public TransactionChannelFactory(System.ServiceModel.TransactionProtocol transactionProtocol, BindingContext context, Dictionary <DirectionalAction, TransactionFlowOption> dictionary, bool allowWildcardAction) : base(context.Binding, context.BuildInnerChannelFactory <TChannel>()) { this.dictionary = dictionary; this.TransactionProtocol = transactionProtocol; this.allowWildcardAction = allowWildcardAction; this.standardsManager = SecurityStandardsHelper.CreateStandardsManager(this.TransactionProtocol); }
public TransactionChannelListener(System.ServiceModel.TransactionProtocol transactionProtocol, IDefaultCommunicationTimeouts timeouts, Dictionary <DirectionalAction, TransactionFlowOption> dictionary, IChannelListener <TChannel> innerListener) : base(timeouts, innerListener) { this.dictionary = dictionary; this.TransactionProtocol = transactionProtocol; base.Acceptor = new TransactionChannelAcceptor <TChannel>((TransactionChannelListener <TChannel>) this, innerListener); this.standardsManager = SecurityStandardsHelper.CreateStandardsManager(this.TransactionProtocol); }
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType) { this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm)); this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm)); if (this._keyType == SecurityKeyType.BearerKey) { // As the client does not have a proof token in the Bearer case // we don't have any specific algorithms to request for. return; } string signWithAlgorithm = (this._keyType == SecurityKeyType.SymmetricKey) ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm; this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signWithAlgorithm)); string encryptWithAlgorithm; if (issuedKeyType == SecurityKeyType.SymmetricKey) { encryptWithAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm; } else { encryptWithAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm; } this._additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptWithAlgorithm)); if (standardsManager.TrustVersion != TrustVersion.WSTrustFeb2005) { this._additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)); } return; }
void IServiceBehavior.ApplyDispatchBehavior(System.ServiceModel.Description.ServiceDescription description, ServiceHostBase serviceHostBase) { if (description == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("description")); } if (serviceHostBase == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("serviceHostBase")); } if (this.serviceAuthenticationManager != null) { for (int i = 0; i < serviceHostBase.ChannelDispatchers.Count; i++) { ChannelDispatcher channelDispatcher = serviceHostBase.ChannelDispatchers[i] as ChannelDispatcher; if ((channelDispatcher != null) && !ServiceMetadataBehavior.IsHttpGetMetadataDispatcher(description, channelDispatcher)) { foreach (EndpointDispatcher dispatcher2 in channelDispatcher.Endpoints) { DispatchRuntime dispatchRuntime = dispatcher2.DispatchRuntime; dispatchRuntime.ServiceAuthenticationManager = this.serviceAuthenticationManager; ServiceEndpoint endpoint = this.FindMatchingServiceEndpoint(description, dispatcher2); if ((endpoint != null) && this.IsSecureConversationBinding(endpoint.Binding)) { SecurityStandardsManager configuredSecurityStandardsManager = this.GetConfiguredSecurityStandardsManager(endpoint.Binding); dispatchRuntime.ServiceAuthenticationManager = new ServiceAuthenticationManagerWrapper(this.serviceAuthenticationManager, new string[] { configuredSecurityStandardsManager.SecureConversationDriver.CloseAction.Value }); } } } } } }
internal static MessagePartSpecification GetIssuedTokenHeaderSpecification(SecurityStandardsManager standardsManager) { if (!standardsManager.TrustDriver.IsIssuedTokensSupported) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("TrustDriverVersionDoesNotSupportIssuedTokens"))); } return(new MessagePartSpecification(new XmlQualifiedName[] { new XmlQualifiedName(standardsManager.TrustDriver.IssuedTokensHeaderName, standardsManager.TrustDriver.IssuedTokensHeaderNamespace) })); }
public static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm) { IssuedSecurityTokenParameters securityTokenParameters = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"); securityTokenParameters.KeyType = SecurityKeyType.AsymmetricKey; securityTokenParameters.ClaimTypeRequirements.Add(new ClaimTypeRequirement(IssuedSecurityTokenParameters.wsidPPIClaim)); securityTokenParameters.IssuerAddress = (EndpointAddress)null; securityTokenParameters.AddAlgorithmParameters(algorithm, standardsManager, securityTokenParameters.KeyType); return(securityTokenParameters); }
internal static IssuedSecurityTokenParameters CreateInfoCardParameters(SecurityStandardsManager standardsManager, SecurityAlgorithmSuite algorithm) { IssuedSecurityTokenParameters result = new IssuedSecurityTokenParameters(SecurityXXX2005Strings.SamlTokenType); result.KeyType = SecurityKeyType.AsymmetricKey; result.ClaimTypeRequirements.Add(new ClaimTypeRequirement(s_wsidPPIClaim)); result.IssuerAddress = null; result.AddAlgorithmParameters(algorithm, standardsManager, result.KeyType); return(result); }
internal static MessagePartSpecification GetIssuedTokenHeaderSpecification(SecurityStandardsManager standardsManager) { MessagePartSpecification result; if (standardsManager.TrustDriver.IsIssuedTokensSupported) { result = new MessagePartSpecification(new XmlQualifiedName(standardsManager.TrustDriver.IssuedTokensHeaderName, standardsManager.TrustDriver.IssuedTokensHeaderNamespace)); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.TrustDriverVersionDoesNotSupportIssuedTokens))); } return(result); }
public void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType) { this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm)); this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm)); if (this.keyType == SecurityKeyType.BearerKey) { return; } string signatureAlgorithm = this.keyType == SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultSymmetricSignatureAlgorithm : algorithmSuite.DefaultAsymmetricSignatureAlgorithm; this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateSignWithElement(signatureAlgorithm)); string encryptionAlgorithm = issuedKeyType != SecurityKeyType.SymmetricKey ? algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm : algorithmSuite.DefaultEncryptionAlgorithm; this.additionalRequestParameters.Insert(0, standardsManager.TrustDriver.CreateEncryptWithElement(encryptionAlgorithm)); if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) { return; } this.additionalRequestParameters.Insert(0, ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)); }
