;
}
/// <summary>
/// Creates a security token authenticator based on the <see cref="T:System.IdentityModel.Selectors.SecurityTokenRequirement"/>.
/// </summary>
/// <param name="tokenRequirement">The <see cref="T:System.IdentityModel.Selectors.SecurityTokenRequirement"/>.</param>
/// <param name="outOfBandTokenResolver">When this method returns, contains a <see cref="T:System.IdentityModel.Selectors.SecurityTokenResolver"/>. This parameter is passed uninitialized.</param>
/// <returns>
/// The <see cref="T:System.IdentityModel.Selectors.SecurityTokenAuthenticator"/>.
/// </returns>
/// <exception cref="T:System.ArgumentNullException">
/// <paramref name="tokenRequirement"/> is null.</exception>
/// <exception cref="T:System.NotSupportedException">A security token authenticator cannot be created for the<paramref name=" tokenRequirement"/> that was passed in.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
outOfBandTokenResolver = null;
// Get the current validator
UserNamePasswordValidator validator = ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator;
// Ensure that a validator exists
if (validator == null)
{
Trace.TraceWarning("Custom UserName Password Validator must be configued in web.config");
validator = new DefaultPersonnelValidator();
}
return new PersonnelUserNameTokenAuthenticator(validator);
}
// Return your implementation of the SecurityTokenAuthenticator, if required.
// This implementation delegates to the base class.
return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator
(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
// Return your implementation of the SecurityTokenProvider based on the
// tokenRequirement argument.
SecurityTokenAuthenticator result;
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
MessageDirection direction = tokenRequirement.GetProperty<MessageDirection>
(ServiceModelSecurityTokenRequirement.MessageDirectionProperty);
if (direction == MessageDirection.Input)
{
outOfBandTokenResolver = null;
result = new MySecurityTokenAuthenticator();
}
else
{
result = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
}
else
{
result = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
return result;
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (String.IsNullOrWhiteSpace(tokenRequirement.TokenType) ||
tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
SecurityBindingElement sbe = null;
if (!tokenRequirement.TryGetProperty<SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
throw new InvalidOperationException("Could not retreive the Security Binding Element!");
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType != SecurityKeyType.AsymmetricKey) throw new NotSupportedException("Only Asymmetric keys are supported");
//TODO:Add more
IssuedSecurityTokenParameters sessionTokenParams = null;
if (sbe is AsymmetricSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters) ((AsymmetricSecurityBindingElement)sbe).InitiatorTokenParameters;
}
if (sbe is TransportSecurityBindingElement)
{
sessionTokenParams = (IssuedSecurityTokenParameters)((TransportSecurityBindingElement)sbe).EndpointSupportingTokenParameters.Endorsing[0];
}
return new SsoSecurityTokenProvider((SsoClientCredentials)ClientCredentials, sessionTokenParams);
}
else
{
// otherwise use base implementation
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator (
SecurityTokenRequirement requirement,
out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
if (requirement.TokenType == SecurityTokenTypes.UserName)
return CreateUserNameAuthenticator (requirement);
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
return CreateX509Authenticator (requirement);
if (requirement.TokenType == SecurityTokenTypes.Rsa)
return new RsaSecurityTokenAuthenticator ();
if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation) {
// FIXME: get parameters from somewhere
SecurityContextSecurityTokenResolver resolver =
new SecurityContextSecurityTokenResolver (0x1000, true);
outOfBandTokenResolver = resolver;
SecurityContextSecurityTokenAuthenticator sc =
new SecurityContextSecurityTokenAuthenticator ();
return new SecureConversationSecurityTokenAuthenticator (requirement, sc, resolver);
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
return CreateSslTokenAuthenticator (requirement);
if (requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
return CreateSslTokenAuthenticator (requirement);
if (requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
return CreateSpnegoTokenAuthenticator (requirement);
else
throw new NotImplementedException ("Not implemented token type: " + requirement.TokenType);
}
public SpnegoSecurityTokenAuthenticator (
ServiceCredentialsSecurityTokenManager manager,
SecurityTokenRequirement r)
{
this.manager = manager;
comm = new SpnegoAuthenticatorCommunicationObject (this);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (requirement != null
