public static IAppBuilder UseSaml11BearerAuthentication(this IAppBuilder app, Uri audience, string issuerThumbprint, string issuerName = null, X509CertificateValidator validator = null)
{
var handler = new HttpSamlSecurityTokenHandler();
ConfigureHandler(handler, audience, issuerThumbprint, issuerName, validator);
return app.UseTokenHandlerAuthentication(handler);
}
internal bool TryGetCertificateValidator(out X509CertificateValidator validator)
{
validator = null;
if (this.certificateValidationMode == X509CertificateValidationMode.None)
{
validator = X509CertificateValidator.None;
}
else if (this.certificateValidationMode == X509CertificateValidationMode.PeerTrust)
{
validator = X509CertificateValidator.PeerTrust;
}
else if (this.certificateValidationMode == X509CertificateValidationMode.Custom)
{
validator = this.customCertificateValidator;
}
else
{
bool useMachineContext = this.trustedStoreLocation == StoreLocation.LocalMachine;
X509ChainPolicy chainPolicy = new X509ChainPolicy {
RevocationMode = this.revocationMode
};
if (this.certificateValidationMode == X509CertificateValidationMode.ChainTrust)
{
validator = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy);
}
else
{
validator = X509CertificateValidator.CreatePeerOrChainTrustValidator(useMachineContext, chainPolicy);
}
}
return (validator != null);
}
internal X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups, bool cloneHandle)
{
_validator = validator ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(validator));
_mapToWindows = mapToWindows;
_includeWindowsGroups = includeWindowsGroups;
_cloneHandle = cloneHandle;
}
public static Dictionary<string, DateTime> onlineUsers = new Dictionary<string, DateTime>(); //Список пользователей
#endregion Fields
#region Methods
public static void ListenerCallback(IAsyncResult result)
{
HttpListener listener = (HttpListener)result.AsyncState;
HttpListenerContext context = listener.EndGetContext(result);
HttpListenerRequest request = context.Request;//Запрос от колиента
System.Security.Cryptography.X509Certificates.X509Certificate2 cerFromClient = context.Request.GetClientCertificate();
X509CertificateValidator validator = new X509CertificateValidator();
validator.Validate(cerFromClient);
HttpListenerResponse response = context.Response;//Ответ клиенту
System.IO.Stream inputStream = context.Request.InputStream;//Текст от клиента
byte[] inputByte = new byte[request.ContentLength64];
string responseString = "";
byte[] message;
if (request.HttpMethod == "GET")//Отправка ответа
{
if (!onlineUsers.ContainsKey(request.RemoteEndPoint.Address.ToString()))//Добавленике пользователя к списку
{
onlineUsers.Add(request.RemoteEndPoint.Address.ToString(), DateTime.Now);
}
List<string> names = onlineUsers.Keys.ToList();
for (int i = 0; i < onlineUsers.Count; i++)//Поиск выключенных пользователей
{
TimeSpan off = (onlineUsers[names[i]] - DateTime.Now);
if (off.Seconds < -10)//Если 10 секунд пользователь не в сети
{
onlineUsers.Remove(names[i]);//Убираем пользователя из списка
}
}
string usersNow = ";";
for (int i = 0; i < onlineUsers.Count; i++)
{
usersNow = usersNow + names[i] + ";";//Формирование списка пользователей для клиента
}
Console.WriteLine("Connecting from IP: " + request.RemoteEndPoint.Address.ToString());
message = EncryptStringToBytes_Aes(log + usersNow, Convert.FromBase64String(keyAES), Convert.FromBase64String(ivAES));
responseString = Encoding.UTF8.GetString(message);
}
else//Получение сообщения от пользователя
{
inputStream.Read(inputByte, 0, (int)request.ContentLength64);
string messageFromClient = DecryptStringFromBytes_Aes(inputByte, Convert.FromBase64String(keyAES), Convert.FromBase64String(ivAES));
log = log + request.RemoteEndPoint.Address.ToString() + ": " + messageFromClient + "\n";
Console.WriteLine("Message from IP " + request.RemoteEndPoint.Address.ToString() + ": " + messageFromClient);
string usersNow = ";";
List<string> names = onlineUsers.Keys.ToList();
for (int i = 0; i < onlineUsers.Count; i++)
{
usersNow = usersNow + names[i] + ";";//Формирование списка пользователей для клиента
}
message = EncryptStringToBytes_Aes(log + usersNow, Convert.FromBase64String(keyAES), Convert.FromBase64String(ivAES));
}
System.IO.Stream output = response.OutputStream;
output.Write(message, 0, message.Length);//Отправка
output.Close();//Закрытие соединения
