private static bool AreTokensEqual(SecurityToken outOfBandToken, SecurityToken replyToken)
{
// we support the serialized reply token legacy feature only for X509 certificates.
// in this case the thumbprint of the reply certificate must match the outofband certificate's thumbprint
if ((outOfBandToken is X509SecurityToken) && (replyToken is X509SecurityToken))
{
byte[] outOfBandCertificateThumbprint = ((X509SecurityToken)outOfBandToken).Certificate.GetCertHash();
byte[] replyCertificateThumbprint = ((X509SecurityToken)replyToken).Certificate.GetCertHash();
return(SecurityUtils.IsEqual(outOfBandCertificateThumbprint, replyCertificateThumbprint));
}
else
{
return(false);
}
}
internal SecurityToken ResolveToken(SecurityKeyIdentifierClause keyIdentifierClause, bool matchOnlyExternal, bool resolveIntrinsicKeyClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(keyIdentifierClause));
}
SecurityToken resolvedToken = null;
for (int i = 0; i < _tokenCount; i++)
{
if (matchOnlyExternal && _tokens[i].AllowedReferenceStyle != SecurityTokenReferenceStyle.External)
{
continue;
}
SecurityToken token = _tokens[i].Token;
if (_tokens[i].TokenParameters != null && _tokens[i].TokenParameters.MatchesKeyIdentifierClause(token, keyIdentifierClause, _tokens[i].AllowedReferenceStyle))
{
resolvedToken = token;
break;
}
else if (_tokens[i].TokenParameters == null)
{
// match it according to the allowed reference style
if (_tokens[i].AllowedReferenceStyle == SecurityTokenReferenceStyle.Internal && MatchDirectReference(token, keyIdentifierClause))
{
resolvedToken = token;
break;
}
}
}
if ((resolvedToken == null) && (keyIdentifierClause is X509RawDataKeyIdentifierClause) && (!matchOnlyExternal) && (resolveIntrinsicKeyClause))
{
resolvedToken = new X509SecurityToken(new X509Certificate2(((X509RawDataKeyIdentifierClause)keyIdentifierClause).GetX509RawData()));
}
byte[] derivationNonce = keyIdentifierClause.GetDerivationNonce();
if ((resolvedToken != null) && (derivationNonce != null))
{
// A Implicit Derived Key is specified. Create a derived key off of the resolve token.
if (SecurityUtils.GetSecurityKey<SymmetricSecurityKey>(resolvedToken) == null)
{
// The resolved token contains no Symmetric Security key and thus we cannot create
// a derived key off of it.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.UnableToDeriveKeyFromKeyInfoClause, keyIdentifierClause, resolvedToken)));
}
int derivationLength = (keyIdentifierClause.DerivationLength == 0) ? DerivedKeySecurityToken.DefaultDerivedKeyLength : keyIdentifierClause.DerivationLength;
if (derivationLength > _securityHeader.MaxDerivedKeyLength)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.DerivedKeyLengthSpecifiedInImplicitDerivedKeyClauseTooLong, keyIdentifierClause.ToString(), derivationLength, _securityHeader.MaxDerivedKeyLength)));
}
bool alreadyDerived = false;
for (int i = 0; i < _tokenCount; ++i)
{
DerivedKeySecurityToken derivedKeyToken = _tokens[i].Token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
if ((derivedKeyToken.Length == derivationLength) &&
(SecurityUtils.IsEqual(derivedKeyToken.Nonce, derivationNonce)) &&
(derivedKeyToken.TokenToDerive.MatchesKeyIdentifierClause(keyIdentifierClause)))
{
// This is a implcit derived key for which we have already derived the token.
resolvedToken = _tokens[i].Token;
alreadyDerived = true;
break;
}
}
}
if (!alreadyDerived)
{
string psha1Algorithm = SecurityUtils.GetKeyDerivationAlgorithm(_securityHeader.StandardsManager.MessageSecurityVersion.SecureConversationVersion);
resolvedToken = new DerivedKeySecurityToken(-1, 0, derivationLength, null, derivationNonce, resolvedToken, keyIdentifierClause, psha1Algorithm, SecurityUtils.GenerateId());
((DerivedKeySecurityToken)resolvedToken).InitializeDerivedKey(derivationLength);
Add(resolvedToken, SecurityTokenReferenceStyle.Internal, null);
_securityHeader.EnsureDerivedKeyLimitNotReached();
}
}
return resolvedToken;
}
