public DerivedKeySecurityToken (string id, string algorithm,
SecurityKeyIdentifierClause reference,
SymmetricSecurityKey referencedKey,
string name,
int? generation,
int? offset,
int? length,
string label,
byte [] nonce)
{
algorithm = algorithm ?? SecurityAlgorithms.Psha1KeyDerivation;
this.id = id;
this.algorithm = algorithm;
this.reference = reference;
this.generation = generation;
this.offset = offset;
this.length = length;
this.nonce = nonce;
this.name = name;
this.label = label;
SecurityKey key = new InMemorySymmetricSecurityKey (
referencedKey.GenerateDerivedKey (
algorithm,
Encoding.UTF8.GetBytes (label ?? Constants.WsscDefaultLabel),
nonce,
(length ?? 32) * 8,
offset ?? 0));
keys = new ReadOnlyCollection<SecurityKey> (
new SecurityKey [] {key});
}
internal DerivedKeySecurityToken(int generation, int offset, int length, string label, byte[] nonce, SecurityToken tokenToDerive, SecurityKeyIdentifierClause tokenToDeriveIdentifier, string derivationAlgorithm, string id)
{
this.length = -1;
this.offset = -1;
this.generation = -1;
this.Initialize(id, generation, offset, length, label, nonce, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm, false);
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveSecurityKeyCore( SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
key = null;
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ( rawDataClause != null )
{
key = rawDataClause.CreateKey();
return true;
}
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if ( rsaClause != null )
{
key = rsaClause.CreateKey();
return true;
}
if ( _wrappedTokenResolver.TryResolveSecurityKey( keyIdentifierClause, out key ) )
{
return true;
}
return false;
}
public override bool Matches (
SecurityKeyIdentifierClause keyIdentifierClause)
{
SecurityContextKeyIdentifierClause other =
keyIdentifierClause as SecurityContextKeyIdentifierClause;
return other != null && Matches (other.context, other.generation);
}
public override void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause clause = keyIdentifierClause as EncryptedKeyIdentifierClause;
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.EncryptedKey, this.NamespaceUri);
if (clause.EncryptionMethod != null)
{
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.EncryptionMethod, this.NamespaceUri);
writer.WriteAttributeString(XD.XmlEncryptionDictionary.AlgorithmAttribute, null, clause.EncryptionMethod);
if (clause.EncryptionMethod == XD.SecurityAlgorithmDictionary.RsaOaepKeyWrap.Value)
{
writer.WriteStartElement("", XD.XmlSignatureDictionary.DigestMethod, XD.XmlSignatureDictionary.Namespace);
writer.WriteAttributeString(XD.XmlSignatureDictionary.Algorithm, null, "http://www.w3.org/2000/09/xmldsig#sha1");
writer.WriteEndElement();
}
writer.WriteEndElement();
}
if (clause.EncryptingKeyIdentifier != null)
{
this.tokenSerializer.WriteKeyIdentifier(writer, clause.EncryptingKeyIdentifier);
}
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CipherData, this.NamespaceUri);
writer.WriteStartElement(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CipherValue, this.NamespaceUri);
byte[] encryptedKey = clause.GetEncryptedKey();
writer.WriteBase64(encryptedKey, 0, encryptedKey.Length);
writer.WriteEndElement();
writer.WriteEndElement();
if (clause.CarriedKeyName != null)
{
writer.WriteElementString(XD.XmlEncryptionDictionary.Prefix.Value, XD.XmlEncryptionDictionary.CarriedKeyName, this.NamespaceUri, clause.CarriedKeyName);
}
writer.WriteEndElement();
}
public override bool Matches (SecurityKeyIdentifierClause keyIdentifierClause)
{
InternalEncryptedKeyIdentifierClause kic = keyIdentifierClause as InternalEncryptedKeyIdentifierClause;
if (kic == null)
return false;
return Matches (kic.GetRawBuffer ());
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
GenericXmlSecurityKeyIdentifierClause that = keyIdentifierClause as GenericXmlSecurityKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.ReferenceXml));
}
public override bool Matches (SecurityKeyIdentifierClause clause)
{
BinaryKeyIdentifierClause other =
clause as BinaryKeyIdentifierClause;
if (other == null)
return false;
return Matches (other.GetRawBuffer ());
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
RsaKeyIdentifierClause that = keyIdentifierClause as RsaKeyIdentifierClause;
// PreSharp Bug: Parameter 'that' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.rsa));
}
public override bool Matches (SecurityKeyIdentifierClause clause)
{
if (clause == null)
throw new ArgumentNullException ("clause");
LocalIdKeyIdentifierClause c =
clause as LocalIdKeyIdentifierClause;