&& requirement.TokenType == SecurityTokenTypes.X509Certificate
&& requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
{
X509Certificate2 defaultCertificate = null;
EndpointAddress targetAddress = requirement.TargetAddress;
if (targetAddress != null)
{
this.ClientCredentials.ServiceCertificate.ScopedCertificates.TryGetValue(targetAddress.Uri, out defaultCertificate);
}
if (defaultCertificate == null)
{
defaultCertificate = this.ClientCredentials.ServiceCertificate.DefaultCertificate;
}
if (((defaultCertificate == null) && (targetAddress.Identity != null)) && (targetAddress.Identity.GetType() == typeof(X509CertificateEndpointIdentity)))
{
defaultCertificate = ((X509CertificateEndpointIdentity)targetAddress.Identity).Certificates[0];
}
if (defaultCertificate == null)
{
isDummyServiceToken = true;
return new DummySecurityTokenProvider();
}
isDummyServiceToken = false;
return new X509SecurityTokenProvider(defaultCertificate);
}
return base.CreateSecurityTokenProvider(tokenRequirement);
}
/// <summary>
/// Gets a GenericXmlSecurityToken that wraps the provided issued token
/// with the authorization policies necessary.
/// </summary>
static GenericXmlSecurityToken WrapWithAuthPolicy(GenericXmlSecurityToken issuedToken,
SecurityTokenRequirement tokenRequirement)
{
EndpointIdentity endpointIdentity = null;
var issuedTokenRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (issuedTokenRequirement != null)
{
EndpointAddress targetAddress = issuedTokenRequirement.TargetAddress;
if (targetAddress.Uri.IsAbsoluteUri)
{
endpointIdentity = EndpointIdentity.CreateDnsIdentity(targetAddress.Uri.DnsSafeHost);
}
}
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies
= GetServiceAuthorizationPolicies(endpointIdentity);
return new GenericXmlSecurityToken(issuedToken.TokenXml,
issuedToken.ProofToken,
issuedToken.ValidFrom,
issuedToken.ValidTo,
issuedToken.InternalTokenReference,
issuedToken.ExternalTokenReference,
authorizationPolicies);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
#if FEATURE_CORECLR // X509Certificates
// this is the uncorrelated duplex case
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
#endif
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
#if FEATURE_CORECLR
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
#else
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - Client certificate not supported in UAP");
#endif
}
}
else if (tokenType == SecurityTokenTypes.UserName)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username");
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return result;
}
public SslSecurityTokenAuthenticator (
ServiceCredentialsSecurityTokenManager manager,
SecurityTokenRequirement r)
{
this.manager = manager;
mutual = (r.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego);
comm = new SslAuthenticatorCommunicationObject (this);
}
protected override void InitializeSecurityTokenRequirement (SecurityTokenRequirement requirement)
{
if (requirement == null)
throw new ArgumentNullException ("requirement");
requirement.TokenType = SecurityTokenTypes.Kerberos;
requirement.RequireCryptographicToken = true;
requirement.KeyType = SecurityKeyType.SymmetricKey;
}
public void TryGetPropertyTypeBaseMatch ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
r.Properties ["urn:foo"] = 1;
object o;
r.TryGetProperty<object> ("urn:foo", out o);
}
public void TryGetPropertyTypeMismatch ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
r.Properties ["urn:foo"] = 1;
string s;
r.TryGetProperty<string> ("urn:foo", out s);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement.TokenType == "RequestedSecurityToken")
{
return new RequestedSecurityTokenProvider(this.Credentials);
}
return base.CreateSecurityTokenProvider(tokenRequirement);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == CreditCardTokenConstants.CreditCardTokenType)
{
outOfBandTokenResolver = null;
return new CreditCardTokenAuthenticator(creditCardServiceCredentials.ValidCreditCards);
}
return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
public void TryGetPropertyTypeConvertible()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
double d;
r.TryGetProperty <double> ("urn:foo", out d);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == Constants.UsernameTokenType)
{
outOfBandTokenResolver = null;
return(new UsernameTokenAuthenticator(_userNameServiceCredentials.Validator));
}
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
public override System.IdentityModel.Selectors.SecurityTokenAuthenticator CreateSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
{
if ( tokenRequirement.TokenType == Constants.UsernameTokenType )
{
outOfBandTokenResolver = null;
return new SecurityTokenAuthenticator( _serviceCredentials.Validator );
}
return base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
}
/// <summary>
/// This method creates the inner security token authenticator from the base class.
