SspiNegotiationTokenProviderState CreateTlsSspiState(X509SecurityToken token)
{
X509Certificate2 clientCertificate;
if (token == null)
{
clientCertificate = null;
}
else
{
clientCertificate = token.Certificate;
}
TlsSspiNegotiation tlsNegotiation = null;
if (LocalAppContextSwitches.DisableUsingServicePointManagerSecurityProtocols)
{
tlsNegotiation = new TlsSspiNegotiation(String.Empty, SchProtocols.Ssl3Client | SchProtocols.TlsClient, clientCertificate);
}
else
{
var protocol = (SchProtocols)System.Net.ServicePointManager.SecurityProtocol & SchProtocols.ClientMask;
tlsNegotiation = new TlsSspiNegotiation(String.Empty, protocol, clientCertificate);
}
return(new SspiNegotiationTokenProviderState(tlsNegotiation));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
X509Certificate2 serverCert = tlsNegotiation.RemoteCertificate;
if (serverCert == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.ServerCertificateNotProvided)));
}
ReadOnlyCollection <IAuthorizationPolicy> authzPolicies;
if (this.ServerTokenAuthenticator != null)
{
X509SecurityToken certToken = new X509SecurityToken(serverCert, false);
authzPolicies = this.ServerTokenAuthenticator.ValidateToken(certToken);
}
else
{
authzPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
return(authzPolicies);
}
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri)
{
TlsSspiNegotiation sspiNegotiation = new TlsSspiNegotiation(SchProtocols.TlsServer | SchProtocols.Ssl3Server, this.serverToken.Certificate, this.ClientTokenAuthenticator != null);
if ((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (this.NegotiationValueType.Value != incomingValueTypeUri))
{
sspiNegotiation.IncomingValueTypeUri = incomingValueTypeUri;
}
return new SspiNegotiationTokenAuthenticatorState(sspiNegotiation);
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation negotiation = sspiNegotiation as TlsSspiNegotiation;
if (((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (negotiation != null)) && (negotiation.IncomingValueTypeUri != null))
{
return(new BinaryNegotiation(negotiation.IncomingValueTypeUri, outgoingBlob));
}
return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob));
}
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri)
{
TlsSspiNegotiation sspiNegotiation = new TlsSspiNegotiation(SchProtocols.TlsServer | SchProtocols.Ssl3Server, this.serverToken.Certificate, this.ClientTokenAuthenticator != null);
if ((base.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005) && (this.NegotiationValueType.Value != incomingValueTypeUri))
{
sspiNegotiation.IncomingValueTypeUri = incomingValueTypeUri;
}
return(new SspiNegotiationTokenAuthenticatorState(sspiNegotiation));
}
SspiNegotiationTokenProviderState CreateTlsSspiState(X509SecurityToken token)
{
X509Certificate2 clientCertificate;
if (token == null)
{
clientCertificate = null;
}
else
{
clientCertificate = token.Certificate;
}
TlsSspiNegotiation tlsNegotiation = new TlsSspiNegotiation(String.Empty, SchProtocols.Ssl3Client | SchProtocols.TlsClient, clientCertificate);
return new SspiNegotiationTokenProviderState(tlsNegotiation);
}
protected override BinaryNegotiation GetOutgoingBinaryNegotiation(ISspiNegotiation sspiNegotiation, byte[] outgoingBlob)
{
TlsSspiNegotiation tlsNegotiation = sspiNegotiation as TlsSspiNegotiation;
// Echo only for TrustFeb2005 and ValueType mismatch
if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 &&
tlsNegotiation != null &&
tlsNegotiation.IncomingValueTypeUri != null)
{
return(new BinaryNegotiation(tlsNegotiation.IncomingValueTypeUri, outgoingBlob));
}
else
{
return(base.GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob));
}
}
SspiNegotiationTokenProviderState CreateTlsSspiState(X509SecurityToken token)
{
X509Certificate2 clientCertificate;
if (token == null)
{
clientCertificate = null;
}
else
{
clientCertificate = token.Certificate;
}
TlsSspiNegotiation tlsNegotiation = new TlsSspiNegotiation(String.Empty, SchProtocols.Ssl3Client | SchProtocols.TlsClient, clientCertificate);
return(new SspiNegotiationTokenProviderState(tlsNegotiation));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.ClientTokenAuthenticator == null)
{
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate;
if (clientCertificate == null)
{
// isAnonymous is false. So, fail the negotiation
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided)));
}
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (this.ClientTokenAuthenticator != null)
{
X509SecurityToken clientToken;
WindowsIdentity preMappedIdentity;
if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity))
{
clientToken = new X509SecurityToken(clientCertificate);
}
else
{
clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true);
preMappedIdentity.Dispose();
}
authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken);
clientToken.Dispose();
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
return(authorizationPolicies);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("ServerCertificateNotProvided")));
}
if (this.ServerTokenAuthenticator != null)
{
X509SecurityToken token = new X509SecurityToken(remoteCertificate, false);
return(this.ServerTokenAuthenticator.ValidateToken(token));
}
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri)
{
TlsSspiNegotiation tlsNegotiation = null;
if (LocalAppContextSwitches.DisableUsingServicePointManagerSecurityProtocols)
{
tlsNegotiation = new TlsSspiNegotiation(SchProtocols.TlsServer | SchProtocols.Ssl3Server,
this.serverToken.Certificate, this.ClientTokenAuthenticator != null);
}
else
{
var protocol = (SchProtocols)System.Net.ServicePointManager.SecurityProtocol & SchProtocols.ServerMask;
tlsNegotiation = new TlsSspiNegotiation(protocol, this.serverToken.Certificate, this.ClientTokenAuthenticator != null);
}
// Echo only for TrustFeb2005 and ValueType mismatch
if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005 &&
this.NegotiationValueType.Value != incomingValueTypeUri)
{
tlsNegotiation.IncomingValueTypeUri = incomingValueTypeUri;
}
return(new SspiNegotiationTokenAuthenticatorState(tlsNegotiation));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
X509SecurityToken token;
WindowsIdentity identity;
TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity))
{
token = new X509SecurityToken(remoteCertificate);
}
else
{
token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true);
identity.Dispose();
}
ReadOnlyCollection <IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token);
token.Dispose();
return(onlys);
}