listener.BeginGetContext(new AsyncCallback(ListenerCallback), listener);
}
public X509CertificateMessageHandler(
X509CertificateValidator validator,
Func<X509Certificate2, string> issuerMapper
)
{
_validator = validator;
_issuerMapper = issuerMapper;
}
internal X509ServiceCertificateAuthentication(X509ServiceCertificateAuthentication other)
{
this.certificateValidationMode = other.certificateValidationMode;
this.customCertificateValidator = other.customCertificateValidator;
this.revocationMode = other.revocationMode;
this.trustedStoreLocation = other.trustedStoreLocation;
this.isReadOnly = other.isReadOnly;
}
internal X509ServiceCertificateAuthentication(X509ServiceCertificateAuthentication other)
{
_certificateValidationMode = other._certificateValidationMode;
_customCertificateValidator = other._customCertificateValidator;
_revocationMode = other._revocationMode;
_trustedStoreLocation = other._trustedStoreLocation;
_isReadOnly = other._isReadOnly;
}
internal X509ClientCertificateAuthentication(X509ClientCertificateAuthentication other)
{
this.certificateValidationMode = other.certificateValidationMode;
this.customCertificateValidator = other.customCertificateValidator;
this.includeWindowsGroups = other.includeWindowsGroups;
this.mapClientCertificateToWindowsAccount = other.mapClientCertificateToWindowsAccount;
this.trustedStoreLocation = other.trustedStoreLocation;
this.revocationMode = other.revocationMode;
this.isReadOnly = other.isReadOnly;
}
static X509CertificateValidator()
{
none = new X509NoValidator();
chain = new X509CertificateValidatorImpl(
false, true, false, new X509ChainPolicy());
peer = new X509CertificateValidatorImpl(
true, false, false, null);
peer_or_chain = new X509CertificateValidatorImpl(
true, true, false, new X509ChainPolicy());
}
static X509CertificateValidator ()
{
none = new X509NoValidator ();
chain = new X509CertificateValidatorImpl (
false, true, false, new X509ChainPolicy ());
peer = new X509CertificateValidatorImpl (
true, false, false, null);
peer_or_chain = new X509CertificateValidatorImpl (
true, true, false, new X509ChainPolicy ());
}
public static IAppBuilder UseClientCertificateAuthentication(this IAppBuilder app, X509CertificateValidator validator = null)
{
var options = new ClientCertificateAuthenticationOptions
{
Validator = validator ?? X509CertificateValidator.ChainTrust
};
app.UseClientCertificateAuthentication(options);
return app;
}
internal X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups, bool cloneHandle)
{
if (validator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("validator");
}
this.validator = validator;
this.mapToWindows = mapToWindows;
this.includeWindowsGroups = includeWindowsGroups;
this.cloneHandle = cloneHandle;
}
public X509SecurityTokenAuthenticator (X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
{
if (validator == null)
throw new ArgumentNullException ("validator");
this.validator = validator;
map_to_windows = mapToWindows;
include_win_groups = includeWindowsGroups;
if (map_to_windows || include_win_groups)
throw new NotSupportedException ("Why on earth do you expect that mapToWindows or includeWindowsGroups are supported here?");
}
internal X509ServiceCertificateAuthentication(X509ServiceCertificateAuthentication other)
{
this.certificateValidationMode = X509CertificateValidationMode.ChainTrust;
this.revocationMode = X509RevocationMode.Online;
this.trustedStoreLocation = StoreLocation.CurrentUser;
this.certificateValidationMode = other.certificateValidationMode;
this.customCertificateValidator = other.customCertificateValidator;
this.revocationMode = other.revocationMode;
this.trustedStoreLocation = other.trustedStoreLocation;
this.isReadOnly = other.isReadOnly;
}
internal X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups, bool cloneHandle)
{
if (validator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("validator");
}
this.validator = validator;
this.mapToWindows = mapToWindows;
this.includeWindowsGroups = includeWindowsGroups;
this.cloneHandle = cloneHandle;
}
internal IssuedTokenServiceCredential(IssuedTokenServiceCredential other)
{
this.audienceUriMode = other.audienceUriMode;
this.allowedAudienceUris = new List<string>(other.allowedAudienceUris);
this.samlSerializer = other.samlSerializer;
this.knownCertificates = new List<X509Certificate2>(other.knownCertificates);
