You've already forked linux-packaging-mono
							
							
		
			
				
	
	
		
			664 lines
		
	
	
		
			29 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
			
		
		
	
	
			664 lines
		
	
	
		
			29 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
| //-----------------------------------------------------------------------------
 | |
| // Copyright (c) Microsoft Corporation.  All rights reserved.
 | |
| //-----------------------------------------------------------------------------
 | |
| 
 | |
| namespace System.IdentityModel.Tokens
 | |
| {
 | |
|     using System.Collections.Generic;
 | |
|     using System.Collections.ObjectModel;
 | |
|     using System.Globalization;
 | |
|     using System.IO;
 | |
|     using System.IdentityModel;
 | |
|     using System.IdentityModel.Claims;
 | |
|     using System.IdentityModel.Policy;
 | |
|     using System.IdentityModel.Selectors;
 | |
|     using System.Runtime;
 | |
|     using System.Runtime.InteropServices;
 | |
|     using System.Security;
 | |
|     using System.Security.Cryptography;
 | |
|     using System.Xml;
 | |
| 
 | |
|     public class SamlAssertion : ICanonicalWriterEndRootElementCallback
 | |
|     {
 | |
|         string assertionId = SamlConstants.AssertionIdPrefix + Guid.NewGuid().ToString();
 | |
|         string issuer;
 | |
|         DateTime issueInstant = DateTime.UtcNow.ToUniversalTime();
 | |
|         SamlConditions conditions;
 | |
|         SamlAdvice advice;
 | |
|         readonly ImmutableCollection<SamlStatement> statements = new ImmutableCollection<SamlStatement>();
 | |
|         ReadOnlyCollection<SecurityKey> cryptoList;
 | |
| 
 | |
|         SignedXml signature;
 | |
|         SigningCredentials signingCredentials;
 | |
|         SecurityKey verificationKey;
 | |
|         SecurityToken signingToken;
 | |
| 
 | |
|         HashStream hashStream;
 | |
|         XmlTokenStream tokenStream;
 | |
|         SecurityTokenSerializer keyInfoSerializer;
 | |
|         DictionaryManager dictionaryManager;
 | |
|         XmlTokenStream sourceData;
 | |
| 
 | |
|         bool isReadOnly = false;
 | |
| 
 | |
|         public SamlAssertion()
 | |
|         {
 | |
|         }
 | |
| 
 | |
|         public SamlAssertion(
 | |
|             string assertionId,
 | |
|             string issuer,
 | |
|             DateTime issueInstant,
 | |
|             SamlConditions samlConditions,
 | |
|             SamlAdvice samlAdvice,
 | |
|             IEnumerable<SamlStatement> samlStatements
 | |
|             )
 | |
|         {
 | |
|             if (string.IsNullOrEmpty(assertionId))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionIdRequired));
 | |
| 
 | |
|             if (!IsAssertionIdValid(assertionId))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionIDIsInvalid, assertionId));
 | |
| 
 | |
|             if (string.IsNullOrEmpty(issuer))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionIssuerRequired));
 | |
| 
 | |
|             if (samlStatements == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlStatements");
 | |
|             }
 | |
| 
 | |
|             this.assertionId = assertionId;
 | |
|             this.issuer = issuer;
 | |
|             this.issueInstant = issueInstant.ToUniversalTime();
 | |
|             this.conditions = samlConditions;
 | |
|             this.advice = samlAdvice;
 | |
| 
 | |
|             foreach (SamlStatement samlStatement in samlStatements)
 | |
|             {
 | |
|                 if (samlStatement == null)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLEntityCannotBeNullOrEmpty, XD.SamlDictionary.Statement.Value));
 | |
| 
 | |
|                 this.statements.Add(samlStatement);
 | |
|             }
 | |
| 
 | |
|             if (this.statements.Count == 0)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionRequireOneStatement));
 | |
|         }
 | |
| 
 | |
|         public int MinorVersion
 | |
|         {
 | |
|             get { return SamlConstants.MinorVersionValue; }
 | |
|         }
 | |
| 
 | |
|         public int MajorVersion
 | |
|         {
 | |
|             get { return SamlConstants.MajorVersionValue; }
 | |
|         }
 | |
| 
 | |
|         public string AssertionId
 | |
|         {
 | |
|             get { return this.assertionId; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 if (string.IsNullOrEmpty(value))
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionIdRequired));
 | |
| 
 | |
|                 this.assertionId = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         /// <summary>
 | |
|         /// Indicates whether this assertion was deserialized from XML source
 | |
|         /// and can re-emit the XML data unchanged.
