1 //-----------------------------------------------------------------------------
2 // Copyright (c) Microsoft Corporation. All rights reserved.
3 //-----------------------------------------------------------------------------
5 namespace System.ServiceModel.Security
7 using System.Collections.Generic;
8 using System.Collections.ObjectModel;
11 using System.ServiceModel;
12 using System.ServiceModel.Channels;
13 using System.ServiceModel.Description;
14 using System.ServiceModel.Security.Tokens;
17 abstract class WSSecurityPolicy
19 public static ContractDescription NullContract = new ContractDescription("null");
20 public static ServiceEndpoint NullServiceEndpoint = new ServiceEndpoint(NullContract);
21 public static XmlDocument doc = new XmlDocument();
22 public const string WsspPrefix = "sp";
23 public const string WspNamespace = MetadataStrings.WSPolicy.NamespaceUri; //@"http://schemas.xmlsoap.org/ws/2004/09/policy";
24 public const string Wsp15Namespace = MetadataStrings.WSPolicy.NamespaceUri15;
25 public const string WspPrefix = MetadataStrings.WSPolicy.Prefix; //"wsp";
26 public const string MsspNamespace = @"http://schemas.microsoft.com/ws/2005/07/securitypolicy";
27 public const string MsspPrefix = "mssp";
28 public const string PolicyName = MetadataStrings.WSPolicy.Elements.Policy; //"Policy";
29 public const string OptionalName = "Optional";
30 public const string TrueName = "true";
31 public const string FalseName = "false";
32 public const string SymmetricBindingName = "SymmetricBinding";
33 public const string AsymmetricBindingName = "AsymmetricBinding";
34 public const string TransportBindingName = "TransportBinding";
35 public const string OnlySignEntireHeadersAndBodyName = "OnlySignEntireHeadersAndBody";
36 public const string ProtectionTokenName = "ProtectionToken";
37 public const string InitiatorTokenName = "InitiatorToken";
38 public const string RecipientTokenName = "RecipientToken";
39 public const string TransportTokenName = "TransportToken";
40 public const string AlgorithmSuiteName = "AlgorithmSuite";
41 public const string LaxName = "Lax";
42 public const string LaxTsLastName = "LaxTsLast";
43 public const string LaxTsFirstName = "LaxTsFirst";
44 public const string StrictName = "Strict";
45 public const string IncludeTimestampName = "IncludeTimestamp";
46 public const string EncryptBeforeSigningName = "EncryptBeforeSigning";
47 public const string ProtectTokens = "ProtectTokens";
48 public const string EncryptSignatureName = "EncryptSignature";
49 public const string SignedSupportingTokensName = "SignedSupportingTokens";
50 public const string EndorsingSupportingTokensName = "EndorsingSupportingTokens";
51 public const string SignedEndorsingSupportingTokensName = "SignedEndorsingSupportingTokens";
52 public const string Wss10Name = "Wss10";
53 public const string MustSupportRefKeyIdentifierName = "MustSupportRefKeyIdentifier";
54 public const string MustSupportRefIssuerSerialName = "MustSupportRefIssuerSerial";
55 public const string MustSupportRefThumbprintName = "MustSupportRefThumbprint";
56 public const string MustSupportRefEncryptedKeyName = "MustSupportRefEncryptedKey";
57 public const string RequireSignatureConfirmationName = "RequireSignatureConfirmation";
58 public const string MustSupportIssuedTokensName = "MustSupportIssuedTokens";
59 public const string RequireClientEntropyName = "RequireClientEntropy";
60 public const string RequireServerEntropyName = "RequireServerEntropy";
61 public const string Wss11Name = "Wss11";
62 public const string Trust10Name = "Trust10";
63 public const string Trust13Name = "Trust13";
64 public const string RequireAppliesTo = "RequireAppliesTo";
65 public const string SignedPartsName = "SignedParts";
66 public const string EncryptedPartsName = "EncryptedParts";
67 public const string BodyName = "Body";
68 public const string HeaderName = "Header";
69 public const string NameName = "Name";
70 public const string NamespaceName = "Namespace";
71 public const string Basic128Name = "Basic128";
72 public const string Basic192Name = "Basic192";
73 public const string Basic256Name = "Basic256";
74 public const string TripleDesName = "TripleDes";
75 public const string Basic128Rsa15Name = "Basic128Rsa15";
76 public const string Basic192Rsa15Name = "Basic192Rsa15";
77 public const string Basic256Rsa15Name = "Basic256Rsa15";
78 public const string TripleDesRsa15Name = "TripleDesRsa15";
79 public const string Basic128Sha256Name = "Basic128Sha256";
80 public const string Basic192Sha256Name = "Basic192Sha256";
81 public const string Basic256Sha256Name = "Basic256Sha256";
82 public const string TripleDesSha256Name = "TripleDesSha256";
83 public const string Basic128Sha256Rsa15Name = "Basic128Sha256Rsa15";
84 public const string Basic192Sha256Rsa15Name = "Basic192Sha256Rsa15";
85 public const string Basic256Sha256Rsa15Name = "Basic256Sha256Rsa15";
86 public const string TripleDesSha256Rsa15Name = "TripleDesSha256Rsa15";
87 public const string IncludeTokenName = "IncludeToken";
88 public const string KerberosTokenName = "KerberosToken";
89 public const string X509TokenName = "X509Token";
90 public const string IssuedTokenName = "IssuedToken";
91 public const string UsernameTokenName = "UsernameToken";
92 public const string RsaTokenName = "RsaToken";
93 public const string KeyValueTokenName = "KeyValueToken";
94 public const string SpnegoContextTokenName = "SpnegoContextToken";
95 public const string SslContextTokenName = "SslContextToken";
96 public const string SecureConversationTokenName = "SecureConversationToken";
97 public const string WssGssKerberosV5ApReqToken11Name = "WssGssKerberosV5ApReqToken11";
98 public const string RequireDerivedKeysName = "RequireDerivedKeys";
99 public const string RequireIssuerSerialReferenceName = "RequireIssuerSerialReference";
100 public const string RequireKeyIdentifierReferenceName = "RequireKeyIdentifierReference";
101 public const string RequireThumbprintReferenceName = "RequireThumbprintReference";
102 public const string WssX509V3Token10Name = "WssX509V3Token10";
103 public const string WssUsernameToken10Name = "WssUsernameToken10";
104 public const string RequestSecurityTokenTemplateName = "RequestSecurityTokenTemplate";
105 public const string RequireExternalReferenceName = "RequireExternalReference";
106 public const string RequireInternalReferenceName = "RequireInternalReference";
107 public const string IssuerName = "Issuer";
108 public const string RequireClientCertificateName = "RequireClientCertificate";
109 public const string MustNotSendCancelName = "MustNotSendCancel";
110 public const string MustNotSendAmendName = "MustNotSendAmend";
111 public const string MustNotSendRenewName = "MustNotSendRenew";
112 public const string LayoutName = "Layout";
113 public const string BootstrapPolicyName = "BootstrapPolicy";
114 public const string HttpsTokenName = "HttpsToken";
115 public const string HttpBasicAuthenticationName = "HttpBasicAuthentication";
116 public const string HttpDigestAuthenticationName = "HttpDigestAuthentication";
118 bool _mustSupportRefKeyIdentifierName = false;
119 bool _mustSupportRefIssuerSerialName = false;
120 bool _mustSupportRefThumbprintName = false;
121 bool _protectionTokenHasAsymmetricKey = false;
123 public virtual XmlElement CreateWsspAssertion(string name)
125 return doc.CreateElement(WsspPrefix, name, this.WsspNamespaceUri);
128 public virtual bool IsWsspAssertion(XmlElement assertion)
130 return assertion.NamespaceURI == this.WsspNamespaceUri;
133 public virtual bool IsWsspAssertion(XmlElement assertion, string name)
135 return assertion.NamespaceURI == this.WsspNamespaceUri && assertion.LocalName == name;
138 public virtual bool IsMsspAssertion(XmlElement assertion, string name)
140 return assertion.NamespaceURI == MsspNamespace && assertion.LocalName == name;
143 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, out XmlElement assertion)
147 foreach (XmlElement e in assertions)
149 if (e.LocalName == name && e.NamespaceURI == this.WsspNamespaceUri)
152 assertions.Remove(e);
160 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name)
162 return TryImportWsspAssertion(assertions, name, false);
165 public virtual bool TryImportWsspAssertion(ICollection<XmlElement> assertions, string name, bool isOptional)
167 foreach (XmlElement e in assertions)
169 if (e.LocalName == name && e.NamespaceURI == this.WsspNamespaceUri)
171 assertions.Remove(e);
179 public virtual XmlElement CreateMsspAssertion(string name)
181 return doc.CreateElement(MsspPrefix, name, MsspNamespace);
184 public virtual bool CanImportAssertion(ICollection<XmlElement> assertions)
186 foreach (XmlElement e in assertions)
188 if (e.NamespaceURI == this.WsspNamespaceUri || e.NamespaceURI == WSSecurityPolicy.MsspNamespace)
197 public abstract bool IsSecurityVersionSupported(MessageSecurityVersion version);
199 public abstract MessageSecurityVersion GetSupportedMessageSecurityVersion(SecurityVersion version);
201 public abstract string WsspNamespaceUri { get; }
203 public abstract TrustDriver TrustDriver { get; }
205 public virtual string AlwaysToRecipientUri
207 get { return this.WsspNamespaceUri + @"/IncludeToken/AlwaysToRecipient"; }
210 public virtual string NeverUri
212 get { return this.WsspNamespaceUri + @"/IncludeToken/Never"; }
215 public virtual string OnceUri
217 get { return this.WsspNamespaceUri + @"/IncludeToken/Once"; }
220 public virtual string AlwaysToInitiatorUri
222 get { return this.WsspNamespaceUri + @"/IncludeToken/AlwaysToInitiator"; }
225 public virtual bool TryImportMsspAssertion(ICollection<XmlElement> assertions, string name)
227 foreach (XmlElement e in assertions)
229 if (e.LocalName == name && e.NamespaceURI == MsspNamespace)
231 assertions.Remove(e);
239 public virtual XmlElement CreateWspPolicyWrapper(MetadataExporter exporter, params XmlElement[] nestedAssertions)
241 XmlElement result = doc.CreateElement(WspPrefix, PolicyName, exporter.PolicyVersion.Namespace);
243 if (nestedAssertions != null)
245 foreach (XmlElement e in nestedAssertions)
249 result.AppendChild(e);
257 public virtual XmlElement CreateWsspSignedPartsAssertion(MessagePartSpecification parts)
261 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parts");
272 result = CreateWsspAssertion(SignedPartsName);
273 if (parts.IsBodyIncluded)
275 result.AppendChild(CreateWsspAssertion(BodyName));
277 foreach (XmlQualifiedName header in parts.HeaderTypes)
279 result.AppendChild(CreateWsspHeaderAssertion(header));
285 public virtual XmlElement CreateWsspEncryptedPartsAssertion(MessagePartSpecification parts)
289 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parts");
300 result = CreateWsspAssertion(EncryptedPartsName);
301 if (parts.IsBodyIncluded)
303 result.AppendChild(CreateWsspAssertion(BodyName));
305 foreach (XmlQualifiedName header in parts.HeaderTypes)
307 result.AppendChild(CreateWsspHeaderAssertion(header));
313 public virtual MessagePartSpecification TryGetProtectedParts(XmlElement assertion)
315 MessagePartSpecification parts = new MessagePartSpecification();
317 foreach (XmlNode node in assertion.ChildNodes)
319 if (node.NodeType == XmlNodeType.Whitespace || node.NodeType == XmlNodeType.Comment)
323 else if (node is XmlElement)
325 XmlElement element = (XmlElement)node;
326 if (IsWsspAssertion(element, BodyName))
328 parts.IsBodyIncluded = true;
330 else if (IsWsspAssertion(element, HeaderName))
332 string name = element.GetAttribute(NameName);
333 string ns = element.GetAttribute(NamespaceName);
341 parts.HeaderTypes.Add(new XmlQualifiedName(name, ns));
359 public virtual bool TryImportWsspEncryptedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion)
361 if (TryImportWsspAssertion(assertions, EncryptedPartsName, out assertion))
363 parts = TryGetProtectedParts(assertion);
370 return parts != null;
373 public virtual bool TryImportWsspSignedPartsAssertion(ICollection<XmlElement> assertions, out MessagePartSpecification parts, out XmlElement assertion)
375 if (TryImportWsspAssertion(assertions, SignedPartsName, out assertion))
377 parts = TryGetProtectedParts(assertion);
384 return parts != null;
387 public virtual XmlElement CreateWsspHeaderAssertion(XmlQualifiedName header)
389 XmlElement result = CreateWsspAssertion(HeaderName);
390 result.SetAttribute(NameName, header.Name);
391 result.SetAttribute(NamespaceName, header.Namespace);
396 public virtual XmlElement CreateWsspSymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, SymmetricSecurityBindingElement binding)
400 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
