public void XmlHelpers_IsSignedBy_ChecksDigestAlgorithmStrength()
{
var xml = "<xml ID=\"MyXml\" />";
var xmlDoc = XmlHelpers.FromString(xml);
var sx = new SignedXml(xmlDoc);
var reference = new Reference
{
Uri = "#MyXml",
DigestMethod = SignedXml.XmlDsigSHA1Url
};
reference.AddTransform(new XmlDsigExcC14NTransform());
reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
sx.AddReference(reference);
sx.SigningKey = ((RSACryptoServiceProvider)SignedXmlHelper.TestCert.PrivateKey)
.GetSha256EnabledRSACryptoServiceProvider();
sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
sx.ComputeSignature();
xmlDoc.DocumentElement.AppendChild(sx.GetXml());
var keyClause = new X509RawDataKeyIdentifierClause(SignedXmlHelper.TestCert);
xmlDoc.DocumentElement.Invoking(x =>
x.IsSignedByAny(Enumerable.Repeat(keyClause, 1), false, SignedXml.XmlDsigRSASHA256Url))
.ShouldThrow <InvalidSignatureException>()
.WithMessage("*digest*weak*");
}
/// <summary>
/// Returns the collection of certificates that the STS uses to sign tokens.
/// </summary>
/// <returns>The collection of certificates.</returns>
private IEnumerable <X509Certificate2> ReadStsSigningCertificates(SecurityTokenServiceDescriptor stsDescriptor)
{
List <X509Certificate2> stsCertificates = new List <X509Certificate2>();
if (stsDescriptor != null && stsDescriptor.Keys != null)
{
Collection <KeyDescriptor> keyDescriptors = (Collection <KeyDescriptor>)stsDescriptor.Keys;
if (keyDescriptors != null && keyDescriptors.Count > 0)
{
foreach (KeyDescriptor keyDescriptor in keyDescriptors)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier kid = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause = null;
kid.TryFind <X509RawDataKeyIdentifierClause>(out clause);
if (clause != null)
{
X509Certificate2 certificate = new X509Certificate2(clause.GetX509RawData());
stsCertificates.Add(certificate);
}
}
}
}
}
return(stsCertificates);
}
public override SecurityKeyIdentifierClause ReadKeyIdentifierClauseCore(XmlDictionaryReader reader)
{
SecurityKeyIdentifierClause clause = null;
reader.ReadStartElement(XD.XmlSignatureDictionary.X509Data, this.NamespaceUri);
while (reader.IsStartElement())
{
if ((clause == null) && reader.IsStartElement(XD.XmlSignatureDictionary.X509Certificate, this.NamespaceUri))
{
X509Certificate2 certificate = null;
if (!System.ServiceModel.Security.SecurityUtils.TryCreateX509CertificateFromRawData(reader.ReadElementContentAsBase64(), out certificate))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidX509RawData")));
}
clause = new X509RawDataKeyIdentifierClause(certificate);
}
else if ((clause == null) && reader.IsStartElement("X509SKI", this.NamespaceUri.ToString()))
{
clause = new X509SubjectKeyIdentifierClause(reader.ReadElementContentAsBase64());
}
else
{
reader.Skip();
}
}
reader.ReadEndElement();
return(clause);
}
public static byte[] signingCertificate(string metadataURI)
{
if (metadataURI == null)
{
throw new ArgumentNullException(metadataURI);
}
using (XmlReader metadataReader = XmlReader.Create(metadataURI)) {
MetadataSerializer serializer = new MetadataSerializer()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
EntityDescriptor entityDescriptor = serializer.ReadMetadata(metadataReader) as EntityDescriptor;
if (entityDescriptor != null)
{
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd != null)
{
X509RawDataKeyIdentifierClause clause = stsd.Keys.First().KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First();
if (clause != null)
{
return(clause.GetX509RawData());
}
throw new Exception("The SecurityTokenServiceDescriptor in the metadata does not contain a RawData signing certificate");
}
throw new Exception("The Federation Metadata document does not contain a SecurityTokenServiceDescriptor");
}
throw new Exception("Invalid Federation Metadata document");
}
}
private static SecurityKeyIdentifierClause ReadX509Certificate(XmlReader reader)
{
reader.ReadStartElement("X509Certificate", SignedXml.XmlDsigNamespaceUrl);
var clause = new X509RawDataKeyIdentifierClause(
((XmlDictionaryReader)reader).ReadContentAsBase64());
reader.ReadEndElement();
return(clause);
}
/// <summary>
/// Retrieves a populated <see cref="WsFederationConfiguration"/> given an address and an <see cref="IDocumentRetriever"/>.
