private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer,
SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout)
{
Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters");
Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters");
string localName = reader.LocalName;
string namespaceUri = reader.NamespaceURI;
string valueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null);
SecurityTokenAuthenticator usedTokenAuthenticator;
SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out usedTokenAuthenticator);
if (token == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, localName, namespaceUri, valueType)), Message);
}
DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
EnsureDerivedKeyLimitNotReached();
derivedKeyToken.InitializeDerivedKey(MaxDerivedKeyLength);
}
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
_allowedAuthenticators.Remove(usedTokenAuthenticator);
}
ReceiveSecurityHeaderBindingModes mode;
TokenTracker supportingTokenTracker = null;
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
// this is the primary token. Add to resolver as such
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
_primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
if (_pendingSupportingTokenAuthenticator != null)
{
_allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator);
_pendingSupportingTokenAuthenticator = null;
}
_primaryTokenTracker.RecordToken(token);
mode = ReceiveSecurityHeaderBindingModes.Primary;
}
else if (usedTokenAuthenticator == DerivedTokenAuthenticator)
{
if (token is DerivedKeySecurityTokenStub)
{
if (Layout == SecurityHeaderLayout.Strict)
{
DerivedKeySecurityTokenStub tmpToken = (DerivedKeySecurityTokenStub)token;
throw TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, tmpToken.TokenToDeriveIdentifier)), Message);
}
}
else
{
AddDerivedKeyTokenToResolvers(token);
}
mode = ReceiveSecurityHeaderBindingModes.Unknown;
}
else
{
SupportingTokenAuthenticatorSpecification supportingTokenSpec;
supportingTokenTracker = GetSupportingTokenTracker(usedTokenAuthenticator, out supportingTokenSpec);
if (supportingTokenTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, usedTokenAuthenticator)));
}
if (supportingTokenTracker.Token != null)
{
supportingTokenTracker = new TokenTracker(supportingTokenSpec);
_supportingTokenTrackers.Add(supportingTokenTracker);
}
supportingTokenTracker.RecordToken(token);
if (encryptionToken != null)
{
supportingTokenTracker.IsEncrypted = true;
}
bool isBasic;
bool isSignedButNotBasic;
SecurityTokenAttachmentModeHelper.Categorize(supportingTokenSpec.SecurityTokenAttachmentMode, out isBasic, out isSignedButNotBasic, out mode);
if (isBasic)
{
if (!ExpectBasicTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected));
}
// only basic tokens have to be part of the reference list. Encrypted Saml tokens dont for example
if (RequireMessageProtection && encryptionToken != null)
{
throw ExceptionHelper.PlatformNotSupported();
}
}
if (isSignedButNotBasic && !ExpectSignedTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected));
}
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingTokenSpec.TokenParameters);
}
if (position == AppendPosition)
{
ElementManager.AppendToken(token, mode, supportingTokenTracker);
}
else
{
ElementManager.SetTokenAfterDecryption(position, token, mode, decryptedBuffer, supportingTokenTracker);
}
}