403 XmlElement result = CreateWsspAssertion(SymmetricBindingName);
405 CreateWspPolicyWrapper(
407 CreateWsspProtectionTokenAssertion(exporter, binding.ProtectionTokenParameters),
408 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite),
409 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout),
410 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp),
411 CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder),
412 CreateWsspEncryptSignatureAssertion(policyContext, binding),
413 CreateWsspProtectTokensAssertion(binding),
414 CreateWsspAssertion(OnlySignEntireHeadersAndBodyName)
420 public virtual bool TryGetNestedPolicyAlternatives(MetadataImporter importer, XmlElement assertion, out Collection<Collection<XmlElement>> alternatives)
424 XmlElement policyElement = null;
425 foreach (XmlNode node in assertion.ChildNodes)
427 if (node is XmlElement && node.LocalName == PolicyName && (node.NamespaceURI == WspNamespace || node.NamespaceURI == Wsp15Namespace))
429 policyElement = (XmlElement)node;
434 if (policyElement == null)
440 IEnumerable<IEnumerable<XmlElement>> enumerableAlternatives = importer.NormalizePolicy(new XmlElement[] { policyElement });
442 alternatives = new Collection<Collection<XmlElement>>();
443 foreach (IEnumerable<XmlElement> enumerableAlternative in enumerableAlternatives)
445 Collection<XmlElement> alternative = new Collection<XmlElement>();
446 alternatives.Add(alternative);
447 foreach (XmlElement e in enumerableAlternative)
454 return alternatives != null;
457 public virtual bool TryImportWsspSymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out SymmetricSecurityBindingElement binding, out XmlElement assertion)
461 Collection<Collection<XmlElement>> alternatives;
463 if (TryImportWsspAssertion(assertions, SymmetricBindingName, out assertion)
464 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
466 foreach (Collection<XmlElement> alternative in alternatives)
468 MessageProtectionOrder order;
470 binding = new SymmetricSecurityBindingElement();
471 if (TryImportWsspProtectionTokenAssertion(importer, policyContext, alternative, binding)
472 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding)
473 && TryImportWsspLayoutAssertion(importer, alternative, binding)
474 && TryImportWsspIncludeTimestampAssertion(alternative, binding)
475 && TryImportMessageProtectionOrderAssertions(alternative, out order)
476 && TryImportWsspProtectTokensAssertion(alternative, out protectTokens)
477 && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true)
478 && alternative.Count == 0)
480 binding.MessageProtectionOrder = order;
481 binding.ProtectTokens = protectTokens;
491 return binding != null;
494 public virtual XmlElement CreateWsspAsymmetricBindingAssertion(MetadataExporter exporter, PolicyConversionContext policyContext, AsymmetricSecurityBindingElement binding)
498 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
501 XmlElement result = CreateWsspAssertion(AsymmetricBindingName);
503 CreateWspPolicyWrapper(
505 CreateWsspInitiatorTokenAssertion(exporter, binding.InitiatorTokenParameters),
506 CreateWsspRecipientTokenAssertion(exporter, binding.RecipientTokenParameters),
507 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite),
508 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout),
509 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp),
510 CreateWsspEncryptBeforeSigningAssertion(binding.MessageProtectionOrder),
511 CreateWsspEncryptSignatureAssertion(policyContext, binding),
512 CreateWsspProtectTokensAssertion(binding),
513 CreateWsspAssertion(OnlySignEntireHeadersAndBodyName)
519 public virtual bool TryImportWsspAsymmetricBindingAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, out AsymmetricSecurityBindingElement binding, out XmlElement assertion)
523 Collection<Collection<XmlElement>> alternatives;
525 if (TryImportWsspAssertion(assertions, AsymmetricBindingName, out assertion)
526 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
528 foreach (Collection<XmlElement> alternative in alternatives)
530 MessageProtectionOrder order;
532 binding = new AsymmetricSecurityBindingElement();
533 if (TryImportWsspInitiatorTokenAssertion(importer, policyContext, alternative, binding)
534 && TryImportWsspRecipientTokenAssertion(importer, policyContext, alternative, binding)
535 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding)
536 && TryImportWsspLayoutAssertion(importer, alternative, binding)
537 && TryImportWsspIncludeTimestampAssertion(alternative, binding)
538 && TryImportMessageProtectionOrderAssertions(alternative, out order)
539 && TryImportWsspProtectTokensAssertion(alternative, out protectTokens)
540 && TryImportWsspAssertion(alternative, OnlySignEntireHeadersAndBodyName, true)
541 && alternative.Count == 0)
543 binding.MessageProtectionOrder = order;
544 binding.ProtectTokens = protectTokens;
554 return binding != null;
557 public virtual XmlElement CreateWsspTransportBindingAssertion(MetadataExporter exporter, TransportSecurityBindingElement binding, XmlElement transportTokenAssertion)
559 XmlElement result = CreateWsspAssertion(TransportBindingName);
561 CreateWspPolicyWrapper(
563 CreateWsspTransportTokenAssertion(exporter, transportTokenAssertion),
564 CreateWsspAlgorithmSuiteAssertion(exporter, binding.DefaultAlgorithmSuite),
565 CreateWsspLayoutAssertion(exporter, binding.SecurityHeaderLayout),
566 CreateWsspIncludeTimestampAssertion(binding.IncludeTimestamp)
572 public virtual bool TryImportWsspTransportBindingAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out TransportSecurityBindingElement binding, out XmlElement assertion)
576 Collection<Collection<XmlElement>> alternatives;
578 if (TryImportWsspAssertion(assertions, TransportBindingName, out assertion)
579 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
581 foreach (Collection<XmlElement> alternative in alternatives)
583 XmlElement transportTokenAssertion;
584 binding = new TransportSecurityBindingElement();
585 if (TryImportWsspTransportTokenAssertion(importer, alternative, out transportTokenAssertion)
586 && TryImportWsspAlgorithmSuiteAssertion(importer, alternative, binding)
587 && TryImportWsspLayoutAssertion(importer, alternative, binding)
588 && TryImportWsspIncludeTimestampAssertion(alternative, binding)
589 && alternative.Count == 0)
591 if (false == importer.State.ContainsKey(SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode))
593 // The transportTokenAssertion should be consumed by the transport binding importer
594 // for all primary bindings. However, for secure conversation bootstrap bindings
595 // the bootstrap policy does not contain any transport assertions, so adding the
596 // transport token assertion to the collection of unimported assertions would
597 // increase the likelihood of policy import failure due to unrecognized assertions.
598 assertions.Add(transportTokenAssertion);
609 return binding != null;
612 public virtual XmlElement CreateWsspWssAssertion(MetadataExporter exporter, SecurityBindingElement binding)
616 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
619 if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity10)
621 return CreateWsspWss10Assertion(exporter);
623 else if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity11)
625 if (binding is SymmetricSecurityBindingElement)
627 return CreateWsspWss11Assertion(exporter, ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation);
629 else if (binding is AsymmetricSecurityBindingElement)
631 return CreateWsspWss11Assertion(exporter, ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation);
635 return CreateWsspWss11Assertion(exporter, false);
644 public virtual bool TryImportWsspWssAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion)
648 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
650 if (assertions == null)
652 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions");
656 Collection<Collection<XmlElement>> alternatives;
658 if (TryImportWsspAssertion(assertions, Wss10Name, out assertion))
660 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
662 foreach (Collection<XmlElement> alternative in alternatives)
664 TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName);
665 TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName);
666 if (alternative.Count == 0)
668 binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity10);
679 else if (TryImportWsspAssertion(assertions, Wss11Name, out assertion))
681 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
683 foreach (Collection<XmlElement> alternative in alternatives)
685 TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName);
686 TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName);
687 TryImportWsspAssertion(alternative, MustSupportRefThumbprintName);
688 TryImportWsspAssertion(alternative, MustSupportRefEncryptedKeyName);
689 bool requireSignatureConfirmation = TryImportWsspAssertion(alternative, RequireSignatureConfirmationName);
690 if (alternative.Count == 0)
692 binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity11);
693 if (binding is SymmetricSecurityBindingElement)
695 ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation;
697 else if (binding is AsymmetricSecurityBindingElement)
699 ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation;
715 public virtual XmlElement CreateWsspWss10Assertion(MetadataExporter exporter)
717 XmlElement result = CreateWsspAssertion(Wss10Name);
719 CreateWspPolicyWrapper(
721 CreateWsspAssertionMustSupportRefKeyIdentifierName(),
722 CreateWsspAssertionMustSupportRefIssuerSerialName()
728 public virtual XmlElement CreateWsspWss11Assertion(MetadataExporter exporter, bool requireSignatureConfirmation)
730 XmlElement result = CreateWsspAssertion(Wss11Name);
732 CreateWspPolicyWrapper(
734 CreateWsspAssertionMustSupportRefKeyIdentifierName(),
735 CreateWsspAssertionMustSupportRefIssuerSerialName(),
736 CreateWsspAssertionMustSupportRefThumbprintName(),
737 CreateWsspAssertionMustSupportRefEncryptedKeyName(),
738 CreateWsspRequireSignatureConformationAssertion(requireSignatureConfirmation)
743 public virtual XmlElement CreateWsspAssertionMustSupportRefKeyIdentifierName()
745 if (_mustSupportRefKeyIdentifierName)
747 return CreateWsspAssertion(MustSupportRefKeyIdentifierName);
755 public virtual XmlElement CreateWsspAssertionMustSupportRefIssuerSerialName()
757 if (_mustSupportRefIssuerSerialName)
759 return CreateWsspAssertion(MustSupportRefIssuerSerialName);
767 public virtual XmlElement CreateWsspAssertionMustSupportRefThumbprintName()
769 if (_mustSupportRefThumbprintName)
771 return CreateWsspAssertion(MustSupportRefThumbprintName);
779 public virtual XmlElement CreateWsspAssertionMustSupportRefEncryptedKeyName()
781 // protectionTokenHasAsymmetricKey is only set to true for a SymmetricBindingElement having an asymmetric key
782 if (_protectionTokenHasAsymmetricKey)
784 return CreateWsspAssertion(MustSupportRefEncryptedKeyName);
792 public virtual XmlElement CreateWsspRequireSignatureConformationAssertion(bool requireSignatureConfirmation)
794 if (requireSignatureConfirmation)
796 return CreateWsspAssertion(RequireSignatureConfirmationName);
804 public abstract XmlElement CreateWsspTrustAssertion(MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode);
806 public abstract bool TryImportWsspTrustAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion);
808 protected XmlElement CreateWsspTrustAssertion(string trustName, MetadataExporter exporter, SecurityKeyEntropyMode keyEntropyMode)
810 XmlElement result = CreateWsspAssertion(trustName);
812 CreateWspPolicyWrapper(
814 CreateWsspAssertion(MustSupportIssuedTokensName),
815 CreateWsspRequireClientEntropyAssertion(keyEntropyMode),
816 CreateWsspRequireServerEntropyAssertion(keyEntropyMode)
822 protected bool TryImportWsspTrustAssertion(string trustName, MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion)
826 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding");
828 if (assertions == null)
830 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions");
834 Collection<Collection<XmlElement>> alternatives;
836 if (TryImportWsspAssertion(assertions, trustName, out assertion)
837 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
839 foreach (Collection<XmlElement> alternative in alternatives)
841 TryImportWsspAssertion(alternative, MustSupportIssuedTokensName);
842 bool requireClientEntropy = TryImportWsspAssertion(alternative, RequireClientEntropyName);
843 bool requireServerEntropy = TryImportWsspAssertion(alternative, RequireServerEntropyName);
844 if (trustName == Trust13Name)
846 // We are just reading this optional element.
