/// <summary>
/// Produces an endorsing signature with every endorsing and signed-endorsing supporting
/// token held by <c>ElementContainer</c>: each token and a key identifier clause for it
/// are handed to <c>SignWithSupportingToken</c>.
/// </summary>
/// <remarks>
/// <c>_endorsingTokenParameters</c> and <c>_signedEndorsingTokenParameters</c> are indexed
/// in step with their token arrays; the i-th parameters describe the i-th token.
/// Derived-key signing for symmetric tokens is not implemented in this version: when the
/// parameters require derived keys and the token has no asymmetric key, the method throws
/// the platform-not-supported exception from <c>ExceptionHelper</c>.
/// </remarks>
/// <exception cref="MessageSecurityException">
/// Thrown when no key identifier clause can be created for a token; without one the
/// signature could not reference the key it was produced with.
/// </exception>
private void SignWithSupportingTokens()
{
    var endorsing = ElementContainer.GetEndorsingSupportingTokens();
    if (endorsing != null)
    {
        for (int index = 0; index < endorsing.Length; index++)
        {
            SecurityToken token = endorsing[index];
            var tokenParameters = _endorsingTokenParameters[index];
            SecurityKeyIdentifierClause keyClause = tokenParameters.CreateKeyIdentifierClause(token, GetTokenReferenceStyle(tokenParameters));
            if (keyClause == null)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
            }
            // Symmetric tokens that require a derived signing key cannot be handled here.
            if (tokenParameters.RequireDerivedKeys && !tokenParameters.HasAsymmetricKey)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }
            SignWithSupportingToken(token, keyClause);
        }
    }

    var signedEndorsing = ElementContainer.GetSignedEndorsingSupportingTokens();
    if (signedEndorsing != null)
    {
        for (int index = 0; index < signedEndorsing.Length; index++)
        {
            SecurityToken token = signedEndorsing[index];
            var tokenParameters = _signedEndorsingTokenParameters[index];
            SecurityKeyIdentifierClause keyClause = tokenParameters.CreateKeyIdentifierClause(token, GetTokenReferenceStyle(tokenParameters));
            if (keyClause == null)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.TokenManagerCannotCreateTokenReference), Message);
            }
            // Same restriction as for the endorsing tokens above.
            if (tokenParameters.RequireDerivedKeys && !tokenParameters.HasAsymmetricKey)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }
            SignWithSupportingToken(token, keyClause);
        }
    }
}
/// <summary>
/// Signs the message with each endorsing and signed-endorsing supporting token from
/// <c>ElementContainer</c>. When a token's parameters require derived keys and the token
/// carries no asymmetric key, a <c>DerivedKeySecurityToken</c> is derived from it, added
/// to the container, and used for the signature in place of the source token.
/// </summary>
/// <remarks>
/// <c>_endorsingTokenParameters</c> and <c>_signedEndorsingTokenParameters</c> are indexed
/// in step with their token arrays; the i-th parameters describe the i-th token.
/// </remarks>
/// <exception cref="MessageSecurityException">
/// Thrown when no key identifier clause can be created for a token; without one the
/// signature could not reference the key it was produced with.
/// </exception>
private void SignWithSupportingTokens()
{
    // Builds the derived-key token that stands in for a symmetric source token. Derivation
    // algorithm and key length follow the SecureConversation version of the configured
    // MessageSecurityVersion; the nonce uses DerivedKeySecurityToken.DefaultNonceLength.
    DerivedKeySecurityToken DeriveSigningToken(SecurityToken sourceToken, SecurityKeyIdentifierClause sourceClause)
    {
        var secureConversationVersion = StandardsManager.MessageSecurityVersion.SecureConversationVersion;
        string algorithm = SecurityUtils.GetKeyDerivationAlgorithm(secureConversationVersion);
        var keyLength = AlgorithmSuite.GetSignatureKeyDerivationLength(sourceToken, secureConversationVersion);
        var tokenId = GenerateId();
        // Generation -1, offset 0 and a null label — presumably "no explicit generation/offset";
        // the constructor's semantics for these are not visible here.
        return new DerivedKeySecurityToken(-1, 0, keyLength, null, DerivedKeySecurityToken.DefaultNonceLength, sourceToken, sourceClause, algorithm, tokenId);
    }

    var endorsingTokens = ElementContainer.GetEndorsingSupportingTokens();
    if (endorsingTokens != null)
    {
        for (int index = 0; index < endorsingTokens.Length; index++)
        {
            SecurityToken token = endorsingTokens[index];
            var tokenParameters = _endorsingTokenParameters[index];
            SecurityKeyIdentifierClause keyClause = tokenParameters.CreateKeyIdentifierClause(token, GetTokenReferenceStyle(tokenParameters));
            if (keyClause == null)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message);
            }
            if (tokenParameters.RequireDerivedKeys && !tokenParameters.HasAsymmetricKey)
            {
                DerivedKeySecurityToken derived = DeriveSigningToken(token, keyClause);
                // The signature references the derived token by its local id, so the token
                // itself must be emitted in the header (the container takes care of that).
                SecurityKeyIdentifierClause derivedClause = new LocalIdKeyIdentifierClause(derived.Id, derived.GetType());
                ElementContainer.AddEndorsingDerivedSupportingToken(derived);
                SignWithSupportingToken(derived, derivedClause);
            }
            else
            {
                SignWithSupportingToken(token, keyClause);
            }
        }
    }

