/// <summary>
/// Validates the given certificate.
/// </summary>
/// <param name="certificate">X.509 Certificate to validate.</param>
/// <exception cref="ArgumentNullException">The input parameter 'certificate' is null.</exception>
/// <exception cref="SecurityTokenValidationException">X.509 Certificate validation failed.</exception>
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
}
X509CertificateChain chain = new X509CertificateChain(this.useMachineContext, (uint)this.chainPolicyOID);
if (this.chainPolicy != null)
{
chain.ChainPolicy = this.chainPolicy;
}
if (!chain.Build(certificate))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenValidationException(
SR.GetString(
SR.ID4070,
X509Util.GetCertificateId(certificate),
GetChainStatusInformation(chain.ChainStatus))));
}
}
/// <summary>
/// Creates a <see cref="WindowsIdentity"/> associated with a given X509 certificate.
/// </summary>
/// <param name="x509Certificate">The certificate to use to map to the associated <see cref="WindowsIdentity"/></param>
/// <returns></returns>
public static WindowsIdentity CertificateLogon(X509Certificate2 x509Certificate)
{
// for Vista, LsaLogon supporting mapping cert to NTToken
if (Environment.OSVersion.Version.Major >= CryptoHelper.WindowsVistaMajorNumber)
{
return(X509SecurityTokenHandler.KerberosCertificateLogon(x509Certificate));
}
else
{
// Downlevel, S4U over PrincipalName SubjectAltNames
string upn = x509Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(upn))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.ID4067,
X509Util.GetCertificateId(x509Certificate))));
}
return(new WindowsIdentity(upn));
}
}
/// <summary>
/// Validates an <see cref="X509SecurityToken"/>.
/// </summary>
/// <param name="token">The <see cref="X509SecurityToken"/> to validate.</param>
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
/// <exception cref="ArgumentException">The token is not assignable from <see cref="X509SecurityToken"/>.</exception>
/// <exception cref="InvalidOperationException">Configuration <see cref="SecurityTokenHandlerConfiguration"/>is null.</exception>
/// <exception cref="SecurityTokenValidationException">The current <see cref="X509CertificateValidator"/> was unable to validate the certificate in the Token.</exception>
/// <exception cref="InvalidOperationException">Configuration.IssuerNameRegistry is null.</exception>
/// <exception cref="SecurityTokenException">Configuration.IssuerNameRegistry return null when resolving the issuer of the certificate in the Token.</exception>
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(X509SecurityToken)));
}
if (this.Configuration == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
try
{
// Validate the token.
try
{
this.CertificateValidator.Validate(x509Token.Certificate);
}
catch (SecurityTokenValidationException e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.ID4257,
X509Util.GetCertificateId(x509Token.Certificate)), e));
}
if (this.Configuration.IssuerNameRegistry == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4277));
}
string issuer = X509Util.GetCertificateIssuerName(x509Token.Certificate, this.Configuration.IssuerNameRegistry);
if (String.IsNullOrEmpty(issuer))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4175)));
}
ClaimsIdentity identity = null;
if (!mapToWindows)
{
identity = new ClaimsIdentity(AuthenticationTypes.X509);
// PARTIAL TRUST: will fail when adding claims, AddClaim is SecurityCritical.
identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509));
}
else
{
WindowsIdentity windowsIdentity;
X509WindowsSecurityToken x509WindowsSecurityToken = token as X509WindowsSecurityToken;
// if this is the case, then the user has already been mapped to a windows account, just return the identity after adding a couple of claims.
if (x509WindowsSecurityToken != null && x509WindowsSecurityToken.WindowsIdentity != null)
{
// X509WindowsSecurityToken is disposable, make a copy.
windowsIdentity = new WindowsIdentity(x509WindowsSecurityToken.WindowsIdentity.Token, x509WindowsSecurityToken.AuthenticationType);
}
else
{
// Ensure NT_AUTH chain policy for certificate account mapping
if (this.x509NTAuthChainTrustValidator == null)
{
lock (this.lockObject)
{
if (this.x509NTAuthChainTrustValidator == null)
{
this.x509NTAuthChainTrustValidator = new X509NTAuthChainTrustValidator();
}
}
}
this.x509NTAuthChainTrustValidator.Validate(x509Token.Certificate);
windowsIdentity = ClaimsHelper.CertificateLogon(x509Token.Certificate);
}
// PARTIAL TRUST: will fail when adding claims, AddClaim is SecurityCritical.
windowsIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509));
identity = windowsIdentity;
}
if (this.Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(token, this);
}
identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
identity.AddClaims(X509Util.GetClaimsFromCertificate(x509Token.Certificate, issuer));
this.TraceTokenValidationSuccess(token);
List <ClaimsIdentity> identities = new List <ClaimsIdentity>(1);
identities.Add(identity);
return(identities.AsReadOnly());
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
this.TraceTokenValidationFailure(token, e.Message);
throw e;
}
}