public static void CreateIssuedToken(Guid transactionId, string coordinationContextId, ProtocolVersion protocolVersion, out RequestSecurityTokenResponse issuedToken, out string sctId) { sctId = CoordinationContext.CreateNativeIdentifier(Guid.NewGuid()); byte[] key = DeriveIssuedTokenKey(transactionId, sctId); DateTime utcNow = DateTime.UtcNow; SecurityContextSecurityToken token = new SecurityContextSecurityToken(new UniqueId(sctId), key, utcNow, utcNow + TimeSpan.FromDays(36500.0)); BinarySecretSecurityToken token2 = new BinarySecretSecurityToken(key); SecurityStandardsManager standardsManager = CreateStandardsManager(protocolVersion); RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(standardsManager) { TokenType = standardsManager.SecureConversationDriver.TokenTypeUri, RequestedUnattachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External), RequestedAttachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal), RequestedSecurityToken = token, RequestedProofToken = token2 }; DataContractSerializer serializer = IdentifierElementSerializer(protocolVersion); ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateIssuedToken"); switch (protocolVersion) { case ProtocolVersion.Version10: response.SetAppliesTo <IdentifierElement10>(new IdentifierElement10(coordinationContextId), serializer); break; case ProtocolVersion.Version11: response.SetAppliesTo <IdentifierElement11>(new IdentifierElement11(coordinationContextId), serializer); break; } response.MakeReadOnly(); if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "Created issued token with id {0} for transaction {1}", sctId, transactionId); } issuedToken = response; }
// The method walks through the entire set of AdditionalRequestParameters and return the Claims Type requirement alone. internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager) { throw new NotImplementedException(); }
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager) { if (parameters == null) { return(false); } if (parameters.TokenType != SecurityXXX2005Strings.SamlTokenType) { return(false); } if (parameters.KeyType != SecurityKeyType.AsymmetricKey) { return(false); } if (parameters.ClaimTypeRequirements.Count == 1) { ClaimTypeRequirement claimTypeRequirement = parameters.ClaimTypeRequirements[0] as ClaimTypeRequirement; if (claimTypeRequirement == null) { return(false); } if (claimTypeRequirement.ClaimType != s_wsidPPIClaim) { return(false); } } else if ((parameters.AdditionalRequestParameters != null) && (parameters.AdditionalRequestParameters.Count > 0)) { // Check the AdditionalRequest Parameters to see if ClaimTypeRequirements got imported there. bool claimTypeRequirementMatched = false; XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager); if (claimTypeRequirement != null && claimTypeRequirement.ChildNodes.Count == 1) { XmlElement claimTypeElement = claimTypeRequirement.ChildNodes[0] as XmlElement; if (claimTypeElement != null) { XmlNode claimType = claimTypeElement.Attributes.GetNamedItem("Uri"); if (claimType != null && claimType.Value == s_wsidPPIClaim) { claimTypeRequirementMatched = true; } } } if (!claimTypeRequirementMatched) { return(false); } } else { return(false); } if (parameters.IssuerAddress != null) { return(false); } if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0) { return(false); } return(true); }
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity) { Fx.Assert(null != sbe, string.Empty); messageSecurity = null; // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings if (!sbe.IncludeTimestamp) { return(false); } if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout) { return(false); } bool emitBspAttributes = true; // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching() SecurityBindingElement bootstrapSecurity; bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity); bootstrapSecurity = establishSecurityContext ? bootstrapSecurity : sbe; if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement)) { return(false); } bool negotiateServiceCredential = DefaultNegotiateServiceCredential; IssuedSecurityTokenParameters issuedTokenParameters; if (isSecureTransportMode) { if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out issuedTokenParameters)) { return(false); } } else { // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings. // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy. if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out issuedTokenParameters)) { negotiateServiceCredential = true; } else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out issuedTokenParameters)) { negotiateServiceCredential = false; } else { return(false); } } if ((issuedTokenParameters.KeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { return(false); } Collection <XmlElement> nonAlgorithmRequestParameters; WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspAttributes, null, null, null); SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer); if (!issuedTokenParameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, versionSpecificStandardsManager, out nonAlgorithmRequestParameters)) { return(false); } messageSecurity = new FederatedMessageSecurityOverHttp(); messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite; messageSecurity.NegotiateServiceCredential = negotiateServiceCredential; messageSecurity.EstablishSecurityContext = establishSecurityContext; messageSecurity.IssuedTokenType = issuedTokenParameters.TokenType; messageSecurity.IssuerAddress = issuedTokenParameters.IssuerAddress; messageSecurity.IssuerBinding = issuedTokenParameters.IssuerBinding; messageSecurity.IssuerMetadataAddress = issuedTokenParameters.IssuerMetadataAddress; messageSecurity.IssuedKeyType = issuedTokenParameters.KeyType; foreach (ClaimTypeRequirement c in issuedTokenParameters.ClaimTypeRequirements) { messageSecurity.ClaimTypeRequirements.Add(c); } foreach (XmlElement p in nonAlgorithmRequestParameters) { messageSecurity.TokenRequestParameters.Add(p); } if (issuedTokenParameters.AlternativeIssuerEndpoints != null && issuedTokenParameters.AlternativeIssuerEndpoints.Count > 0) { return(false); } return(true); }
