private async Task <CertificateAuthenticationFailedContext> HandleFailureAsync(Exception error)
{
var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
{
Exception = error
};
await Events.AuthenticationFailed(authenticationFailedContext);
return(authenticationFailedContext);
}
/// <inheritdoc />
public Task Fail(CertificateAuthenticationFailedContext context)
{
if (_logger.IsEnabled(LogLevel.Trace))
{
_logger.LogTrace("certificate failed to validate: \r\n" +
$"AuthenticationScheme: {context.Scheme}\r\n" +
$"Result: {context.Result}\r\n" +
$"Exception: {context.Exception}");
}
if (_logger.IsEnabled(LogLevel.Debug))
{
_logger.LogDebug($"certificate failed to validate: {context.Exception}");
}
return(Task.CompletedTask);
}
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
// You only get client certificates over HTTPS
if (!Context.Request.IsHttps)
{
return(AuthenticateResult.NoResult());
}
try
{
var clientCertificate = await Context.Connection.GetClientCertificateAsync();
// This should never be the case, as cert authentication happens long before ASP.NET kicks in.
if (clientCertificate == null)
{
Logger.NoCertificate();
return(AuthenticateResult.NoResult());
}
// If we have a self signed cert, and they're not allowed, exit early and not bother with
// any other validations.
if (clientCertificate.IsSelfSigned() && !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned))
{
Logger.LogWarning("Self signed certificate rejected, subject was {0}", clientCertificate.Subject);
return(AuthenticateResult.Fail("Options do not allow self signed certificates."));
}
// If we have a chained cert, and they're not allowed, exit early and not bother with
// any other validations.
if (!clientCertificate.IsSelfSigned() && !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained))
{
Logger.CertificateRejected("Chained", clientCertificate.Subject);
return(AuthenticateResult.Fail("Options do not allow chained certificates."));
}
var chainPolicy = BuildChainPolicy(clientCertificate);
var chain = new X509Chain
{
ChainPolicy = chainPolicy
};
//// <variation>
var certificateIsValid = IsChainValid(chain, clientCertificate);
//// </variation>
if (!certificateIsValid)
{
var chainErrors = new List <string>();
foreach (var validationFailure in chain.ChainStatus)
{
chainErrors.Add($"{validationFailure.Status} {validationFailure.StatusInformation}");
}
Logger.CertificateFailedValidation(clientCertificate.Subject, chainErrors);
return(AuthenticateResult.Fail("Client certificate failed validation."));
}
var certificateValidatedContext = new CertificateValidatedContext(Context, Scheme, Options)
{
ClientCertificate = clientCertificate,
Principal = CreatePrincipal(clientCertificate)
};
await Events.CertificateValidated(certificateValidatedContext);
if (certificateValidatedContext.Result != null)
{
return(certificateValidatedContext.Result);
}
certificateValidatedContext.Success();
return(certificateValidatedContext.Result);
}
catch (Exception ex)
{
var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
{
Exception = ex
};
await Events.AuthenticationFailed(authenticationFailedContext);
if (authenticationFailedContext.Result != null)
{
return(authenticationFailedContext.Result);
}
throw;
}
}
public Task CertificateAuthenticationFailed(CertificateAuthenticationFailedContext context)
{
context.Fail("Certificate Authentication Failed");
return(Task.CompletedTask);
}
/// <summary> /// Invoked when a certificate fails authentication. /// </summary> /// <param name="context"></param> /// <returns></returns> public virtual Task AuthenticationFailed(CertificateAuthenticationFailedContext context) => OnAuthenticationFailed(context);