/// The wrapped token cache is initialized with this authenticator.
/// </summary>
SecurityTokenAuthenticator CreateInnerSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
SecurityTokenAuthenticator securityTokenAuthenticator = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId(tokenRequirement));
SetWrappedTokenCache(new WrappedTokenCache(_tokenCache, claimsHandler), securityTokenAuthenticator, null, claimsHandler);
return(securityTokenAuthenticator);
}
public void DefaultValues ()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement ();
Assert.AreEqual (0, r.KeySize, "#1");
Assert.AreEqual (SecurityKeyType.SymmetricKey, r.KeyType, "#2");
Assert.AreEqual (SecurityKeyUsage.Signature, r.KeyUsage, "#3");
Assert.IsNull (r.TokenType, "#4");
Assert.AreEqual (false, r.RequireCryptographicToken, "#5");
}
/// <summary>
/// Creates a security token authenticator based on the <see cref="T:System.IdentityModel.Selectors.SecurityTokenRequirement"/>.
/// </summary>
/// <param name="tokenRequirement">The security token requirement.</param>
/// <param name="outOfBandTokenResolver">When this method returns, contains a <see cref="T:System.IdentityModel.Selectors.SecurityTokenResolver"/>. This parameter is passed uninitialized.</param>
/// <returns>
/// The security token authenticator.
/// </returns>
/// <exception cref="T:System.ArgumentNullException">
/// <paramref name="tokenRequirement"/> is null.</exception>
///
/// <exception cref="T:System.NotSupportedException">A security token authenticator cannot be created for the <paramref name=" tokenRequirement"/> that was passed in.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
outOfBandTokenResolver = null;
return(new UserNamePasswordSecurityTokenAuthenticator(ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator));
}
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
public void TryGetPropertyTypeMismatch()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
string s;
r.TryGetProperty <string> ("urn:foo", out s);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == Constants.CreditCardTokenType)
{
outOfBandTokenResolver = null;
return(new CreditCardTokenAuthenticator(creditCardServiceCredentials.CreditCardDataFile));
}
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
public SecureConversationSecurityTokenAuthenticator(
SecurityTokenRequirement r,
SecurityContextSecurityTokenAuthenticator scAuth,
SecurityContextSecurityTokenResolver scResolver)
{
this.req = r;
this.sc_auth = scAuth;
this.sc_res = scResolver;
comm = new WsscAuthenticatorCommunicationObject();
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (base.IsIssuedSecurityTokenRequirement(tokenRequirement))
{
EndpointAddress property = tokenRequirement.GetProperty <EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
IssuedSecurityTokenParameters parameters = tokenRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
return(InfoCardHelper.CreateTokenProviderForNextLeg(tokenRequirement, property, parameters.IssuerAddress, this.m_relyingPartyIssuer, this, this.m_infocardChannelParameter));
}
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
public void TryGetPropertyTypeBaseMatch()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
r.Properties ["urn:foo"] = 1;
object o;
r.TryGetProperty <object> ("urn:foo", out o);
}
// FIXME: it is far from done.
SecurityTokenProvider CreateSecureConversationProvider(SecurityTokenRequirement r)
{
IssuedSecurityTokenProvider p =
CreateIssuedProviderBase(r);
// FIXME: use it somewhere.