internal bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters) { bool doesSignWithAlgorithmMatch = false; bool doesEncryptWithAlgorithmMatch = false; bool doesEncryptionAlgorithmMatch = false; bool doesCanonicalizationAlgorithmMatch = false; bool doesKeyWrapAlgorithmMatch = false; otherRequestParameters = new Collection <XmlElement>(); bool trustNormalizationPerformed = false; Collection <XmlElement> trustVersionNormalizedParameterCollection; // For Trust 1.3 we move all the additional parameters into the secondaryParameters // element. So the list contains just one element called SecondaryParameters that // contains all the other elements as child elements. if ((standardsManager.TrustVersion == TrustVersion.WSTrust13) && (this.AdditionalRequestParameters.Count == 1) && (((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0]))) { trustNormalizationPerformed = true; trustVersionNormalizedParameterCollection = new Collection <XmlElement>(); foreach (XmlElement innerElement in this.AdditionalRequestParameters[0]) { trustVersionNormalizedParameterCollection.Add(innerElement); } } else { trustVersionNormalizedParameterCollection = this.AdditionalRequestParameters; } for (int i = 0; i < trustVersionNormalizedParameterCollection.Count; i++) { string algorithm; XmlElement element = trustVersionNormalizedParameterCollection[i]; if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element, out algorithm)) { if (algorithmSuite.DefaultCanonicalizationAlgorithm != algorithm) { return(false); } doesCanonicalizationAlgorithmMatch = true; } else if (standardsManager.TrustDriver.IsSignWithElement(element, out algorithm)) { if ((this._keyType == SecurityKeyType.SymmetricKey && algorithm != algorithmSuite.DefaultSymmetricSignatureAlgorithm) || (this._keyType == SecurityKeyType.AsymmetricKey && algorithm != algorithmSuite.DefaultAsymmetricSignatureAlgorithm)) { return(false); } doesSignWithAlgorithmMatch = true; } else if (standardsManager.TrustDriver.IsEncryptWithElement(element, out algorithm)) { if ((this._keyType == SecurityKeyType.SymmetricKey && algorithm != algorithmSuite.DefaultEncryptionAlgorithm) || (this._keyType == SecurityKeyType.AsymmetricKey && algorithm != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm)) { return(false); } doesEncryptWithAlgorithmMatch = true; } else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element, out algorithm)) { if (algorithm != algorithmSuite.DefaultEncryptionAlgorithm) { return(false); } doesEncryptionAlgorithmMatch = true; } else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element, out algorithm)) { if (algorithm != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm) { return(false); } doesKeyWrapAlgorithmMatch = true; } else { otherRequestParameters.Add(element); } } // Undo normalization if performed // move all back into secondaryParameters if (trustNormalizationPerformed) { otherRequestParameters = this.AdditionalRequestParameters; } if (this._keyType == SecurityKeyType.BearerKey) { // As the client does not have a proof token in the Bearer case // we don't have any specific algorithms to request for. return(true); } if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) { // For V1 compatibility check all algorithms return(doesSignWithAlgorithmMatch && doesCanonicalizationAlgorithmMatch && doesEncryptionAlgorithmMatch && doesEncryptWithAlgorithmMatch); } else { return(doesSignWithAlgorithmMatch && doesCanonicalizationAlgorithmMatch && doesEncryptionAlgorithmMatch && doesEncryptWithAlgorithmMatch && doesKeyWrapAlgorithmMatch); } }
private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters, TrustDriver driver, bool clientSideClaimTypeRequirementsSpecified) { Collection <XmlElement> collection = new Collection <XmlElement>(); foreach (XmlElement element in additionalParameters) { collection.Add(element); } if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) { XmlElement item = null; XmlElement element3 = null; XmlElement element4 = null; XmlElement element5 = null; for (int i = 0; i < collection.Count; i++) { string str; if (driver.IsEncryptionAlgorithmElement(collection[i], out str)) { item = collection[i]; } else if (driver.IsCanonicalizationAlgorithmElement(collection[i], out str)) { element3 = collection[i]; } else if (driver.IsKeyWrapAlgorithmElement(collection[i], out str)) { element4 = collection[i]; } else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(collection[i])) { element5 = collection[i]; } } if (element5 != null) { foreach (System.Xml.XmlNode node in element5.ChildNodes) { XmlElement element6 = node as XmlElement; if (element6 != null) { string encryptionAlgorithm = null; if (driver.IsEncryptionAlgorithmElement(element6, out encryptionAlgorithm) && (item != null)) { collection.Remove(item); } else if (driver.IsCanonicalizationAlgorithmElement(element6, out encryptionAlgorithm) && (element3 != null)) { collection.Remove(element3); } else if (driver.IsKeyWrapAlgorithmElement(element6, out encryptionAlgorithm) && (element4 != null)) { collection.Remove(element4); } } } } } if (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://schemas.xmlsoap.org/ws/2005/02/trust")) || ((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && !this.CollectionContainsElementsWithTrustNamespace(additionalParameters, "http://docs.oasis-open.org/ws-sx/ws-trust/200512"))) { if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) { WSTrustFeb2005.DriverFeb2005 feb = (WSTrustFeb2005.DriverFeb2005)SecurityStandardsManager.DefaultInstance.TrustDriver; for (int j = 0; j < collection.Count; j++) { string signatureAlgorithm = string.Empty; if (feb.IsSignWithElement(collection[j], out signatureAlgorithm)) { collection[j] = driver.CreateSignWithElement(signatureAlgorithm); } else