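 /// <summary>
 /// Creates a handler that validates a client certificate with <paramref name="validator"/>
 /// and derives a string from it with <paramref name="issuerMapper"/>.
 /// </summary>
 /// <param name="validator">Validator applied to the presented client certificate.</param>
 /// <param name="issuerMapper">
 /// Callback from an accepted certificate to a string; by its name it yields the issuer
 /// identifier the handler reports for the caller — confirm against the handler body.
 /// </param>
 /// <exception cref="ArgumentNullException">
 /// Either argument is null. Rejecting this up front keeps a misconfigured handler from
 /// failing later, on the first request, with a NullReferenceException.
 /// </exception>
 public X509CertificateMessageHandler(
     X509CertificateValidator validator,
     Func<X509Certificate2, string> issuerMapper)
 {
     if (validator == null)
     {
         throw new ArgumentNullException("validator");
     }
     if (issuerMapper == null)
     {
         throw new ArgumentNullException("issuerMapper");
     }

     _validator    = validator;
     _issuerMapper = issuerMapper;
 }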
        /// <summary>
        /// Builds the SAML token authenticator for a recipient (service-side) requirement, together
        /// with a resolver over the certificates the service already knows out of band.
        /// </summary>
        /// <param name="recipientRequirement">Requirement describing the receiving endpoint; must not be null.</param>
        /// <param name="outOfBandTokenResolver">
        /// Receives a resolver over the service certificate plus IssuedTokenAuthentication.KnownCertificates,
        /// or null when neither is configured.
        /// </param>
        /// <returns>The configured <see cref="SamlSecurityTokenAuthenticator"/>.</returns>
        private SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (recipientRequirement == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
            }

            var issuedTokenSettings = this.parent.IssuedTokenAuthentication;

            // Out-of-band tokens: the service's own certificate first, then every known issuer certificate.
            Collection<SecurityToken> knownTokens = new Collection<SecurityToken>();
            X509Certificate2 serviceCertificate = this.parent.ServiceCertificate.Certificate;
            if (serviceCertificate != null)
            {
                knownTokens.Add(new X509SecurityToken(serviceCertificate));
            }
            if (issuedTokenSettings.KnownCertificates != null)
            {
                foreach (X509Certificate2 knownCertificate in issuedTokenSettings.KnownCertificates)
                {
                    knownTokens.Add(new X509SecurityToken(knownCertificate));
                }
            }

            // Supporting authenticators check the issuer's signature on the assertion. The X.509 one
            // always uses the configured certificate validator; the RSA one is added only when
            // AllowUntrustedRsaIssuers is set, which (by the setting's name) admits RSA issuer keys that
            // are not among the known certificates — leave it off unless that is intended.
            List<SecurityTokenAuthenticator> issuerAuthenticators = new List<SecurityTokenAuthenticator>();
            issuerAuthenticators.Add(new X509SecurityTokenAuthenticator(issuedTokenSettings.GetCertificateValidator()));
            if (issuedTokenSettings.AllowUntrustedRsaIssuers)
            {
                issuerAuthenticators.Add(new RsaSecurityTokenAuthenticator());
            }

            // Second argument (canMatchLocalId) is false: the resolver does not satisfy local-id references.
            outOfBandTokenResolver = (knownTokens.Count == 0)
                ? null
                : SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(knownTokens), false);

            // Clock skew comes from the binding's local service settings when they are available.
            SecurityBindingElement bindingElement = recipientRequirement.SecurityBindingElement;
            LocalServiceSecuritySettings localSettings = (bindingElement == null) ? null : bindingElement.LocalServiceSettings;
            SamlSecurityTokenAuthenticator authenticator = (localSettings == null)
                ? new SamlSecurityTokenAuthenticator(issuerAuthenticators)
                : new SamlSecurityTokenAuthenticator(issuerAuthenticators, localSettings.MaxClockSkew);

            // Audience restriction: the configured URIs plus this endpoint's own listen address.
            authenticator.AudienceUriMode = issuedTokenSettings.AudienceUriMode;
            IList<string> audienceUris = authenticator.AllowedAudienceUris;
            if (issuedTokenSettings.AllowedAudienceUris != null)
            {
                foreach (string configuredUri in issuedTokenSettings.AllowedAudienceUris)
                {
                    audienceUris.Add(configuredUri);
                }
            }
            if (recipientRequirement.ListenUri != null)
            {
                audienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
            }

            return authenticator;
        }
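 /// <summary>
 /// Copy constructor: takes every validation setting, including the read-only flag,
 /// from <paramref name="other"/>.
 /// </summary>
 /// <param name="other">Instance whose settings are copied.</param>
 /// <exception cref="ArgumentNullException"><paramref name="other"/> is null.</exception>
 internal X509PeerCertificateAuthentication(X509PeerCertificateAuthentication other)
 {
     if (other == null)
     {
         throw new ArgumentNullException("other");
     }

     // All fields are copied unconditionally; the defaults the original assigned first
     // (PeerOrChainTrust, Online, CurrentUser) were dead stores overwritten right below.
     this.certificateValidationMode  = other.certificateValidationMode;
     this.customCertificateValidator = other.customCertificateValidator;
     this.revocationMode             = other.revocationMode;
     this.trustedStoreLocation       = other.trustedStoreLocation;
     this.isReadOnly                 = other.isReadOnly;
 }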
        /// <summary>
        /// Creates the objects used to validate the user identity tokens supported by the server.
        /// </summary>
        /// <param name="configuration">
        /// Application configuration whose ServerConfiguration.UserTokenPolicies are scanned; each
        /// policy id is looked up as an extension element in the OPC UA namespace.
        /// </param>
        private void CreateUserIdentityValidators(ApplicationConfiguration configuration)
        {
            foreach (UserTokenPolicy policy in configuration.ServerConfiguration.UserTokenPolicies)
            {
                // a policy without an explicit id has no extension element to look up.
                if (String.IsNullOrEmpty(policy.PolicyId))
                {
                    continue;
                }

                // both handled token types read the extension element named after the policy id.
                XmlQualifiedName extensionName = new XmlQualifiedName(policy.PolicyId, Namespaces.OpcUa);

                switch (policy.TokenType)
                {
                    case UserTokenType.IssuedToken:
                    {
                        // the issuer certificate for an issued-token policy.
                        CertificateIdentifier issuerId = configuration.ParseExtension<CertificateIdentifier>(extensionName);

                        if (issuerId == null)
                        {
                            Utils.Trace(
                                (int)Utils.TraceMasks.Error,
                                "Could not load CertificateIdentifier for UserTokenPolicy {0}",
                                policy.PolicyId);
                        }

                        // NOTE(review): issuerId is only null-checked; no validator is built from it,
                        // so issued-token policies produce nothing here — confirm this is intended.
                        break;
                    }

                    case UserTokenType.Certificate:
                    {
                        // the location of the trusted issuers for a certificate policy.
                        CertificateTrustList trustedIssuers = configuration.ParseExtension<CertificateTrustList>(extensionName);

                        if (trustedIssuers == null)
                        {
                            Utils.Trace(
                                (int)Utils.TraceMasks.Error,
                                "Could not load CertificateTrustList for UserTokenPolicy {0}",
                                policy.PolicyId);
                            break;
                        }

                        // trusts any certificate in the trusted people store.
                        // NOTE(review): trustedIssuers is parsed but not handed to the validator, and each
                        // Certificate policy replaces m_certificateValidator, so only the last one survives —
                        // confirm the configured trust list is meant to be ignored here.
                        m_certificateValidator = new X509CertificateValidator();
                        break;
                    }
                }
            }
        }