public TransactionChannelFactory(System.ServiceModel.TransactionProtocol transactionProtocol, BindingContext context, Dictionary <DirectionalAction, TransactionFlowOption> dictionary, bool allowWildcardAction) : base(context.Binding, context.BuildInnerChannelFactory <TChannel>())
{
this.dictionary = dictionary;
this.TransactionProtocol = transactionProtocol;
this.allowWildcardAction = allowWildcardAction;
this.standardsManager = SecurityStandardsHelper.CreateStandardsManager(this.TransactionProtocol);
}
public TransactionChannelListener(System.ServiceModel.TransactionProtocol transactionProtocol, IDefaultCommunicationTimeouts timeouts, Dictionary <DirectionalAction, TransactionFlowOption> dictionary, IChannelListener <TChannel> innerListener) : base(timeouts, innerListener)
{
this.dictionary = dictionary;
this.TransactionProtocol = transactionProtocol;
base.Acceptor = new TransactionChannelAcceptor <TChannel>((TransactionChannelListener <TChannel>) this, innerListener);
this.standardsManager = SecurityStandardsHelper.CreateStandardsManager(this.TransactionProtocol);
}
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
if (this._keyType == SecurityKeyType.BearerKey)
{
// As the client does not have a proof token in the Bearer case
// we don't have any specific algorithms to request for.
return;
}
string signWithAlgorithm = (this._keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signWithAlgorithm));
string encryptWithAlgorithm;
if (issuedKeyType == SecurityKeyType.SymmetricKey)
{
encryptWithAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
}
else
{
encryptWithAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
}
this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptWithAlgorithm));
if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005)
{
this._additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
return;
}
void IServiceBehavior.ApplyDispatchBehavior(System.ServiceModel.Description.ServiceDescription description, ServiceHostBase serviceHostBase)
{
if (description == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("description"));
}
if (serviceHostBase == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("serviceHostBase"));
}
if (this.serviceAuthenticationManager != null)
{
for (int i = 0; i < serviceHostBase.ChannelDispatchers.Count; i++)
{
ChannelDispatcher channelDispatcher = serviceHostBase.ChannelDispatchers[i] as ChannelDispatcher;
if ((channelDispatcher != null) && !ServiceMetadataBehavior.IsHttpGetMetadataDispatcher(description, channelDispatcher))
{
foreach (EndpointDispatcher dispatcher2 in channelDispatcher.Endpoints)
{
DispatchRuntime dispatchRuntime = dispatcher2.DispatchRuntime;
dispatchRuntime.ServiceAuthenticationManager = this.serviceAuthenticationManager;
ServiceEndpoint endpoint = this.FindMatchingServiceEndpoint(description, dispatcher2);
if ((endpoint != null) && this.IsSecureConversationBinding(endpoint.Binding))
{
SecurityStandardsManager configuredSecurityStandardsManager = this.GetConfiguredSecurityStandardsManager(endpoint.Binding);
dispatchRuntime.ServiceAuthenticationManager = new ServiceAuthenticationManagerWrapper(this.serviceAuthenticationManager, new string[] { configuredSecurityStandardsManager.SecureConversationDriver.CloseAction.Value });
}
}
}
}
}
}
internal static MessagePartSpecification GetIssuedTokenHeaderSpecification(SecurityStandardsManager standardsManager)
{
if (!standardsManager.TrustDriver.IsIssuedTokensSupported)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TrustDriverVersionDoesNotSupportIssuedTokens")));
}
return(new MessagePartSpecification(new XmlQualifiedName[] { new XmlQualifiedName(standardsManager.TrustDriver.IssuedTokensHeaderName, standardsManager.TrustDriver.IssuedTokensHeaderNamespace) }));
}
public static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm)
{
IssuedSecurityTokenParameters securityTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
securityTokenParameters.KeyType = SecurityKeyType.AsymmetricKey;
securityTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement(IssuedSecurityTokenParameters.wsidPPIClaim));
securityTokenParameters.IssuerAddress = (EndpointAddress)null;
securityTokenParameters.AddAlgorithmParameters(algorithm, standardsManager, securityTokenParameters.KeyType);
return(securityTokenParameters);
}
internal static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm)
{
IssuedSecurityTokenParameters result = new IssuedSecurityTokenParameters(SecurityXXX2005Strings.SamlTokenType);
result.KeyType = SecurityKeyType.AsymmetricKey;
result.ClaimTypeRequirements.Add(new ClaimTypeRequirement(s_wsidPPIClaim));
result.IssuerAddress = null;
result.AddAlgorithmParameters(algorithm, standardsManager, result.KeyType);
return(result);
}
internal static MessagePartSpecification GetIssuedTokenHeaderSpecification(SecurityStandardsManager standardsManager)
{
MessagePartSpecification result;
if (standardsManager.TrustDriver.IsIssuedTokensSupported)
{
result = new MessagePartSpecification(new XmlQualifiedName(standardsManager.TrustDriver.IssuedTokensHeaderName, standardsManager.TrustDriver.IssuedTokensHeaderNamespace));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TrustDriverVersionDoesNotSupportIssuedTokens)));
}
return(result);
}
public void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));
if (this.keyType == SecurityKeyType.BearerKey)
{
return;
}
string signatureAlgorithm = this.keyType == SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm));
string encryptionAlgorithm = issuedKeyType != SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm : algorithmSuite.DefaultEncryptionAlgorithm;
this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptionAlgorithm));
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
return;
}
this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
}
public static void CreateIssuedToken(Guid transactionId, string coordinationContextId, ProtocolVersion protocolVersion, out RequestSecurityTokenResponse issuedToken, out string sctId)
{