int keySize = r.KeySize;
return(p);
}
protected internal override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
requirement.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
requirement.KeyType = SecurityKeyType.SymmetricKey;
requirement.RequireCryptographicToken = true;
requirement.Properties[ServiceModelSecurityTokenRequirement.SupportSecurityContextCancellationProperty] = RequireCancellation;
requirement.Properties[ServiceModelSecurityTokenRequirement.SecureConversationSecurityBindingElementProperty] = BootstrapSecurityBindingElement;
requirement.Properties[ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty] = IssuerBindingContext.Clone();
requirement.Properties[ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty] = Clone();
}
protected override void OnOpen(TimeSpan timeout)
{
if (!isClient)
{
SecurityTokenRequirement sspiTokenRequirement = TransportSecurityHelpers.CreateSspiTokenRequirement(this.Scheme, this.listenUri);
this.serverCredential =
TransportSecurityHelpers.GetSspiCredential(this.securityTokenManager, sspiTokenRequirement, timeout,
out this.extractGroupsForWindowsAccounts);
}
}
public override EndpointIdentity GetIdentityOfSelf()
{
if ((base.SecurityTokenManager is IEndpointIdentityProvider) && (this.AsymmetricTokenParameters != null))
{
SecurityTokenRequirement requirement = base.CreateRecipientSecurityTokenRequirement();
this.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(requirement);
return(((IEndpointIdentityProvider)base.SecurityTokenManager).GetIdentityOfSelf(requirement));
}
return(base.GetIdentityOfSelf());
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == Constants.CustomTokenType)
{
outOfBandTokenResolver = null;
return(new CustomTokenAuthenticator());
}
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
protected internal override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
if (requirement == null)
{
throw new ArgumentNullException("requirement");
}
requirement.TokenType = SecurityTokenTypes.Rsa;
requirement.RequireCryptographicToken = true;
requirement.KeyType = SecurityKeyType.AsymmetricKey;
}
public SecureConversationSecurityTokenAuthenticator (
SecurityTokenRequirement r,
SecurityContextSecurityTokenAuthenticator scAuth,
SecurityContextSecurityTokenResolver scResolver)
{
this.req = r;
this.sc_auth = scAuth;
this.sc_res = scResolver;
comm = new WsscAuthenticatorCommunicationObject ();
}
public HttpReplyChannel (HttpChannelListener<IReplyChannel> listener)
: base (listener)
{
this.source = listener;
if (listener.SecurityTokenManager != null) {
var str = new SecurityTokenRequirement () { TokenType = SecurityTokenTypes.UserName };
security_token_authenticator = listener.SecurityTokenManager.CreateSecurityTokenAuthenticator (str, out security_token_resolver);
}
}
protected virtual WsTrustRequest CreateWsTrustRequest()
{
EndpointAddress target = SecurityTokenRequirement.GetProperty <EndpointAddress>(TargetAddressProperty);
int keySize;
string keyType;
switch (WsTrustTokenParameters.KeyType)
{
case SecurityKeyType.AsymmetricKey:
keySize = DefaultPublicKeySize;
keyType = _requestSerializationContext.TrustKeyTypes.PublicKey;
break;
case SecurityKeyType.SymmetricKey:
keySize = _securityAlgorithmSuite.DefaultSymmetricKeyLength;
keyType = _requestSerializationContext.TrustKeyTypes.Symmetric;
break;
case SecurityKeyType.BearerKey:
keySize = 0;
keyType = _requestSerializationContext.TrustKeyTypes.Bearer;
break;
default:
throw LogHelper.LogExceptionMessage(new NotSupportedException($"KeyType is not supported: '{0}'"));
}
Entropy entropy = null;
if (WsTrustTokenParameters.KeyType != SecurityKeyType.BearerKey &&
(KeyEntropyMode == SecurityKeyEntropyMode.ClientEntropy || KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy))
{
byte[] entropyBytes = new byte[keySize / 8];
Psha1KeyGenerator.FillRandomBytes(entropyBytes);
entropy = new Entropy(new BinarySecret(entropyBytes));
}
var trustRequest = new WsTrustRequest(_requestSerializationContext.TrustActions.Issue)
{
AppliesTo = new AppliesTo(new EndpointReference(target.Uri.OriginalString)),
Context = RequestContext,
KeySizeInBits = keySize,
KeyType = keyType,
TokenType = SecurityTokenRequirement.TokenType,
WsTrustVersion = _requestSerializationContext.TrustVersion
};
if (entropy != null)
{
trustRequest.Entropy = entropy;
}
return(trustRequest);
}
/// <summary>
/// Creates a security token provider.