 | |
|         /// </summary>
 | |
|         /// <remarks>
 | |
|         /// <para>
 | |
|         /// The default implementation preserves the source data when read using
 | |
|         /// Saml2AssertionSerializer.ReadAssertion and is willing to re-emit the
 | |
|         /// original data as long as the Id has not changed from the time that 
 | |
|         /// assertion was read.
 | |
|         /// </para>
 | |
|         /// <para>
 | |
|         /// Note that it is vitally important that SAML assertions with different
 | |
|         /// data have different IDs. If implementing a scheme whereby an assertion
 | |
|         /// "template" is loaded and certain bits of data are filled in, the Id 
 | |
|         /// must be changed.
 | |
|         /// </para>
 | |
|         /// </remarks>
 | |
|         /// <returns></returns>
 | |
|         public virtual bool CanWriteSourceData
 | |
|         {
 | |
|             get { return null != this.sourceData; }
 | |
|         }
 | |
| 
 | |
|         public string Issuer
 | |
|         {
 | |
|             get { return this.issuer; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 if (string.IsNullOrEmpty(value))
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SAMLAssertionIssuerRequired));
 | |
| 
 | |
|                 this.issuer = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public DateTime IssueInstant
 | |
|         {
 | |
|             get { return this.issueInstant; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 this.issueInstant = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public SamlConditions Conditions
 | |
|         {
 | |
|             get { return this.conditions; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 this.conditions = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public SamlAdvice Advice
 | |
|         {
 | |
|             get { return this.advice; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 this.advice = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public IList<SamlStatement> Statements
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.statements;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public SigningCredentials SigningCredentials
 | |
|         {
 | |
|             get { return this.signingCredentials; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 this.signingCredentials = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         internal SignedXml Signature
 | |
|         {
 | |
|             get { return this.signature; }
 | |
|         }
 | |
| 
 | |
|         internal SecurityKey SignatureVerificationKey
 | |
|         {
 | |
|             get { return this.verificationKey; }
 | |
|         }
 | |
| 
 | |
|         public SecurityToken SigningToken
 | |
|         {
 | |
|             get { return this.signingToken; }
 | |
|             set
 | |
|             {
 | |
|                 if (isReadOnly)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
 | |
| 
 | |
|                 this.signingToken = value;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public bool IsReadOnly
 | |
|         {
 | |
|             get { return this.isReadOnly; }
 | |
|         }
 | |
| 
 | |
|         internal ReadOnlyCollection<SecurityKey> SecurityKeys
 | |
|         {
 | |
|             get
 | |
|             {
 | |
|                 return this.cryptoList;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public void MakeReadOnly()
 | |
|         {
 | |
|             if (!this.isReadOnly)
 | |
|             {
 | |
|                 if (this.conditions != null)
 | |
|                     this.conditions.MakeReadOnly();
 | |
| 
 | |
|                 if (this.advice != null)
 | |
|                     this.advice.MakeReadOnly();
 | |
| 
 | |
|                 foreach (SamlStatement statement in this.statements)
 | |
|                 {
 | |
|                     statement.MakeReadOnly();
 | |
|                 }
 | |
| 
 | |
|                 this.statements.MakeReadOnly();
 | |
| 
 | |
|                 if (this.cryptoList == null)
 | |
|                 {
 | |
|                     this.cryptoList = BuildCryptoList();
 | |
|                 }
 | |
| 
 | |
|                 this.isReadOnly = true;
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         /// <summary>
 | |
|         /// Captures the XML source data from an EnvelopedSignatureReader. 
