/// <summary> /// Creates an instance of <see cref="SamlSecurityTokenRequirement"/> /// <param name="element">The XmlElement from which the instance is to be loaded.</param> /// </summary> public SamlSecurityTokenRequirement(XmlElement element) { if (element == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element"); } if (element.LocalName != ConfigurationStrings.SamlSecurityTokenRequirement) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7000, ConfigurationStrings.SamlSecurityTokenRequirement, element.LocalName)); } bool foundCustomX509Validator = false; X509RevocationMode revocationMode = DefaultRevocationMode; X509CertificateValidationMode certificateValidationMode = DefaultValidationMode; StoreLocation trustedStoreLocation = DefaultStoreLocation; string customValidator = null; foreach (XmlAttribute attribute in element.Attributes) { if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows)) { bool outMapToWindows = false; if (!bool.TryParse(attribute.Value, out outMapToWindows)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7022, attribute.Value)); } this.MapToWindows = outMapToWindows; } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidator)) { customValidator = attribute.Value.ToString(); } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateRevocationMode)) { foundCustomX509Validator = true; string revocationModeString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck)) { revocationMode = X509RevocationMode.NoCheck; } else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline)) { revocationMode = X509RevocationMode.Offline; } else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline)) { revocationMode = X509RevocationMode.Online; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName))); } } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidationMode)) { foundCustomX509Validator = true; string validationModeString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust)) { certificateValidationMode = X509CertificateValidationMode.ChainTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust)) { certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust)) { certificateValidationMode = X509CertificateValidationMode.PeerTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone)) { certificateValidationMode = X509CertificateValidationMode.None; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom)) { certificateValidationMode = X509CertificateValidationMode.Custom; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName))); } } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateTrustedStoreLocation)) { foundCustomX509Validator = true; string trustedStoreLocationString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser)) { trustedStoreLocation = StoreLocation.CurrentUser; } else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine)) { trustedStoreLocation = StoreLocation.LocalMachine; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName))); } } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, element.LocalName))); } } List <XmlElement> configElements = XmlUtil.GetXmlElements(element.ChildNodes); foreach (XmlElement childElement in configElements) { if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.NameClaimType)) { if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value)); } this.NameClaimType = childElement.Attributes[0].Value; } else if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.RoleClaimType)) { if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value)); } this.RoleClaimType = childElement.Attributes[0].Value; } else { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7002, childElement.LocalName, ConfigurationStrings.SamlSecurityTokenRequirement)); } } if (certificateValidationMode == X509CertificateValidationMode.Custom) { if (string.IsNullOrEmpty(customValidator)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028)); } Type customValidatorType = Type.GetType(customValidator, true); if (customValidatorType == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType)); } _certificateValidator = CustomTypeElement.Resolve <X509CertificateValidator>(new CustomTypeElement(customValidatorType)); } else if (foundCustomX509Validator) { _certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation); } }
/// <summary> /// Load custom configuration from Xml /// </summary> /// <param name="customConfigElements">XmlElement to custom configuration.</param> /// <exception cref="ArgumentNullException">The param 'customConfigElements' is null.</exception> /// <exception cref="InvalidOperationException">Custom configuration specified was invalid.</exception> public override void LoadCustomConfiguration(XmlNodeList customConfigElements) { if (customConfigElements == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("customConfigElements"); } List <XmlElement> configNodes = XmlUtil.GetXmlElements(customConfigElements); bool foundValidConfig = false; bool foundCustomX509Validator = false; X509RevocationMode revocationMode = defaultRevocationMode; X509CertificateValidationMode certificateValidationMode = defaultValidationMode; StoreLocation trustedStoreLocation = defaultStoreLocation; string customValidator = null; foreach (XmlElement customConfigElement in configNodes) { if (!StringComparer.Ordinal.Equals(customConfigElement.LocalName, ConfigurationStrings.X509SecurityTokenHandlerRequirement)) { continue; } if (foundValidConfig) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7026, ConfigurationStrings.X509SecurityTokenHandlerRequirement)); } foreach (XmlAttribute attribute in customConfigElement.Attributes) { if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows)) { mapToWindows = XmlConvert.ToBoolean(attribute.Value.ToLowerInvariant()); } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidator)) { customValidator = attribute.Value.ToString(); } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateRevocationMode)) { foundCustomX509Validator = true; string revocationModeString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck)) { revocationMode = X509RevocationMode.NoCheck; } else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline)) { revocationMode = X509RevocationMode.Offline; } else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline)) { revocationMode = X509RevocationMode.Online; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName))); } } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidationMode)) { foundCustomX509Validator = true; string validationModeString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust)) { certificateValidationMode = X509CertificateValidationMode.ChainTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust)) { certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust)) { certificateValidationMode = X509CertificateValidationMode.PeerTrust; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone)) { certificateValidationMode = X509CertificateValidationMode.None; } else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom)) { certificateValidationMode = X509CertificateValidationMode.Custom; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName))); } } else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509TrustedStoreLocation)) { foundCustomX509Validator = true; string trustedStoreLocationString = attribute.Value.ToString(); if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser)) { trustedStoreLocation = StoreLocation.CurrentUser; } else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine)) { trustedStoreLocation = StoreLocation.LocalMachine; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName))); } } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, customConfigElement.LocalName))); } } foundValidConfig = true; } if (certificateValidationMode == X509CertificateValidationMode.Custom) { if (String.IsNullOrEmpty(customValidator)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028)); } Type customValidatorType = Type.GetType(customValidator, true); if (customValidatorType == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType)); } certificateValidator = CustomTypeElement.Resolve <X509CertificateValidator>(new CustomTypeElement(customValidatorType)); } else if (foundCustomX509Validator) { certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation); } }
/// <summary> /// Updates properties in the <see cref="SecurityTokenHandlerConfiguration"/> objects for the /// <see cref="SecurityTokenHandlerCollection"/> objects contained in /// <see cref="IdentityConfiguration.SecurityTokenHandlerCollectionManager"/> to be consistent with the property /// values on this <see cref="IdentityConfiguration"/> instance. /// </summary> /// <remarks> /// This method should be invoked prior to using these token handlers /// for token processing. /// </remarks> /// <exception cref="InvalidOperationException">If this method is invoked more than once.</exception> public virtual void Initialize() { if (this.IsInitialized) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7009)); } SecurityTokenHandlerCollection defaultCollection = this.SecurityTokenHandlers; if (!object.ReferenceEquals(_serviceHandlerConfiguration, defaultCollection.Configuration)) { // // If someone has created their own new STHConfig and set it as default, leave that config alone. // TraceUtility.TraceString(TraceEventType.Information, SR.GetString(SR.ID4283)); this.IsInitialized = true; return; } // Update the ServiceTokenResolver of the default TokenHandlerCollection's configuration, if serviceCertificate is set. if (this.ServiceCertificate != null) { SecurityTokenResolver serviceCertificateResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>( new SecurityToken[] { new X509SecurityToken(this.ServiceCertificate) }), false); SecurityTokenResolver tokenResolver = this.SecurityTokenHandlers.Configuration.ServiceTokenResolver; if ((tokenResolver != null) && (tokenResolver != EmptySecurityTokenResolver.Instance)) { this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { serviceCertificateResolver, tokenResolver }); } else { this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = serviceCertificateResolver; } } SecurityTokenResolver configuredIssuerTokenResolver = this.IssuerTokenResolver; if (this.IssuerTokenResolver == SecurityTokenHandlerConfiguration.DefaultIssuerTokenResolver) { // // Add the known certificates from WCF's ServiceCredentials in front of // the default issuer token resolver. // if (this.KnownIssuerCertificates != null) { int count = this.KnownIssuerCertificates.Count; if (count > 0) { SecurityToken[] tokens = new SecurityToken[count]; for (int i = 0; i < count; i++) { tokens[i] = new X509SecurityToken(this.KnownIssuerCertificates[i]); } SecurityTokenResolver knownCertificateTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(tokens), false); this.IssuerTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { knownCertificateTokenResolver, configuredIssuerTokenResolver }); } } } if (this.CertificateValidationMode != X509CertificateValidationMode.Custom) { defaultCollection.Configuration.CertificateValidator = X509Util.CreateCertificateValidator(defaultCollection.Configuration.CertificateValidationMode, defaultCollection.Configuration.RevocationMode, defaultCollection.Configuration.TrustedStoreLocation); } else if (object.ReferenceEquals(defaultCollection.Configuration.CertificateValidator, SecurityTokenHandlerConfiguration.DefaultCertificateValidator)) { // // If the mode is custom but the validator or still default, something has gone wrong. // throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4280))); } this.IsInitialized = true; }