    var signedEndorsingTokens = ElementContainer.GetSignedEndorsingSupportingTokens();
    if (signedEndorsingTokens != null)
    {
        for (int index = 0; index < signedEndorsingTokens.Length; index++)
        {
            SecurityToken token = signedEndorsingTokens[index];
            var tokenParameters = _signedEndorsingTokenParameters[index];
            SecurityKeyIdentifierClause keyClause = tokenParameters.CreateKeyIdentifierClause(token, GetTokenReferenceStyle(tokenParameters));
            if (keyClause == null)
            {
                throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message);
            }
            if (tokenParameters.RequireDerivedKeys && !tokenParameters.HasAsymmetricKey)
            {
                DerivedKeySecurityToken derived = DeriveSigningToken(token, keyClause);
                SecurityKeyIdentifierClause derivedClause = new LocalIdKeyIdentifierClause(derived.Id, derived.GetType());
                // Signed-endorsing derived tokens go into their own container list.
                ElementContainer.AddSignedEndorsingDerivedSupportingToken(derived);
                SignWithSupportingToken(derived, derivedClause);
            }
            else
            {
                SignWithSupportingToken(token, keyClause);
            }
        }
    }
}
/// <summary>
/// Writes the body of the WS-Security header in wire order: timestamp (unless the layout
/// puts it last), prerequisite and signing/encryption tokens, supporting tokens of every
/// kind, signature confirmations, the primary signature, endorsing signatures, the
/// encryption reference list, and finally the timestamp when the layout is
/// <c>LaxTimestampLast</c>. The order of the writes below is the header layout and must
/// not be rearranged casually.
/// </summary>
/// <param name="writer">Destination for the header elements.</param>
/// <param name="messageVersion">Not read by this implementation.</param>
/// <exception cref="InvalidOperationException">
/// Thrown when basic supporting tokens are present, message protection is required, and
/// the basic tokens have not been encrypted — writing them would put them on the wire in
/// the clear.
/// </exception>
protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
{
    // Refuse to serialize basic (e.g. password-bearing) tokens unprotected when protection is required.
    if (_basicSupportingTokenParameters != null && _basicSupportingTokenParameters.Count > 0 && RequireMessageProtection && !_basicTokenEncrypted)
    {
        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.BasicTokenCannotBeWrittenWithoutEncryption), Message);
    }

    // Timestamp goes first for every layout except LaxTimestampLast (written at the end instead).
    if (ElementContainer.Timestamp != null && Layout != SecurityHeaderLayout.LaxTimestampLast)
    {
        StandardsManager.WSUtilitySpecificationVersion.WriteTimestamp(writer, ElementContainer.Timestamp);
    }

    if (ElementContainer.PrerequisiteToken != null)
    {
        StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.PrerequisiteToken);
    }

    // Primary signing token: only serialized when ShouldSerializeToken allows it for this direction.
    if (ElementContainer.SourceSigningToken != null)
    {
        if (ShouldSerializeToken(SigningTokenParameters, MessageDirection))
        {
            StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.SourceSigningToken);
            // Implement Protect token
            // NOTE: The spec says sign the primary token if it is not included in the message. But we currently are not supporting it
            // as we do not support STR-Transform for external references. Hence we can not sign the token which is external ie not in the message.
            // This only affects the messages from service to client where
            // 1. allowSerializedSigningTokenOnReply is false.
            // 2. SymmetricSecurityBindingElement with IssuedTokens binding where the issued token has a symmetric key.
            if (ShouldProtectTokens)
            {
                WriteSecurityTokenReferencyEntry(writer, ElementContainer.SourceSigningToken, SigningTokenParameters);
            }
        }
    }

    if (ElementContainer.DerivedSigningToken != null)
    {
        StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.DerivedSigningToken);
    }

    // The encryption token is written separately only when it differs from the signing token.
    if (ElementContainer.SourceEncryptionToken != null && ElementContainer.SourceEncryptionToken != ElementContainer.SourceSigningToken && ShouldSerializeToken(_encryptingTokenParameters, MessageDirection))
    {
        StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.SourceEncryptionToken);
    }

    if (ElementContainer.WrappedEncryptionToken != null)
    {
        StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.WrappedEncryptionToken);
    }

    if (ElementContainer.DerivedEncryptionToken != null)
    {
        StandardsManager.SecurityTokenSerializer.WriteToken(writer, ElementContainer.DerivedEncryptionToken);
    }