return c != null && Matches (c.LocalId, c.OwnerType);
}
public override bool Matches (SecurityKeyIdentifierClause clause)
{
if (clause == null)
throw new ArgumentNullException ("clause");
KeyNameIdentifierClause knic =
clause as KeyNameIdentifierClause;
return knic != null && Matches (knic.KeyName);
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SecurityContextKeyIdentifierClause that = keyIdentifierClause as SecurityContextKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.contextId, this.generation));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause that = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.assertionId));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
LocalIdKeyIdentifierClause that = keyIdentifierClause as LocalIdKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.localId, this.OwnerType));
}
public override bool Matches (SecurityKeyIdentifierClause clause)
{
if (clause == null)
throw new ArgumentNullException ("clause");
RsaKeyIdentifierClause rkic =
clause as RsaKeyIdentifierClause;
return rkic != null && Matches (rkic.Rsa);
}
public static string GetKeyIdentifierClauseXml (SecurityTokenSerializer serializer, XmlWriterSettings settings, SecurityKeyIdentifierClause item)
{
StringWriter sw = new StringWriter ();
using (XmlWriter xw = XmlWriter.Create (sw)) {
serializer.WriteKeyIdentifierClause (xw, item);
}
return sw.ToString ();
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
X509IssuerSerialKeyIdentifierClause that = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.issuerName, this.issuerSerialNumber));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
// PreSharp Bug: Parameter 'that' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.GetRawBuffer(), this.encryptionMethod, this.carriedKeyName));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.GetRawBuffer(), this.encryptionMethod, this.carriedKeyName));
}
public bool TryResolveSecurityKey(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
return this.TryResolveSecurityKeyCore(keyIdentifierClause, out key);
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
BinaryKeyIdentifierClause that = keyIdentifierClause as BinaryKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return ReferenceEquals(this, that) || (that != null && that.Matches(this.identificationData));
}
public bool CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
return this.CanWriteKeyIdentifierClauseCore(keyIdentifierClause);
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionDirectKeyIdentifierClause that = keyIdentifierClause as SamlAssertionDirectKeyIdentifierClause;
// PreSharp Bug: Parameter 'that' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
return (ReferenceEquals(this, that) || (that != null && that.SamlUri == this.SamlUri));
}
/// <summary>
/// Constructor to use when working with SecurityKeyIdentifierClauses
/// </summary>
/// <param name="securityKeyIdentifierClause">SecurityKeyIdentifierClause that represents a SecuriytKey</param>
/// <param name="securityTokenResolver">SecurityTokenResolver that can be resolved to a SecurityKey</param>
/// <exception cref="ArgumentNullException">Thrown if the 'clause' is null</exception>
public SecurityKeyElement(SecurityKeyIdentifierClause securityKeyIdentifierClause, SecurityTokenResolver securityTokenResolver)
{
if (securityKeyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityKeyIdentifierClause");
}
Initialize(new SecurityKeyIdentifier(securityKeyIdentifierClause), securityTokenResolver);
}
internal DerivedKeySecurityToken(int generation, int offset, int length, string label, int minNonceLength, SecurityToken tokenToDerive, SecurityKeyIdentifierClause tokenToDeriveIdentifier, string derivationAlgorithm, string id)
{
this.length = -1;
this.offset = -1;
this.generation = -1;
byte[] data = new byte[minNonceLength];
new RNGCryptoServiceProvider().GetBytes(data);
this.Initialize(id, generation, offset, length, label, data, tokenToDerive, tokenToDeriveIdentifier, derivationAlgorithm);
}
private bool MatchDirectReference(SecurityToken token, SecurityKeyIdentifierClause keyClause)
{
LocalIdKeyIdentifierClause keyIdentifierClause = keyClause as LocalIdKeyIdentifierClause;
if (keyIdentifierClause == null)
{
return false;
}
return token.MatchesKeyIdentifierClause(keyIdentifierClause);
}
public override SecurityKey ResolveKeyIdentifierClause(
SecurityKeyIdentifierClause keyIdentifierClause
) {
if( MatchesKeyIdentifierClause( keyIdentifierClause ) ) {
return GetKey();
}
return null;