sctId = CoordinationContext.CreateNativeIdentifier(Guid.NewGuid());
byte[] key = DeriveIssuedTokenKey(transactionId, sctId);
DateTime utcNow = DateTime.UtcNow;
SecurityContextSecurityToken token = new SecurityContextSecurityToken(new UniqueId(sctId), key, utcNow, utcNow + TimeSpan.FromDays(36500.0));
BinarySecretSecurityToken token2 = new BinarySecretSecurityToken(key);
SecurityStandardsManager standardsManager = CreateStandardsManager(protocolVersion);
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(standardsManager)
{
TokenType = standardsManager.SecureConversationDriver.TokenTypeUri,
RequestedUnattachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External),
RequestedAttachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal),
RequestedSecurityToken = token,
RequestedProofToken = token2
};
DataContractSerializer serializer = IdentifierElementSerializer(protocolVersion);
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateIssuedToken");
switch (protocolVersion)
{
case ProtocolVersion.Version10:
response.SetAppliesTo <IdentifierElement10>(new IdentifierElement10(coordinationContextId), serializer);
break;
case ProtocolVersion.Version11:
response.SetAppliesTo <IdentifierElement11>(new IdentifierElement11(coordinationContextId), serializer);
break;
}
response.MakeReadOnly();
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Created issued token with id {0} for transaction {1}", sctId, transactionId);
}
issuedToken = response;
}
// The method walks through the entire set of AdditionalRequestParameters and return the Claims Type requirement alone.
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager)
{
throw new NotImplementedException();
}
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null)
{
return(false);
}
if (parameters.TokenType != SecurityXXX2005Strings.SamlTokenType)
{
return(false);
}
if (parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return(false);
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement claimTypeRequirement = parameters.ClaimTypeRequirements[0] as ClaimTypeRequirement;
if (claimTypeRequirement == null)
{
return(false);
}
if (claimTypeRequirement.ClaimType != s_wsidPPIClaim)
{
return(false);
}
}
else if ((parameters.AdditionalRequestParameters != null) && (parameters.AdditionalRequestParameters.Count > 0))
{
// Check the AdditionalRequest Parameters to see if ClaimTypeRequirements got imported there.
bool claimTypeRequirementMatched = false;
XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if (claimTypeRequirement != null && claimTypeRequirement.ChildNodes.Count == 1)
{
XmlElement claimTypeElement = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (claimTypeElement != null)
{
XmlNode claimType = claimTypeElement.Attributes.GetNamedItem("Uri");
if (claimType != null && claimType.Value == s_wsidPPIClaim)
{
claimTypeRequirementMatched = true;
}
}
}
if (!claimTypeRequirementMatched)
{
return(false);
}
}
else
{
return(false);
}
if (parameters.IssuerAddress != null)
{
return(false);
}
if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0)
{
return(false);
}
return(true);
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
Fx.Assert(null != sbe, string.Empty);
messageSecurity = null;
// do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
if (!sbe.IncludeTimestamp)
{
return(false);
}
if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
{
return(false);
}
bool emitBspAttributes = true;
// Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()
SecurityBindingElement bootstrapSecurity;
bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity);
bootstrapSecurity = establishSecurityContext ? bootstrapSecurity : sbe;
if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
{
return(false);
}
bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
IssuedSecurityTokenParameters issuedTokenParameters;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out issuedTokenParameters))
{
return(false);
}
}
else
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out issuedTokenParameters))
{
negotiateServiceCredential = true;
}
else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out issuedTokenParameters))
{
negotiateServiceCredential = false;
}
else
{
return(false);
}
}
if ((issuedTokenParameters.KeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return(false);
}
Collection <XmlElement> nonAlgorithmRequestParameters;
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
if (!issuedTokenParameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite,
versionSpecificStandardsManager,
out nonAlgorithmRequestParameters))
{
return(false);
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
messageSecurity.EstablishSecurityContext = establishSecurityContext;
messageSecurity.IssuedTokenType = issuedTokenParameters.TokenType;
messageSecurity.IssuerAddress = issuedTokenParameters.IssuerAddress;
messageSecurity.IssuerBinding = issuedTokenParameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = issuedTokenParameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = issuedTokenParameters.KeyType;
foreach (ClaimTypeRequirement c in issuedTokenParameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in nonAlgorithmRequestParameters)
{
messageSecurity.TokenRequestParameters.Add(p);
}
if (issuedTokenParameters.AlternativeIssuerEndpoints != null && issuedTokenParameters.AlternativeIssuerEndpoints.Count > 0)
{
return(false);
}
return(true);
}
internal bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters)
{
bool doesSignWithAlgorithmMatch = false;
bool doesEncryptWithAlgorithmMatch = false;
bool doesEncryptionAlgorithmMatch = false;
bool doesCanonicalizationAlgorithmMatch = false;
bool doesKeyWrapAlgorithmMatch = false;
otherRequestParameters = new Collection <XmlElement>();
bool trustNormalizationPerformed = false;
Collection <XmlElement> trustVersionNormalizedParameterCollection;
// For Trust 1.3 we move all the additional parameters into the secondaryParameters
// element. So the list contains just one element called SecondaryParameters that
// contains all the other elements as child elements.
