/// <summary>
/// Reads a single security token from the element the reader is positioned on, authenticates it
/// against the currently allowed authenticators, files it with the matching tracker and token
/// resolvers, and hands it to the element manager (appended, or stored at the slot of the
/// encrypted element it came from).
/// </summary>
/// <param name="reader">Reader positioned on the token element.</param>
/// <param name="position">Element index to fill, or <c>AppendPosition</c> to append.</param>
/// <param name="decryptedBuffer">Decrypted bytes of the element; non-null exactly when
/// <paramref name="position"/> is not <c>AppendPosition</c>.</param>
/// <param name="encryptionToken">Token that encrypted the element; non-null exactly when
/// <paramref name="position"/> is not <c>AppendPosition</c>.</param>
/// <param name="idInEncryptedForm">Not referenced by this method.</param>
/// <param name="timeout">Not referenced by this method.</param>
/// <exception cref="MessageSecurityException">
/// The token could not be read, a derived-key token could not be resolved under strict layout,
/// the authenticator is unknown, or a basic/signed supporting token arrived when none was expected.
/// </exception>
private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer, SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout)
{
    // decryptedBuffer and encryptionToken travel together with a non-append position.
    Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters");
    Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters");

    // Captured before the inner read advances the reader, so a failure can still name the element.
    string elementName = reader.LocalName;
    string elementNamespace = reader.NamespaceURI;
    string elementValueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null);

    SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out SecurityTokenAuthenticator authenticator);
    if (token is null)
    {
        throw TraceUtility.ThrowHelperError(
            new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, elementName, elementNamespace, elementValueType)),
            Message);
    }

    if (token is DerivedKeySecurityToken derivedKey)
    {
        // The per-header derived-key budget is checked before any key material is derived.
        EnsureDerivedKeyLimitNotReached();
        derivedKey.InitializeDerivedKey(MaxDerivedKeyLength);
    }

    bool isPrimaryToken = authenticator == _primaryTokenAuthenticator;
    if (isPrimaryToken)
    {
        // Only one primary token is accepted: its authenticator is withdrawn for later elements.
        _allowedAuthenticators.Remove(authenticator);
    }

    ReceiveSecurityHeaderBindingModes bindingMode;
    TokenTracker supportingTracker = null;

    if (isPrimaryToken)
    {
        // Primary token: register it with both resolvers under the primary token parameters.
        _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
        _primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);

        // A supporting authenticator held back until the primary token was seen becomes allowed now.
        if (_pendingSupportingTokenAuthenticator != null)
        {
            _allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator);
            _pendingSupportingTokenAuthenticator = null;
        }

        _primaryTokenTracker.RecordToken(token);
        bindingMode = ReceiveSecurityHeaderBindingModes.Primary;
    }
    else if (authenticator == DerivedTokenAuthenticator)
    {
        if (token is DerivedKeySecurityTokenStub unresolvedStub)
        {
            // Under strict layout the key a derived-key token points at must already be known.
            if (Layout == SecurityHeaderLayout.Strict)
            {
                throw TraceUtility.ThrowHelperError(
                    new MessageSecurityException(SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, unresolvedStub.TokenToDeriveIdentifier)),
                    Message);
            }
        }
        else
        {
            AddDerivedKeyTokenToResolvers(token);
        }

        bindingMode = ReceiveSecurityHeaderBindingModes.Unknown;
    }
    else
    {
        supportingTracker = GetSupportingTokenTracker(authenticator, out SupportingTokenAuthenticatorSpecification supportingSpec);
        if (supportingTracker == null)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(
                new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, authenticator)));
        }

        // A tracker that already holds a token gets a fresh sibling so each token is tracked on its own.
        if (supportingTracker.Token != null)
        {
            supportingTracker = new TokenTracker(supportingSpec);
            _supportingTokenTrackers.Add(supportingTracker);
        }

        supportingTracker.RecordToken(token);
        if (encryptionToken != null)
        {
            supportingTracker.IsEncrypted = true;
        }

        SecurityTokenAttachmentModeHelper.Categorize(supportingSpec.SecurityTokenAttachmentMode, out bool isBasic, out bool isSignedButNotBasic, out bindingMode);

        if (isBasic)
        {
            if (!ExpectBasicTokens)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected));
            }

            // Only basic tokens have to be part of the reference list; encrypted SAML tokens, for
            // example, do not. An encrypted basic token under message protection is not supported here.
            if (RequireMessageProtection && encryptionToken != null)
            {
                throw ExceptionHelper.PlatformNotSupported();
            }
        }

        if (isSignedButNotBasic && !ExpectSignedTokens)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected));
        }

        _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingSpec.TokenParameters);
    }

    if (position == AppendPosition)
    {
        ElementManager.AppendToken(token, bindingMode, supportingTracker);
    }
    else
    {
        ElementManager.SetTokenAfterDecryption(position, token, bindingMode, decryptedBuffer, supportingTracker);
    }
}