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
if (keyIdentifierClause is CustomTokenKeyIdentifierClause)
{
return true;
}
return false;
}
protected override bool TryResolveTokenCore (
SecurityKeyIdentifierClause keyIdentifierClause,
out SecurityToken token)
{
token = null;
foreach (SecurityTokenResolver r in resolvers)
if (r != null && r.TryResolveToken (keyIdentifierClause, out token))
return true;
return false;
}
protected override bool TryResolveSecurityKeyCore (
SecurityKeyIdentifierClause keyIdentifierClause,
out SecurityKey key)
{
key = null;
foreach (SecurityTokenResolver r in resolvers)
if (r != null && r.TryResolveSecurityKey (keyIdentifierClause, out key))
return true;
return false;
}
public override Type GetTokenType(SecurityKeyIdentifierClause clause)
{
return(TokenType);
}
public override bool SupportsCore(SecurityKeyIdentifierClause clause)
{
return(clause is LocalIdKeyIdentifierClause);
}
public override bool SupportsCore(SecurityKeyIdentifierClause clause)
{
return(ClauseType.IsAssignableFrom(clause.GetType()));
}
public override Type GetTokenType(SecurityKeyIdentifierClause clause)
{
return(typeof(X509SecurityToken));
}
/// <summary>
/// Determines if this token matches the keyIdentifierClause.
/// </summary>
/// <param name="keyIdentifierClause"><see cref="SecurityKeyIdentifierClause"/> to match.</param>
/// <returns>True if the keyIdentifierClause is matched. False otherwise.</returns>
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(Saml2AssertionKeyIdentifierClause.Matches(this.Id, keyIdentifierClause) ||
base.MatchesKeyIdentifierClause(keyIdentifierClause));
}
public void WriteKeyIdentifierClause(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
throw new NotImplementedException();
}
/// <summary>
/// Inherited from <see cref="SecurityToken"/>.
/// </summary>
public override SecurityKey ResolveKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(_realToken.ResolveKeyIdentifierClause(keyIdentifierClause));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
LocalIdKeyIdentifierClause that = keyIdentifierClause as LocalIdKeyIdentifierClause;
return(ReferenceEquals(this, that) || (that != null && that.Matches(_localId, this.OwnerType)));
}
public override bool Matches(SecurityKeyIdentifierClause clause)
{
throw new NotImplementedException();
}
/// <summary>
/// Serializes the given SecurityKeyIdentifierClause in a XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write into.</param>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to be written.</param>
protected override void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
_securityTokenHandlers.WriteKeyIdentifierClause(writer, keyIdentifierClause);
}
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(((this.internalTokenReference != null) && this.internalTokenReference.Matches(keyIdentifierClause)) || ((this.externalTokenReference != null) && this.externalTokenReference.Matches(keyIdentifierClause)));
}
public GenericXmlSecurityToken(XmlElement tokenXml, SecurityToken proofToken, DateTime effectiveTime, DateTime expirationTime, SecurityKeyIdentifierClause internalTokenReference, SecurityKeyIdentifierClause externalTokenReference, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
{
if (tokenXml == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenXml");
}
this.id = GetId(tokenXml);
this.tokenXml = tokenXml;
this.proofToken = proofToken;
this.effectiveTime = effectiveTime.ToUniversalTime();
this.expirationTime = expirationTime.ToUniversalTime();
this.internalTokenReference = internalTokenReference;
this.externalTokenReference = externalTokenReference;
this.authorizationPolicies = authorizationPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
public override void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
for (int i = 0; i < StrEntries.Count; ++i)
{
if (StrEntries[i].SupportsCore(keyIdentifierClause))
{
writer.WriteStartElement(XD.SecurityJan2004Dictionary.Prefix.Value, XD.SecurityJan2004Dictionary.SecurityTokenReference, XD.SecurityJan2004Dictionary.Namespace);
StrEntries[i].WriteContent(writer, keyIdentifierClause);
writer.WriteEndElement();
return;
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.StandardsManagerCannotWriteObject, keyIdentifierClause.GetType())));
}
protected virtual void WriteKeyIdentifierClauseCore(XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
throw new NotImplementedException();
}
/// <summary>
/// Returns a value that indicates whether the key identifier for this instance
/// is equivalent to the specified key identifier clause.