if ((standardsManager.TrustVersion == TrustVersion.WSTrust13) &&
(this.AdditionalRequestParameters.Count == 1) &&
(((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0])))
{
trustNormalizationPerformed = true;
trustVersionNormalizedParameterCollection = new Collection <XmlElement>();
foreach (XmlElement innerElement in this.AdditionalRequestParameters[0])
{
trustVersionNormalizedParameterCollection.Add(innerElement);
}
}
else
{
trustVersionNormalizedParameterCollection = this.AdditionalRequestParameters;
}
for (int i = 0; i < trustVersionNormalizedParameterCollection.Count; i++)
{
string algorithm;
XmlElement element = trustVersionNormalizedParameterCollection[i];
if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element, out algorithm))
{
if (algorithmSuite.DefaultCanonicalizationAlgorithm != algorithm)
{
return(false);
}
doesCanonicalizationAlgorithmMatch = true;
}
else if (standardsManager.TrustDriver.IsSignWithElement(element, out algorithm))
{
if ((this._keyType == SecurityKeyType.SymmetricKey && algorithm != algorithmSuite.DefaultSymmetricSignatureAlgorithm) ||
(this._keyType == SecurityKeyType.AsymmetricKey && algorithm != algorithmSuite.DefaultAsymmetricSignatureAlgorithm))
{
return(false);
}
doesSignWithAlgorithmMatch = true;
}
else if (standardsManager.TrustDriver.IsEncryptWithElement(element, out algorithm))
{
if ((this._keyType == SecurityKeyType.SymmetricKey && algorithm != algorithmSuite.DefaultEncryptionAlgorithm) ||
(this._keyType == SecurityKeyType.AsymmetricKey && algorithm != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm))
{
return(false);
}
doesEncryptWithAlgorithmMatch = true;
}
else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element, out algorithm))
{
if (algorithm != algorithmSuite.DefaultEncryptionAlgorithm)
{
return(false);
}
doesEncryptionAlgorithmMatch = true;
}
else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element, out algorithm))
{
if (algorithm != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)
{
return(false);
}
doesKeyWrapAlgorithmMatch = true;
}
else
{
otherRequestParameters.Add(element);
}
}
// Undo normalization if performed
// move all back into secondaryParameters
if (trustNormalizationPerformed)
{
otherRequestParameters = this.AdditionalRequestParameters;
}
if (this._keyType == SecurityKeyType.BearerKey)
{
// As the client does not have a proof token in the Bearer case
// we don't have any specific algorithms to request for.
return(true);
}
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
// For V1 compatibility check all algorithms
return(doesSignWithAlgorithmMatch && doesCanonicalizationAlgorithmMatch && doesEncryptionAlgorithmMatch && doesEncryptWithAlgorithmMatch);
}
else
{
return(doesSignWithAlgorithmMatch && doesCanonicalizationAlgorithmMatch && doesEncryptionAlgorithmMatch && doesEncryptWithAlgorithmMatch && doesKeyWrapAlgorithmMatch);
}
}
private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters, TrustDriver driver, bool clientSideClaimTypeRequirementsSpecified)
{
Collection <XmlElement> collection = new Collection <XmlElement>();
foreach (XmlElement element in additionalParameters)
{
collection.Add(element);
}
if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
{
XmlElement item = null;
XmlElement element3 = null;
XmlElement element4 = null;
XmlElement element5 = null;
for (int i = 0; i < collection.Count; i++)
{
string str;
if (driver.IsEncryptionAlgorithmElement(collection[i], out str))
{
item = collection[i];
}
else if (driver.IsCanonicalizationAlgorithmElement(collection[i], out str))
{
element3 = collection[i];
}
else if (driver.IsKeyWrapAlgorithmElement(collection[i], out str))
{
element4 = collection[i];
}
else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(collection[i]))
{
element5 = collection[i];
}
}
if (element5 != null)
{
foreach (System.Xml.XmlNode node in element5.ChildNodes)
{
XmlElement element6 = node as XmlElement;
if (element6 != null)
{
string encryptionAlgorithm = null;
if (driver.IsEncryptionAlgorithmElement(element6, out encryptionAlgorithm) && (item != null))
{
collection.Remove(item);
}
else if (driver.IsCanonicalizationAlgorithmElement(element6, out encryptionAlgorithm) && (element3 != null))
{
collection.Remove(element3);
}
else if (driver.IsKeyWrapAlgorithmElement(element6, out encryptionAlgorithm) && (element4 != null))
{
collection.Remove(element4);
}
}
}
}
}
