Imported Upstream version 4.8.0.309

Former-commit-id: 5f9c6ae75f295e057a7d2971f3a6df4656fa8850

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/CryptoHelper.cs

@@ -17,6 +17,7 @@ namespace System.ServiceModel.Security
     using System.Text;
     using System.Xml;
     using System.Diagnostics;
+    using System.Diagnostics.CodeAnalysis;
     using System.Security.Cryptography;
 
     using Psha1DerivedKeyGenerator = System.IdentityModel.Psha1DerivedKeyGenerator;
@@ -57,6 +58,7 @@ namespace System.ServiceModel.Security
             return CryptoHelper.CreateHashAlgorithm(SecurityAlgorithms.Sha256Digest);
         }
 
+        [SuppressMessage("Microsoft.Security.Cryptography", "CA5354:DoNotUseSHA1", Justification = "Cannot change. Required as SOAP spec requires supporting SHA1.")]
         internal static HashAlgorithm CreateHashAlgorithm(string digestMethod)
         {
             object algorithmObject = CryptoAlgorithms.GetAlgorithmFromConfig(digestMethod);
@@ -86,6 +88,7 @@ namespace System.ServiceModel.Security
             }
         }
 
+        [SuppressMessage("Microsoft.Security.Cryptography", "CA5354:DoNotUseSHA1", Justification = "Cannot change. Required as SOAP spec requires supporting SHA1.")]
         internal static HashAlgorithm CreateHashForAsymmetricSignature(string signatureMethod)
         {
             object algorithmObject = CryptoAlgorithms.GetAlgorithmFromConfig(signatureMethod);

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/SecurityUtils.cs.REMOVED.git-id

@@ -0,0 +1 @@
+b62aceefcff29d0061ab33c65db191ab5faee7c8

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/TlsSspiNegotiation.cs

@@ -543,7 +543,14 @@ namespace System.ServiceModel.Security
             bool hasPrivateKey = false;
             try
             {
-                hasPrivateKey = certificate != null && certificate.PrivateKey != null;
+                if (System.ServiceModel.LocalAppContextSwitches.DisableCngCertificates)
+                {
+                    hasPrivateKey = certificate != null && certificate.PrivateKey != null;
+                }
+                else
+                {
+                    hasPrivateKey = certificate.HasPrivateKey && SecurityUtils.CanReadPrivateKey(certificate);
+                }
             }
             catch (SecurityException e)
             {

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/Tokens/IssuedSecurityTokenProvider.cs

@@ -461,7 +461,7 @@ namespace System.ServiceModel.Security.Tokens
 
             XmlDocument dom = new XmlDocument();
             dom.PreserveWhitespace = true;
-            dom.Load(stream);
+            dom.Load(new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit });
             stream.Close();
 
             return dom.DocumentElement;

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/WSSecurityPolicy.cs.REMOVED.git-id

@@ -1 +1 @@
-e3d7cf18cc07d587f1e980a4e513774963b751e3
+417886dd3eba68ef6d147d84828ba4cd1efa0ae1

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/WSTrust.cs

@@ -1417,7 +1417,7 @@ namespace System.ServiceModel.Security
                     writer.Flush();
                     stream.Seek(0, SeekOrigin.Begin);
                     XmlNode skiNode;
-                    using (XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(new XmlTextReader(stream)))
+                    using (XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit }))
                     {
                         reader.MoveToContent();
                         skiNode = doc.ReadNode(reader);

mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/WSTrustServiceContract.cs.REMOVED.git-id

@@ -1 +1 @@
-81df58a3069e5ff171d11fed73dc25d5fab47202
+1bd584b2806af9a18b3a131b41a8151545fe09e1