if (feb.IsEncryptWithElement(collection[j], out signatureAlgorithm)) { collection[j] = driver.CreateEncryptWithElement(signatureAlgorithm); } else if (feb.IsEncryptionAlgorithmElement(collection[j], out signatureAlgorithm)) { collection[j] = driver.CreateEncryptionAlgorithmElement(signatureAlgorithm); } else if (feb.IsCanonicalizationAlgorithmElement(collection[j], out signatureAlgorithm)) { collection[j] = driver.CreateCanonicalizationAlgorithmElement(signatureAlgorithm); } } return(collection); } Collection <XmlElement> collection2 = null; WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11, TrustVersion.WSTrust13, SecureConversationVersion.WSSecureConversation13, true, null, null, null); SecurityStandardsManager manager2 = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, tokenSerializer); WSTrustDec2005.DriverDec2005 trustDriver = (WSTrustDec2005.DriverDec2005)manager2.TrustDriver; foreach (XmlElement element7 in collection) { if (trustDriver.IsSecondaryParametersElement(element7)) { collection2 = new Collection <XmlElement>(); foreach (System.Xml.XmlNode node2 in element7.ChildNodes) { XmlElement innerElement = node2 as XmlElement; if ((innerElement != null) && this.CanPromoteToRoot(innerElement, trustDriver, clientSideClaimTypeRequirementsSpecified)) { collection2.Add(innerElement); } } collection.Remove(element7); break; } } if ((collection2 != null) && (collection2.Count > 0)) { XmlElement element9 = null; string str4 = string.Empty; XmlElement element10 = null; string canonicalizationAlgorithm = string.Empty; XmlElement element11 = null; Collection <XmlElement> requiredClaims = null; Collection <XmlElement> collection4 = new Collection <XmlElement>(); foreach (XmlElement element12 in collection2) { if ((element9 == null) && trustDriver.IsEncryptionAlgorithmElement(element12, out str4)) { element9 = driver.CreateEncryptionAlgorithmElement(str4); collection4.Add(element12); } else if ((element10 == null) && trustDriver.IsCanonicalizationAlgorithmElement(element12, out canonicalizationAlgorithm)) { element10 = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgorithm); collection4.Add(element12); } else if ((element11 == null) && trustDriver.TryParseRequiredClaimsElement(element12, out requiredClaims)) { element11 = driver.CreateRequiredClaimsElement(requiredClaims); collection4.Add(element12); } } for (int k = 0; k < collection4.Count; k++) { collection2.Remove(collection4[k]); } XmlElement element13 = null; for (int m = 0; m < collection.Count; m++) { string str6; if (trustDriver.IsSignWithElement(collection[m], out str6)) { collection[m] = driver.CreateSignWithElement(str6); } else if (trustDriver.IsEncryptWithElement(collection[m], out str6)) { collection[m] = driver.CreateEncryptWithElement(str6); } else if (trustDriver.IsEncryptionAlgorithmElement(collection[m], out str6) && (element9 != null)) { collection[m] = element9; element9 = null; } else if (trustDriver.IsCanonicalizationAlgorithmElement(collection[m], out str6) && (element10 != null)) { collection[m] = element10; element10 = null; } else if (trustDriver.IsKeyWrapAlgorithmElement(collection[m], out str6) && (element13 == null)) { element13 = collection[m]; } else { Collection <XmlElement> collection5; if (trustDriver.TryParseRequiredClaimsElement(collection[m], out collection5) && (element11 != null)) { collection[m] = element11; element11 = null; } } } if (element13 != null) { collection.Remove(element13); } if (element9 != null) { collection.Add(element9); } if (element10 != null) { collection.Add(element10); } if (element11 != null) { collection.Add(element11); } if (collection2.Count <= 0) { return(collection); } for (int n = 0; n < collection2.Count; n++) { collection.Add(collection2[n]); } } } return(collection); }
// The method walks through the entire set of AdditionalRequestParameters and return the Claims Type requirement alone. internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager) { foreach (XmlElement requestParameter in additionalRequestParameters) { if ((requestParameter.LocalName == ((CoreWCF.Security.WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value) && (requestParameter.NamespaceURI == ((CoreWCF.Security.WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value)) { return(requestParameter); } if ((requestParameter.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value) && (requestParameter.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value)) { Collection <XmlElement> secondaryParameters = new Collection <XmlElement>(); foreach (XmlNode node in requestParameter.ChildNodes) { if (node is XmlElement nodeAsElement) { secondaryParameters.Add(nodeAsElement); } } XmlElement claimTypeRequirement = GetClaimTypeRequirement(secondaryParameters, standardsManager); if (claimTypeRequirement != null) { return(claimTypeRequirement); } } } return(null); }
public static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager) { if (parameters == null || parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" || parameters.KeyType != SecurityKeyType.AsymmetricKey) { return(false); } if (parameters.ClaimTypeRequirements.Count == 1) { ClaimTypeRequirement claimTypeRequirement = parameters.ClaimTypeRequirements[0]; if (claimTypeRequirement == null || claimTypeRequirement.ClaimType != IssuedSecurityTokenParameters.wsidPPIClaim) { return(false); } } else { if (parameters.AdditionalRequestParameters == null || parameters.AdditionalRequestParameters.Count <= 0) { return(false); } bool flag = false; XmlElement claimTypeRequirement = IssuedSecurityTokenParameters.GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager); if (claimTypeRequirement != null && claimTypeRequirement.ChildNodes.Count == 1) { XmlElement childNode = claimTypeRequirement.ChildNodes[0] as XmlElement; if (childNode != null) { XmlNode namedItem = childNode.Attributes.GetNamedItem("Uri"); if (namedItem != null && namedItem.Value == IssuedSecurityTokenParameters.wsidPPIClaim) { flag = true; } } } if (!flag) { return(false); } } return(!(parameters.IssuerAddress != (EndpointAddress)null) && (parameters.AlternativeIssuerEndpoints == null || parameters.AlternativeIssuerEndpoints.Count <= 0)); }