847 TryImportWsspAssertion(alternative, RequireAppliesTo);
849 if (alternative.Count == 0)
851 if (requireClientEntropy)
853 if (requireServerEntropy)
855 binding.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
859 binding.KeyEntropyMode = SecurityKeyEntropyMode.ClientEntropy;
862 else if (requireServerEntropy)
864 binding.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy;
880 public virtual XmlElement CreateWsspRequireClientEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode)
882 if (keyEntropyMode == SecurityKeyEntropyMode.ClientEntropy || keyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy)
884 return CreateWsspAssertion(RequireClientEntropyName);
892 public virtual XmlElement CreateWsspRequireServerEntropyAssertion(SecurityKeyEntropyMode keyEntropyMode)
894 if (keyEntropyMode == SecurityKeyEntropyMode.ServerEntropy || keyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy)
896 return CreateWsspAssertion(RequireServerEntropyName);
904 public virtual Collection<XmlElement> CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing)
906 return CreateWsspSupportingTokensAssertion(exporter, signed, signedEncrypted, endorsing, signedEndorsing, optionalSigned, optionalSignedEncrypted, optionalEndorsing, optionalSignedEndorsing, null);
909 public virtual Collection<XmlElement> CreateWsspSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion)
911 Collection<XmlElement> supportingTokenAssertions = new Collection<XmlElement>();
913 // Signed Supporting Tokens
914 XmlElement supportingTokenAssertion = CreateWsspSignedSupportingTokensAssertion(exporter, signed, signedEncrypted, optionalSigned, optionalSignedEncrypted);
915 if (supportingTokenAssertion != null)
916 supportingTokenAssertions.Add(supportingTokenAssertion);
918 // Endorsing Supporting Tokens.
919 supportingTokenAssertion = CreateWsspEndorsingSupportingTokensAssertion(exporter, endorsing, optionalEndorsing, addressingVersion);
920 if (supportingTokenAssertion != null)
921 supportingTokenAssertions.Add(supportingTokenAssertion);
923 // Signed Endorsing Supporting Tokens.
924 supportingTokenAssertion = CreateWsspSignedEndorsingSupportingTokensAssertion(exporter, signedEndorsing, optionalSignedEndorsing, addressingVersion);
925 if (supportingTokenAssertion != null)
926 supportingTokenAssertions.Add(supportingTokenAssertion);
928 return supportingTokenAssertions;
931 protected XmlElement CreateWsspSignedSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted)
935 if ((signed == null || signed.Count == 0)
936 && (signedEncrypted == null || signedEncrypted.Count == 0)
937 && (optionalSigned == null || optionalSigned.Count == 0)
938 && (optionalSignedEncrypted == null || optionalSignedEncrypted.Count == 0))
944 XmlElement policy = CreateWspPolicyWrapper(exporter);
948 foreach (SecurityTokenParameters p in signed)
950 policy.AppendChild(CreateTokenAssertion(exporter, p));
953 if (signedEncrypted != null)
955 foreach (SecurityTokenParameters p in signedEncrypted)
957 policy.AppendChild(CreateTokenAssertion(exporter, p));
960 if (optionalSigned != null)
962 foreach (SecurityTokenParameters p in optionalSigned)
964 policy.AppendChild(CreateTokenAssertion(exporter, p, true));
967 if (optionalSignedEncrypted != null)
969 foreach (SecurityTokenParameters p in optionalSignedEncrypted)
971 policy.AppendChild(CreateTokenAssertion(exporter, p, true));
975 result = CreateWsspAssertion(SignedSupportingTokensName);
976 result.AppendChild(policy);
982 protected XmlElement CreateWsspEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion)
984 return CreateWsspiSupportingTokensAssertion(exporter, endorsing, optionalEndorsing, addressingVersion, EndorsingSupportingTokensName);
987 protected XmlElement CreateWsspSignedEndorsingSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, AddressingVersion addressingVersion)
989 return CreateWsspiSupportingTokensAssertion(exporter, signedEndorsing, optionalSignedEndorsing, addressingVersion, SignedEndorsingSupportingTokensName);
992 protected XmlElement CreateWsspiSupportingTokensAssertion(MetadataExporter exporter, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, AddressingVersion addressingVersion, string assertionName)
995 bool hasAssymetricKey = false;
997 if ((endorsing == null || endorsing.Count == 0)
998 && (optionalEndorsing == null || optionalEndorsing.Count == 0))
1004 XmlElement policy = CreateWspPolicyWrapper(exporter);
1006 if (endorsing != null)
1008 foreach (SecurityTokenParameters p in endorsing)
1010 if (p.HasAsymmetricKey)
1011 hasAssymetricKey = true;
1013 policy.AppendChild(CreateTokenAssertion(exporter, p));
1016 if (optionalEndorsing != null)
1018 foreach (SecurityTokenParameters p in optionalEndorsing)
1020 if (p.HasAsymmetricKey)
1021 hasAssymetricKey = true;
1023 policy.AppendChild(CreateTokenAssertion(exporter, p, true));
1026 if (addressingVersion != null && AddressingVersion.None != addressingVersion)
1028 // only add assertion to sign the 'To' only if an assymetric key is found
1029 if (hasAssymetricKey)
1032 CreateWsspSignedPartsAssertion(
1033 new MessagePartSpecification(new XmlQualifiedName(AddressingStrings.To, addressingVersion.Namespace))));
1037 result = CreateWsspAssertion(assertionName);
1038 result.AppendChild(policy);
1044 public virtual bool TryImportWsspSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, Collection<SecurityTokenParameters> optionalEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing)
1046 XmlElement assertion;
1048 if (!TryImportWsspSignedSupportingTokensAssertion(
1055 optionalSignedEncrypted,
1057 && assertion != null)
1059 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
1062 if (!TryImportWsspEndorsingSupportingTokensAssertion(
1069 && assertion != null)
1071 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
1074 if (!TryImportWsspSignedEndorsingSupportingTokensAssertion(
1079 optionalSignedEndorsing,
1081 && assertion != null)
1083 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
1089 protected bool TryImportWsspSignedSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signed, Collection<SecurityTokenParameters> signedEncrypted, Collection<SecurityTokenParameters> optionalSigned, Collection<SecurityTokenParameters> optionalSignedEncrypted, out XmlElement assertion)
1093 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signed");
1095 if (signedEncrypted == null)
1097 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signedEncrypted");
1099 if (optionalSigned == null)
1101 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSigned");
1103 if (optionalSignedEncrypted == null)
1105 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSignedEncrypted");
1110 Collection<Collection<XmlElement>> alternatives;
1112 if (TryImportWsspAssertion(assertions, SignedSupportingTokensName, out assertion)
1113 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1115 foreach (Collection<XmlElement> alternative in alternatives)
1117 Collection<SecurityTokenParameters> signedSupportingTokens = new Collection<SecurityTokenParameters>();
1118 Collection<SecurityTokenParameters> optionalSignedSupportingTokens = new Collection<SecurityTokenParameters>();
1119 SecurityTokenParameters parameters;
1121 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional))
1125 optionalSignedSupportingTokens.Add(parameters);
1129 signedSupportingTokens.Add(parameters);
1132 if (alternative.Count == 0)
1134 foreach (SecurityTokenParameters p in signedSupportingTokens)
1136 if (p is UserNameSecurityTokenParameters)
1138 signedEncrypted.Add(p);
1145 foreach (SecurityTokenParameters p in optionalSignedSupportingTokens)
1147 if (p is UserNameSecurityTokenParameters)
1149 optionalSignedEncrypted.Add(p);
1153 optionalSigned.Add(p);
1169 protected bool TryImportWsspEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> endorsing, Collection<SecurityTokenParameters> optionalEndorsing, out XmlElement assertion)
1171 if (endorsing == null)
1173 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("endorsing");
1175 if (optionalEndorsing == null)
1177 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalEndorsing");
1182 Collection<Collection<XmlElement>> alternatives;
1184 if (TryImportWsspAssertion(assertions, EndorsingSupportingTokensName, out assertion)
1185 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1187 foreach (Collection<XmlElement> alternative in alternatives)
1189 MessagePartSpecification signedParts;
1190 if (!TryImportWsspSignedPartsAssertion(alternative, out signedParts, out assertion) && assertion != null)
1192 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
1195 Collection<SecurityTokenParameters> supportingTokens = new Collection<SecurityTokenParameters>();
1196 Collection<SecurityTokenParameters> optionalSupportingTokens = new Collection<SecurityTokenParameters>();
1197 SecurityTokenParameters parameters;
1199 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional))
1203 optionalSupportingTokens.Add(parameters);
1207 supportingTokens.Add(parameters);
1210 if (alternative.Count == 0)
1212 foreach (SecurityTokenParameters p in supportingTokens)
1216 foreach (SecurityTokenParameters p in optionalSupportingTokens)
1218 optionalEndorsing.Add(p);
1233 protected bool TryImportWsspSignedEndorsingSupportingTokensAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, Collection<SecurityTokenParameters> signedEndorsing, Collection<SecurityTokenParameters> optionalSignedEndorsing, out XmlElement assertion)
1235 if (signedEndorsing == null)
1237 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signedEndorsing");
1239 if (optionalSignedEndorsing == null)
1241 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("optionalSignedEndorsing");
1246 Collection<Collection<XmlElement>> alternatives;
1248 if (TryImportWsspAssertion(assertions, SignedEndorsingSupportingTokensName, out assertion)
1249 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1251 foreach (Collection<XmlElement> alternative in alternatives)
1253 MessagePartSpecification signedParts;
1254 if (!TryImportWsspSignedPartsAssertion(alternative, out signedParts, out assertion) && assertion != null)
1256 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
1259 Collection<SecurityTokenParameters> supportingTokens = new Collection<SecurityTokenParameters>();
1260 Collection<SecurityTokenParameters> optionalSupportingTokens = new Collection<SecurityTokenParameters>();
1261 SecurityTokenParameters parameters;
1263 while (alternative.Count > 0 && TryImportTokenAssertion(importer, policyContext, alternative, out parameters, out isOptional))
1267 optionalSupportingTokens.Add(parameters);
1271 supportingTokens.Add(parameters);
1274 if (alternative.Count == 0)
1276 foreach (SecurityTokenParameters p in supportingTokens)
1278 signedEndorsing.Add(p);
1280 foreach (SecurityTokenParameters p in optionalSupportingTokens)
1282 optionalSignedEndorsing.Add(p);
1297 public virtual XmlElement CreateWsspEncryptSignatureAssertion(PolicyConversionContext policyContext, SecurityBindingElement binding)
1299 MessageProtectionOrder protectionOrder;
1300 if (binding is SymmetricSecurityBindingElement)
1302 protectionOrder = ((SymmetricSecurityBindingElement)binding).MessageProtectionOrder;
1306 protectionOrder = ((AsymmetricSecurityBindingElement)binding).MessageProtectionOrder;
1309 if (protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature
1310 && ContainsEncryptionParts(policyContext, binding))
1312 return CreateWsspAssertion(EncryptSignatureName);
1320 // This api checks whether or not the message will or may contain Encrypted parts
1321 // to decide whether or not to emit sp:EncryptSignature on Binding assertion.