if (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://schemas.xmlsoap.org/ws/2005/02/trust")) || ((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://docs.oasis-open.org/ws-sx/ws-trust/200512")))
{
if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
{
WSTrustFeb2005.DriverFeb2005 feb = (WSTrustFeb2005.DriverFeb2005)SecurityStandardsManager.DefaultInstance.TrustDriver;
for (int j = 0; j < collection.Count; j++)
{
string signatureAlgorithm = string.Empty;
if (feb.IsSignWithElement(collection[j], out signatureAlgorithm))
{
collection[j] = driver.CreateSignWithElement(signatureAlgorithm);
}
else if (feb.IsEncryptWithElement(collection[j], out signatureAlgorithm))
{
collection[j] = driver.CreateEncryptWithElement(signatureAlgorithm);
}
else if (feb.IsEncryptionAlgorithmElement(collection[j], out signatureAlgorithm))
{
collection[j] = driver.CreateEncryptionAlgorithmElement(signatureAlgorithm);
}
else if (feb.IsCanonicalizationAlgorithmElement(collection[j], out signatureAlgorithm))
{
collection[j] = driver.CreateCanonicalizationAlgorithmElement(signatureAlgorithm);
}
}
return(collection);
}
Collection <XmlElement> collection2 = null;
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11, TrustVersion.WSTrust13, SecureConversationVersion.WSSecureConversation13, true, null, null, null);
SecurityStandardsManager manager2 = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, tokenSerializer);
WSTrustDec2005.DriverDec2005 trustDriver = (WSTrustDec2005.DriverDec2005)manager2.TrustDriver;
foreach (XmlElement element7 in collection)
{
if (trustDriver.IsSecondaryParametersElement(element7))
{
collection2 = new Collection <XmlElement>();
foreach (System.Xml.XmlNode node2 in element7.ChildNodes)
{
XmlElement innerElement = node2 as XmlElement;
if ((innerElement != null) && this.CanPromoteToRoot(innerElement, trustDriver, clientSideClaimTypeRequirementsSpecified))
{
collection2.Add(innerElement);
}
}
collection.Remove(element7);
break;
}
}
if ((collection2 != null) && (collection2.Count > 0))
{
XmlElement element9 = null;
string str4 = string.Empty;
XmlElement element10 = null;
string canonicalizationAlgorithm = string.Empty;
XmlElement element11 = null;
Collection <XmlElement> requiredClaims = null;
Collection <XmlElement> collection4 = new Collection <XmlElement>();
foreach (XmlElement element12 in collection2)
{
if ((element9 == null) && trustDriver.IsEncryptionAlgorithmElement(element12, out str4))
{
element9 = driver.CreateEncryptionAlgorithmElement(str4);
collection4.Add(element12);
}
else if ((element10 == null) && trustDriver.IsCanonicalizationAlgorithmElement(element12, out canonicalizationAlgorithm))
{
element10 = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgorithm);
collection4.Add(element12);
}
else if ((element11 == null) && trustDriver.TryParseRequiredClaimsElement(element12, out requiredClaims))
{
element11 = driver.CreateRequiredClaimsElement(requiredClaims);
collection4.Add(element12);
}
}
for (int k = 0; k < collection4.Count; k++)
{
collection2.Remove(collection4[k]);
}
XmlElement element13 = null;
for (int m = 0; m < collection.Count; m++)
{
string str6;
if (trustDriver.IsSignWithElement(collection[m], out str6))
{
collection[m] = driver.CreateSignWithElement(str6);
}
else if (trustDriver.IsEncryptWithElement(collection[m], out str6))
{
collection[m] = driver.CreateEncryptWithElement(str6);
}
else if (trustDriver.IsEncryptionAlgorithmElement(collection[m], out str6) && (element9 != null))
{
collection[m] = element9;
element9 = null;
}
else if (trustDriver.IsCanonicalizationAlgorithmElement(collection[m], out str6) && (element10 != null))
{
collection[m] = element10;
element10 = null;
}
else if (trustDriver.IsKeyWrapAlgorithmElement(collection[m], out str6) && (element13 == null))
{
element13 = collection[m];
}
else
{
Collection <XmlElement> collection5;
if (trustDriver.TryParseRequiredClaimsElement(collection[m], out collection5) && (element11 != null))
{
collection[m] = element11;
element11 = null;
}
}
}
if (element13 != null)
{
collection.Remove(element13);
}
if (element9 != null)
{
collection.Add(element9);
}
if (element10 != null)
{
collection.Add(element10);
}
if (element11 != null)
{
collection.Add(element11);
}
if (collection2.Count <= 0)
{
return(collection);
}
for (int n = 0; n < collection2.Count; n++)
{
collection.Add(collection2[n]);
}
}
}
return(collection);
}
// The method walks through the entire set of AdditionalRequestParameters and return the Claims Type requirement alone.
