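/// <summary>
/// Tries to resolve a key identifier clause to one of the issuer signing keys or tokens
/// configured on <c>_validationParameters</c>.
/// </summary>
/// <param name="keyIdentifierClause">The clause to resolve.</param>
/// <param name="key">Receives the matched key, or null when no source matched in this call.</param>
/// <param name="token">Receives the token that belongs to the matched key when one is available; otherwise null.</param>
/// <returns>The value of <c>IsKeyMatched</c> after all sources have been consulted.</returns>
/// <remarks>
/// Sources are consulted in this order: IssuerSigningKeyResolver, IssuerSigningKey, IssuerSigningKeys,
/// IssuerSigningToken, IssuerSigningTokens. Every source is evaluated, so a later match replaces an earlier one.
/// </remarks>
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
        {
            token = null;
            key   = null;
            CertMatcher certMatcher = null;

            // for SAML tokens the highest probability are certs, with RawData first
            X509RawDataKeyIdentifierClause rawCertClause         = keyIdentifierClause as X509RawDataKeyIdentifierClause;
            X509SubjectKeyIdentifierClause subjectKeyClause      = keyIdentifierClause as X509SubjectKeyIdentifierClause;
            X509ThumbprintKeyIdentifierClause thumbprintClause   = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
            X509IssuerSerialKeyIdentifierClause issuerSerialClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;

            if (rawCertClause != null)
            {
                certMatcher = rawCertClause.Matches;
            }
            else if (subjectKeyClause != null)
            {
                certMatcher = subjectKeyClause.Matches;
            }
            else if (thumbprintClause != null)
            {
                certMatcher = thumbprintClause.Matches;
            }
            else if (issuerSerialClause != null)
            {
                certMatcher = issuerSerialClause.Matches;
            }

            if (_validationParameters.IssuerSigningKeyResolver != null)
            {
                key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
                if (key != null)
                {
                    this.IsKeyMatched = true;
                }
            }

            // Matches() writes null to its out parameter whenever it does not match. Route its result
            // through a local so a non-matching key cannot erase a token that an earlier source supplied.
            SecurityToken matchedToken;

            if (_validationParameters.IssuerSigningKey != null)
            {
                if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out matchedToken))
                {
                    key               = _validationParameters.IssuerSigningKey;
                    token             = matchedToken;
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningKeys != null)
            {
                foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
                {
                    if (Matches(keyIdentifierClause, securityKey, certMatcher, out matchedToken))
                    {
                        key               = securityKey;
                        token             = matchedToken;
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            if (_validationParameters.IssuerSigningToken != null)
            {
                if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                {
                    token             = _validationParameters.IssuerSigningToken;
                    // NOTE(review): assumes the token exposes at least one key - confirm for every token type accepted here.
                    key               = token.SecurityKeys[0];
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningTokens != null)
            {
                foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
                {
                    // Test the token being enumerated. Testing IssuerSigningToken here instead would throw
                    // when only the collection is configured, and would otherwise hand back the first
                    // collection entry regardless of whether it matches the clause, so the signature
                    // would be checked with a key the clause did not name.
                    if (issuerToken != null && issuerToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                    {
                        token             = issuerToken;
                        key               = token.SecurityKeys[0];
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            // NOTE(review): IsKeyMatched is only ever set to true in this method, never cleared. If it was
            // already true on entry, this returns true even when key is still null - confirm that callers
            // check key, or that the flag is reset elsewhere before each resolution.
            return this.IsKeyMatched;
        }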
        /// <summary>
        /// Checks whether the certificate carried by <paramref name="key"/> satisfies <paramref name="certMatcher"/>.
        /// </summary>
        /// <param name="keyIdentifierClause">Not read by this method.</param>
        /// <param name="key">Candidate key; only X509SecurityKey and X509AsymmetricSecurityKey are examined.</param>
        /// <param name="certMatcher">Predicate applied to the certificate; when null nothing matches.</param>
        /// <param name="token">Receives a new X509SecurityToken wrapping the matched certificate, or null when there is no match.</param>
        /// <returns>true when the key's certificate satisfied the matcher; otherwise false.</returns>
        private static bool Matches(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey key, CertMatcher certMatcher, out SecurityToken token)
        {
            token = null;

            // Without a matcher there is nothing to compare the certificate against.
            if (certMatcher == null)
            {
                return false;
            }

            X509SecurityKey certificateKey = key as X509SecurityKey;
            if (certificateKey != null)
            {
                // The certificate is handed to the matcher as-is, without a null check on this path.
                if (!certMatcher(certificateKey.Certificate))
                {
                    return false;
                }

                token = new X509SecurityToken(certificateKey.Certificate);
                return true;
            }

            X509AsymmetricSecurityKey asymmetricKey = key as X509AsymmetricSecurityKey;
            if (asymmetricKey == null)
            {
                return false;
            }

            // The certificate is read through _certFieldInfo rather than a property of the key.
            // NOTE(review): presumably a reflected field handle - confirm at its declaration.
            X509Certificate2 embeddedCert = _certFieldInfo.GetValue(asymmetricKey) as X509Certificate2;
            if (embeddedCert == null || !certMatcher(embeddedCert))
            {
                return false;
            }

            token = new X509SecurityToken(embeddedCert);
            return true;
        }
        /// <summary>
        /// Applies <paramref name="certMatcher"/> to the certificate behind <paramref name="key"/> and, on success,
        /// wraps that certificate in a token.
        /// </summary>
        /// <param name="keyIdentifierClause">Not read by this method.</param>
        /// <param name="key">Candidate key; only X509SecurityKey and X509AsymmetricSecurityKey are examined.</param>
        /// <param name="certMatcher">Predicate applied to the certificate; when null the result is false.</param>
        /// <param name="token">Set to a new X509SecurityToken for the matched certificate, or to null when nothing matched.</param>
        /// <returns>true when the matcher accepted the key's certificate; otherwise false.</returns>
        private static bool Matches(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey key, CertMatcher certMatcher, out SecurityToken token)
        {
            token = null;
            bool isMatch = false;

            if (certMatcher != null)
            {
                X509SecurityKey certKey = key as X509SecurityKey;
                if (certKey == null)
                {
                    // Not an X509SecurityKey: fall back to the asymmetric key type, whose certificate
                    // is read through _certFieldInfo.
                    // NOTE(review): presumably a reflected field handle - confirm at its declaration.
                    X509AsymmetricSecurityKey asymmKey = key as X509AsymmetricSecurityKey;
                    X509Certificate2 wrappedCert = asymmKey == null
                        ? null
                        : _certFieldInfo.GetValue(asymmKey) as X509Certificate2;

                    if (wrappedCert != null && certMatcher(wrappedCert))
                    {
                        token   = new X509SecurityToken(wrappedCert);
                        isMatch = true;
                    }
                }
                else if (certMatcher(certKey.Certificate))
                {
                    // On this path the certificate reaches the matcher without a prior null check.
                    token   = new X509SecurityToken(certKey.Certificate);
                    isMatch = true;
                }
            }

            return isMatch;
        }