1322 // 1) (Optional)EndpointSupporting.
1323 // 2) (Optional)OperationSupporting.
1324 // 3) In/Out/Fault Message ProtectionLevel for each Operation.
1325 bool ContainsEncryptionParts(PolicyConversionContext policyContext, SecurityBindingElement security)
1327 // special case for RST/RSTR since we hard coded the security for them
1328 if (policyContext.Contract == NullContract)
1331 if (security.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0 ||
1332 security.OptionalEndpointSupportingTokenParameters.SignedEncrypted.Count > 0)
1336 foreach (SupportingTokenParameters r in security.OperationSupportingTokenParameters.Values)
1338 if (r.SignedEncrypted.Count > 0)
1343 foreach (SupportingTokenParameters r in security.OptionalOperationSupportingTokenParameters.Values)
1345 if (r.SignedEncrypted.Count > 0)
1351 BindingParameterCollection bindingParameters = new BindingParameterCollection();
1352 bindingParameters.Add(ChannelProtectionRequirements.CreateFromContract(policyContext.Contract, policyContext.BindingElements.Find<SecurityBindingElement>().GetIndividualProperty<ISecurityCapabilities>(), false));
1353 ChannelProtectionRequirements protectionRequirements = SecurityBindingElement.ComputeProtectionRequirements(security, bindingParameters, policyContext.BindingElements, true);
1354 protectionRequirements.MakeReadOnly();
1356 WSSecurityPolicy sp = WSSecurityPolicy.GetSecurityPolicyDriver(security.MessageSecurityVersion);
1358 foreach (OperationDescription operation in policyContext.Contract.Operations)
1360 // export policy for application messages
1361 foreach (MessageDescription message in operation.Messages)
1363 MessagePartSpecification parts;
1364 ScopedMessagePartSpecification scopedParts;
1367 if (message.Direction == MessageDirection.Input)
1369 scopedParts = protectionRequirements.IncomingEncryptionParts;
1373 scopedParts = protectionRequirements.OutgoingEncryptionParts;
1376 if (scopedParts.TryGetParts(message.Action, out parts))
1378 if (!parts.IsEmpty())
1385 // export policy for faults
1386 foreach (FaultDescription fault in operation.Faults)
1388 MessagePartSpecification parts;
1391 if (protectionRequirements.OutgoingEncryptionParts.TryGetParts(fault.Action, out parts))
1393 if (!parts.IsEmpty())
1403 public virtual XmlElement CreateWsspEncryptBeforeSigningAssertion(MessageProtectionOrder protectionOrder)
1405 if (protectionOrder == MessageProtectionOrder.EncryptBeforeSign)
1407 return CreateWsspAssertion(EncryptBeforeSigningName);
1415 public virtual XmlElement CreateWsspProtectTokensAssertion(SecurityBindingElement sbe)
1417 if (sbe.ProtectTokens)
1419 return CreateWsspAssertion(ProtectTokens);
1428 public virtual bool TryImportMessageProtectionOrderAssertions(ICollection<XmlElement> assertions, out MessageProtectionOrder order)
1430 if (TryImportWsspAssertion(assertions, EncryptBeforeSigningName))
1432 order = MessageProtectionOrder.EncryptBeforeSign;
1434 else if (TryImportWsspAssertion(assertions, EncryptSignatureName))
1436 order = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
1440 order = MessageProtectionOrder.SignBeforeEncrypt;
1446 public virtual XmlElement CreateWsspIncludeTimestampAssertion(bool includeTimestamp)
1448 if (includeTimestamp)
1450 return CreateWsspAssertion(IncludeTimestampName);
1458 public virtual bool TryImportWsspIncludeTimestampAssertion(ICollection<XmlElement> assertions, SecurityBindingElement binding)
1460 binding.IncludeTimestamp = TryImportWsspAssertion(assertions, IncludeTimestampName);
1464 public virtual bool TryImportWsspProtectTokensAssertion(ICollection<XmlElement> assertions, out bool protectTokens)
1466 if (TryImportWsspAssertion(assertions, ProtectTokens))
1468 protectTokens = true;
1472 protectTokens = false;
1478 public virtual XmlElement CreateWsspLayoutAssertion(MetadataExporter exporter, SecurityHeaderLayout layout)
1480 XmlElement result = CreateWsspAssertion(LayoutName);
1482 CreateWspPolicyWrapper(
1484 CreateLayoutAssertion(layout)
1490 public virtual bool TryImportWsspLayoutAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding)
1492 bool result = false;
1493 XmlElement assertion;
1495 if (TryImportWsspAssertion(assertions, LayoutName, out assertion))
1497 SecurityHeaderLayout layout;
1498 Collection<Collection<XmlElement>> alternatives;
1500 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1502 foreach (Collection<XmlElement> alternative in alternatives)
1504 if (TryImportLayoutAssertion(alternative, out layout)
1505 && alternative.Count == 0)
1507 binding.SecurityHeaderLayout = layout;
1516 binding.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
1523 public virtual XmlElement CreateLayoutAssertion(SecurityHeaderLayout layout)
1528 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("layout"));
1529 case SecurityHeaderLayout.Lax:
1530 return CreateWsspAssertion(LaxName);
1531 case SecurityHeaderLayout.LaxTimestampFirst:
1532 return CreateWsspAssertion(LaxTsFirstName);
1533 case SecurityHeaderLayout.LaxTimestampLast:
1534 return CreateWsspAssertion(LaxTsLastName);
1535 case SecurityHeaderLayout.Strict:
1536 return CreateWsspAssertion(StrictName);
1540 public virtual bool TryImportLayoutAssertion(ICollection<XmlElement> assertions, out SecurityHeaderLayout layout)
1543 layout = SecurityHeaderLayout.Lax;
1545 if (TryImportWsspAssertion(assertions, LaxName))
1547 layout = SecurityHeaderLayout.Lax;
1549 else if (TryImportWsspAssertion(assertions, LaxTsFirstName))
1551 layout = SecurityHeaderLayout.LaxTimestampFirst;
1553 else if (TryImportWsspAssertion(assertions, LaxTsLastName))
1555 layout = SecurityHeaderLayout.LaxTimestampLast;
1557 else if (TryImportWsspAssertion(assertions, StrictName))
1559 layout = SecurityHeaderLayout.Strict;
1569 public virtual XmlElement CreateWsspAlgorithmSuiteAssertion(MetadataExporter exporter, SecurityAlgorithmSuite suite)
1571 XmlElement result = CreateWsspAssertion(AlgorithmSuiteName);
1573 CreateWspPolicyWrapper(
1575 CreateAlgorithmSuiteAssertion(suite)
1581 public virtual bool TryImportWsspAlgorithmSuiteAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding)
1583 SecurityAlgorithmSuite suite = null;
1584 XmlElement assertion;
1585 Collection<Collection<XmlElement>> alternatives;
1587 if (TryImportWsspAssertion(assertions, AlgorithmSuiteName, out assertion)
1588 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1590 foreach (Collection<XmlElement> alternative in alternatives)
1592 if (TryImportAlgorithmSuiteAssertion(alternative, out suite)
1593 && alternative.Count == 0)
1595 binding.DefaultAlgorithmSuite = suite;
1605 return suite != null;
1608 public virtual XmlElement CreateAlgorithmSuiteAssertion(SecurityAlgorithmSuite suite)
1612 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("suite");
1617 if (suite == SecurityAlgorithmSuite.Basic256)
1618 result = CreateWsspAssertion(Basic256Name);
1619 else if (suite == SecurityAlgorithmSuite.Basic192)
1620 result = CreateWsspAssertion(Basic192Name);
1621 else if (suite == SecurityAlgorithmSuite.Basic128)
1622 result = CreateWsspAssertion(Basic128Name);
1623 else if (suite == SecurityAlgorithmSuite.TripleDes)
1624 result = CreateWsspAssertion(TripleDesName);
1625 else if (suite == SecurityAlgorithmSuite.Basic256Rsa15)
1626 result = CreateWsspAssertion(Basic256Rsa15Name);
1627 else if (suite == SecurityAlgorithmSuite.Basic192Rsa15)
1628 result = CreateWsspAssertion(Basic192Rsa15Name);
1629 else if (suite == SecurityAlgorithmSuite.Basic128Rsa15)
1630 result = CreateWsspAssertion(Basic128Rsa15Name);
1631 else if (suite == SecurityAlgorithmSuite.TripleDesRsa15)
1632 result = CreateWsspAssertion(TripleDesRsa15Name);
1633 else if (suite == SecurityAlgorithmSuite.Basic256Sha256)
1634 result = CreateWsspAssertion(Basic256Sha256Name);
1635 else if (suite == SecurityAlgorithmSuite.Basic192Sha256)
1636 result = CreateWsspAssertion(Basic192Sha256Name);
1637 else if (suite == SecurityAlgorithmSuite.Basic128Sha256)
1638 result = CreateWsspAssertion(Basic128Sha256Name);
1639 else if (suite == SecurityAlgorithmSuite.TripleDesSha256)
1640 result = CreateWsspAssertion(TripleDesSha256Name);
1641 else if (suite == SecurityAlgorithmSuite.Basic256Sha256Rsa15)
1642 result = CreateWsspAssertion(Basic256Sha256Rsa15Name);
1643 else if (suite == SecurityAlgorithmSuite.Basic192Sha256Rsa15)
1644 result = CreateWsspAssertion(Basic192Sha256Rsa15Name);
1645 else if (suite == SecurityAlgorithmSuite.Basic128Sha256Rsa15)
1646 result = CreateWsspAssertion(Basic128Sha256Rsa15Name);
1647 else if (suite == SecurityAlgorithmSuite.TripleDesSha256Rsa15)
1648 result = CreateWsspAssertion(TripleDesSha256Rsa15Name);
1651 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("suite"));
1657 public virtual bool TryImportAlgorithmSuiteAssertion(ICollection<XmlElement> assertions, out SecurityAlgorithmSuite suite)
1659 if (TryImportWsspAssertion(assertions, Basic256Name))
1660 suite = SecurityAlgorithmSuite.Basic256;
1661 else if (TryImportWsspAssertion(assertions, Basic192Name))
1662 suite = SecurityAlgorithmSuite.Basic192;
1663 else if (TryImportWsspAssertion(assertions, Basic128Name))
1664 suite = SecurityAlgorithmSuite.Basic128;
1665 else if (TryImportWsspAssertion(assertions, TripleDesName))
1666 suite = SecurityAlgorithmSuite.TripleDes;
1667 else if (TryImportWsspAssertion(assertions, Basic256Rsa15Name))
1668 suite = SecurityAlgorithmSuite.Basic256Rsa15;
1669 else if (TryImportWsspAssertion(assertions, Basic192Rsa15Name))
1670 suite = SecurityAlgorithmSuite.Basic192Rsa15;
1671 else if (TryImportWsspAssertion(assertions, Basic128Rsa15Name))
1672 suite = SecurityAlgorithmSuite.Basic128Rsa15;
1673 else if (TryImportWsspAssertion(assertions, TripleDesRsa15Name))
1674 suite = SecurityAlgorithmSuite.TripleDesRsa15;
1675 else if (TryImportWsspAssertion(assertions, Basic256Sha256Name))
1676 suite = SecurityAlgorithmSuite.Basic256Sha256;
1677 else if (TryImportWsspAssertion(assertions, Basic192Sha256Name))
1678 suite = SecurityAlgorithmSuite.Basic192Sha256;
1679 else if (TryImportWsspAssertion(assertions, Basic128Sha256Name))
1680 suite = SecurityAlgorithmSuite.Basic128Sha256;
1681 else if (TryImportWsspAssertion(assertions, TripleDesSha256Name))
1682 suite = SecurityAlgorithmSuite.TripleDesSha256;
1683 else if (TryImportWsspAssertion(assertions, Basic256Sha256Rsa15Name))
1684 suite = SecurityAlgorithmSuite.Basic256Sha256Rsa15;
1685 else if (TryImportWsspAssertion(assertions, Basic192Sha256Rsa15Name))
1686 suite = SecurityAlgorithmSuite.Basic192Sha256Rsa15;
1687 else if (TryImportWsspAssertion(assertions, Basic128Sha256Rsa15Name))
1688 suite = SecurityAlgorithmSuite.Basic128Sha256Rsa15;
