protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause clause = null; switch (this.x509ReferenceStyle) { case X509KeyIdentifierClauseType.Thumbprint: return(base.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.IssuerSerial: return(base.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.SubjectKeyIdentifier: return(base.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.RawDataKeyIdentifier: return(base.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); } if (referenceStyle == SecurityTokenReferenceStyle.External) { X509SecurityToken token2 = token as X509SecurityToken; if (token2 != null) { X509SubjectKeyIdentifierClause clause2; if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2)) { clause = clause2; } } else { X509SubjectKeyIdentifierClause clause3; X509WindowsSecurityToken token3 = token as X509WindowsSecurityToken; if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3)) { clause = clause3; } } if (clause == null) { clause = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } if (clause == null) { clause = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } return(clause); } return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>()); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation; if (tlsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } if (this.ClientTokenAuthenticator == null) { return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate; if (clientCertificate == null) { // isAnonymous is false. So, fail the negotiation throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided))); } ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies; if (this.ClientTokenAuthenticator != null) { X509SecurityToken clientToken; WindowsIdentity preMappedIdentity; if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity)) { clientToken = new X509SecurityToken(clientCertificate); } else { clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true); preMappedIdentity.Dispose(); } authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken); clientToken.Dispose(); } else { authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance; } return(authorizationPolicies); }
private SecurityMessageProperty CreateSecurityProperty(X509Certificate2 certificate, WindowsIdentity identity) { SecurityToken token; if (identity == null) { token = new X509SecurityToken(certificate, false); } else { string str; switch (base.AuthenticationScheme) { case AuthenticationSchemes.Digest: str = "Basic"; break; case AuthenticationSchemes.Negotiate: str = "Negotiate"; break; case AuthenticationSchemes.Ntlm: str = "NTLM"; break; case AuthenticationSchemes.IntegratedWindowsAuthentication: str = "Negotiate"; break; case AuthenticationSchemes.Basic: str = "Basic"; break; default: str = ""; break; } token = new X509WindowsSecurityToken(certificate, identity, str, false); } ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.certificateAuthenticator.ValidateToken(token); return(new SecurityMessageProperty { TransportToken = new SecurityTokenSpecification(token, tokenPolicies), ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies) }); }
// Note: the returned SecurityMessageProperty has ownership of certificate and identity. SecurityMessageProperty CreateSecurityProperty(X509Certificate2 certificate, WindowsIdentity identity, string authType) { SecurityToken token; if (identity != null) { token = new X509WindowsSecurityToken(certificate, identity, authType, false); } else { token = new X509SecurityToken(certificate, false); } ReadOnlyCollection <IAuthorizationPolicy> policies = this.certificateAuthenticator.ValidateToken(token); SecurityMessageProperty result = new SecurityMessageProperty(); result.TransportToken = new SecurityTokenSpecification(token, policies); result.ServiceSecurityContext = new ServiceSecurityContext(policies); return(result); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { X509SecurityToken token; WindowsIdentity identity; TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation; if (!negotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } if (this.ClientTokenAuthenticator == null) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } X509Certificate2 remoteCertificate = negotiation.RemoteCertificate; if (remoteCertificate == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided"))); } if (this.ClientTokenAuthenticator == null) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity)) { token = new X509SecurityToken(remoteCertificate); } else { token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true); identity.Dispose(); } ReadOnlyCollection <IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token); token.Dispose(); return(onlys); }
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause result = null; switch (this.x509ReferenceStyle) { default: case X509KeyIdentifierClauseType.Any: if (referenceStyle == SecurityTokenReferenceStyle.External) { X509SecurityToken x509Token = token as X509SecurityToken; if (x509Token != null) { X509SubjectKeyIdentifierClause x509KeyIdentifierClause; if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } else { X509WindowsSecurityToken windowsX509Token = token as X509WindowsSecurityToken; if (windowsX509Token != null) { X509SubjectKeyIdentifierClause x509KeyIdentifierClause; if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } } if (result == null) { result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } if (result == null) { result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } } else { result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>(); } break; case X509KeyIdentifierClauseType.Thumbprint: result = this.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.SubjectKeyIdentifier: result = this.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.IssuerSerial: result = this.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.RawDataKeyIdentifier: result = this.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; } return(result); }