 | |
|         /// </summary>
 | |
|         /// <remarks>
 | |
|         /// The EnvelopedSignatureReader that was used to read the data for this
 | |
|         /// assertion should be passed to this method after the </Assertion>
 | |
|         /// element has been read. This method will preserve the raw XML data
 | |
|         /// that was read, including the signature, so that it may be re-emitted
 | |
|         /// without changes and without the need to re-sign the data. See 
 | |
|         /// CanWriteSourceData and WriteSourceData.
 | |
|         /// </remarks>
 | |
|         /// <param name="reader"></param>
 | |
|         internal virtual void CaptureSourceData(EnvelopedSignatureReader reader)
 | |
|         {
 | |
|             if (null == reader)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
 | |
|             }
 | |
| 
 | |
|             this.sourceData = reader.XmlTokens;
 | |
|         }
 | |
| 
 | |
|         protected void ReadSignature(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver, SamlSerializer samlSerializer)
 | |
|         {
 | |
|             if (reader == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
 | |
| 
 | |
|             if (samlSerializer == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlSerializer");
 | |
| 
 | |
|             if (this.signature != null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SAMLSignatureAlreadyRead)));
 | |
| 
 | |
|             // If the reader cannot canonicalize then buffer the signature element to a canonicalizing reader.
 | |
|             XmlDictionaryReader effectiveReader = reader;
 | |
|             if (!effectiveReader.CanCanonicalize)
 | |
|             {
 | |
|                 MemoryStream stream = new MemoryStream();
 | |
|                 XmlDictionaryWriter writer = XmlDictionaryWriter.CreateBinaryWriter(stream, samlSerializer.DictionaryManager.ParentDictionary);
 | |
|                 writer.WriteNode(effectiveReader, false);
 | |
|                 writer.Flush();
 | |
|                 stream.Position = 0;
 | |
|                 effectiveReader = XmlDictionaryReader.CreateBinaryReader(stream.GetBuffer(), 0, (int)stream.Length, samlSerializer.DictionaryManager.ParentDictionary, reader.Quotas);
 | |
|                 effectiveReader.MoveToContent();
 | |
|                 writer.Close();
 | |
|             }
 | |
|             SignedXml signedXml = new SignedXml(new StandardSignedInfo(samlSerializer.DictionaryManager), samlSerializer.DictionaryManager, keyInfoSerializer);
 | |
|             signedXml.TransformFactory = ExtendedTransformFactory.Instance;
 | |
|             signedXml.ReadFrom(effectiveReader);
 | |
|             SecurityKeyIdentifier securityKeyIdentifier = signedXml.Signature.KeyIdentifier;
 | |
|             this.verificationKey = SamlSerializer.ResolveSecurityKey(securityKeyIdentifier, outOfBandTokenResolver);
 | |
|             if (this.verificationKey == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLUnableToResolveSignatureKey, this.issuer)));
 | |
| 
 | |
|             this.signature = signedXml;
 | |
|             this.signingToken = SamlSerializer.ResolveSecurityToken(securityKeyIdentifier, outOfBandTokenResolver);
 | |
|             if (this.signingToken == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SamlSigningTokenNotFound)));
 | |
| 
 | |
|             if (!ReferenceEquals(reader, effectiveReader))
 | |
|                 effectiveReader.Close();
 | |
|         }
 | |
| 
 | |
|         void CheckObjectValidity()
 | |
|         {
 | |
|             if (string.IsNullOrEmpty(this.assertionId))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionIdRequired)));
 | |
| 
 | |
|             if (!IsAssertionIdValid(this.assertionId))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionIDIsInvalid, this.assertionId)));
 | |
| 
 | |
|             if (string.IsNullOrEmpty(this.issuer))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionIssuerRequired)));
 | |
| 
 | |
|             if (this.statements.Count == 0)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionRequireOneStatement)));
 | |
|         }
 | |
| 
 | |
|         bool IsAssertionIdValid(string assertionId)
 | |
|         {
 | |
|             if (string.IsNullOrEmpty(assertionId))
 | |
|                 return false;
 | |
| 
 | |
|             // The first character of the Assertion ID should be a letter or a '_'
 | |
|             return (((assertionId[0] >= 'A') && (assertionId[0] <= 'Z')) ||
 | |
|                 ((assertionId[0] >= 'a') && (assertionId[0] <= 'z')) ||
 | |
|                 (assertionId[0] == '_'));
 | |
|         }
 | |
| 
 | |
|         ReadOnlyCollection<SecurityKey> BuildCryptoList()
 | |