/// </summary>
/// <param name="tokenRequirement">The <see cref="T:System.IdentityModel.Selectors.SecurityTokenRequirement"/>.</param>
/// <returns>
/// The <see cref="T:System.IdentityModel.Selectors.SecurityTokenProvider"/>.
/// </returns>
/// <exception cref="T:System.ArgumentNullException">
/// <paramref name="tokenRequirement"/> is null.</exception>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-issuedToken-profile-1.1#SAMLV1.1" ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
return(new SamlSecurityTokenProvider(_credentials.SamlToken));
}
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
public void DefaultValues()
{
SecurityTokenRequirement r =
new SecurityTokenRequirement();
Assert.AreEqual(0, r.KeySize, "#1");
Assert.AreEqual(SecurityKeyType.SymmetricKey, r.KeyType, "#2");
Assert.AreEqual(SecurityKeyUsage.Signature, r.KeyUsage, "#3");
Assert.IsNull(r.TokenType, "#4");
Assert.AreEqual(false, r.RequireCryptographicToken, "#5");
}
protected internal override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
requirement.TokenType =
RequireClientCertificate ?
ServiceModelSecurityTokenTypes.MutualSslnego :
ServiceModelSecurityTokenTypes.AnonymousSslnego;
requirement.RequireCryptographicToken = true;
requirement.Properties [ReqType.SupportSecurityContextCancellationProperty] = RequireCancellation;
requirement.Properties [ReqType.IssuedSecurityTokenParametersProperty] = this.Clone();
requirement.KeyType = SecurityKeyType.SymmetricKey;
}
/// <summary>
/// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// If token requirement matches SAML token return the custom SAML token provider
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
// Retrieve the SAML assertion and proof token from the client credentials
SamlAssertion assertion = this.samlClientCredentials.Assertion;
SecurityToken prooftoken = this.samlClientCredentials.ProofToken;
// If either the assertion of proof token is null...
if (assertion == null || prooftoken == null)
{
// ...get the SecurityBindingElement and then the specified algorithm suite
SecurityBindingElement sbe = null;
SecurityAlgorithmSuite sas = null;
if (tokenRequirement.TryGetProperty<SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
sas = sbe.DefaultAlgorithmSuite;
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
// Create a symmetric proof token
prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
(BinarySecretSecurityToken)prooftoken,
sas);
}
// otherwise...
else
{
// Create an asymmetric proof token
prooftoken = SamlUtilities.CreateAsymmetricProofToken();
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
}
}
// Create a SamlSecurityTokenProvider based on the assertion and proof token
return new SamlSecurityTokenProvider(assertion, prooftoken);
}
// otherwise use base implementation
else
{
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (IsIssuedSecurityTokenRequirement(tokenRequirement))
{
return(new DurableIssuedSecurityTokenProvider((IssuedSecurityTokenProvider)base.CreateSecurityTokenProvider(tokenRequirement), this.cache));
}
else
{
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
private static SecurityAlgorithmSuite GetSecurityAlgorithmSuite(SecurityTokenRequirement tokenRequirement)
{
SecurityAlgorithmSuite result = null;
SecurityBindingElement securityBindingElement;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out securityBindingElement))
{
result = securityBindingElement.DefaultAlgorithmSuite;
}
return(result);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (IsIssuedSecurityTokenRequirement(tokenRequirement))
{
return new DurableIssuedSecurityTokenProvider((IssuedSecurityTokenProvider)base.CreateSecurityTokenProvider(tokenRequirement), this.cache);
}
else
{
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
protected internal bool IsIssuedSecurityTokenRequirement(
SecurityTokenRequirement requirement)
{
SecurityTokenParameters ret;
if (!requirement.TryGetProperty <SecurityTokenParameters> (ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty, out ret))
{
return(false);
}
return(ret is IssuedSecurityTokenParameters);
}
protected internal override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
// .NET somehow causes NRE. dunno why.
requirement.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
requirement.RequireCryptographicToken = true;
requirement.Properties [ReqType.SupportSecurityContextCancellationProperty] = RequireCancellation;
requirement.Properties [ReqType.SecureConversationSecurityBindingElementProperty] =
BootstrapSecurityBindingElement;
requirement.Properties [ReqType.IssuedSecurityTokenParametersProperty] = this.Clone();
requirement.KeyType = SecurityKeyType.SymmetricKey;
}
/// <summary>
/// Creates a security token provider.