/// </summary>
/// <param name="address">address of the metadata document.</param>
/// <param name="retriever">the <see cref="IDocumentRetriever"/> to use to read the metadata document</param>
/// <param name="cancel"><see cref="CancellationToken"/>.</param>
/// <returns>A populated <see cref="WsFederationConfiguration"/> instance.</returns>
public static async Task <WsFederationConfiguration> GetAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
{
if (string.IsNullOrWhiteSpace(address))
{
LogHelper.Throw(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10000, GetType() + ": address"), typeof(ArgumentNullException), EventLevel.Verbose);
}
if (retriever == null)
{
LogHelper.Throw(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10000, GetType() + ": retriever"), typeof(ArgumentNullException), EventLevel.Verbose);
}
WsFederationConfiguration configuration = new WsFederationConfiguration();
string document = await retriever.GetDocumentAsync(address, cancel);
using (XmlReader metaDataReader = XmlReader.Create(new StringReader(document), SafeSettings))
{
var serializer = new MetadataSerializer {
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadataBase = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadataBase;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
configuration.Issuer = entityDescriptor.EntityId.Id;
}
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd != null)
{
configuration.TokenEndpoint = stsd.PassiveRequestorEndpoints.First().Uri.AbsoluteUri;
foreach (KeyDescriptor keyDescriptor in stsd.Keys)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
IdentityModelEventSource.Logger.WriteVerbose(LogMessages.IDX10807);
foreach (SecurityKeyIdentifierClause clause in keyDescriptor.KeyInfo)
{
X509RawDataKeyIdentifierClause x509Clause = clause as X509RawDataKeyIdentifierClause;
if (x509Clause != null)
{
var key = new X509SecurityKey(new X509Certificate2(x509Clause.GetX509RawData()));
configuration.SigningKeys.Add(key);
}
}
}
}
}
}
return(configuration);
}
public override void WriteKeyIdentifierClauseCore(XmlDictionaryWriter writer, SecurityKeyIdentifierClause keyIdentifierClause)
{
X509RawDataKeyIdentifierClause clause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
writer.WriteStartElement(XD.XmlSignatureDictionary.Prefix.Value, XD.XmlSignatureDictionary.X509Data, this.NamespaceUri);
writer.WriteStartElement(XD.XmlSignatureDictionary.Prefix.Value, XD.XmlSignatureDictionary.X509Certificate, this.NamespaceUri);
byte[] buffer = clause.GetX509RawData();
writer.WriteBase64(buffer, 0, buffer.Length);
writer.WriteEndElement();
writer.WriteEndElement();
}
/// <summary>
/// Generate a sample MetadataBase.
/// </summary>
/// <remarks>
/// In a production system this would be generated from the STS configuration.
/// </remarks>
public static MetadataBase GetFederationMetadata()
{
string endpointId = "http://localhost/stsservice/service.svc";
EntityDescriptor metadata = new EntityDescriptor();
metadata.EntityId = new EntityId(endpointId);
// Define the signing key
string signingCertificateName = WebConfigurationManager.AppSettings["SigningCertificateName"];
X509Certificate2 cert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, signingCertificateName);
metadata.SigningCredentials = new X509SigningCredentials(cert);
// Create role descriptor for security token service
SecurityTokenServiceDescriptor stsRole = new SecurityTokenServiceDescriptor();
stsRole.ProtocolsSupported.Add(new Uri(WSFederationMetadataConstants.Namespace));
metadata.RoleDescriptors.Add(stsRole);
// Add a contact name
ContactPerson person = new ContactPerson(ContactType.Administrative);
person.GivenName = "contactName";
stsRole.Contacts.Add(person);
// Include key identifier for signing key in metadata
SecurityKeyIdentifierClause clause = new X509RawDataKeyIdentifierClause(cert);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier(clause);
KeyDescriptor signingKey = new KeyDescriptor(ski);
signingKey.Use = KeyType.Signing;
stsRole.Keys.Add(signingKey);
// Add endpoints
string activeSTSUrl = "https://localhost/stsservice/service.svc";
EndpointAddress endpointAddress = new EndpointAddress(new Uri(activeSTSUrl),
null,
null, GetMetadataReader(activeSTSUrl), null);
stsRole.SecurityTokenServiceEndpoints.Add(endpointAddress);
// Add a collection of offered claims
// NOTE: In this sample, these claims must match the claims actually generated in CustomSecurityTokenService.GetOutputClaimsIdentity.