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager) { foreach (XmlElement requestParameter in additionalRequestParameters) { if (requestParameter.LocalName == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value && requestParameter.NamespaceURI == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value) { return(requestParameter); } if (requestParameter.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value && requestParameter.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value) { Collection <XmlElement> additionalRequestParameters1 = new Collection <XmlElement>(); foreach (XmlNode childNode in requestParameter.ChildNodes) { XmlElement xmlElement = childNode as XmlElement; if (xmlElement != null) { additionalRequestParameters1.Add(xmlElement); } } XmlElement claimTypeRequirement = IssuedSecurityTokenParameters.GetClaimTypeRequirement(additionalRequestParameters1, standardsManager); if (claimTypeRequirement != null) { return(claimTypeRequirement); } } } return((XmlElement)null); }
public bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters) { bool flag1 = false; bool flag2 = false; bool flag3 = false; bool flag4 = false; bool flag5 = false; otherRequestParameters = new Collection <XmlElement>(); bool flag6 = false; Collection <XmlElement> collection; if (standardsManager.TrustVersion == TrustVersion.WSTrust13 && this.AdditionalRequestParameters.Count == 1 && ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0])) { flag6 = true; collection = new Collection <XmlElement>(); foreach (XmlElement xmlElement in (XmlNode)this.AdditionalRequestParameters[0]) { collection.Add(xmlElement); } } else { collection = this.AdditionalRequestParameters; } for (int index = 0; index < collection.Count; ++index) { XmlElement element = collection[index]; string str; if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element, out str)) { if (algorithmSuite.DefaultCanonicalizationAlgorithm != str) { return(false); } flag4 = true; } else if (standardsManager.TrustDriver.IsSignWithElement(element, out str)) { if (this.keyType == SecurityKeyType.SymmetricKey && str != algorithmSuite.DefaultSymmetricSignatureAlgorithm || this.keyType == SecurityKeyType.AsymmetricKey && str != algorithmSuite.DefaultAsymmetricSignatureAlgorithm) { return(false); } flag1 = true; } else if (standardsManager.TrustDriver.IsEncryptWithElement(element, out str)) { if (this.keyType == SecurityKeyType.SymmetricKey && str != algorithmSuite.DefaultEncryptionAlgorithm || this.keyType == SecurityKeyType.AsymmetricKey && str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm) { return(false); } flag2 = true; } else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element, out str)) { if (str != algorithmSuite.DefaultEncryptionAlgorithm) { return(false); } flag3 = true; } else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element, out str)) { if (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm) { return(false); } flag5 = true; } else { otherRequestParameters.Add(element); } } if (flag6) { otherRequestParameters = this.AdditionalRequestParameters; } if (this.keyType == SecurityKeyType.BearerKey) { return(true); } if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) { return(flag1 & flag4 & flag3 & flag2); } return(flag1 & flag4 & flag3 & flag2 & flag5); }
internal void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, SecurityKeyType issuedKeyType) { throw new NotImplementedException(); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding))); } if (isReliableSession && !this.EstablishSecurityContext) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession))); } SecurityBindingElement result; bool emitBspAttributes = true; IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding); issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress; issuedParameters.KeyType = this.IssuedKeyType; if (this.IssuedKeyType == SecurityKeyType.SymmetricKey) { issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength; } else { issuedParameters.KeySize = 0; } foreach (ClaimTypeRequirement c in this.claimTypeRequirements) { issuedParameters.ClaimTypeRequirements.Add(c); } foreach (XmlElement p in this.TokenRequestParameters) { issuedParameters.AdditionalRequestParameters.Add(p); } WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspAttributes, null, null, null); SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer); issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType); SecurityBindingElement issuedTokenSecurity; if (isSecureTransportMode) { issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters); } else { if (negotiateServiceCredential) { // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings. // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy. issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11); } else { issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters); } } issuedTokenSecurity.MessageSecurityVersion = version; issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite; if (this.EstablishSecurityContext) { result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true); } else { result = issuedTokenSecurity; } result.MessageSecurityVersion = version; result.DefaultAlgorithmSuite = this.AlgorithmSuite; result.IncludeTimestamp = true; if (!isReliableSession) { result.LocalServiceSettings.ReconnectTransportOnFailure = false; result.LocalClientSettings.ReconnectTransportOnFailure = false; } else { result.LocalServiceSettings.ReconnectTransportOnFailure = true; result.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.establishSecurityContext) { // issue the transition SCT for a short duration only issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime; } return(result); }