/// </summary>
/// <param name="tokenRequirement">The <see cref="T:System.IdentityModel.Selectors.SecurityTokenRequirement"/>.</param>
/// <returns>
/// The <see cref="T:System.IdentityModel.Selectors.SecurityTokenProvider"/>.
/// </returns>
/// <exception cref="T:System.ArgumentNullException">
/// <paramref name="tokenRequirement"/> is null.</exception>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-issuedToken-profile-1.1#SAMLV1.1" ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
return new SamlSecurityTokenProvider(_credentials.SamlToken);
}
return base.CreateSecurityTokenProvider(tokenRequirement);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.UserName)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username");
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
/// <summary>
/// Creates the custom SecurityTokenProvider when SAML tokens are specified in the tokenRequirement
/// </summary>
/// <param name="tokenRequirement">A SecurityTokenRequirement </param>
/// <returns>The appropriate SecurityTokenProvider</returns>
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// If token requirement matches SAML token return the custom SAML token provider
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml ||
tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
// Retrieve the SAML assertion and proof token from the client credentials
SamlAssertion assertion = this.samlClientCredentials.Assertion;
SecurityToken prooftoken = this.samlClientCredentials.ProofToken;
// If either the assertion of proof token is null...
if (assertion == null || prooftoken == null)
{
// ...get the SecurityBindingElement and then the specified algorithm suite
SecurityBindingElement sbe = null;
SecurityAlgorithmSuite sas = null;
if (tokenRequirement.TryGetProperty <SecurityBindingElement>("http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/SecurityBindingElement", out sbe))
{
sas = sbe.DefaultAlgorithmSuite;
}
// If the token requirement is for a SymmetricKey based token..
if (tokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
// Create a symmetric proof token
prooftoken = SamlUtilities.CreateSymmetricProofToken(tokenRequirement.KeySize);
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateSymmetricKeyBasedAssertion(this.samlClientCredentials.Claims,
new X509SecurityToken(samlClientCredentials.ClientCertificate.Certificate),
new X509SecurityToken(samlClientCredentials.ServiceCertificate.DefaultCertificate),
(BinarySecretSecurityToken)prooftoken,
sas);
}
// otherwise...
else
{
// Create an asymmetric proof token
prooftoken = SamlUtilities.CreateAsymmetricProofToken();
// and a corresponding assertion based on the claims specified in the client credentials
assertion = SamlUtilities.CreateAsymmetricKeyBasedAssertion(this.samlClientCredentials.Claims, prooftoken, sas);
}
}
// Create a SamlSecurityTokenProvider based on the assertion and proof token
return(new SamlSecurityTokenProvider(assertion, prooftoken));
}
// otherwise use base implementation
else
{
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
outOfBandTokenResolver = null;
return new MyTokenAuthenticator();
}
else
{
return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
}
// FIXME: it is far from done.
SecurityTokenProvider CreateSecureConversationProvider(SecurityTokenRequirement r)
{
IssuedSecurityTokenProvider p =
new IssuedSecurityTokenProvider();
InitializeProviderCommunicationObject(p.Communication, r);
// FIXME: use it somewhere.