1689 else if (TryImportWsspAssertion(assertions, TripleDesSha256Rsa15Name))
1690 suite = SecurityAlgorithmSuite.TripleDesSha256Rsa15;
1694 return suite != null;
1697 public virtual XmlElement CreateWsspProtectionTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)
1699 XmlElement result = CreateWsspAssertion(ProtectionTokenName);
1702 CreateWspPolicyWrapper(
1704 CreateTokenAssertion(exporter, parameters)
1706 _protectionTokenHasAsymmetricKey = parameters.HasAsymmetricKey;
1711 public virtual bool TryImportWsspProtectionTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, SymmetricSecurityBindingElement binding)
1713 bool result = false;
1715 XmlElement assertion;
1716 Collection<Collection<XmlElement>> alternatives;
1717 if (TryImportWsspAssertion(assertions, ProtectionTokenName, out assertion)
1718 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1720 foreach (Collection<XmlElement> alternative in alternatives)
1722 SecurityTokenParameters tokenParameters;
1724 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional)
1725 && alternative.Count == 0)
1728 binding.ProtectionTokenParameters = tokenParameters;
1737 public virtual bool TryImportWsspInitiatorTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
1739 bool result = false;
1741 XmlElement assertion;
1742 Collection<Collection<XmlElement>> alternatives;
1743 if (TryImportWsspAssertion(assertions, InitiatorTokenName, out assertion)
1744 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1746 foreach (Collection<XmlElement> alternative in alternatives)
1748 SecurityTokenParameters tokenParameters;
1750 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional)
1751 && alternative.Count == 0)
1754 binding.InitiatorTokenParameters = tokenParameters;
1763 public virtual bool TryImportWsspRecipientTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, AsymmetricSecurityBindingElement binding)
1765 bool result = false;
1767 XmlElement assertion;
1768 Collection<Collection<XmlElement>> alternatives;
1769 if (TryImportWsspAssertion(assertions, RecipientTokenName, out assertion)
1770 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
1772 foreach (Collection<XmlElement> alternative in alternatives)
1774 SecurityTokenParameters tokenParameters;
1776 if (TryImportTokenAssertion(importer, policyContext, alternative, out tokenParameters, out isOptional)
1777 && alternative.Count == 0)
1780 binding.RecipientTokenParameters = tokenParameters;
1789 public virtual XmlElement CreateWsspInitiatorTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)
1791 XmlElement result = CreateWsspAssertion(InitiatorTokenName);
1794 CreateWspPolicyWrapper(
1796 CreateTokenAssertion(exporter, parameters)
1802 public virtual XmlElement CreateWsspRecipientTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)
1804 XmlElement result = CreateWsspAssertion(RecipientTokenName);
1807 CreateWspPolicyWrapper(
1809 CreateTokenAssertion(exporter, parameters)
1815 public virtual XmlElement CreateWsspTransportTokenAssertion(MetadataExporter exporter, XmlElement transportTokenAssertion)
1817 if (transportTokenAssertion == null)
1819 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transportTokenAssertion");
1822 XmlElement result = CreateWsspAssertion(TransportTokenName);
1825 CreateWspPolicyWrapper(
1827 (XmlElement)(doc.ImportNode(transportTokenAssertion, true))
1833 public virtual bool TryImportWsspTransportTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, out XmlElement transportBindingAssertion)
1835 transportBindingAssertion = null;
1837 XmlElement assertion;
1838 Collection<Collection<XmlElement>> alternatives;
1839 if (TryImportWsspAssertion(assertions, TransportTokenName, out assertion)
1840 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)
1841 && alternatives.Count == 1
1842 && alternatives[0].Count == 1)
1844 // we cannot process choices of transport tokens due to the current contract between
1845 // security and transport binding element converters
1846 transportBindingAssertion = alternatives[0][0];
1849 return transportBindingAssertion != null;
1852 public virtual XmlElement CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters)
1854 return CreateTokenAssertion(exporter, parameters, false);
1857 public virtual XmlElement CreateTokenAssertion(MetadataExporter exporter, SecurityTokenParameters parameters, bool isOptional)
1859 if (parameters == null)
1861 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
1866 if (parameters is KerberosSecurityTokenParameters)
1868 result = CreateWsspKerberosTokenAssertion(exporter, (KerberosSecurityTokenParameters)parameters);
1870 else if (parameters is X509SecurityTokenParameters)
1872 result = CreateWsspX509TokenAssertion(exporter, (X509SecurityTokenParameters)parameters);
1874 else if (parameters is UserNameSecurityTokenParameters)
1876 result = CreateWsspUsernameTokenAssertion(exporter, (UserNameSecurityTokenParameters)parameters);
1878 else if (parameters is IssuedSecurityTokenParameters)
1880 result = CreateWsspIssuedTokenAssertion(exporter, (IssuedSecurityTokenParameters)parameters);
1882 else if (parameters is SspiSecurityTokenParameters)
1884 result = CreateWsspSpnegoContextTokenAssertion(exporter, (SspiSecurityTokenParameters)parameters);
1886 else if (parameters is SslSecurityTokenParameters)
1888 result = CreateMsspSslContextTokenAssertion(exporter, (SslSecurityTokenParameters)parameters);
1890 else if (parameters is SecureConversationSecurityTokenParameters)
1892 result = CreateWsspSecureConversationTokenAssertion(exporter, (SecureConversationSecurityTokenParameters)parameters);
1894 else if (parameters is RsaSecurityTokenParameters)
1896 result = CreateWsspRsaTokenAssertion((RsaSecurityTokenParameters)parameters);
1900 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("parameters"));
1903 if (result != null && isOptional)
1905 result.SetAttribute(OptionalName, exporter.PolicyVersion.Namespace, TrueName);
1911 public virtual bool TryImportTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, Collection<XmlElement> assertions, out SecurityTokenParameters parameters, out bool isOptional)
1916 if (assertions.Count >= 1)
1918 XmlElement tokenAssertion = assertions[0];
1919 if (TryImportWsspKerberosTokenAssertion(importer, tokenAssertion, out parameters)
1920 || TryImportWsspX509TokenAssertion(importer, tokenAssertion, out parameters)
1921 || TryImportWsspUsernameTokenAssertion(importer, tokenAssertion, out parameters)
1922 || TryImportWsspIssuedTokenAssertion(importer, policyContext, tokenAssertion, out parameters)
1923 || TryImportWsspSpnegoContextTokenAssertion(importer, tokenAssertion, out parameters)
1924 || TryImportMsspSslContextTokenAssertion(importer, tokenAssertion, out parameters)
1925 || TryImportWsspSecureConversationTokenAssertion(importer, tokenAssertion, out parameters)
1926 || TryImportWsspRsaTokenAssertion(importer, tokenAssertion, out parameters))
1928 string optionalAttribute = tokenAssertion.GetAttribute(OptionalName, WspNamespace);
1930 if (String.IsNullOrEmpty(optionalAttribute))
1932 optionalAttribute = tokenAssertion.GetAttribute(OptionalName, Wsp15Namespace);
1937 isOptional = XmlUtil.IsTrue(optionalAttribute);
1939 catch ( Exception e )
1943 if (e is NullReferenceException)
1946 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedBooleanAttribute, OptionalName, e.Message), false));
1950 assertions.RemoveAt(0);
1954 return (parameters != null);
1957 public virtual void SetIncludeTokenValue(XmlElement tokenAssertion, SecurityTokenInclusionMode inclusionMode)
1959 switch (inclusionMode)
1962 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("inclusionMode"));
1963 case SecurityTokenInclusionMode.AlwaysToInitiator:
1964 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, AlwaysToInitiatorUri);
1966 case SecurityTokenInclusionMode.AlwaysToRecipient:
1967 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, AlwaysToRecipientUri);
1969 case SecurityTokenInclusionMode.Never:
1970 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, NeverUri);
1972 case SecurityTokenInclusionMode.Once:
1973 tokenAssertion.SetAttribute(IncludeTokenName, this.WsspNamespaceUri, OnceUri);
1978 public virtual bool TryGetIncludeTokenValue(XmlElement assertion, out SecurityTokenInclusionMode mode)
1980 string includeTokenUri = assertion.GetAttribute(IncludeTokenName, this.WsspNamespaceUri);
1982 if (includeTokenUri == AlwaysToInitiatorUri)
1984 mode = SecurityTokenInclusionMode.AlwaysToInitiator;
1987 else if (includeTokenUri == AlwaysToRecipientUri)
1989 mode = SecurityTokenInclusionMode.AlwaysToRecipient;
1992 else if (includeTokenUri == NeverUri)
1994 mode = SecurityTokenInclusionMode.Never;
1997 else if (includeTokenUri == OnceUri)
1999 mode = SecurityTokenInclusionMode.Once;
2004 mode = SecurityTokenInclusionMode.Never;
2009 public virtual XmlElement CreateWsspRequireDerivedKeysAssertion(bool requireDerivedKeys)
2011 if (requireDerivedKeys)
2013 return CreateWsspAssertion(RequireDerivedKeysName);
2021 public virtual bool TryImportWsspRequireDerivedKeysAssertion(ICollection<XmlElement> assertions, SecurityTokenParameters parameters)
2023 parameters.RequireDerivedKeys = TryImportWsspAssertion(assertions, RequireDerivedKeysName);
2027 public virtual XmlElement CreateWsspKerberosTokenAssertion(MetadataExporter exporter, KerberosSecurityTokenParameters parameters)
2029 XmlElement result = CreateWsspAssertion(KerberosTokenName);
2030 SetIncludeTokenValue(result, parameters.InclusionMode);
2032 CreateWspPolicyWrapper(
2034 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2035 CreateWsspAssertion(WssGssKerberosV5ApReqToken11Name)
2040 public virtual bool TryImportWsspKerberosTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2044 SecurityTokenInclusionMode inclusionMode;
2045 Collection<Collection<XmlElement>> alternatives;
2047 if (IsWsspAssertion(assertion, KerberosTokenName)
2048 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2050 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2052 foreach (Collection<XmlElement> alternative in alternatives)
2054 parameters = new KerberosSecurityTokenParameters();
2055 if (TryImportWsspRequireDerivedKeysAssertion(alternative, parameters)
2056 && TryImportWsspAssertion(alternative, WssGssKerberosV5ApReqToken11Name, true)
2057 && alternative.Count == 0)
2059 parameters.InclusionMode = inclusionMode;
2070 parameters = new KerberosSecurityTokenParameters();
2071 parameters.RequireDerivedKeys = false;
2072 parameters.InclusionMode = inclusionMode;
2076 return parameters != null;
2079 public virtual XmlElement CreateX509ReferenceStyleAssertion(X509KeyIdentifierClauseType referenceStyle)