|         {
 | |
|             List<SecurityKey> cryptoList = new List<SecurityKey>();
 | |
| 
 | |
|             for (int i = 0; i < this.statements.Count; ++i)
 | |
|             {
 | |
|                 SamlSubjectStatement statement = this.statements[i] as SamlSubjectStatement;
 | |
|                 if (statement != null)
 | |
|                 {
 | |
|                     bool skipCrypto = false;
 | |
|                     SecurityKey crypto = null;
 | |
|                     if (statement.SamlSubject != null)
 | |
|                         crypto = statement.SamlSubject.Crypto;
 | |
|                     InMemorySymmetricSecurityKey inMemorySymmetricSecurityKey = crypto as InMemorySymmetricSecurityKey;
 | |
|                     if (inMemorySymmetricSecurityKey != null)
 | |
|                     {
 | |
| 
 | |
|                         // Verify that you have not already added this to crypto list.
 | |
|                         for (int j = 0; j < cryptoList.Count; ++j)
 | |
|                         {
 | |
|                             if ((cryptoList[j] is InMemorySymmetricSecurityKey) && (cryptoList[j].KeySize == inMemorySymmetricSecurityKey.KeySize))
 | |
|                             {
 | |
|                                 byte[] key1 = ((InMemorySymmetricSecurityKey)cryptoList[j]).GetSymmetricKey();
 | |
|                                 byte[] key2 = inMemorySymmetricSecurityKey.GetSymmetricKey();
 | |
|                                 int k = 0;
 | |
|                                 for (k = 0; k < key1.Length; ++k)
 | |
|                                 {
 | |
|                                     if (key1[k] != key2[k])
 | |
|                                     {
 | |
|                                         break;
 | |
|                                     }
 | |
|                                 }
 | |
|                                 skipCrypto = (k == key1.Length);
 | |
|                             }
 | |
| 
 | |
|                             if (skipCrypto)
 | |
|                                 break;
 | |
|                         }
 | |
|                     }
 | |
|                     if (!skipCrypto && (crypto != null))
 | |
|                     {
 | |
|                         cryptoList.Add(crypto);
 | |
|                     }
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             return cryptoList.AsReadOnly();
 | |
| 
 | |
|         }
 | |
| 
 | |
|         void VerifySignature(SignedXml signature, SecurityKey signatureVerificationKey)
 | |
|         {
 | |
|             if (signature == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signature");
 | |
| 
 | |
|             if (signatureVerificationKey == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("signatureVerificatonKey");
 | |
| 
 | |
|             signature.StartSignatureVerification(signatureVerificationKey);
 | |
|             signature.EnsureDigestValidity(this.assertionId, tokenStream);
 | |
|             signature.CompleteSignatureVerification();
 | |
|         }
 | |
| 
 | |
|         void ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
 | |
|         {
 | |
|             byte[] hashValue = this.hashStream.FlushHashAndGetValue();
 | |
| 
 | |
|             PreDigestedSignedInfo signedInfo = new PreDigestedSignedInfo(this.dictionaryManager);
 | |
|             signedInfo.AddEnvelopedSignatureTransform = true;
 | |
|             signedInfo.CanonicalizationMethod = SecurityAlgorithms.ExclusiveC14n;
 | |
|             signedInfo.SignatureMethod = this.signingCredentials.SignatureAlgorithm;
 | |
|             signedInfo.DigestMethod = this.signingCredentials.DigestAlgorithm;
 | |
|             signedInfo.AddReference(this.assertionId, hashValue);
 | |
| 
 | |
|             SignedXml signedXml = new SignedXml(signedInfo, this.dictionaryManager, this.keyInfoSerializer);
 | |
|             signedXml.ComputeSignature(this.signingCredentials.SigningKey);
 | |
|             signedXml.Signature.KeyIdentifier = this.signingCredentials.SigningKeyIdentifier;
 | |
|             signedXml.WriteTo(dictionaryWriter);
 | |
|         }
 | |
| 
 | |
|         public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
 | |
|         {
 | |
|             if (reader == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("ReadXml"));
 | |
| 
 | |
|             if (samlSerializer == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
 | |
| 
 | |
|             XmlDictionaryReader dictionaryReader = XmlDictionaryReader.CreateDictionaryReader(reader);
 | |
|             WrappedReader wrappedReader = new WrappedReader(dictionaryReader);
 | |
| #pragma warning suppress 56506 // samlSerializer.DictionaryManager is never null.