/// </summary>
/// <param name="keyIdentifierClause">A <see cref="SecurityKeyIdentifierClause"/> to compare to.</param>
/// <returns>'True' if keyIdentifierClause matches this. 'False' otherwise.</returns>
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(this.clause.Matches(keyIdentifierClause));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
X509IssuerSerialKeyIdentifierClause objB = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
return(object.ReferenceEquals(this, objB) || ((objB != null) && objB.Matches(this.issuerName, this.issuerSerialNumber)));
}
public override bool SupportsCore(SecurityKeyIdentifierClause clause)
{
return(clause is X509IssuerSerialKeyIdentifierClause);
}
protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause, out System.IdentityModel.Tokens.SecurityToken token)
{
throw new NotImplementedException();
}
/// <summary>
/// Inherited from <see cref="SecurityToken"/>.
/// </summary>
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(_realToken.MatchesKeyIdentifierClause(keyIdentifierClause));
}
public virtual bool CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause securityKeyIdentifierClause)
{
return(false);
}
public virtual bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
return(ReferenceEquals(this, keyIdentifierClause));
}
protected override void WriteKeyIdentifierClauseCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause)
{
throw new NotImplementedException();
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
EncryptedKeyIdentifierClause that = keyIdentifierClause as EncryptedKeyIdentifierClause;
return(ReferenceEquals(this, that) || (that != null && that.Matches(GetRawBuffer(), _encryptionMethod, CarriedKeyName)));
}
public override Type GetTokenType(SecurityKeyIdentifierClause clause)
{
LocalIdKeyIdentifierClause localClause = clause as LocalIdKeyIdentifierClause;
return(localClause.OwnerType);
}
public virtual bool MatchesKeyIdentifierClause(
SecurityKeyIdentifierClause skiClause)
{
return(false);
}
/// <summary> /// When implemented in the derived class, the method checks if the given /// SecurityKeyIdentifierClause can be serialized. /// </summary> /// <param name="securityKeyIdentifierClause">SecurityKeyIdentifierClause to be serialized.</param> /// <returns>True if the SecurityKeyIdentifierClause can be serialized.</returns> public abstract bool CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause securityKeyIdentifierClause);
protected override bool CanWriteKeyIdentifierClauseCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause)
{
throw new NotImplementedException();
}
/// <summary> /// When implemented in the derived class will serialize the given SecurityKeyIdentifierClause /// to the XmlWriter. /// </summary> /// <param name="writer">XmlWriter to serialize the SecurityKeyIdenfierClause.</param> /// <param name="securityKeyIdentifierClause">SecurityKeyIdentifierClause to be serialized.</param> public abstract void WriteKeyIdentifierClause(XmlWriter writer, SecurityKeyIdentifierClause securityKeyIdentifierClause);
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
X509Store store = null;
X509Certificate2Collection certs = null;
try
{
store = new X509Store(this.storeName, this.storeLocation);
store.Open(OpenFlags.ReadOnly);
certs = store.Certificates;
foreach (X509Certificate2 cert in certs)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null && thumbprintKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerSerialKeyIdentifierClause != null && issuerSerialKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null && subjectKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataKeyIdentifierClause != null && rawDataKeyIdentifierClause.Matches(cert))
{
token = new X509SecurityToken(cert);
return(true);
}
}
}
finally
{
if (certs != null)
{
for (int i = 0; i < certs.Count; i++)
{
certs[i].Reset();
}
}
if (store != null)
{
store.Close();
}
}
return(false);
}
public string GetLocalTokenTypeUri(SecurityKeyIdentifierClause clause)
{
Type tokenType = GetTokenType(clause);
return(_tokenSerializer.GetTokenTypeUri(tokenType));
}