2081 switch (referenceStyle)
2084 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("referenceStyle"));
2085 case X509KeyIdentifierClauseType.IssuerSerial:
2086 _mustSupportRefIssuerSerialName = true;
2087 return CreateWsspAssertion(RequireIssuerSerialReferenceName);
2088 case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
2089 _mustSupportRefKeyIdentifierName = true;
2090 return CreateWsspAssertion(RequireKeyIdentifierReferenceName);
2091 case X509KeyIdentifierClauseType.Thumbprint:
2092 _mustSupportRefThumbprintName = true;
2093 return CreateWsspAssertion(RequireThumbprintReferenceName);
2094 case X509KeyIdentifierClauseType.Any:
2095 _mustSupportRefIssuerSerialName = true;
2096 _mustSupportRefKeyIdentifierName = true;
2097 _mustSupportRefThumbprintName = true;
2102 public virtual bool TryImportX509ReferenceStyleAssertion(ICollection<XmlElement> assertions, X509SecurityTokenParameters parameters)
2104 if (TryImportWsspAssertion(assertions, RequireIssuerSerialReferenceName))
2106 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
2108 else if (TryImportWsspAssertion(assertions, RequireKeyIdentifierReferenceName))
2110 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
2112 else if (TryImportWsspAssertion(assertions, RequireThumbprintReferenceName))
2114 parameters.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
2120 public virtual XmlElement CreateWsspX509TokenAssertion(MetadataExporter exporter, X509SecurityTokenParameters parameters)
2122 XmlElement result = CreateWsspAssertion(X509TokenName);
2123 SetIncludeTokenValue(result, parameters.InclusionMode);
2125 CreateWspPolicyWrapper(
2127 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2128 CreateX509ReferenceStyleAssertion(parameters.X509ReferenceStyle),
2129 CreateWsspAssertion(WssX509V3Token10Name)
2134 public virtual bool TryImportWsspX509TokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2138 SecurityTokenInclusionMode inclusionMode;
2139 Collection<Collection<XmlElement>> alternatives;
2141 if (IsWsspAssertion(assertion, X509TokenName)
2142 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2144 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2146 foreach (Collection<XmlElement> alternative in alternatives)
2148 X509SecurityTokenParameters x509 = new X509SecurityTokenParameters();
2150 if (TryImportWsspRequireDerivedKeysAssertion(alternative, x509)
2151 && TryImportX509ReferenceStyleAssertion(alternative, x509)
2152 && TryImportWsspAssertion(alternative, WssX509V3Token10Name, true)
2153 && alternative.Count == 0)
2155 parameters.InclusionMode = inclusionMode;
2166 parameters = new X509SecurityTokenParameters();
2167 parameters.RequireDerivedKeys = false;
2168 parameters.InclusionMode = inclusionMode;
2172 return parameters != null;
2175 public virtual XmlElement CreateWsspUsernameTokenAssertion(MetadataExporter exporter, UserNameSecurityTokenParameters parameters)
2177 XmlElement result = CreateWsspAssertion(UsernameTokenName);
2178 SetIncludeTokenValue(result, parameters.InclusionMode);
2180 CreateWspPolicyWrapper(
2182 CreateWsspAssertion(WssUsernameToken10Name)
2187 public virtual bool TryImportWsspUsernameTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2191 SecurityTokenInclusionMode inclusionMode;
2192 Collection<Collection<XmlElement>> alternatives;
2194 if (IsWsspAssertion(assertion, UsernameTokenName)
2195 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2197 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2199 foreach (Collection<XmlElement> alternative in alternatives)
2201 if (TryImportWsspAssertion(alternative, WssUsernameToken10Name)
2202 && alternative.Count == 0)
2204 parameters = new UserNameSecurityTokenParameters();
2205 parameters.InclusionMode = inclusionMode;
2212 parameters = new UserNameSecurityTokenParameters();
2213 parameters.InclusionMode = inclusionMode;
2217 return parameters != null;
2220 public virtual XmlElement CreateWsspRsaTokenAssertion(RsaSecurityTokenParameters parameters)
2222 XmlElement result = CreateMsspAssertion(RsaTokenName);
2223 SetIncludeTokenValue(result, parameters.InclusionMode);
2227 public virtual bool TryImportWsspRsaTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2231 SecurityTokenInclusionMode inclusionMode;
2232 Collection<Collection<XmlElement>> alternatives;
2234 if (IsMsspAssertion(assertion, RsaTokenName)
2235 && TryGetIncludeTokenValue(assertion, out inclusionMode)
2236 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives) == false)
2238 parameters = new RsaSecurityTokenParameters();
2239 parameters.InclusionMode = inclusionMode;
2242 return parameters != null;
2245 public virtual XmlElement CreateReferenceStyleAssertion(SecurityTokenReferenceStyle referenceStyle)
2247 switch (referenceStyle)
2250 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("referenceStyle"));
2251 case SecurityTokenReferenceStyle.External:
2252 return CreateWsspAssertion(RequireExternalReferenceName);
2253 case SecurityTokenReferenceStyle.Internal:
2254 return CreateWsspAssertion(RequireInternalReferenceName);
2258 public virtual bool TryImportReferenceStyleAssertion(ICollection<XmlElement> assertions, IssuedSecurityTokenParameters parameters)
2260 if (TryImportWsspAssertion(assertions, RequireExternalReferenceName))
2262 parameters.ReferenceStyle = SecurityTokenReferenceStyle.External;
2264 else if (TryImportWsspAssertion(assertions, RequireInternalReferenceName))
2266 parameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
2272 public virtual XmlElement CreateWsspIssuerElement(EndpointAddress issuerAddress, EndpointAddress issuerMetadataAddress)
2275 if (issuerAddress == null && issuerMetadataAddress == null)
2281 EndpointAddress addressToSerialize;
2282 addressToSerialize = issuerAddress == null ? EndpointAddress.AnonymousAddress : issuerAddress;
2284 MemoryStream stream;
2287 if (issuerMetadataAddress != null)
2289 MetadataSet metadataSet = new MetadataSet();
2290 metadataSet.MetadataSections.Add(new MetadataSection(null, null, new MetadataReference(issuerMetadataAddress, AddressingVersion.WSAddressing10)));
2292 stream = new MemoryStream();
2293 writer = new XmlTextWriter(stream, System.Text.Encoding.UTF8);
2294 metadataSet.WriteTo(XmlDictionaryWriter.CreateDictionaryWriter(writer));
2296 stream.Seek(0, SeekOrigin.Begin);
2298 addressToSerialize = new EndpointAddress(
2299 addressToSerialize.Uri,
2300 addressToSerialize.Identity,
2301 addressToSerialize.Headers,
2302 XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(stream)),
2303 addressToSerialize.GetReaderAtExtensions());
2306 stream = new MemoryStream();
2307 writer = new XmlTextWriter(stream, System.Text.Encoding.UTF8);
2308 writer.WriteStartElement(IssuerName, this.WsspNamespaceUri);
2309 addressToSerialize.WriteContentsTo(AddressingVersion.WSAddressing10, writer);
2310 writer.WriteEndElement();
2312 stream.Seek(0, SeekOrigin.Begin);
2313 result = (XmlElement)doc.ReadNode(new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit });
2318 public virtual bool TryGetIssuer(XmlElement assertion, out EndpointAddress issuer, out EndpointAddress issuerMetadata)
2322 issuerMetadata = null;
2324 foreach (XmlNode node in assertion.ChildNodes)
2326 if (node is XmlElement && IsWsspAssertion((XmlElement)node, IssuerName))
2330 issuer = EndpointAddress.ReadFrom(XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(node)));
2331 XmlDictionaryReader metadataReader = issuer.GetReaderAtMetadata();
2332 if (metadataReader != null)
2334 while (metadataReader.MoveToContent() == XmlNodeType.Element)
2336 if (metadataReader.LocalName == MetadataStrings.MetadataExchangeStrings.Metadata
2337 && metadataReader.NamespaceURI == MetadataStrings.MetadataExchangeStrings.Namespace)
2339 MetadataSet metadataSet = MetadataSet.ReadFrom(metadataReader);
2340 foreach (MetadataSection section in metadataSet.MetadataSections)
2342 if (section.Metadata is MetadataReference)
2344 issuerMetadata = ((MetadataReference)section.Metadata).Address;
2352 metadataReader.Skip();
2361 if (e is NullReferenceException)
2372 public virtual XmlElement CreateWsspIssuedTokenAssertion(MetadataExporter exporter, IssuedSecurityTokenParameters parameters)
2374 XmlElement result = CreateWsspAssertion(IssuedTokenName);
2375 SetIncludeTokenValue(result, parameters.InclusionMode);
2376 XmlElement issuerAssertion = CreateWsspIssuerElement(parameters.IssuerAddress, parameters.IssuerMetadataAddress);
2377 if (issuerAssertion != null)
2379 result.AppendChild(issuerAssertion);
2381 XmlElement tokenTemplate = CreateWsspAssertion(RequestSecurityTokenTemplateName);
2382 TrustDriver driver = this.TrustDriver;
2383 foreach (XmlElement p in parameters.CreateRequestParameters(driver))
2385 tokenTemplate.AppendChild(doc.ImportNode(p, true));
2387 result.AppendChild(tokenTemplate);
2389 CreateWspPolicyWrapper(
2391 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2392 CreateReferenceStyleAssertion(parameters.ReferenceStyle)
2397 public virtual bool TryGetRequestSecurityTokenTemplate(XmlElement assertion, out Collection<XmlElement> requestParameters)
2399 requestParameters = null;
2401 foreach (XmlNode node in assertion.ChildNodes)
2403 if (node is XmlElement && IsWsspAssertion((XmlElement)node, RequestSecurityTokenTemplateName))
2405 requestParameters = new Collection<XmlElement>();
2406 foreach (XmlNode p in node.ChildNodes)
2408 if (p is XmlElement)
2410 requestParameters.Add((XmlElement)p);
2416 return requestParameters != null;
2419 public virtual bool TryImportWsspIssuedTokenAssertion(MetadataImporter importer, PolicyConversionContext policyContext, XmlElement assertion, out SecurityTokenParameters parameters)
2423 SecurityTokenInclusionMode inclusionMode;
2424 Collection<Collection<XmlElement>> alternatives;
2425 EndpointAddress issuer;
2426 EndpointAddress issuerMetadata;
2427 Collection<XmlElement> requestSecurityTokenTemplate;
2429 if (IsWsspAssertion(assertion, IssuedTokenName)
2430 && TryGetIncludeTokenValue(assertion, out inclusionMode)
2431 && TryGetIssuer(assertion, out issuer, out issuerMetadata)
2432 && TryGetRequestSecurityTokenTemplate(assertion, out requestSecurityTokenTemplate))
2434 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2436 foreach (Collection<XmlElement> alternative in alternatives)
2438 IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters();
2439 parameters = issued;
2440 if (TryImportWsspRequireDerivedKeysAssertion(alternative, issued)
2441 && TryImportReferenceStyleAssertion(alternative, issued)
2442 && alternative.Count == 0)
2444 issued.InclusionMode = inclusionMode;
2445 issued.IssuerAddress = issuer;