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager)
{
foreach (XmlElement requestParameter in additionalRequestParameters)
{
if ((requestParameter.LocalName == ((CoreWCF.Security.WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value) &&
(requestParameter.NamespaceURI == ((CoreWCF.Security.WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value))
{
return(requestParameter);
}
if ((requestParameter.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value) &&
(requestParameter.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value))
{
Collection <XmlElement> secondaryParameters = new Collection <XmlElement>();
foreach (XmlNode node in requestParameter.ChildNodes)
{
if (node is XmlElement nodeAsElement)
{
secondaryParameters.Add(nodeAsElement);
}
}
XmlElement claimTypeRequirement = GetClaimTypeRequirement(secondaryParameters, standardsManager);
if (claimTypeRequirement != null)
{
return(claimTypeRequirement);
}
}
}
return(null);
}
public static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null || parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" || parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return(false);
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement claimTypeRequirement = parameters.ClaimTypeRequirements[0];
if (claimTypeRequirement == null || claimTypeRequirement.ClaimType != IssuedSecurityTokenParameters.wsidPPIClaim)
{
return(false);
}
}
else
{
if (parameters.AdditionalRequestParameters == null || parameters.AdditionalRequestParameters.Count <= 0)
{
return(false);
}
bool flag = false;
XmlElement claimTypeRequirement = IssuedSecurityTokenParameters.GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if (claimTypeRequirement != null && claimTypeRequirement.ChildNodes.Count == 1)
{
XmlElement childNode = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (childNode != null)
{
XmlNode namedItem = childNode.Attributes.GetNamedItem("Uri");
if (namedItem != null && namedItem.Value == IssuedSecurityTokenParameters.wsidPPIClaim)
{
flag = true;
}
}
}
if (!flag)
{
return(false);
}
}
return(!(parameters.IssuerAddress != (EndpointAddress)null) && (parameters.AlternativeIssuerEndpoints == null || parameters.AlternativeIssuerEndpoints.Count <= 0));
}
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager)
{
foreach (XmlElement requestParameter in additionalRequestParameters)
{
if (requestParameter.LocalName == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value && requestParameter.NamespaceURI == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value)
{
return(requestParameter);
}
if (requestParameter.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value && requestParameter.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value)
{
Collection <XmlElement> additionalRequestParameters1 = new Collection <XmlElement>();
foreach (XmlNode childNode in requestParameter.ChildNodes)
{
XmlElement xmlElement = childNode as XmlElement;
if (xmlElement != null)
{
additionalRequestParameters1.Add(xmlElement);
}
}
XmlElement claimTypeRequirement = IssuedSecurityTokenParameters.GetClaimTypeRequirement(additionalRequestParameters1, standardsManager);
if (claimTypeRequirement != null)
{
return(claimTypeRequirement);
}
}
}
return((XmlElement)null);
}
public bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters)
{
bool flag1 = false;
bool flag2 = false;
bool flag3 = false;
bool flag4 = false;
bool flag5 = false;
otherRequestParameters = new Collection <XmlElement>();
bool flag6 = false;
Collection <XmlElement> collection;
if (standardsManager.TrustVersion == TrustVersion.WSTrust13 && this.AdditionalRequestParameters.Count == 1 && ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0]))
{
flag6 = true;
collection = new Collection <XmlElement>();
foreach (XmlElement xmlElement in (XmlNode)this.AdditionalRequestParameters[0])
{
collection.Add(xmlElement);
}
}
else
{
collection = this.AdditionalRequestParameters;
}
for (int index = 0; index < collection.Count; ++index)
{
XmlElement element = collection[index];
string str;
if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element, out str))
{
if (algorithmSuite.DefaultCanonicalizationAlgorithm != str)
{
return(false);
}
flag4 = true;
}
else if (standardsManager.TrustDriver.IsSignWithElement(element, out str))
{
if (this.keyType == SecurityKeyType.SymmetricKey && str != algorithmSuite.DefaultSymmetricSignatureAlgorithm || this.keyType == SecurityKeyType.AsymmetricKey && str != algorithmSuite.DefaultAsymmetricSignatureAlgorithm)
{
return(false);
}
flag1 = true;
}
else if (standardsManager.TrustDriver.IsEncryptWithElement(element, out str))
{
if (this.keyType == SecurityKeyType.SymmetricKey && str != algorithmSuite.DefaultEncryptionAlgorithm || this.keyType == SecurityKeyType.AsymmetricKey && str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)
{
return(false);
}
flag2 = true;
}
else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element, out str))
{
if (str != algorithmSuite.DefaultEncryptionAlgorithm)
{
return(false);
}
flag3 = true;
}
else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element, out str))
{
if (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)
{
return(false);
}
flag5 = true;
}
else
{
otherRequestParameters.Add(element);
}
}
if (flag6)
{
otherRequestParameters = this.AdditionalRequestParameters;
}
if (this.keyType == SecurityKeyType.BearerKey)
{
return(true);
}
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
return(flag1 & flag4 & flag3 & flag2);
}
return(flag1 & flag4 & flag3 & flag2 & flag5);
}
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType)
{
throw new NotImplementedException();
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode,
bool isReliableSession,
MessageSecurityVersion version)
{
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) &&
(version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
}
SecurityBindingElement result;
bool emitBspAttributes = true;
IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding);
issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress;
issuedParameters.KeyType = this.IssuedKeyType;
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement c in this.claimTypeRequirements)
{
issuedParameters.ClaimTypeRequirements.Add(c);
}
foreach (XmlElement p in this.TokenRequestParameters)
{
issuedParameters.AdditionalRequestParameters.Add(p);
}
WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion,
version.TrustVersion,
version.SecureConversationVersion,
emitBspAttributes,
null, null, null);
SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);
SecurityBindingElement issuedTokenSecurity;
if (isSecureTransportMode)
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
}
else
{
if (negotiateServiceCredential)
{
// We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