this.certificateValidationMode = other.certificateValidationMode;
this.customCertificateValidator = other.customCertificateValidator;
this.trustedStoreLocation = other.trustedStoreLocation;
this.revocationMode = other.revocationMode;
this.allowUntrustedRsaIssuers = other.allowUntrustedRsaIssuers;
this.isReadOnly = other.isReadOnly;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
{
if (validator == null)
{
throw new ArgumentNullException("validator");
}
this.validator = validator;
map_to_windows = mapToWindows;
include_win_groups = includeWindowsGroups;
if (map_to_windows || include_win_groups)
{
throw new NotSupportedException("Why on earth do you expect that mapToWindows or includeWindowsGroups are supported here?");
}
}
public ExpectedJwtSecurityTokenRequirement
(
uint? tokenSize = null, Int32? clock = null, uint? life = null, X509CertificateValidator cert = null, string name = JwtConstants.ReservedClaims.Sub, string role = null, X509RevocationMode? revMode = null, X509CertificateValidationMode? certMode = null, StoreLocation? storeLoc = null, ExpectedException expectedException = null,
string handler = JwtSecurityTokenHandlerType, string requirement = Elements.JwtSecurityTokenRequirement,
string attributeEx1 = "", string attributeEx2 = "", string attributeEx3 = "", string attributeEx4 = "",
string elementEx1 = comment, string elementEx2 = comment, string elementEx3 = comment, string elementEx4 = comment, string elementEx5 = comment, string elementEx6 = comment,
string elementClose = closeRequirement
)
{
MaxTokenSizeInBytes = tokenSize;
NameClaimType = name;
RoleClaimType = role;
CertValidator = cert;
ClockSkewInSeconds = clock;
DefaultTokenLifetimeInMinutes = life;
CertRevocationMode = revMode;
CertValidationMode = certMode;
CertStoreLocation = storeLoc;
ExpectedException = expectedException ?? ExpectedException.NoExceptionExpected;
string[] sParams =
{
handler,
requirement,
CertRevocationMode == null ? string.Empty : Attribute( Attributes.RevocationMode, CertRevocationMode.Value.ToString() ),
attributeEx1,
CertValidationMode == null ? string.Empty : Attribute( Attributes.ValidationMode, CertValidationMode.Value.ToString() ),
attributeEx2,
CertValidator == null ? string.Empty : Attribute( Attributes.Validator, CertValidator.GetType().ToString() +", System.IdentityModel.Tokens.Jwt.Tests" ),
attributeEx3,
CertStoreLocation == null ? string.Empty : Attribute( Attributes.TrustedStoreLocation, CertStoreLocation.ToString() ),
attributeEx4,
elementEx1,
ClockSkewInSeconds == null ? string.Empty : ElementValue( Elements.MaxClockSkewInMinutes, ClockSkewInSeconds.Value.ToString() ),
elementEx2,
MaxTokenSizeInBytes == null ? string.Empty : ElementValue( Elements.MaxTokenSizeInBytes, MaxTokenSizeInBytes.Value.ToString() ),
elementEx3,
DefaultTokenLifetimeInMinutes == null ? string.Empty : ElementValue( Elements.DefaultTokenLifetimeInMinutes, DefaultTokenLifetimeInMinutes.Value.ToString() ),
elementEx4,
NameClaimType == null ? string.Empty : ElementValue( Elements.NameClaimType, NameClaimType ),
elementEx5,
RoleClaimType == null ? string.Empty : ElementValue( Elements.RoleClaimType, RoleClaimType ),
elementEx6,
elementClose,
};
Config = string.Format(ElementTemplate, sParams);
}
public X509CertificateValidatorEx(
X509CertificateValidationMode certificateValidationMode,
X509RevocationMode revocationMode,
StoreLocation trustedStoreLocation)
{
this.certificateValidationMode = certificateValidationMode;
switch (this.certificateValidationMode)
{
case X509CertificateValidationMode.None:
{
this.validator = X509CertificateValidator.None;
break;
}
case X509CertificateValidationMode.PeerTrust:
{
this.validator = X509CertificateValidator.PeerTrust;
break;
}
case X509CertificateValidationMode.ChainTrust:
{
bool useMachineContext = trustedStoreLocation == StoreLocation.LocalMachine;
this.chainPolicy = new X509ChainPolicy();
this.chainPolicy.RevocationMode = revocationMode;
this.validator = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, this.chainPolicy);
break;
}
case X509CertificateValidationMode.PeerOrChainTrust:
{
bool useMachineContext = trustedStoreLocation == StoreLocation.LocalMachine;
this.chainPolicy = new X509ChainPolicy();
this.chainPolicy.RevocationMode = revocationMode;
this.validator = X509CertificateValidator.CreatePeerOrChainTrustValidator(useMachineContext, this.chainPolicy);