2446 issued.IssuerMetadataAddress = issuerMetadata;
2447 issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver);
2449 TokenIssuerPolicyResolver policyResolver = new TokenIssuerPolicyResolver(this.TrustDriver);
2450 policyResolver.ResolveTokenIssuerPolicy(importer, policyContext, issued);
2462 IssuedSecurityTokenParameters issued = new IssuedSecurityTokenParameters();
2463 parameters = issued;
2464 issued.InclusionMode = inclusionMode;
2465 issued.IssuerAddress = issuer;
2466 issued.IssuerMetadataAddress = issuerMetadata;
2467 issued.SetRequestParameters(requestSecurityTokenTemplate, this.TrustDriver);
2468 issued.RequireDerivedKeys = false;
2472 return parameters != null;
2475 public virtual XmlElement CreateWsspMustNotSendCancelAssertion(bool requireCancel)
2479 XmlElement result = CreateWsspAssertion(MustNotSendCancelName);
2488 public virtual bool TryImportWsspMustNotSendCancelAssertion(ICollection<XmlElement> assertions, out bool requireCancellation)
2490 requireCancellation = !TryImportWsspAssertion(assertions, MustNotSendCancelName);
2494 public virtual XmlElement CreateWsspSpnegoContextTokenAssertion(MetadataExporter exporter, SspiSecurityTokenParameters parameters)
2496 XmlElement result = CreateWsspAssertion(SpnegoContextTokenName);
2497 SetIncludeTokenValue(result, parameters.InclusionMode);
2499 CreateWspPolicyWrapper(
2501 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2502 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation)
2507 public virtual bool TryImportWsspSpnegoContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2511 SecurityTokenInclusionMode inclusionMode;
2512 Collection<Collection<XmlElement>> alternatives;
2514 if (IsWsspAssertion(assertion, SpnegoContextTokenName)
2515 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2517 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2519 foreach (Collection<XmlElement> alternative in alternatives)
2521 SspiSecurityTokenParameters sspi = new SspiSecurityTokenParameters();
2523 bool requireCancellation;
2524 if (TryImportWsspRequireDerivedKeysAssertion(alternative, sspi)
2525 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation)
2526 && alternative.Count == 0)
2528 sspi.RequireCancellation = requireCancellation;
2529 sspi.InclusionMode = inclusionMode;
2540 parameters = new SspiSecurityTokenParameters();
2541 parameters.RequireDerivedKeys = false;
2542 parameters.InclusionMode = inclusionMode;
2546 return parameters != null;
2549 public abstract XmlElement CreateWsspHttpsTokenAssertion(MetadataExporter exporter, HttpsTransportBindingElement httpsBinding);
2551 public abstract bool TryImportWsspHttpsTokenAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, HttpsTransportBindingElement httpsBinding);
2553 public virtual bool ContainsWsspHttpsTokenAssertion(ICollection<XmlElement> assertions)
2555 return (PolicyConversionContext.FindAssertion(assertions, HttpsTokenName, this.WsspNamespaceUri, false) != null);
2558 public virtual XmlElement CreateMsspRequireClientCertificateAssertion(bool requireClientCertificate)
2560 if (requireClientCertificate)
2562 return CreateMsspAssertion(RequireClientCertificateName);
2570 public virtual bool TryImportMsspRequireClientCertificateAssertion(ICollection<XmlElement> assertions, SslSecurityTokenParameters parameters)
2572 parameters.RequireClientCertificate = TryImportMsspAssertion(assertions, RequireClientCertificateName);
2576 public virtual XmlElement CreateMsspSslContextTokenAssertion(MetadataExporter exporter, SslSecurityTokenParameters parameters)
2578 XmlElement result = CreateMsspAssertion(SslContextTokenName);
2579 SetIncludeTokenValue(result, parameters.InclusionMode);
2581 CreateWspPolicyWrapper(
2583 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2584 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation),
2585 CreateMsspRequireClientCertificateAssertion(parameters.RequireClientCertificate)
2590 public virtual bool TryImportMsspSslContextTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2594 SecurityTokenInclusionMode inclusionMode;
2595 Collection<Collection<XmlElement>> alternatives;
2597 if (IsMsspAssertion(assertion, SslContextTokenName)
2598 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2600 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2602 foreach (Collection<XmlElement> alternative in alternatives)
2604 SslSecurityTokenParameters ssl = new SslSecurityTokenParameters();
2606 bool requireCancellation;
2607 if (TryImportWsspRequireDerivedKeysAssertion(alternative, ssl)
2608 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation)
2609 && TryImportMsspRequireClientCertificateAssertion(alternative, ssl)
2610 && alternative.Count == 0)
2612 ssl.RequireCancellation = requireCancellation;
2613 ssl.InclusionMode = inclusionMode;
2624 parameters = new SslSecurityTokenParameters();
2625 parameters.RequireDerivedKeys = false;
2626 parameters.InclusionMode = inclusionMode;
2630 return parameters != null;
2633 public virtual XmlElement CreateWsspBootstrapPolicyAssertion(MetadataExporter exporter, SecurityBindingElement bootstrapSecurity)
2635 if (bootstrapSecurity == null)
2636 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("bootstrapBinding");
2638 WSSecurityPolicy sp = WSSecurityPolicy.GetSecurityPolicyDriver(bootstrapSecurity.MessageSecurityVersion);
2640 // create complete bootstrap binding
2642 CustomBinding bootstrapBinding = new CustomBinding(bootstrapSecurity);
2643 if (exporter.State.ContainsKey(SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey))
2645 BindingElementCollection bindingElementsBelowSecurity = exporter.State[SecurityPolicyStrings.SecureConversationBootstrapBindingElementsBelowSecurityKey] as BindingElementCollection;
2646 if (bindingElementsBelowSecurity != null)
2648 foreach (BindingElement be in bindingElementsBelowSecurity)
2650 bootstrapBinding.Elements.Add(be);
2655 // generate policy for the "how" of security
2657 ServiceEndpoint bootstrapEndpoint = new ServiceEndpoint(NullContract);
2658 bootstrapEndpoint.Binding = bootstrapBinding;
2659 PolicyConversionContext policyContext = exporter.ExportPolicy(bootstrapEndpoint);
2661 // generate policy for the "what" of security (protection assertions)
2663 // hard-coded requirements in V1: sign and encrypt RST and RSTR body
2664 ChannelProtectionRequirements bootstrapProtection = new ChannelProtectionRequirements();
2665 bootstrapProtection.IncomingEncryptionParts.AddParts(new MessagePartSpecification(true));
2666 bootstrapProtection.OutgoingEncryptionParts.AddParts(new MessagePartSpecification(true));
2667 bootstrapProtection.IncomingSignatureParts.AddParts(new MessagePartSpecification(true));
2668 bootstrapProtection.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true));
2670 // add boostrap binding protection requirements (e.g. addressing headers)
2671 ChannelProtectionRequirements cpr = bootstrapBinding.GetProperty<ChannelProtectionRequirements>(new BindingParameterCollection());
2674 bootstrapProtection.Add(cpr);
2677 // extract channel-scope protection requirements and union them across request and response
2678 MessagePartSpecification encryption = new MessagePartSpecification();
2679 encryption.Union(bootstrapProtection.IncomingEncryptionParts.ChannelParts);
2680 encryption.Union(bootstrapProtection.OutgoingEncryptionParts.ChannelParts);
2681 encryption.MakeReadOnly();
2682 MessagePartSpecification signature = new MessagePartSpecification();
2683 signature.Union(bootstrapProtection.IncomingSignatureParts.ChannelParts);
2684 signature.Union(bootstrapProtection.OutgoingSignatureParts.ChannelParts);
2685 signature.MakeReadOnly();
2687 // create final boostrap policy assertion
2689 XmlElement nestedPolicy = CreateWspPolicyWrapper(
2691 sp.CreateWsspSignedPartsAssertion(signature),
2692 sp.CreateWsspEncryptedPartsAssertion(encryption));
2693 foreach (XmlElement e in sp.FilterWsspPolicyAssertions(policyContext.GetBindingAssertions()))
2695 nestedPolicy.AppendChild(e);
2697 XmlElement result = CreateWsspAssertion(BootstrapPolicyName);
2698 result.AppendChild(nestedPolicy);
2703 public virtual ICollection<XmlElement> FilterWsspPolicyAssertions(ICollection<XmlElement> policyAssertions)
2705 Collection<XmlElement> result = new Collection<XmlElement>();
2707 foreach (XmlElement assertion in policyAssertions)
2708 if (IsWsspAssertion(assertion))
2709 result.Add(assertion);
2714 public virtual bool TryImportWsspBootstrapPolicyAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecureConversationSecurityTokenParameters parameters)
2716 bool result = false;
2718 XmlElement assertion;
2719 Collection<Collection<XmlElement>> alternatives;
2721 if (TryImportWsspAssertion(assertions, BootstrapPolicyName, out assertion)
2722 && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2724 BindingElementCollection bindingElements;
2725 importer.State[SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode] = SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode;
2728 bindingElements = importer.ImportPolicy(NullServiceEndpoint, alternatives);
2729 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements))
2731 MessagePartSpecification encryption = (MessagePartSpecification)importer.State[SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements];
2732 if (encryption.IsBodyIncluded != true)
2734 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedSecureConversationBootstrapProtectionRequirements), false));
2735 bindingElements = null;
2738 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements))
2740 MessagePartSpecification signature = (MessagePartSpecification)importer.State[SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements];
2741 if (signature.IsBodyIncluded != true)
2743 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnsupportedSecureConversationBootstrapProtectionRequirements), false));
2744 bindingElements = null;
2750 importer.State.Remove(SecurityBindingElementImporter.InSecureConversationBootstrapBindingImportMode);
2751 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements))
2752 importer.State.Remove(SecurityBindingElementImporter.SecureConversationBootstrapEncryptionRequirements);
2753 if (importer.State.ContainsKey(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements))
2754 importer.State.Remove(SecurityBindingElementImporter.SecureConversationBootstrapSignatureRequirements);
2756 if (bindingElements != null)
2758 parameters.BootstrapSecurityBindingElement = bindingElements.Find<SecurityBindingElement>();
2763 parameters.BootstrapSecurityBindingElement = null;
2764 return true; // Consider returning false here.