// In a production system, there would be some common data store that both use
stsRole.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name, "Name", "The name of the subject."));
stsRole.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Role, "Role", "The role of the subject."));
// Add a special claim for the QuoteService
stsRole.ClaimTypesOffered.Add(new DisplayClaim(QuotationClassClaimType, "QuotationClass", "Class of quotation desired."));
return(metadata);
}
internal static XmlDocument GetPlainAsertion(SecurityTokenResolver securityTokenResolver, XmlElement el)
{
var encryptedDataElement = GetElement(HttpRedirectBindingConstants.EncryptedData, Saml20Constants.Xenc, el);
var encryptedData = new System.Security.Cryptography.Xml.EncryptedData();
encryptedData.LoadXml(encryptedDataElement);
var encryptedKey = new System.Security.Cryptography.Xml.EncryptedKey();
var encryptedKeyElement = GetElement(HttpRedirectBindingConstants.EncryptedKey, Saml20Constants.Xenc, el);
encryptedKey.LoadXml(encryptedKeyElement);
var securityKeyIdentifier = new SecurityKeyIdentifier();
foreach (KeyInfoX509Data v in encryptedKey.KeyInfo)
{
foreach (X509Certificate2 cert in v.Certificates)
{
var cl = new X509RawDataKeyIdentifierClause(cert);
securityKeyIdentifier.Add(cl);
}
}
var clause = new EncryptedKeyIdentifierClause(encryptedKey.CipherData.CipherValue, encryptedKey.EncryptionMethod.KeyAlgorithm, securityKeyIdentifier);
SecurityKey key;
var success = securityTokenResolver.TryResolveSecurityKey(clause, out key);
if (!success)
{
throw new InvalidOperationException("Cannot locate security key");
}
SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
if (symmetricSecurityKey == null)
{
throw new InvalidOperationException("Key must be symmentric key");
}
SymmetricAlgorithm symmetricAlgorithm = symmetricSecurityKey.GetSymmetricAlgorithm(encryptedData.EncryptionMethod.KeyAlgorithm);
var encryptedXml = new System.Security.Cryptography.Xml.EncryptedXml();
var plaintext = encryptedXml.DecryptData(encryptedData, symmetricAlgorithm);
var assertion = new XmlDocument {
PreserveWhitespace = true
};
assertion.Load(new StringReader(Encoding.UTF8.GetString(plaintext)));
return(assertion);
}
//[Authorize]
public ActionResult FederationMetadata()
{
var endpoint = Request.Url.Scheme + "://" + Request.Url.Host + ":" + Request.Url.Port;
var entityDescriptor = new EntityDescriptor(
new EntityId(ConfigurationManager.AppSettings["stsName"]))
{
SigningCredentials = CertificateFactory.GetSigningCredentials()
};
var roleDescriptor = new SecurityTokenServiceDescriptor();
roleDescriptor.Contacts.Add(new ContactPerson(ContactType.Administrative));
var clause = new X509RawDataKeyIdentifierClause(CertificateFactory.GetCertificate());
var securityKeyIdentifier = new SecurityKeyIdentifier(clause);
var signingKey = new KeyDescriptor(securityKeyIdentifier)
{
Use = KeyType.Signing
};
roleDescriptor.Keys.Add(signingKey);
var endpointAddress =
new System.IdentityModel.Protocols.WSTrust.EndpointReference(endpoint + "/Security/Authorize");
roleDescriptor.PassiveRequestorEndpoints.Add(endpointAddress);
roleDescriptor.SecurityTokenServiceEndpoints.Add(endpointAddress);
roleDescriptor.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
entityDescriptor.RoleDescriptors.Add(roleDescriptor);
var serializer = new MetadataSerializer();
var settings = new XmlWriterSettings {
Encoding = Encoding.UTF8
};
var memoryStream = new MemoryStream();
var writer = XmlWriter.Create(memoryStream, settings);
serializer.WriteMetadata(writer, entityDescriptor);
writer.Flush();
var content = Content(Encoding.UTF8.GetString(memoryStream.GetBuffer()), "text/xml");
writer.Dispose();
return(content);
}
static ClaimsPrincipal ValidateTokenWithX509SecurityToken(X509RawDataKeyIdentifierClause x509DataClause, string token)
{
var validatingCertificate = new X509Certificate2(x509DataClause.GetX509RawData());
var tokenHandler = new JwtSecurityTokenHandler();
var x509SecurityToken = new X509SecurityToken(validatingCertificate);
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = "http://www.example.com",
SigningToken = x509SecurityToken,
ValidIssuer = "self",
};
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(new JwtSecurityToken(token), validationParameters);
return(claimsPrincipal);
}
/// <summary>
/// Build a new RequestSecurityToken structure without actually sending it.