 | |
|             SamlDictionary dictionary = samlSerializer.DictionaryManager.SamlDictionary;
 | |
| 
 | |
|             if (!wrappedReader.IsStartElement(dictionary.Assertion, dictionary.Namespace))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLElementNotRecognized, wrappedReader.LocalName)));
 | |
| 
 | |
|             string attributeValue = wrappedReader.GetAttribute(dictionary.MajorVersion, null);
 | |
|             if (string.IsNullOrEmpty(attributeValue))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionMissingMajorVersionAttributeOnRead)));
 | |
|             int majorVersion = Int32.Parse(attributeValue, CultureInfo.InvariantCulture);
 | |
| 
 | |
|             attributeValue = wrappedReader.GetAttribute(dictionary.MinorVersion, null);
 | |
|             if (string.IsNullOrEmpty(attributeValue))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionMissingMinorVersionAttributeOnRead)));
 | |
| 
 | |
|             int minorVersion = Int32.Parse(attributeValue, CultureInfo.InvariantCulture);
 | |
| 
 | |
|             if ((majorVersion != SamlConstants.MajorVersionValue) || (minorVersion != SamlConstants.MinorVersionValue))
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLTokenVersionNotSupported, majorVersion, minorVersion, SamlConstants.MajorVersionValue, SamlConstants.MinorVersionValue)));
 | |
|             }
 | |
| 
 | |
|             attributeValue = wrappedReader.GetAttribute(dictionary.AssertionId, null);
 | |
|             if (string.IsNullOrEmpty(attributeValue))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionIdRequired)));
 | |
| 
 | |
|             if (!IsAssertionIdValid(attributeValue))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionIDIsInvalid, attributeValue)));
 | |
| 
 | |
|             this.assertionId = attributeValue;
 | |
| 
 | |
|             attributeValue = wrappedReader.GetAttribute(dictionary.Issuer, null);
 | |
|             if (string.IsNullOrEmpty(attributeValue))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionMissingIssuerAttributeOnRead)));
 | |
|             this.issuer = attributeValue;
 | |
| 
 | |
|             attributeValue = wrappedReader.GetAttribute(dictionary.IssueInstant, null);
 | |
|             if (!string.IsNullOrEmpty(attributeValue))
 | |
|                 this.issueInstant = DateTime.ParseExact(
 | |
|                     attributeValue, SamlConstants.AcceptedDateTimeFormats, DateTimeFormatInfo.InvariantInfo, DateTimeStyles.None).ToUniversalTime();
 | |
| 
 | |
|             wrappedReader.MoveToContent();
 | |
|             wrappedReader.Read();
 | |
| 
 | |
|             if (wrappedReader.IsStartElement(dictionary.Conditions, dictionary.Namespace))
 | |
|             {
 | |
|                 this.conditions = samlSerializer.LoadConditions(wrappedReader, keyInfoSerializer, outOfBandTokenResolver);
 | |
|                 if (this.conditions == null)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLUnableToLoadCondtions)));
 | |
|             }
 | |
| 
 | |
|             if (wrappedReader.IsStartElement(dictionary.Advice, dictionary.Namespace))
 | |
|             {
 | |
|                 this.advice = samlSerializer.LoadAdvice(wrappedReader, keyInfoSerializer, outOfBandTokenResolver);
 | |
|                 if (this.advice == null)
 | |
|                     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLUnableToLoadAdvice)));
 | |
|             }
 | |
| 
 | |
|             while (wrappedReader.IsStartElement())
 | |
|             {
 | |
| #pragma warning suppress 56506 // samlSerializer.DictionaryManager is never null.