2771 public virtual XmlElement CreateWsspSecureConversationTokenAssertion(MetadataExporter exporter, SecureConversationSecurityTokenParameters parameters)
2773 XmlElement result = CreateWsspAssertion(SecureConversationTokenName);
2774 SetIncludeTokenValue(result, parameters.InclusionMode);
2776 CreateWspPolicyWrapper(
2778 CreateWsspRequireDerivedKeysAssertion(parameters.RequireDerivedKeys),
2779 CreateWsspMustNotSendCancelAssertion(parameters.RequireCancellation),
2780 CreateWsspBootstrapPolicyAssertion(exporter, parameters.BootstrapSecurityBindingElement)
2785 public virtual bool TryImportWsspSecureConversationTokenAssertion(MetadataImporter importer, XmlElement assertion, out SecurityTokenParameters parameters)
2789 SecurityTokenInclusionMode inclusionMode;
2790 Collection<Collection<XmlElement>> alternatives;
2792 if (IsWsspAssertion(assertion, SecureConversationTokenName)
2793 && TryGetIncludeTokenValue(assertion, out inclusionMode))
2795 if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives))
2797 foreach (Collection<XmlElement> alternative in alternatives)
2799 SecureConversationSecurityTokenParameters sc = new SecureConversationSecurityTokenParameters();
2801 bool requireCancellation;
2802 if (TryImportWsspRequireDerivedKeysAssertion(alternative, sc)
2803 && TryImportWsspMustNotSendCancelAssertion(alternative, out requireCancellation)
2804 && TryImportWsspBootstrapPolicyAssertion(importer, alternative, sc)
2805 && alternative.Count == 0)
2807 sc.RequireCancellation = requireCancellation;
2808 sc.InclusionMode = inclusionMode;
2819 parameters = new SecureConversationSecurityTokenParameters();
2820 parameters.InclusionMode = inclusionMode;
2821 parameters.RequireDerivedKeys = false;
2825 return parameters != null;
2828 class TokenIssuerPolicyResolver
2830 const string WSIdentityNamespace = @"http://schemas.xmlsoap.org/ws/2005/05/identity";
2831 static readonly Uri SelfIssuerUri = new Uri(WSIdentityNamespace + "/issuer/self");
2833 TrustDriver trustDriver;
2835 public TokenIssuerPolicyResolver(TrustDriver driver)
2837 this.trustDriver = driver;
2840 public void ResolveTokenIssuerPolicy(MetadataImporter importer, PolicyConversionContext policyContext, IssuedSecurityTokenParameters parameters)
2842 if (policyContext == null)
2844 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
2846 if (parameters == null)
2848 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
2851 EndpointAddress mexAddress = (parameters.IssuerMetadataAddress != null) ? parameters.IssuerMetadataAddress : parameters.IssuerAddress;
2852 if (mexAddress == null || mexAddress.IsAnonymous || mexAddress.Uri.Equals(SelfIssuerUri))
2856 int maximumRedirections = (int)importer.State[SecurityBindingElementImporter.MaxPolicyRedirectionsKey];
2858 if (maximumRedirections <= 0)
2860 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.MaximumPolicyRedirectionsExceeded)));
2862 --maximumRedirections;
2865 // Try to retrieve the proxy from the importer.State bag so that we can have secure mex
2866 // and it fails, then we can create a default one
2868 MetadataExchangeClient policyFetcher = null;
2869 if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey)))
2871 policyFetcher = importer.State[MetadataExchangeClient.MetadataExchangeClientKey] as MetadataExchangeClient;
2874 if (policyFetcher == null)
2875 policyFetcher = new MetadataExchangeClient(mexAddress);
2877 ServiceEndpointCollection federationEndpoints = null;
2878 MetadataSet metadataSet = null;
2879 Exception mexException = null;
2882 metadataSet = policyFetcher.GetMetadata(mexAddress);
2888 if (e is NullReferenceException)
2895 // DCR 6729: Try the http get option here if mex failed.
2897 if (metadataSet == null )
2901 metadataSet = policyFetcher.GetMetadata(mexAddress.Uri, MetadataExchangeClientMode.HttpGet);
2907 if (e is NullReferenceException)
2910 if (mexException == null)
2915 if (metadataSet == null)
2918 // we could not retrieve the metadata from the issuer for some reason
2920 if (mexException != null)
2921 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.UnableToObtainIssuerMetadata, mexAddress, mexException), false));
2925 WsdlImporter wsdlImporter;
2926 // NOTE: [....], Policy import/export is seperate from WSDL however, this policy importer
2927 // invokes the WsdlImporter. In the event that the current MetadataImporter is a WsdlImporter,
2928 // we should use it's collection of extensions for the import process. Other wise
2929 WsdlImporter currentWsdlImporter = importer as WsdlImporter;
2930 if (currentWsdlImporter != null)
2932 wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, currentWsdlImporter.WsdlImportExtensions);
2936 wsdlImporter = new WsdlImporter(metadataSet, importer.PolicyImportExtensions, null);
2940 // Copy the State from the first importer to the second one so that the state can be passed to the second round wsdl retrieval
2942 if ((importer.State != null) && (importer.State.ContainsKey(MetadataExchangeClient.MetadataExchangeClientKey)))
2944 wsdlImporter.State.Add(MetadataExchangeClient.MetadataExchangeClientKey, importer.State[MetadataExchangeClient.MetadataExchangeClientKey]);
2947 wsdlImporter.State.Add(SecurityBindingElementImporter.MaxPolicyRedirectionsKey, maximumRedirections);
2949 federationEndpoints = wsdlImporter.ImportAllEndpoints();
2951 // copy all the import errors into the current metadata importer
2952 for (int i = 0; i < wsdlImporter.Errors.Count; ++i)
2954 MetadataConversionError error = wsdlImporter.Errors[i];
2955 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.ErrorImportingIssuerMetadata, mexAddress, InsertEllipsisIfTooLong(error.Message)), error.IsWarning));
2958 if (federationEndpoints != null)
2960 AddCompatibleFederationEndpoints(federationEndpoints, parameters);
2961 if (parameters.AlternativeIssuerEndpoints != null && parameters.AlternativeIssuerEndpoints.Count > 0)
2963 importer.Errors.Add(new MetadataConversionError(SR.GetString(SR.MultipleIssuerEndpointsFound, mexAddress)));
2968 static string InsertEllipsisIfTooLong(string message)
2970 const int MaxLength = 1024;
2971 const string Ellipsis = "....";
2973 if (message != null && message.Length > MaxLength)
2975 return String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}{1}{2}",
2976 message.Substring(0, (MaxLength - Ellipsis.Length) / 2),
2978 message.Substring(message.Length - (MaxLength - Ellipsis.Length) / 2));
2983 void AddCompatibleFederationEndpoints(ServiceEndpointCollection serviceEndpoints, IssuedSecurityTokenParameters parameters)
2985 // check if an explicit issuer address has been specified. If so,add the endpoint corresponding to that address only. If not add all acceptable endpoints.
2987 bool isIssuerSpecified = (parameters.IssuerAddress != null && !parameters.IssuerAddress.IsAnonymous);
2988 foreach (ServiceEndpoint endpoint in serviceEndpoints)
2990 TrustDriver trustDriver;
2991 if (!TryGetTrustDriver(endpoint, out trustDriver))
2993 // if endpoint does not have trustDriver, assume
2994 // parent trustDriver.
2995 trustDriver = this.trustDriver;
2997 bool isFederationContract = false;
2998 ContractDescription contract = endpoint.Contract;
2999 for (int j = 0; j < contract.Operations.Count; ++j)
3001 OperationDescription operation = contract.Operations[j];
3002 bool hasIncomingRst = false;
3003 bool hasOutgoingRstr = false;
3004 for (int k = 0; k < operation.Messages.Count; ++k)
3006 MessageDescription message = operation.Messages[k];
3007 if (message.Action == trustDriver.RequestSecurityTokenAction.Value && message.Direction == MessageDirection.Input)
3009 hasIncomingRst = true;
3011 else if ((((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrustFeb2005) && (message.Action == trustDriver.RequestSecurityTokenResponseAction.Value)) ||
3012 ((trustDriver.StandardsManager.TrustVersion == TrustVersion.WSTrust13) && (message.Action == trustDriver.RequestSecurityTokenResponseFinalAction.Value))) &&
3013 message.Direction == MessageDirection.Output)
3015 hasOutgoingRstr = true;
3018 if (hasIncomingRst && hasOutgoingRstr)
3020 isFederationContract = true;
3024 if (isFederationContract)
3026 // skip if it is not an acceptable endpoint
3027 if (isIssuerSpecified && !parameters.IssuerAddress.Uri.Equals(endpoint.Address.Uri))
3032 if (parameters.IssuerBinding == null)
3034 parameters.IssuerAddress = endpoint.Address;
3035 parameters.IssuerBinding = endpoint.Binding;
3039 IssuedSecurityTokenParameters.AlternativeIssuerEndpoint endpointInfo = new IssuedSecurityTokenParameters.AlternativeIssuerEndpoint();
3040 endpointInfo.IssuerAddress = endpoint.Address;
3041 endpointInfo.IssuerBinding = endpoint.Binding;
3042 parameters.AlternativeIssuerEndpoints.Add(endpointInfo);
3048 bool TryGetTrustDriver(ServiceEndpoint endpoint, out TrustDriver trustDriver)
3050 SecurityBindingElement sbe = endpoint.Binding.CreateBindingElements().Find<SecurityBindingElement>();
3054 MessageSecurityVersion messageSecurityVersion = sbe.MessageSecurityVersion;
3055 if (messageSecurityVersion.TrustVersion == TrustVersion.WSTrustFeb2005)
3057 trustDriver = new WSTrustFeb2005.DriverFeb2005(new SecurityStandardsManager(messageSecurityVersion, WSSecurityTokenSerializer.DefaultInstance));
3059 else if (messageSecurityVersion.TrustVersion == TrustVersion.WSTrust13)
3061 trustDriver = new WSTrustDec2005.DriverDec2005(new SecurityStandardsManager(messageSecurityVersion, WSSecurityTokenSerializer.DefaultInstance));
3064 return trustDriver != null;
3068 public static bool TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy)
3070 SecurityPolicyManager policyManager = new SecurityPolicyManager();
3071 return policyManager.TryGetSecurityPolicyDriver(assertions, out securityPolicy);
3074 public static WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version)
3076 SecurityPolicyManager policyManager = new SecurityPolicyManager();
3077 return policyManager.GetSecurityPolicyDriver(version);
3080 class SecurityPolicyManager
3082 List<WSSecurityPolicy> drivers;
3084 public SecurityPolicyManager()
3086 this.drivers = new List<WSSecurityPolicy>();
3090 public void Initialize()
3092 this.drivers.Add(new WSSecurityPolicy11());
3093 this.drivers.Add(new WSSecurityPolicy12());
3096 public bool TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy)
3098 securityPolicy = null;
3100 for (int i = 0; i < this.drivers.Count; ++i)
3102 if (this.drivers[i].CanImportAssertion(assertions))
3104 securityPolicy = this.drivers[i];
3112 public WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version)
3114 for (int i = 0; i < this.drivers.Count; ++i)
3116 if (this.drivers[i].IsSecurityVersionSupported(version))
3118 return this.drivers[i];
3122 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
3128 static class SecurityPolicyStrings
3130 public const string SecureConversationBootstrapBindingElementsBelowSecurityKey = "SecureConversationBootstrapBindingElementsBelowSecurityKey";