    // In sign-then-encrypt mode the reference list precedes the supporting tokens and
    // signatures; otherwise it is written after the signatures (see below).
    if (SignThenEncrypt)
    {
        if (ElementContainer.ReferenceList != null)
        {
            ElementContainer.ReferenceList.WriteTo(writer, ServiceModelDictionaryManager.Instance);
        }
    }

    // Signed supporting tokens: each token is followed by a reference entry
    // (presumably what gets it covered by the primary signature — verify in WriteSecurityTokenReferencyEntry).
    SecurityToken[] signedTokens = ElementContainer.GetSignedSupportingTokens();
    if (signedTokens != null)
    {
        for (int i = 0; i < signedTokens.Length; ++i)
        {
            StandardsManager.SecurityTokenSerializer.WriteToken(writer, signedTokens[i]);
            WriteSecurityTokenReferencyEntry(writer, signedTokens[i], _signedTokenParameters[i]);
        }
    }

    // Basic supporting tokens are held as pre-built XML elements; _basicTokens[i] is the
    // matching SecurityToken and is only referenced when signing precedes encryption.
    SendSecurityHeaderElement[] basicTokensXml = ElementContainer.GetBasicSupportingTokens();
    if (basicTokensXml != null)
    {
        for (int i = 0; i < basicTokensXml.Length; ++i)
        {
            basicTokensXml[i].Item.WriteTo(writer, ServiceModelDictionaryManager.Instance);
            if (SignThenEncrypt)
            {
                WriteSecurityTokenReferencyEntry(writer, _basicTokens[i], _basicSupportingTokenParameters[i]);
            }
        }
    }

    // Endorsing tokens are subject to the per-token serialization decision; their derived
    // tokens are always written.
    SecurityToken[] endorsingTokens = ElementContainer.GetEndorsingSupportingTokens();
    if (endorsingTokens != null)
    {
        for (int i = 0; i < endorsingTokens.Length; ++i)
        {
            if (ShouldSerializeToken(_endorsingTokenParameters[i], MessageDirection))
            {
                StandardsManager.SecurityTokenSerializer.WriteToken(writer, endorsingTokens[i]);
            }
        }
    }

    SecurityToken[] endorsingDerivedTokens = ElementContainer.GetEndorsingDerivedSupportingTokens();
    if (endorsingDerivedTokens != null)
    {
        for (int i = 0; i < endorsingDerivedTokens.Length; ++i)
        {
            StandardsManager.SecurityTokenSerializer.WriteToken(writer, endorsingDerivedTokens[i]);
        }
    }

    // Signed-endorsing tokens are always written and get a reference entry like signed tokens.
    SecurityToken[] signedEndorsingTokens = ElementContainer.GetSignedEndorsingSupportingTokens();
    if (signedEndorsingTokens != null)
    {
        for (int i = 0; i < signedEndorsingTokens.Length; ++i)
        {
            StandardsManager.SecurityTokenSerializer.WriteToken(writer, signedEndorsingTokens[i]);
            WriteSecurityTokenReferencyEntry(writer, signedEndorsingTokens[i], _signedEndorsingTokenParameters[i]);
        }
    }

    SecurityToken[] signedEndorsingDerivedTokens = ElementContainer.GetSignedEndorsingDerivedSupportingTokens();
    if (signedEndorsingDerivedTokens != null)
    {
        for (int i = 0; i < signedEndorsingDerivedTokens.Length; ++i)
        {
            StandardsManager.SecurityTokenSerializer.WriteToken(writer, signedEndorsingDerivedTokens[i]);
        }
    }

    SendSecurityHeaderElement[] signatureConfirmations = ElementContainer.GetSignatureConfirmations();
    if (signatureConfirmations != null)
    {
        for (int i = 0; i < signatureConfirmations.Length; ++i)
        {
            signatureConfirmations[i].Item.WriteTo(writer, ServiceModelDictionaryManager.Instance);
        }
    }

    // Primary signature, then the endorsing signatures that cover it.
    if (ElementContainer.PrimarySignature != null && ElementContainer.PrimarySignature.Item != null)
    {
        ElementContainer.PrimarySignature.Item.WriteTo(writer, ServiceModelDictionaryManager.Instance);
    }

    SendSecurityHeaderElement[] endorsingSignatures = ElementContainer.GetEndorsingSignatures();
    if (endorsingSignatures != null)
    {
        for (int i = 0; i < endorsingSignatures.Length; ++i)
        {
            endorsingSignatures[i].Item.WriteTo(writer, ServiceModelDictionaryManager.Instance);
        }
    }

    // Encrypt-then-sign: the reference list follows the signatures.
    if (!SignThenEncrypt)
    {
        if (ElementContainer.ReferenceList != null)
        {
            ElementContainer.ReferenceList.WriteTo(writer, ServiceModelDictionaryManager.Instance);
        }
    }

    // LaxTimestampLast layout: timestamp is the final element of the header.
    if (ElementContainer.Timestamp != null && Layout == SecurityHeaderLayout.LaxTimestampLast)
    {
        StandardsManager.WSUtilitySpecificationVersion.WriteTimestamp(writer, ElementContainer.Timestamp);
    }
}