int keySize = r.KeySize;
return(p);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
ServiceModelSecurityTokenRequirement requirement = tokenRequirement as ServiceModelSecurityTokenRequirement;
if (requirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (this.IsX509TokenRequirement(requirement))
{
X509CertificateValidator validator;
if (this.IsForConnectionValidator(requirement))
{
SecurityTokenProvider provider = null;
if (this.ssc != null)
{
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
else if (this.delegateManager != null)
{
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Transport;
requirement.TransportScheme = "net.p2p";
provider = this.delegateManager.CreateSecurityTokenProvider(tokenRequirement);
}
else if (this.credential.Certificate != null)
{
provider = new X509SecurityTokenProvider(this.credential.Certificate);
}
if ((provider == null) && (this.mode == PeerAuthenticationMode.Password))
{
this.ssc = this.parent.GetCertificate();
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
return(provider);
}
if (this.delegateManager != null)
{
requirement.TransportScheme = "net.p2p";
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Message;
return(this.delegateManager.CreateSecurityTokenProvider(tokenRequirement));
}
if (!this.credential.MessageSenderAuthentication.TryGetCertificateValidator(out validator))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(new PeerX509TokenProvider(validator, this.credential.Certificate));
}
if (!this.IsPasswordTokenRequirement(requirement))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(this.GetPasswordTokenProvider());
}
protected override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
if (requirement == null)
{
throw new ArgumentNullException();
}
requirement.TokenType = ServiceModelSecurityTokenTypes.Spnego;
requirement.RequireCryptographicToken = true;
requirement.Properties [ReqType.SupportSecurityContextCancellationProperty] = RequireCancellation;
requirement.Properties [ReqType.IssuedSecurityTokenParametersProperty] = this.Clone();
requirement.KeyType = SecurityKeyType.SymmetricKey;
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
{
if (requirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement");
}
if ((requirement.TokenType != SecurityTokenTypes.X509Certificate) || (requirement.KeyUsage != SecurityKeyUsage.Signature))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
return new PeerX509TokenProvider(this.creds.certificateValidator, this.creds.selfCertificate);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
{
if (requirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement");
}
if ((requirement.TokenType != SecurityTokenTypes.X509Certificate) || (requirement.KeyUsage != SecurityKeyUsage.Signature))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
}
return(new PeerX509TokenProvider(this.creds.certificateValidator, this.creds.selfCertificate));
}
protected internal override void InitializeSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
requirement.TokenType = ServiceModelSecurityTokenTypes.Spnego;
requirement.RequireCryptographicToken = true;
requirement.KeyType = SecurityKeyType.SymmetricKey;
requirement.Properties[ServiceModelSecurityTokenRequirement.SupportSecurityContextCancellationProperty] = this.RequireCancellation;
if (this.IssuerBindingContext != null)
{
requirement.Properties[ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty] = this.IssuerBindingContext.Clone();
}
requirement.Properties[ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty] = base.Clone();
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (string.Equals(tokenRequirement.TokenType, SecurityTokenTypes.Saml, StringComparison.OrdinalIgnoreCase) || string.Equals(tokenRequirement.TokenType, "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1", StringComparison.OrdinalIgnoreCase))
{
if (this.cachedSecurityTokenProvider == null)
{
this.cachedSecurityTokenProvider = new SamlSecurityTokenProvider(this.samlClientCredentials);
}
return(this.cachedSecurityTokenProvider);
}
return(base.CreateSecurityTokenProvider(tokenRequirement));
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (isDummyServiceToken
&& requirement != null
&& requirement.TokenType == SecurityTokenTypes.X509Certificate
&& requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
{
outOfBandTokenResolver = null;
return new DummySecurityTokenAuthenticator(requirement.TargetAddress.Uri);
}
return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// if token requirement matches username token return custom username token provider
// otherwise use base implementation
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
return new MyUserNameTokenProvider();
}
else
{
return base.CreateSecurityTokenProvider(tokenRequirement);
}
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
outOfBandTokenResolver = null;
// Get the current validator
UserNamePasswordValidator validator =
ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator;
return new CustomSecurityTokenAuthenticator(validator);
}
return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
// handle this token for Custom
if (tokenRequirement.TokenType == Constants.CreditCardTokenType)
return new CreditCardTokenProvider(this.creditCardClientCredentials.CreditCardInfo);
// return server cert
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
return new X509SecurityTokenProvider(creditCardClientCredentials.ServiceCertificate.DefaultCertificate);
}
}
return base.CreateSecurityTokenProvider(tokenRequirement);
}
internal protected bool IsIssuedSecurityTokenRequirement(SecurityTokenRequirement requirement)
{
if (requirement != null && requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.IssuerAddressProperty))
{
// handle all issued token requirements except for spnego, tlsnego and secure conversation
if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego
|| requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation || requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
{
return false;
}
else
{
return true;
}
}
return false;
}