internal bool DoAlgorithmsMatch(SecurityAlgorithmSuite algorithmSuite, SecurityStandardsManager standardsManager, out Collection <XmlElement> otherRequestParameters) { Collection <XmlElement> additionalRequestParameters; bool flag = false; bool flag2 = false; bool flag3 = false; bool flag4 = false; bool flag5 = false; otherRequestParameters = new Collection <XmlElement>(); bool flag6 = false; if (((standardsManager.TrustVersion == TrustVersion.WSTrust13) && (this.AdditionalRequestParameters.Count == 1)) && ((WSTrustDec2005.DriverDec2005)standardsManager.TrustDriver).IsSecondaryParametersElement(this.AdditionalRequestParameters[0])) { flag6 = true; additionalRequestParameters = new Collection <XmlElement>(); foreach (XmlElement element in this.AdditionalRequestParameters[0]) { additionalRequestParameters.Add(element); } } else { additionalRequestParameters = this.AdditionalRequestParameters; } for (int i = 0; i < additionalRequestParameters.Count; i++) { string str; XmlElement element2 = additionalRequestParameters[i]; if (standardsManager.TrustDriver.IsCanonicalizationAlgorithmElement(element2, out str)) { if (algorithmSuite.DefaultCanonicalizationAlgorithm != str) { return(false); } flag4 = true; } else if (standardsManager.TrustDriver.IsSignWithElement(element2, out str)) { if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultSymmetricSignatureAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricSignatureAlgorithm))) { return(false); } flag = true; } else if (standardsManager.TrustDriver.IsEncryptWithElement(element2, out str)) { if (((this.keyType == SecurityKeyType.SymmetricKey) && (str != algorithmSuite.DefaultEncryptionAlgorithm)) || ((this.keyType == SecurityKeyType.AsymmetricKey) && (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm))) { return(false); } flag2 = true; } else if (standardsManager.TrustDriver.IsEncryptionAlgorithmElement(element2, out str)) { if (str != algorithmSuite.DefaultEncryptionAlgorithm) { return(false); } flag3 = true; } else if (standardsManager.TrustDriver.IsKeyWrapAlgorithmElement(element2, out str)) { if (str != algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm) { return(false); } flag5 = true; } else { otherRequestParameters.Add(element2); } } if (flag6) { otherRequestParameters = this.AdditionalRequestParameters; } if (this.keyType == SecurityKeyType.BearerKey) { return(true); } if (standardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) { return(((flag && flag4) && flag3) && flag2); } return(((flag && flag4) && (flag3 && flag2)) && flag5); }
internal static XmlElement GetClaimTypeRequirement(Collection <XmlElement> additionalRequestParameters, SecurityStandardsManager standardsManager) { foreach (XmlElement element in additionalRequestParameters) { if ((element.LocalName == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Claims.Value) && (element.NamespaceURI == ((WSTrust.Driver)standardsManager.TrustDriver).DriverDictionary.Namespace.Value)) { return(element); } if ((element.LocalName == DXD.TrustDec2005Dictionary.SecondaryParameters.Value) && (element.NamespaceURI == DXD.TrustDec2005Dictionary.Namespace.Value)) { Collection <XmlElement> collection = new Collection <XmlElement>(); foreach (System.Xml.XmlNode node in element.ChildNodes) { XmlElement item = node as XmlElement; if (item != null) { collection.Add(item); } } XmlElement claimTypeRequirement = GetClaimTypeRequirement(collection, standardsManager); if (claimTypeRequirement != null) { return(claimTypeRequirement); } } } return(null); }
internal static bool TryCreate(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version, out FederatedMessageSecurityOverHttp messageSecurity) { bool flag; bool flag2; bool flag3; IssuedSecurityTokenParameters parameters; Collection <XmlElement> collection; messageSecurity = null; if (sbe.IncludeTimestamp) { SecurityBindingElement element; if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict) { return(false); } flag = true; flag2 = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out element); element = flag2 ? element : sbe; if (isSecureTransportMode && !(element is TransportSecurityBindingElement)) { return(false); } flag3 = true; if (isSecureTransportMode) { if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(element, out parameters)) { return(false); } goto Label_0078; } if (SecurityBindingElement.IsIssuedTokenForSslBinding(element, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11, out parameters)) { flag3 = true; goto Label_0078; } if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(element, out parameters)) { flag3 = false; goto Label_0078; } } return(false); Label_0078: if ((parameters.KeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { return(false); } WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, flag, null, null, null); SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer); if (!parameters.DoAlgorithmsMatch(sbe.DefaultAlgorithmSuite, standardsManager, out collection)) { return(false); } messageSecurity = new FederatedMessageSecurityOverHttp(); messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite; messageSecurity.NegotiateServiceCredential = flag3; messageSecurity.EstablishSecurityContext = flag2; messageSecurity.IssuedTokenType = parameters.TokenType; messageSecurity.IssuerAddress = parameters.IssuerAddress; messageSecurity.IssuerBinding = parameters.IssuerBinding; messageSecurity.IssuerMetadataAddress = parameters.IssuerMetadataAddress; messageSecurity.IssuedKeyType = parameters.KeyType; foreach (ClaimTypeRequirement requirement in parameters.ClaimTypeRequirements) { messageSecurity.ClaimTypeRequirements.Add(requirement); } foreach (XmlElement element2 in collection) { messageSecurity.TokenRequestParameters.Add(element2); } if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0)) { return(false); } return(true); }