break;
}
case X509CertificateValidationMode.Custom:
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4256)));
}
}
private static void ConfigureHandler(SecurityTokenHandler handler, Uri audience, string issuerThumbprint, string issuerName = null, X509CertificateValidator validator = null)
{
var handlerConfiguration = new SecurityTokenHandlerConfiguration();
handlerConfiguration.AudienceRestriction.AllowedAudienceUris.Add(audience);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName ?? issuerThumbprint);
if (validator != null)
{
handlerConfiguration.CertificateValidator = validator;
}
else
{
handlerConfiguration.CertificateValidator = X509CertificateValidator.None;
}
handlerConfiguration.IssuerNameRegistry = registry;
handler.Configuration = handlerConfiguration;
}
public X509CertificateValidatorEx(X509CertificateValidationMode certificateValidationMode, X509RevocationMode revocationMode, StoreLocation trustedStoreLocation)
{
this.certificateValidationMode = certificateValidationMode;
switch (this.certificateValidationMode)
{
case X509CertificateValidationMode.None:
{
this.validator = X509CertificateValidator.None;
break;
}
case X509CertificateValidationMode.PeerTrust:
{
this.validator = X509CertificateValidator.PeerTrust;
break;
}
case X509CertificateValidationMode.ChainTrust:
{
bool useMachineContext = trustedStoreLocation == StoreLocation.LocalMachine;
this.chainPolicy = new X509ChainPolicy();
this.chainPolicy.RevocationMode = revocationMode;
this.validator = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, this.chainPolicy);
break;
}
case X509CertificateValidationMode.PeerOrChainTrust:
{
bool useMachineContext = trustedStoreLocation == StoreLocation.LocalMachine;
this.chainPolicy = new X509ChainPolicy();
this.chainPolicy.RevocationMode = revocationMode;
this.validator = X509CertificateValidator.CreatePeerOrChainTrustValidator(useMachineContext, this.chainPolicy);
break;
}
default:
throw new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10637, this.certificateValidationMode));
}
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator)
: this(validator, false)
{
}
/// <summary>
/// Creates an instance of <see cref="SamlSecurityTokenRequirement"/>
/// <param name="element">The XmlElement from which the instance is to be loaded.</param>
/// </summary>
public SamlSecurityTokenRequirement(XmlElement element)
{
if (element == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
}
if (element.LocalName != ConfigurationStrings.SamlSecurityTokenRequirement)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7000, ConfigurationStrings.SamlSecurityTokenRequirement, element.LocalName));
}
bool foundCustomX509Validator = false;
X509RevocationMode revocationMode = DefaultRevocationMode;
X509CertificateValidationMode certificateValidationMode = DefaultValidationMode;
StoreLocation trustedStoreLocation = DefaultStoreLocation;
string customValidator = null;
foreach (XmlAttribute attribute in element.Attributes)
{
if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows))
{
bool outMapToWindows = false;
if (!bool.TryParse(attribute.Value, out outMapToWindows))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7022, attribute.Value));
}
this.MapToWindows = outMapToWindows;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidator))
{
customValidator = attribute.Value.ToString();
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateRevocationMode))
{
foundCustomX509Validator = true;
string revocationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck))
{
revocationMode = X509RevocationMode.NoCheck;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline))
{
revocationMode = X509RevocationMode.Offline;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline))
{
revocationMode = X509RevocationMode.Online;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidationMode))
{
foundCustomX509Validator = true;
string validationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.ChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone))
{
certificateValidationMode = X509CertificateValidationMode.None;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom))
{
certificateValidationMode = X509CertificateValidationMode.Custom;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateTrustedStoreLocation))
{