// However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
}
}
issuedTokenSecurity.MessageSecurityVersion = version;
issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true);
}
else
{
result = issuedTokenSecurity;
}
result.MessageSecurityVersion = version;
result.DefaultAlgorithmSuite = this.AlgorithmSuite;
result.IncludeTimestamp = true;
if (!isReliableSession)
{
result.LocalServiceSettings.ReconnectTransportOnFailure = false;
result.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
result.LocalServiceSettings.ReconnectTransportOnFailure = true;
result.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
// issue the transition SCT for a short duration only
issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
}
return(result);
}
internal bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters)
{
Collection <XmlElement> additionalRequestParameters;
bool flag = false;
bool flag2 = false;
bool flag3 = false;
bool flag4 = false;
bool flag5 = false;
otherRequestParameters = new Collection <XmlElement>();
bool flag6 = false;
if (((standardsManager.TrustVersion == TrustVersion.WSTrust13) && (this.AdditionalRequestParameters.Count == 1)) && ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0]))
{
flag6 = true;
additionalRequestParameters = new Collection <XmlElement>();
foreach (XmlElement element in this.AdditionalRequestParameters[0])
{
additionalRequestParameters.Add(element);
}
}
else
{
additionalRequestParameters = this.AdditionalRequestParameters;
}
for (int i = 0; i < additionalRequestParameters.Count; i++)
{
string str;
XmlElement element2 = additionalRequestParameters[i];
if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element2, out str))
{
if (algorithmSuite.DefaultCanonicalizationAlgorithm != str)
{
return(false);
}
flag4 = true;
}
else if (standardsManager.TrustDriver.IsSignWithElement(element2, out str))
{
if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultSymmetricSignatureAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricSignatureAlgorithm)))
{
return(false);
}
flag = true;
}
else if (standardsManager.TrustDriver.IsEncryptWithElement(element2, out str))
{
if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultEncryptionAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)))
{
return(false);
}
flag2 = true;
}
else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element2, out str))
{
if (str != algorithmSuite.DefaultEncryptionAlgorithm)
{
return(false);
}
flag3 = true;
}
else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element2, out str))
{
if (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)
{
return(false);
}
flag5 = true;
}
else
{
otherRequestParameters.Add(element2);
}
}
if (flag6)
{
otherRequestParameters = this.AdditionalRequestParameters;
}
if (this.keyType == SecurityKeyType.BearerKey)
{
return(true);
}
if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005)
{
return(((flag && flag4) && flag3) && flag2);
}
return(((flag && flag4) && (flag3 && flag2)) && flag5);
}
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager)
{
foreach (XmlElement element in additionalRequestParameters)
{
if ((element.LocalName == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value) && (element.NamespaceURI == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value))
{
return(element);
}
if ((element.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value) && (element.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value))
{
Collection <XmlElement> collection = new Collection <XmlElement>();
foreach (System.Xml.XmlNode node in element.ChildNodes)
{
XmlElement item = node as XmlElement;
if (item != null)
{
collection.Add(item);
}
}
XmlElement claimTypeRequirement = GetClaimTypeRequirement(collection, standardsManager);
if (claimTypeRequirement != null)
{
return(claimTypeRequirement);
}
}
}
return(null);
}
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity)
{
bool flag;
bool flag2;
bool flag3;
IssuedSecurityTokenParameters parameters;
Collection <XmlElement> collection;
messageSecurity = null;
if (sbe.IncludeTimestamp)
{
SecurityBindingElement element;
if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
{
return(false);
}
flag = true;
flag2 = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element);
element = flag2 ? element : sbe;
if (isSecureTransportMode && !(element is TransportSecurityBindingElement))
{
return(false);
}
flag3 = true;
if (isSecureTransportMode)
{
if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters))
{
return(false);
}
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out parameters))
{
flag3 = true;
goto Label_0078;
}
if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(element, out parameters))
{
flag3 = false;
goto Label_0078;
}
}
return(false);
Label_0078:
if ((parameters.KeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
return(false);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, flag, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
if (!parameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, standardsManager, out collection))
{
return(false);
}
messageSecurity = new FederatedMessageSecurityOverHttp();
messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
messageSecurity.NegotiateServiceCredential = flag3;
messageSecurity.EstablishSecurityContext = flag2;
messageSecurity.IssuedTokenType = parameters.TokenType;
messageSecurity.IssuerAddress = parameters.IssuerAddress;
messageSecurity.IssuerBinding = parameters.IssuerBinding;
messageSecurity.IssuerMetadataAddress = parameters.IssuerMetadataAddress;
messageSecurity.IssuedKeyType = parameters.KeyType;
foreach (ClaimTypeRequirement requirement in parameters.ClaimTypeRequirements)
{
messageSecurity.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in collection)
{
messageSecurity.TokenRequestParameters.Add(element2);
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return(false);
}
return(true);
}
private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters,
TrustDriver driver,
bool clientSideClaimTypeRequirementsSpecified)
{
// Ensure STS trust version is one of the currently supported versions: Feb 05 / Trust 1.3
Fx.Assert(((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) ||
(driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)),
"Unsupported trust version specified for the STS.");
// We have a mismatch. Make a local copy of additionalParameters for making any potential modifications
// as part of normalization
Collection <XmlElement> tmpCollection = new Collection <XmlElement>();
foreach (XmlElement e in additionalParameters)
{
tmpCollection.Add(e);
}
// 1. For Trust 1.3 EncryptionAlgorithm, CanonicalizationAlgorithm and KeyWrapAlgorithm should not be
// specified as top-level element if "SecondaryParameters" element already specifies this.