 | |
|                 if (wrappedReader.IsStartElement(samlSerializer.DictionaryManager.XmlSignatureDictionary.Signature, samlSerializer.DictionaryManager.XmlSignatureDictionary.Namespace))
 | |
|                 {
 | |
|                     break;
 | |
|                 }
 | |
|                 else
 | |
|                 {
 | |
|                     SamlStatement statement = samlSerializer.LoadStatement(wrappedReader, keyInfoSerializer, outOfBandTokenResolver);
 | |
|                     if (statement == null)
 | |
|                         throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLUnableToLoadStatement)));
 | |
|                     this.statements.Add(statement);
 | |
|                 }
 | |
|             }
 | |
| 
 | |
|             if (this.statements.Count == 0)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAssertionRequireOneStatementOnRead)));
 | |
| 
 | |
|             if (wrappedReader.IsStartElement(samlSerializer.DictionaryManager.XmlSignatureDictionary.Signature, samlSerializer.DictionaryManager.XmlSignatureDictionary.Namespace))
 | |
|                 this.ReadSignature(wrappedReader, keyInfoSerializer, outOfBandTokenResolver, samlSerializer);
 | |
| 
 | |
|             wrappedReader.MoveToContent();
 | |
|             wrappedReader.ReadEndElement();
 | |
| 
 | |
|             this.tokenStream = wrappedReader.XmlTokens;
 | |
| 
 | |
|             if (this.signature != null)
 | |
|             {
 | |
|                 VerifySignature(this.signature, this.verificationKey);
 | |
|             }
 | |
| 
 | |
|             BuildCryptoList();
 | |
|         }
 | |
| 
 | |
|         internal void WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
 | |
|         {
 | |
|             if (writer == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
 | |
| 
 | |
|             if ((this.signingCredentials == null) && (this.signature == null))
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SamlAssertionMissingSigningCredentials)));
 | |
| 
 | |
|             XmlDictionaryWriter dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
 | |
| 
 | |
|             if (this.signingCredentials != null)
 | |
|             {
 | |
|                 using (HashAlgorithm hash = CryptoHelper.CreateHashAlgorithm(this.signingCredentials.DigestAlgorithm))
 | |
|                 {
 | |
|                     this.hashStream = new HashStream(hash);
 | |
|                     this.keyInfoSerializer = keyInfoSerializer;
 | |
|                     this.dictionaryManager = samlSerializer.DictionaryManager;
 | |
|                     SamlDelegatingWriter delegatingWriter = new SamlDelegatingWriter(dictionaryWriter, this.hashStream, this, samlSerializer.DictionaryManager.ParentDictionary);
 | |
|                     this.WriteXml(delegatingWriter, samlSerializer, keyInfoSerializer);
 | |
|                 }
 | |
|             }
 | |
|             else
 | |
|             {
 | |
|                 this.tokenStream.SetElementExclusion(null, null);
 | |
|                 this.tokenStream.WriteTo(dictionaryWriter, samlSerializer.DictionaryManager);
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         public virtual void WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
 | |
|         {
 | |
|             CheckObjectValidity();
 | |
| 
 | |
|             if (writer == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
 | |
| 
 | |
|             if (samlSerializer == null)
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
 | |
| 
 | |
| #pragma warning suppress 56506 // samlSerializer.DictionaryManager is never null.