/// </summary>
/// <param name="bootstrapSecurityToken">The token to include in ActAs</param>
/// <param name="clientCertificate">The instance certificate. Must have a private key.</param>
/// <param name="RelyingPartyAdress">Address/uri of the provider service which is going to receive the token in the end</param>
/// <param name="requestClaims">Any additional claims to add to the request</param>
/// <returns></returns>
public static RequestSecurityToken RequestSecurityToken(SecurityToken bootstrapSecurityToken, X509Certificate2 clientCertificate, Uri RelyingPartyAdress, IEnumerable <RequestClaim> requestClaims)
{
var requestSecurityToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
requestSecurityToken.AppliesTo = new EndpointAddress(RelyingPartyAdress);
requestSecurityToken.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
requestSecurityToken.KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
requestSecurityToken.ActAs = new SecurityTokenElement(bootstrapSecurityToken);
SecurityKeyIdentifierClause clause = new X509RawDataKeyIdentifierClause(clientCertificate);
requestSecurityToken.UseKey = new UseKey(new SecurityKeyIdentifier(clause), new X509SecurityToken(clientCertificate));
foreach (RequestClaim claim in requestClaims)
{
requestSecurityToken.Claims.Add(claim);
}
return(requestSecurityToken);
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
token = null;
foreach (X509Certificate2 cert in trustedIssuerCertificates)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((thumbprintKeyIdentifierClause != null) && (thumbprintKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((issuerSerialKeyIdentifierClause != null) && (issuerSerialKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((subjectKeyIdentifierClause != null) && (subjectKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((rawDataKeyIdentifierClause != null) && (rawDataKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
}
return(false);
}
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
{
key = (SecurityKey)null;
var identifierClause = keyIdentifierClause as EncryptedKeyIdentifierClause;
if (identifierClause != null)
{
var encryptingKeyIdentifier = identifierClause.EncryptingKeyIdentifier;
if (encryptingKeyIdentifier != null && encryptingKeyIdentifier.Count == 0)
{
var certificate = this._certificateManager.GetCertificateFromContext(this._x509CertificateContext);
var kic = new X509RawDataKeyIdentifierClause(certificate);
encryptingKeyIdentifier.Add(kic);
var result = base.TryResolveSecurityKeyCore(keyIdentifierClause, out key);
return(result);
}
}
return(base.TryResolveSecurityKeyCore(keyIdentifierClause, out key));
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
token = null;
X509Certificate2 matched = null;
X509ThumbprintKeyIdentifierClause clause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((clause != null) && this.TryMatchCertificates(clause.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509IssuerSerialKeyIdentifierClause clause2 = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((clause2 != null) && TryMatchCertificates(clause2.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509SubjectKeyIdentifierClause clause3 = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((clause3 != null) && TryMatchCertificates(clause3.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509RawDataKeyIdentifierClause clause4 = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((clause4 != null) && TryMatchCertificates(clause4.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
if (this.innerResolver != null)
{
return(this.innerResolver.TryResolveToken(keyIdentifierClause, out token));
}
return(false);
}
/// <summary>
/// Converts a SKI into one or more certificates for further processing.
/// </summary>
/// <param name="ski">SecurityKeyIdentifier to convert.</param>
/// <returns>List of X509Certificate2 objects converted from the SKI.</returns>
static List <X509Certificate2> GetCertificatesFromKeyInfo(SecurityKeyIdentifier ski)
{
List <X509Certificate2> certificates = new List <X509Certificate2>();
foreach (SecurityKeyIdentifierClause keyClause in ski)
{
//
// Only X509RawData clauses are supported. If any other clause is present, custom code
// would be required to resolve the clause against some certificate store, such as the Windows
// certificate store or a database. WIF exposes security token resolver classes which can
// help with this resolution if needed.