private Collection <XmlElement> NormalizeAdditionalParameters(Collection <XmlElement> additionalParameters, TrustDriver driver, bool clientSideClaimTypeRequirementsSpecified) { // Ensure STS trust version is one of the currently supported versions: Feb 05 / Trust 1.3 Fx.Assert(((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) || (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13)), "Unsupported trust version specified for the STS."); // We have a mismatch. Make a local copy of additionalParameters for making any potential modifications // as part of normalization Collection <XmlElement> tmpCollection = new Collection <XmlElement>(); foreach (XmlElement e in additionalParameters) { tmpCollection.Add(e); } // 1. For Trust 1.3 EncryptionAlgorithm, CanonicalizationAlgorithm and KeyWrapAlgorithm should not be // specified as top-level element if "SecondaryParameters" element already specifies this. if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) { Fx.Assert(driver.GetType() == typeof(WSTrustDec2005.DriverDec2005), "Invalid Trust Driver specified for Trust 1.3."); XmlElement encryptionAlgorithmElement = null; XmlElement canonicalizationAlgorithmElement = null; XmlElement keyWrapAlgorithmElement = null; XmlElement secondaryParameter = null; for (int i = 0; i < tmpCollection.Count; ++i) { if (driver.IsEncryptionAlgorithmElement(tmpCollection[i], out string algorithm)) { encryptionAlgorithmElement = tmpCollection[i]; } else if (driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithm)) { canonicalizationAlgorithmElement = tmpCollection[i]; } else if (driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithm)) { keyWrapAlgorithmElement = tmpCollection[i]; } else if (((WSTrustDec2005.DriverDec2005)driver).IsSecondaryParametersElement(tmpCollection[i])) { secondaryParameter = tmpCollection[i]; } } if (secondaryParameter != null) { foreach (XmlNode node in secondaryParameter.ChildNodes) { if (node is XmlElement child) { if (driver.IsEncryptionAlgorithmElement(child, out string algorithm) && (encryptionAlgorithmElement != null)) { tmpCollection.Remove(encryptionAlgorithmElement); } else if (driver.IsCanonicalizationAlgorithmElement(child, out algorithm) && (canonicalizationAlgorithmElement != null)) { tmpCollection.Remove(canonicalizationAlgorithmElement); } else if (driver.IsKeyWrapAlgorithmElement(child, out algorithm) && (keyWrapAlgorithmElement != null)) { tmpCollection.Remove(keyWrapAlgorithmElement); } } } } } // 2. Check for Mismatch. // a. Trust Feb 2005 -> Trust 1.3. do the following, // (i) Copy EncryptionAlgorithm and CanonicalizationAlgorithm as the top-level elements. // Note, this is in contradiction to step 1. But we don't have a choice here as we cannot say from the // Additional Parameters section in the config what came from the service and what came from the client. // (ii) Convert SignWith and EncryptWith elements to Trust 1.3 namespace. // b. For Trust 1.3 -> Trust Feb 2005, do the following, // (i) Find EncryptionAlgorithm, CanonicalizationAlgorithm from inside the "SecondaryParameters" element. // If found, then promote these as the top-level elements replacing the existing values. // (ii) Convert the SignWith and EncryptWith elements to the Trust Feb 2005 namespace and drop the KeyWrapAlgorithm // element. // make an optimistic check to detect mismatched trust-versions between STS and RP bool mismatch = (((driver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && !CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustFeb2005Strings.Namespace)) || ((driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && !CollectionContainsElementsWithTrustNamespace(additionalParameters, TrustDec2005Strings.Namespace))); // if no mismatch, return unmodified collection if (!mismatch) { return(tmpCollection); } // 2.a // If we are talking to a Trust 1.3 STS, replace any Feb '05 algorithm parameters with their Trust 1.3 counterparts if (driver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) { SecurityStandardsManager trustFeb2005StandardsManager = SecurityStandardsManager.DefaultInstance; // the following cast is guaranteed to succeed WSTrustFeb2005.DriverFeb2005 trustFeb2005Driver = (WSTrustFeb2005.DriverFeb2005)trustFeb2005StandardsManager.TrustDriver; for (int i = 0; i < tmpCollection.Count; i++) { if (trustFeb2005Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter)) { tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter); } else if (trustFeb2005Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter)) { tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter); } else if (trustFeb2005Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter)) { tmpCollection[i] = driver.CreateEncryptionAlgorithmElement(algorithmParameter); } else if (trustFeb2005Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter)) { tmpCollection[i] = driver.CreateCanonicalizationAlgorithmElement(algorithmParameter); } } } else { // 2.b // We are talking to a Feb 05 STS. Filter out any SecondaryParameters element. Collection <XmlElement> childrenToPromote = null; WSSecurityTokenSerializer trust13Serializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11, TrustVersion.WSTrust13, SecureConversationVersion.WSSecureConversation13, true, null, null, null); SecurityStandardsManager trust13StandardsManager = new SecurityStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12, trust13Serializer); // the following cast is guaranteed to succeed WSTrustDec2005.DriverDec2005 trust13Driver = (WSTrustDec2005.DriverDec2005)trust13StandardsManager.TrustDriver; foreach (XmlElement parameter in tmpCollection) { // check if SecondaryParameters is present if (trust13Driver.IsSecondaryParametersElement(parameter)) { childrenToPromote = new Collection <XmlElement>(); // walk SecondaryParameters and collect any 'non-standard' children foreach (XmlNode innerNode in parameter.ChildNodes) { if ((innerNode is XmlElement innerElement) && CanPromoteToRoot(innerElement, trust13Driver, clientSideClaimTypeRequirementsSpecified)) { childrenToPromote.Add(innerElement); } } // remove SecondaryParameters element tmpCollection.Remove(parameter); // we are done - break out of the loop break; } } // Probe of standard Trust elements and remember them. if ((childrenToPromote != null) && (childrenToPromote.Count > 0)) { XmlElement encryptionElement = null; XmlElement canonicalizationElement = null; XmlElement requiredClaimsElement = null; Collection <XmlElement> processedElements = new Collection <XmlElement>(); foreach (XmlElement e in childrenToPromote) { if ((encryptionElement == null) && trust13Driver.IsEncryptionAlgorithmElement(e, out string encryptionAlgorithm)) { encryptionElement = driver.CreateEncryptionAlgorithmElement(encryptionAlgorithm); processedElements.Add(e); } else if ((canonicalizationElement == null) && trust13Driver.IsCanonicalizationAlgorithmElement(e, out string canonicalizationAlgoritm)) { canonicalizationElement = driver.CreateCanonicalizationAlgorithmElement(canonicalizationAlgoritm); processedElements.Add(e); } else if ((requiredClaimsElement == null) && trust13Driver.TryParseRequiredClaimsElement(e, out Collection <XmlElement> requiredClaims)) { requiredClaimsElement = driver.CreateRequiredClaimsElement(requiredClaims); processedElements.Add(e); } } for (int i = 0; i < processedElements.Count; ++i) { childrenToPromote.Remove(processedElements[i]); } XmlElement keyWrapAlgorithmElement = null; // Replace the appropriate elements. for (int i = 0; i < tmpCollection.Count; ++i) { if (trust13Driver.IsSignWithElement(tmpCollection[i], out string algorithmParameter)) { tmpCollection[i] = driver.CreateSignWithElement(algorithmParameter); } else if (trust13Driver.IsEncryptWithElement(tmpCollection[i], out algorithmParameter)) { tmpCollection[i] = driver.CreateEncryptWithElement(algorithmParameter); } else if (trust13Driver.IsEncryptionAlgorithmElement(tmpCollection[i], out algorithmParameter) && (encryptionElement != null)) { tmpCollection[i] = encryptionElement; encryptionElement = null; } else if (trust13Driver.IsCanonicalizationAlgorithmElement(tmpCollection[i], out algorithmParameter) && (canonicalizationElement != null)) { tmpCollection[i] = canonicalizationElement; canonicalizationElement = null; } else if (trust13Driver.IsKeyWrapAlgorithmElement(tmpCollection[i], out algorithmParameter) && (keyWrapAlgorithmElement == null)) { keyWrapAlgorithmElement = tmpCollection[i]; } else if (trust13Driver.TryParseRequiredClaimsElement(tmpCollection[i], out Collection <XmlElement> reqClaims) && (requiredClaimsElement != null)) { tmpCollection[i] = requiredClaimsElement; requiredClaimsElement = null; } } if (keyWrapAlgorithmElement != null) { // Remove KeyWrapAlgorithmElement as this is not define in Trust Feb 2005. tmpCollection.Remove(keyWrapAlgorithmElement); } // Add the remaining elements to the additionaParameters list to the end. if (encryptionElement != null) { tmpCollection.Add(encryptionElement); } if (canonicalizationElement != null) { tmpCollection.Add(canonicalizationElement); } if (requiredClaimsElement != null) { tmpCollection.Add(requiredClaimsElement); } if (childrenToPromote.Count > 0) { // There are some non-standard elements. Just bump them to the top-level element. for (int i = 0; i < childrenToPromote.Count; ++i) { tmpCollection.Add(childrenToPromote[i]); } } } } return(tmpCollection); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { SecurityBindingElement element; SecurityBindingElement element3; if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding"))); } if (isReliableSession && !this.EstablishSecurityContext) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession"))); } bool emitBspRequiredAttributes = true; IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding) { IssuerMetadataAddress = this.issuerMetadataAddress, KeyType = this.IssuedKeyType }; if (this.IssuedKeyType == SecurityKeyType.SymmetricKey) { issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength; } else { issuedTokenParameters.KeySize = 0; } foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements) { issuedTokenParameters.ClaimTypeRequirements.Add(requirement); } foreach (XmlElement element2 in this.TokenRequestParameters) { issuedTokenParameters.AdditionalRequestParameters.Add(element2); } WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null); SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer); issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType); if (isSecureTransportMode) { element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters); } else if (this.negotiateServiceCredential) { element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11); } else { element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters); } element3.MessageSecurityVersion = version; element3.DefaultAlgorithmSuite = this.AlgorithmSuite; if (this.EstablishSecurityContext) { element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true); } else { element = element3; } element.MessageSecurityVersion = version; element.DefaultAlgorithmSuite = this.AlgorithmSuite; element.IncludeTimestamp = true; if (!isReliableSession) { element.LocalServiceSettings.ReconnectTransportOnFailure = false; element.LocalClientSettings.ReconnectTransportOnFailure = false; } else { element.LocalServiceSettings.ReconnectTransportOnFailure = true; element.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.establishSecurityContext) { element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime; } return(element); }
internal static bool IsInfoCardParameters(IssuedSecurityTokenParameters parameters, SecurityStandardsManager standardsManager) { if (parameters == null) { return(false); } if (parameters.TokenType != "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1") { return(false); } if (parameters.KeyType != SecurityKeyType.AsymmetricKey) { return(false); } if (parameters.ClaimTypeRequirements.Count == 1) { ClaimTypeRequirement requirement = parameters.ClaimTypeRequirements[0]; if (requirement == null) { return(false); } if (requirement.ClaimType != wsidPPIClaim) { return(false); } } else { if ((parameters.AdditionalRequestParameters == null) || (parameters.AdditionalRequestParameters.Count <= 0)) { return(false); } bool flag = false; XmlElement claimTypeRequirement = GetClaimTypeRequirement(parameters.AdditionalRequestParameters, standardsManager); if ((claimTypeRequirement != null) && (claimTypeRequirement.ChildNodes.Count == 1)) { XmlElement element2 = claimTypeRequirement.ChildNodes[0] as XmlElement; if (element2 != null) { System.Xml.XmlNode namedItem = element2.Attributes.GetNamedItem("Uri"); if ((namedItem != null) && (namedItem.Value == wsidPPIClaim)) { flag = true; } } } if (!flag) { return(false); } } if (parameters.IssuerAddress != null) { return(false); } if ((parameters.AlternativeIssuerEndpoints != null) && (parameters.AlternativeIssuerEndpoints.Count > 0)) { return(false); } return(true); }