void ValidateDigestsOfTargetsInSecurityHeader(StandardSignedInfo signedInfo, SecurityTimestamp timestamp, bool isPrimarySignature, object signatureTarget, string id) { Fx.Assert(!isPrimarySignature || (isPrimarySignature && (signatureTarget == null)), "For primary signature we try to validate all the references."); for (int i = 0; i < signedInfo.ReferenceCount; i++) { Reference reference = signedInfo[i]; this.AlgorithmSuite.EnsureAcceptableDigestAlgorithm(reference.DigestMethod); string referredId = reference.ExtractReferredId(); if (isPrimarySignature || (id == referredId)) { if (timestamp != null && timestamp.Id == referredId && !reference.TransformChain.NeedsInclusiveContext && timestamp.DigestAlgorithm == reference.DigestMethod && timestamp.GetDigest() != null) { reference.EnsureDigestValidity(referredId, timestamp.GetDigest()); this.ElementManager.SetTimestampSigned(referredId); } else { if (signatureTarget != null) { reference.EnsureDigestValidity(id, signatureTarget); } else { int tokenIndex = -1; XmlDictionaryReader reader = null; if (reference.IsStrTranform()) { if (this.ElementManager.TryGetTokenElementIndexFromStrId(referredId, out tokenIndex)) { ReceiveSecurityHeaderEntry entry; this.ElementManager.GetElementEntry(tokenIndex, out entry); bool isSignedToken = (entry.bindingMode == ReceiveSecurityHeaderBindingModes.Signed) || (entry.bindingMode == ReceiveSecurityHeaderBindingModes.SignedEndorsing); // This means it is a protected(signed)primary token. if (!this.ElementManager.IsPrimaryTokenSigned) { this.ElementManager.IsPrimaryTokenSigned = entry.bindingMode == ReceiveSecurityHeaderBindingModes.Primary && entry.elementCategory == ReceiveSecurityHeaderElementCategory.Token; } this.ElementManager.SetSigned(tokenIndex); // We pass true if it is a signed supporting token, signed primary token or a SignedEndorsing token. We pass false if it is a SignedEncrypted Token. reader = this.ElementManager.GetReader(tokenIndex, isSignedToken); } } else { reader = this.ElementManager.GetSignatureVerificationReader(referredId, this.EncryptBeforeSignMode); } if (reader != null) { reference.EnsureDigestValidity(referredId, reader); reader.Close(); } } } if (!isPrimarySignature) { // We were given an id to verify and we have verified it. So just break out // of the loop. break; } } } // This check makes sure that if RequireSignedPrimaryToken is true (ProtectTokens is enabled on sbe) then the incoming message // should have the primary signature over the primary(signing)token. if (isPrimarySignature && this.RequireSignedPrimaryToken && !this.ElementManager.IsPrimaryTokenSigned) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.SupportingTokenIsNotSigned, new IssuedSecurityTokenParameters()))); } // NOTE: On both client and server side, WCF quietly consumes protected tokens even if protect token is not enabled on sbe. // To change this behaviour add another check below and throw appropriate exception message. }