//
X509RawDataKeyIdentifierClause x509KeyClause = keyClause as X509RawDataKeyIdentifierClause;
if (x509KeyClause != null)
{
byte[] certificateBytes = x509KeyClause.GetX509RawData();
certificates.Add(new X509Certificate2(certificateBytes));
}
}
return(certificates);
}
public void MatchesKeyIdentifierClause()
{
UniqueId id = new UniqueId();
X509SecurityToken t = new X509SecurityToken(cert, id.ToString());
LocalIdKeyIdentifierClause l =
new LocalIdKeyIdentifierClause(id.ToString());
Assert.IsTrue(t.MatchesKeyIdentifierClause(l), "#1-1");
l = new LocalIdKeyIdentifierClause("#" + id.ToString());
Assert.IsFalse(t.MatchesKeyIdentifierClause(l), "#1-2");
X509ThumbprintKeyIdentifierClause h =
new X509ThumbprintKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(h), "#2-1");
h = new X509ThumbprintKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(h), "#2-2");
X509IssuerSerialKeyIdentifierClause i =
new X509IssuerSerialKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(i), "#3-1");
i = new X509IssuerSerialKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(i), "#3-2");
X509RawDataKeyIdentifierClause s =
new X509RawDataKeyIdentifierClause(cert);
Assert.IsTrue(t.MatchesKeyIdentifierClause(s), "#4-1");
s = new X509RawDataKeyIdentifierClause(cert2);
Assert.IsFalse(t.MatchesKeyIdentifierClause(s), "#4-2");
}
public static AuthMetadata GetWSFederationMetadata(string content)
{
AuthMetadata result;
try
{
using (TextReader textReader = new StringReader(content))
{
using (XmlReader xmlReader = XmlReader.Create(textReader))
{
MetadataSerializer metadataSerializer = new MetadataSerializer
{
CertificateValidationMode = X509CertificateValidationMode.None
};
EntityDescriptor entityDescriptor = metadataSerializer.ReadMetadata(xmlReader) as EntityDescriptor;
SecurityTokenServiceDescriptor securityTokenServiceDescriptor = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First <SecurityTokenServiceDescriptor>();
List <string> list = new List <string>();
foreach (KeyDescriptor keyDescriptor in from k in securityTokenServiceDescriptor.Keys
where k.Use == KeyType.Signing
select k)
{
foreach (SecurityKeyIdentifierClause securityKeyIdentifierClause in keyDescriptor.KeyInfo)
{
X509RawDataKeyIdentifierClause x509RawDataKeyIdentifierClause = securityKeyIdentifierClause as X509RawDataKeyIdentifierClause;
if (x509RawDataKeyIdentifierClause != null)
{
list.Add(Convert.ToBase64String(x509RawDataKeyIdentifierClause.GetX509RawData()));
}
}
}
AuthMetadata authMetadata = new AuthMetadata();
authMetadata.CertificateStrings = list.ToArray();
string serviceName;
string realm;
if (AuthMetadataParser.TryExtractUrlFormatServiceNameAndRealm(entityDescriptor.EntityId.Id, out serviceName, out realm))
{
authMetadata.ServiceName = serviceName;
authMetadata.Realm = realm;
}
else
{
authMetadata.ServiceName = entityDescriptor.EntityId.Id;
authMetadata.Realm = null;
}
if (string.IsNullOrEmpty(authMetadata.ServiceName))
{
throw new AuthMetadataParserException(DirectoryStrings.ErrorAuthMetadataCannotResolveServiceName);
}
result = authMetadata;
}
}
}
catch (XmlException innerException)
{
throw new AuthMetadataParserException(DirectoryStrings.ErrorCannotParseAuthMetadata, innerException);
}
catch (IOException innerException2)
{
throw new AuthMetadataParserException(DirectoryStrings.ErrorCannotParseAuthMetadata, innerException2);
}
catch (SecurityException innerException3)
{
throw new AuthMetadataParserException(DirectoryStrings.ErrorCannotParseAuthMetadata, innerException3);
}
catch (SystemException innerException4)
{
throw new AuthMetadataParserException(DirectoryStrings.ErrorCannotParseAuthMetadata, innerException4);
}
return(result);
}
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
{
token = null;
key = null;
CertMatcher certMatcher = null;
// for SAML tokens the highest probability are certs, with RawData first
X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawCertKeyIdentifierClause != null)
{
certMatcher = rawCertKeyIdentifierClause.Matches;
}
else
{
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null)
{
certMatcher = subjectKeyIdentifierClause.Matches;
}
else
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null)
{
certMatcher = thumbprintKeyIdentifierClause.Matches;
}
else
{
X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerKeyIdentifierClause != null)
{
certMatcher = issuerKeyIdentifierClause.Matches;
}
}
}
}
if (_validationParameters.IssuerSigningKeyResolver != null)
{
key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
if (key != null)
{
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKey != null)
{
if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token))
{
key = _validationParameters.IssuerSigningKey;
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKeys != null)
{
foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
{
if (Matches(keyIdentifierClause, securityKey, certMatcher, out token))
{
key = securityKey;
this.IsKeyMatched = true;
break;
}
}
}
if (_validationParameters.IssuerSigningToken != null)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = _validationParameters.IssuerSigningToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningTokens != null)
{
foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = issuerToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
break;
}
}
}
return(this.IsKeyMatched);
}