if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
{
Fx.Assert(driver.GetType() == typeof(WSTrustDec2005.DriverDec2005), "Invalid Trust Driver specified for Trust 1.3.");
XmlElement encryptionAlgorithmElement = null;
XmlElement canonicalizationAlgorithmElement = null;
XmlElement keyWrapAlgorithmElement = null;
XmlElement secondaryParameter = null;
for (int i = 0; i < tmpCollection.Count; ++i)
{
if (driver.IsEncryptionAlgorithmElement(tmpCollection[i], out string algorithm))
{
encryptionAlgorithmElement = tmpCollection[i];
}
else if (driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithm))
{
canonicalizationAlgorithmElement = tmpCollection[i];
}
else if (driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithm))
{
keyWrapAlgorithmElement = tmpCollection[i];
}
else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(tmpCollection[i]))
{
secondaryParameter = tmpCollection[i];
}
}
if (secondaryParameter != null)
{
foreach (XmlNode node in secondaryParameter.ChildNodes)
{
if (node is XmlElement child)
{
if (driver.IsEncryptionAlgorithmElement(child, out string algorithm) && (encryptionAlgorithmElement != null))
{
tmpCollection.Remove(encryptionAlgorithmElement);
}
else if (driver.IsCanonicalizationAlgorithmElement(child, out algorithm) && (canonicalizationAlgorithmElement != null))
{
tmpCollection.Remove(canonicalizationAlgorithmElement);
}
else if (driver.IsKeyWrapAlgorithmElement(child, out algorithm) && (keyWrapAlgorithmElement != null))
{
tmpCollection.Remove(keyWrapAlgorithmElement);
}
}
}
}
}
// 2. Check for Mismatch.
// a. Trust Feb 2005 -> Trust 1.3. do the following,
// (i) Copy EncryptionAlgorithm and CanonicalizationAlgorithm as the top-level elements.
// Note, this is in contradiction to step 1. But we don't have a choice here as we cannot say from the
// Additional Parameters section in the config what came from the service and what came from the client.
// (ii) Convert SignWith and EncryptWith elements to Trust 1.3 namespace.
// b. For Trust 1.3 -> Trust Feb 2005, do the following,
// (i) Find EncryptionAlgorithm, CanonicalizationAlgorithm from inside the "SecondaryParameters" element.
// If found, then promote these as the top-level elements replacing the existing values.
// (ii) Convert the SignWith and EncryptWith elements to the Trust Feb 2005 namespace and drop the KeyWrapAlgorithm
// element.
// make an optimistic check to detect mismatched trust-versions between STS and RP
bool mismatch = (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) &&
!CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustFeb2005Strings.Namespace)) ||
((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) &&
!CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustDec2005Strings.Namespace)));
// if no mismatch, return unmodified collection
if (!mismatch)
{
return(tmpCollection);
}
// 2.a
// If we are talking to a Trust 1.3 STS, replace any Feb '05 algorithm parameters with their Trust 1.3 counterparts
if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)
{
SecurityStandardsManager trustFeb2005StandardsManager = SecurityStandardsManager.DefaultInstance;
// the following cast is guaranteed to succeed
WSTrustFeb2005.DriverFeb2005 trustFeb2005Driver = (WSTrustFeb2005.DriverFeb2005)trustFeb2005StandardsManager.TrustDriver;
for (int i = 0; i < tmpCollection.Count; i++)
{
if (trustFeb2005Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter))
{
tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter);
}
else if (trustFeb2005Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter))
{
tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter);
}
else if (trustFeb2005Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter))
{
tmpCollection[i] = driver.CreateEncryptionAlgorithmElement(algorithmParameter);
}
else if (trustFeb2005Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter))
{
tmpCollection[i] = driver.CreateCanonicalizationAlgorithmElement(algorithmParameter);
}
}
}
else
{
// 2.b
// We are talking to a Feb 05 STS. Filter out any SecondaryParameters element.
Collection <XmlElement> childrenToPromote = null;
WSSecurityTokenSerializer trust13Serializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11,
TrustVersion.WSTrust13,
SecureConversationVersion.WSSecureConversation13,
true, null, null, null);
SecurityStandardsManager trust13StandardsManager = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, trust13Serializer);
// the following cast is guaranteed to succeed
WSTrustDec2005.DriverDec2005 trust13Driver = (WSTrustDec2005.DriverDec2005)trust13StandardsManager.TrustDriver;
foreach (XmlElement parameter in tmpCollection)
{
// check if SecondaryParameters is present
if (trust13Driver.IsSecondaryParametersElement(parameter))
{
childrenToPromote = new Collection <XmlElement>();
// walk SecondaryParameters and collect any 'non-standard' children
foreach (XmlNode innerNode in parameter.ChildNodes)
{
if ((innerNode is XmlElement innerElement) && CanPromoteToRoot(innerElement, trust13Driver, clientSideClaimTypeRequirementsSpecified))
{
childrenToPromote.Add(innerElement);
}
}
// remove SecondaryParameters element
tmpCollection.Remove(parameter);
// we are done - break out of the loop
break;
}
}
// Probe of standard Trust elements and remember them.