 | |
|             SamlDictionary dictionary = samlSerializer.DictionaryManager.SamlDictionary;
 | |
| 
 | |
|             try
 | |
|             {
 | |
|                 writer.WriteStartElement(dictionary.PreferredPrefix.Value, dictionary.Assertion, dictionary.Namespace);
 | |
| 
 | |
|                 writer.WriteStartAttribute(dictionary.MajorVersion, null);
 | |
|                 writer.WriteValue(SamlConstants.MajorVersionValue);
 | |
|                 writer.WriteEndAttribute();
 | |
|                 writer.WriteStartAttribute(dictionary.MinorVersion, null);
 | |
|                 writer.WriteValue(SamlConstants.MinorVersionValue);
 | |
|                 writer.WriteEndAttribute();
 | |
|                 writer.WriteStartAttribute(dictionary.AssertionId, null);
 | |
|                 writer.WriteString(this.assertionId);
 | |
|                 writer.WriteEndAttribute();
 | |
|                 writer.WriteStartAttribute(dictionary.Issuer, null);
 | |
|                 writer.WriteString(this.issuer);
 | |
|                 writer.WriteEndAttribute();
 | |
|                 writer.WriteStartAttribute(dictionary.IssueInstant, null);
 | |
|                 writer.WriteString(this.issueInstant.ToString(SamlConstants.GeneratedDateTimeFormat, CultureInfo.InvariantCulture));
 | |
|                 writer.WriteEndAttribute();
 | |
| 
 | |
|                 // Write out conditions
 | |
|                 if (this.conditions != null)
 | |
|                 {
 | |
|                     this.conditions.WriteXml(writer, samlSerializer, keyInfoSerializer);
 | |
|                 }
 | |
| 
 | |
|                 // Write out advice if there is one
 | |
|                 if (this.advice != null)
 | |
|                 {
 | |
|                     this.advice.WriteXml(writer, samlSerializer, keyInfoSerializer);
 | |
|                 }
 | |
| 
 | |
|                 for (int i = 0; i < this.statements.Count; i++)
 | |
|                 {
 | |
|                     this.statements[i].WriteXml(writer, samlSerializer, keyInfoSerializer);
 | |
|                 }
 | |
| 
 | |
|                 writer.WriteEndElement();
 | |
|             }
 | |
|             catch (Exception e)
 | |
|             {
 | |
|                 // Always immediately rethrow fatal exceptions.
 | |
|                 if (Fx.IsFatal(e)) throw;
 | |
| 
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SAMLTokenNotSerialized), e));
 | |
|             }
 | |
|         }
 | |
| 
 | |
|         /// <summary>
 | |
|         /// Writes the source data, if available.
 | |
|         /// </summary>
 | |
|         /// <exception cref="InvalidOperationException">When no source data is available</exception>
 | |
|         /// <param name="writer"></param>
 | |
|         public virtual void WriteSourceData(XmlWriter writer)
 | |
|         {
 | |
|             if (!this.CanWriteSourceData)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
 | |
|                     new InvalidOperationException(SR.GetString(SR.ID4140)));
 | |
|             }
 | |
| 
 | |
|             // This call will properly just reuse the existing writer if it already qualifies
 | |
|             XmlDictionaryWriter dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
 | |
|             this.sourceData.SetElementExclusion(null, null);
 | |
|             this.sourceData.GetWriter().WriteTo(dictionaryWriter, null );
 | |
|         }
 | |
| 
 | |
|         static internal void AddSamlClaimTypes(ICollection<Type> knownClaimTypes)
 | |
|         {
 | |
|             if (knownClaimTypes == null)
 | |
|             {
 | |
|                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("knownClaimTypes");
 | |
|             }
 | |
|             knownClaimTypes.Add(typeof(SamlAuthorizationDecisionClaimResource));
 | |
|             knownClaimTypes.Add(typeof(SamlAuthenticationClaimResource));
 | |
|             knownClaimTypes.Add(typeof(SamlAccessDecision));
 | |
|             knownClaimTypes.Add(typeof(SamlAuthorityBinding));
 | |
|             knownClaimTypes.Add(typeof(SamlNameIdentifierClaimResource));
 | |
|         }
 | |
|     }
 | |
| }
 |