private static X509Certificate2 GetCertificate(X509Store store, string thumbprint, ObjectId objectId, string name, bool logExpired, out ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureCode)
{
subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure;
X509Certificate2Collection x509Certificate2Collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (x509Certificate2Collection == null || x509Certificate2Collection.Count == 0 || x509Certificate2Collection[0] == null)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Certificate with thumprint {0} for {1} is not present in the certificate store.", thumbprint, name);
ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNotFound, thumbprint, new object[]
{
thumbprint,
objectId.ToString()
});
subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateNotInStore;
return(null);
}
X509Certificate2 x509Certificate = x509Certificate2Collection[0];
if (!x509Certificate.HasPrivateKey)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Certificate with thumprint {0} for {1} does not have private key.", thumbprint, name);
ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNoPrivateKey, thumbprint, new object[]
{
thumbprint,
objectId.ToString()
});
subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateNoPrivateKey;
return(null);
}
DateTime utcNow = DateTime.UtcNow;
if (utcNow > x509Certificate.NotAfter || utcNow < x509Certificate.NotBefore)
{
ExternalAuthentication.ConfigurationTracer.TraceError(0L, "Certificate with thumprint {0} for {1} is expired: NotBefore={2}, NotAfter={3}", new object[]
{
thumbprint,
name,
x509Certificate.NotBefore,
x509Certificate.NotAfter
});
if (logExpired)
{
ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustCertificateExpired, x509Certificate.Thumbprint, new object[]
{
x509Certificate.Thumbprint,
objectId.ToString()
});
}
subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateExpirationTimeError;
return(null);
}
Exception ex = null;
try
{
AsymmetricAlgorithm privateKey = x509Certificate.PrivateKey;
}
catch (CryptographicException ex2)
{
ex = ex2;
}
catch (NotSupportedException ex3)
{
ex = ex3;
}
if (ex != null)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Cannot access private key of certificate with thumprint {0} for {1}.", thumbprint, name);
ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNoPrivateKey, thumbprint, new object[]
{
thumbprint,
objectId.ToString()
});
subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificatePrivateKeyCryptoError;
return(null);
}
ExternalAuthentication.ConfigurationTracer.TraceDebug <string, string, X509Certificate2>(0L, "Loaded certificate with thumprint {0} for {1}. Certificate details: {2}", thumbprint, name, x509Certificate);
return(x509Certificate);
}
private ExternalAuthentication(ExternalAuthentication.ExternalAuthenticationFailureType failureType, ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureType)
{
this.failureType = failureType;
this.subFailureType = subFailureType;
}
private ExternalAuthentication(Dictionary <ADObjectId, SecurityTokenService> securityTokenServices, TokenValidator tokenValidator, List <X509Certificate2> certificates, Uri applicationUri, ExternalAuthentication.ExternalAuthenticationFailureType failureType, ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureType) : this(failureType, subFailureType)
{
this.securityTokenServices = securityTokenServices;
this.tokenValidator = tokenValidator;
this.certificates = certificates;
this.applicationUri = applicationUri;
}
private static ExternalAuthentication CreateExternalAuthentication()
{
ExternalAuthentication.InitializeNotificationsIfNeeded();
ExternalAuthentication.ConfigurationTracer.TraceDebug(0L, "Searching for federation trust configuration in AD");
WebProxy webProxy = null;
Server localServer = LocalServerCache.LocalServer;
Uri uri = null;
if (localServer != null && localServer.InternetWebProxy != null)
{
ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using custom InternetWebProxy {0}.", localServer.InternetWebProxy);
uri = localServer.InternetWebProxy;
webProxy = new WebProxy(localServer.InternetWebProxy);
}
ExternalAuthentication.currentWebProxy = uri;
IEnumerable <FederationTrust> enumerable = null;
try
{
enumerable = FederationTrustCache.GetFederationTrusts();
}
catch (LocalizedException arg)
{
ExternalAuthentication.ConfigurationTracer.TraceError <LocalizedException>(0L, "Unable to get federation trust. Exception: {0}", arg);
return(new ExternalAuthentication(ExternalAuthentication.ExternalAuthenticationFailureType.ErrorReadingFederationTrust, ExternalAuthentication.ExternalAuthenticationSubFailureType.DirectoryReadError));
}
Uri uri2 = null;
List <X509Certificate2> list = new List <X509Certificate2>(4);
List <X509Certificate2> list2 = new List <X509Certificate2>(4);
Dictionary <ADObjectId, SecurityTokenService> dictionary = new Dictionary <ADObjectId, SecurityTokenService>(2);
ExternalAuthentication.ExternalAuthenticationFailureType externalAuthenticationFailureType = ExternalAuthentication.ExternalAuthenticationFailureType.NoFederationTrust;
ExternalAuthentication.ExternalAuthenticationSubFailureType externalAuthenticationSubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure;
int num = 0;
bool flag = false;
if (enumerable != null)
{
foreach (FederationTrust federationTrust in enumerable)
{
num++;
ExternalAuthentication.FederationTrustResults federationTrustResults = ExternalAuthentication.TryCreateSecurityTokenService(federationTrust, webProxy);
if (federationTrustResults.FailureType == ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure)
{
dictionary.Add(federationTrust.Id, federationTrustResults.SecurityTokenService);
list.AddRange(federationTrustResults.TokenSignatureCertificates);
list2.AddRange(federationTrustResults.TokenDecryptionCertificates);
if (uri2 == null)
{
uri2 = federationTrust.ApplicationUri;
ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using {0} as applicationUri", uri2);
}
else if (!federationTrust.ApplicationUri.Equals(uri2))
{
ExternalAuthentication.ConfigurationTracer.TraceError <Uri>(0L, "Cannot have multiple FederationTrust with different ApplicationUri values: {0}. Uri will be ignored", federationTrust.ApplicationUri);
flag = true;
}
}
else
{
externalAuthenticationFailureType = federationTrustResults.FailureType;
externalAuthenticationSubFailureType = federationTrustResults.SubFailureType;
}
}
}
if (dictionary.Count == 0)
{
return(new ExternalAuthentication(externalAuthenticationFailureType, externalAuthenticationSubFailureType));
}
if (dictionary.Count != num)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Number of Security Token Service clients {0} does not match number of federation trusts {1}", dictionary.Count.ToString(), num.ToString());
}
TokenValidator tokenValidator = new TokenValidator(uri2, list, list2);
List <X509Certificate2> list3 = new List <X509Certificate2>(list.Count + list2.Count);
list3.AddRange(list);
list3.AddRange(list2);
if (flag)
{
return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2, ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure, ExternalAuthentication.ExternalAuthenticationSubFailureType.WarningApplicationUriSkipped));
}
return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2));
}