foundCustomX509Validator = true;
string trustedStoreLocationString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser))
{
trustedStoreLocation = StoreLocation.CurrentUser;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine))
{
trustedStoreLocation = StoreLocation.LocalMachine;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, element.LocalName)));
}
}
List<XmlElement> configElements = XmlUtil.GetXmlElements(element.ChildNodes);
foreach (XmlElement childElement in configElements)
{
if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.NameClaimType))
{
if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value));
}
this.NameClaimType = childElement.Attributes[0].Value;
}
else if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.RoleClaimType))
{
if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value));
}
this.RoleClaimType = childElement.Attributes[0].Value;
}
else
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7002, childElement.LocalName, ConfigurationStrings.SamlSecurityTokenRequirement));
}
}
if (certificateValidationMode == X509CertificateValidationMode.Custom)
{
if (string.IsNullOrEmpty(customValidator))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028));
}
Type customValidatorType = Type.GetType(customValidator, true);
if (customValidatorType == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType));
}
_certificateValidator = CustomTypeElement.Resolve<X509CertificateValidator>(new CustomTypeElement(customValidatorType));
}
else if (foundCustomX509Validator)
{
_certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation);
}
}
public PeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy)
{
this.chain = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy);
this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows)
: this(validator, mapToWindows, /* WindowsClaimSet.DefaultIncludeWindowsGroups */ true)
{
}
public PeerOrChainTrustValidator()
{
this.chain = X509CertificateValidator.ChainTrust;
this.peer = (X509CertificateValidator.PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
/// <summary>
/// Load custom configuration from Xml
/// </summary>
/// <param name="customConfigElements">XmlElement to custom configuration.</param>
/// <exception cref="ArgumentNullException">The param 'customConfigElements' is null.</exception>
/// <exception cref="InvalidOperationException">Custom configuration specified was invalid.</exception>
public override void LoadCustomConfiguration(XmlNodeList customConfigElements)
{
if (customConfigElements == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("customConfigElements");
}
List<XmlElement> configNodes = XmlUtil.GetXmlElements(customConfigElements);
bool foundValidConfig = false;
bool foundCustomX509Validator = false;
X509RevocationMode revocationMode = defaultRevocationMode;
X509CertificateValidationMode certificateValidationMode = defaultValidationMode;
StoreLocation trustedStoreLocation = defaultStoreLocation;
string customValidator = null;
foreach (XmlElement customConfigElement in configNodes)
{
if (!StringComparer.Ordinal.Equals(customConfigElement.LocalName, ConfigurationStrings.X509SecurityTokenHandlerRequirement))
{
continue;
}
if (foundValidConfig)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7026, ConfigurationStrings.X509SecurityTokenHandlerRequirement));
}
foreach (XmlAttribute attribute in customConfigElement.Attributes)
{
if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows))
{
mapToWindows = XmlConvert.ToBoolean(attribute.Value.ToLowerInvariant());
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidator))
{
customValidator = attribute.Value.ToString();
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateRevocationMode))
{
foundCustomX509Validator = true;
string revocationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck))
{
revocationMode = X509RevocationMode.NoCheck;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline))
{
revocationMode = X509RevocationMode.Offline;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline))
{
revocationMode = X509RevocationMode.Online;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidationMode))
{
foundCustomX509Validator = true;
string validationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.ChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone))
{