if ((childrenToPromote != null) && (childrenToPromote.Count > 0))
{
XmlElement encryptionElement = null;
XmlElement canonicalizationElement = null;
XmlElement requiredClaimsElement = null;
Collection <XmlElement> processedElements = new Collection <XmlElement>();
foreach (XmlElement e in childrenToPromote)
{
if ((encryptionElement == null) && trust13Driver.IsEncryptionAlgorithmElement(e, out string encryptionAlgorithm))
{
encryptionElement = driver.CreateEncryptionAlgorithmElement(encryptionAlgorithm);
processedElements.Add(e);
}
else if ((canonicalizationElement == null) && trust13Driver.IsCanonicalizationAlgorithmElement(e, out string canonicalizationAlgoritm))
{
canonicalizationElement = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgoritm);
processedElements.Add(e);
}
else if ((requiredClaimsElement == null) && trust13Driver.TryParseRequiredClaimsElement(e, out Collection <XmlElement> requiredClaims))
{
requiredClaimsElement = driver.CreateRequiredClaimsElement(requiredClaims);
processedElements.Add(e);
}
}
for (int i = 0; i < processedElements.Count; ++i)
{
childrenToPromote.Remove(processedElements[i]);
}
XmlElement keyWrapAlgorithmElement = null;
// Replace the appropriate elements.
for (int i = 0; i < tmpCollection.Count; ++i)
{
if (trust13Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter))
{
tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter);
}
else if (trust13Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter))
{
tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter);
}
else if (trust13Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter) && (encryptionElement != null))
{
tmpCollection[i] = encryptionElement;
encryptionElement = null;
}
else if (trust13Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter) && (canonicalizationElement != null))
{
tmpCollection[i] = canonicalizationElement;
canonicalizationElement = null;
}
else if (trust13Driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithmParameter) && (keyWrapAlgorithmElement == null))
{
keyWrapAlgorithmElement = tmpCollection[i];
}
else if (trust13Driver.TryParseRequiredClaimsElement(tmpCollection[i], out Collection <XmlElement> reqClaims) && (requiredClaimsElement != null))
{
tmpCollection[i] = requiredClaimsElement;
requiredClaimsElement = null;
}
}
if (keyWrapAlgorithmElement != null)
{
// Remove KeyWrapAlgorithmElement as this is not define in Trust Feb 2005.
tmpCollection.Remove(keyWrapAlgorithmElement);
}
// Add the remaining elements to the additionaParameters list to the end.
if (encryptionElement != null)
{
tmpCollection.Add(encryptionElement);
}
if (canonicalizationElement != null)
{
tmpCollection.Add(canonicalizationElement);
}
if (requiredClaimsElement != null)
{
tmpCollection.Add(requiredClaimsElement);
}
if (childrenToPromote.Count > 0)
{
// There are some non-standard elements. Just bump them to the top-level element.
for (int i = 0; i < childrenToPromote.Count; ++i)
{
tmpCollection.Add(childrenToPromote[i]);
}
}
}
}
return(tmpCollection);
}
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
SecurityBindingElement element;
SecurityBindingElement element3;
if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding")));
}
if (isReliableSession && !this.EstablishSecurityContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession")));
}
bool emitBspRequiredAttributes = true;
IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding)
{
IssuerMetadataAddress = this.issuerMetadataAddress,
KeyType = this.IssuedKeyType
};
if (this.IssuedKeyType == SecurityKeyType.SymmetricKey)
{
issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength;
}
else
{
issuedTokenParameters.KeySize = 0;
}
foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements)
{
issuedTokenParameters.ClaimTypeRequirements.Add(requirement);
}
foreach (XmlElement element2 in this.TokenRequestParameters)
{
issuedTokenParameters.AdditionalRequestParameters.Add(element2);
}
WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null);
SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer);
issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType);
if (isSecureTransportMode)
{
element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters);
}
else if (this.negotiateServiceCredential)
{
element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
}
else
{
element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters);
}
element3.MessageSecurityVersion = version;
element3.DefaultAlgorithmSuite = this.AlgorithmSuite;
if (this.EstablishSecurityContext)
{
element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true);
}
else
{
element = element3;
}
element.MessageSecurityVersion = version;
element.DefaultAlgorithmSuite = this.AlgorithmSuite;
element.IncludeTimestamp = true;
if (!isReliableSession)
{
element.LocalServiceSettings.ReconnectTransportOnFailure = false;
element.LocalClientSettings.ReconnectTransportOnFailure = false;
}
else
{
element.LocalServiceSettings.ReconnectTransportOnFailure = true;
element.LocalClientSettings.ReconnectTransportOnFailure = true;
}
if (this.establishSecurityContext)
{
element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime;
}
return(element);
}
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager)
{
if (parameters == null)
{
return(false);
}
if (parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
{
return(false);
}
if (parameters.KeyType != SecurityKeyType.AsymmetricKey)
{
return(false);
}
if (parameters.ClaimTypeRequirements.Count == 1)
{
ClaimTypeRequirement requirement = parameters.ClaimTypeRequirements[0];
if (requirement == null)
{
return(false);
}
if (requirement.ClaimType != wsidPPIClaim)
{
return(false);
}
}
else
{
if ((parameters.AdditionalRequestParameters == null) || (parameters.AdditionalRequestParameters.Count <= 0))
{
return(false);
}
bool flag = false;
XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager);
if ((claimTypeRequirement != null) && (claimTypeRequirement.ChildNodes.Count == 1))
{
XmlElement element2 = claimTypeRequirement.ChildNodes[0] as XmlElement;
if (element2 != null)
{
System.Xml.XmlNode namedItem = element2.Attributes.GetNamedItem("Uri");
if ((namedItem != null) && (namedItem.Value == wsidPPIClaim))
{
flag = true;
}
}
}
if (!flag)
{
return(false);
}
}
if (parameters.IssuerAddress != null)
{
return(false);
}
if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0))
{
return(false);
}
return(true);
}
