6 files changed, 24 insertions, 5 deletions

diff --git a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperOPTests.cs b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperOPTests.cs
index ffbadc8..7aac025 100644
--- a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperOPTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperOPTests.cs
@@ -49,6 +49,12 @@ namespace DotNetOpenAuth.Test.OpenId.Extensions {
 			Assert.AreSame(sregResponse, extensions.Single());
 		}
 
+		[TestMethod]
+		public void NegativeResponse() {
+			this.request.IsAuthenticated = false;
+			ExtensionsInteropHelper.ConvertSregToMatchRequest(this.request);
+		}
+
 		/// <summary>
 		/// Verifies sreg coming in is seen as sreg.
 		/// </summary>
diff --git a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPRequestTests.cs b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPRequestTests.cs
index 181c023..44a629a 100644
--- a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPRequestTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPRequestTests.cs
@@ -4,7 +4,7 @@
 // </copyright>
 //-----------------------------------------------------------------------
 
-namespace DotNetOpenAuth.Test.OpenId {
+namespace DotNetOpenAuth.Test.OpenId.Extensions {
 	using System.Collections.ObjectModel;
 	using System.Linq;
 	using DotNetOpenAuth.OpenId;
diff --git a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPResponseTests.cs b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPResponseTests.cs
index 9074f75..7b528d0 100644
--- a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPResponseTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionsInteropHelperRPResponseTests.cs
@@ -4,7 +4,7 @@
 // </copyright>
 //-----------------------------------------------------------------------
 
-namespace DotNetOpenAuth.Test.OpenId {
+namespace DotNetOpenAuth.Test.OpenId.Extensions {
 	using System.Collections.Generic;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId;
diff --git a/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs b/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
index ed41183..dc59b56 100644
--- a/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
+++ b/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
@@ -146,7 +146,11 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
 				ContentType contentType = new ContentType(request.Headers[HttpRequestHeader.ContentType]);
 				if (string.Equals(contentType.MediaType, HttpFormUrlEncoded, StringComparison.Ordinal)) {
 					foreach (string key in request.Form) {
-						fields.Add(key, request.Form[key]);
+						if (key != null) {
+							fields.Add(key, request.Form[key]);
+						} else {
+							Logger.OAuth.WarnFormat("Ignoring query string parameter '{0}' since it isn't a standard name=value parameter.", request.Form[key]);
+						}
 					}
 				}
 			}
diff --git a/src/DotNetOpenAuth/OpenId/Extensions/ExtensionsInteropHelper.cs b/src/DotNetOpenAuth/OpenId/Extensions/ExtensionsInteropHelper.cs
index 9e7ccd2..338c480 100644
--- a/src/DotNetOpenAuth/OpenId/Extensions/ExtensionsInteropHelper.cs
+++ b/src/DotNetOpenAuth/OpenId/Extensions/ExtensionsInteropHelper.cs
@@ -176,9 +176,9 @@ namespace DotNetOpenAuth.OpenId.Extensions {
 		/// </remarks>
 		internal static void ConvertSregToMatchRequest(this Provider.IHostProcessedRequest request) {
 			var req = (Provider.HostProcessedRequest)request;
-			var response = (IProtocolMessageWithExtensions)req.Response;
+			var response = req.Response as IProtocolMessageWithExtensions; // negative responses don't support extensions.
 			var sregRequest = request.GetExtension<ClaimsRequest>();
-			if (sregRequest != null) {
+			if (sregRequest != null && response != null) {
 				if (sregRequest.Synthesized) {
 					var axRequest = request.GetExtension<FetchRequest>();
 					ErrorUtilities.VerifyInternal(axRequest != null, "How do we have a synthesized Sreg request without an AX request?");
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
index 7d30a3f..e1440cd 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
@@ -10,6 +10,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	using System.Diagnostics.Contracts;
 	using System.Linq;
 	using System.Net;
+	using System.Security;
 	using System.Text;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.ChannelElements;
@@ -222,6 +223,14 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 				// the exception so that auth may continue in dumb mode.
 				Logger.OpenId.ErrorFormat("An error occurred while trying to create an association with {0}.  {1}", provider.Uri, ex);
 				return null;
+			} catch (VerificationException ex) {
+				// See Trac ticket #163.  In partial trust host environments, the
+				// Diffie-Hellman implementation we're using for HTTP OP endpoints
+				// sometimes causes the CLR to throw:
+				// "VerificationException: Operation could destabilize the runtime."
+				// Just give up and use dumb mode in this case.
+				Logger.OpenId.ErrorFormat("VerificationException occurred while trying to create an association with {0}.  {1}", provider.Endpoint, ex);
+				return null;
 			}
 		}
 	}