certificateValidationMode = X509CertificateValidationMode.None;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom))
{
certificateValidationMode = X509CertificateValidationMode.Custom;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509TrustedStoreLocation))
{
foundCustomX509Validator = true;
string trustedStoreLocationString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser))
{
trustedStoreLocation = StoreLocation.CurrentUser;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine))
{
trustedStoreLocation = StoreLocation.LocalMachine;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, customConfigElement.LocalName)));
}
}
foundValidConfig = true;
}
if (certificateValidationMode == X509CertificateValidationMode.Custom)
{
if (String.IsNullOrEmpty(customValidator))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028));
}
Type customValidatorType = Type.GetType(customValidator, true);
if (customValidatorType == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType));
}
certificateValidator = CustomTypeElement.Resolve<X509CertificateValidator>(new CustomTypeElement(customValidatorType));
}
else if (foundCustomX509Validator)
{
certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation);
}
}
/// <summary>
/// Creates an instance of <see cref="X509SecurityTokenHandler"/>.
/// </summary>
/// <param name="mapToWindows">Boolean to indicate if the certificate should be mapped to a windows account.</param>
/// <param name="certificateValidator">The certificate validator.</param>
public X509SecurityTokenHandler(bool mapToWindows, X509CertificateValidator certificateValidator)
{
this.mapToWindows = mapToWindows;
this.certificateValidator = certificateValidator;
}
/// <summary>
/// Creates an instance of <see cref="X509SecurityTokenHandler"/> with an X509 certificate validator.
/// MapToWindows is to false by default.
/// </summary>
/// <param name="certificateValidator">The certificate validator.</param>
public X509SecurityTokenHandler(X509CertificateValidator certificateValidator)
: this(false, certificateValidator)
{
}
public static IEnumerable<Claim> ValidateIdentityToken(string token, string issuer, string audience, X509Certificate2 signingCertificate, X509CertificateValidator certificateValidator = null)
{
if (certificateValidator == null)
{
certificateValidator = X509CertificateValidator.None;
}
var configuration = new SecurityTokenHandlerConfiguration
{
CertificateValidator = certificateValidator
};
var handler = new JwtSecurityTokenHandler
{
Configuration = configuration
};
var parameters = new TokenValidationParameters
{
ValidIssuer = issuer,
AllowedAudience = audience,
SigningToken = new X509SecurityToken(signingCertificate)
};
return handler.ValidateToken(token, parameters).Claims;
}
public RequireSslOptions()
{
RequireClientCertificate = false;
ClientCertificateValidator = X509CertificateValidator.None;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows)
: this(validator, mapToWindows, /* WindowsClaimSet.DefaultIncludeWindowsGroups */ true)
{
}
public PeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy)
{
_chain = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy);
_peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
: this(validator, mapToWindows, includeWindowsGroups, true)
{
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows)
: this(validator, mapToWindows, false)
{
}
public PeerCertificateClientCredentials(X509Certificate2 selfCertificate, X509CertificateValidator validator)
{
this.selfCertificate = selfCertificate;
this.certificateValidator = validator;
}
public PeerOrChainTrustValidator()
{
_chain = X509CertificateValidator.ChainTrust;
_peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator)
: this(validator, false)
{
}
public PeerOrChainTrustValidator()
{
this.chain = X509CertificateValidator.ChainTrust;
this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public X509SecurityTokenAuthenticator(X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
: this(validator, mapToWindows, includeWindowsGroups, true)
{
}
public static void AddSaml2(this AuthenticationConfiguration configuration, string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator, AuthenticationOptions options, AuthenticationScheme scheme)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
configuration.AddSaml2(handlerConfig, options, scheme);
}
