internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if (token == null)
{
// Check if this is a RSA key.
RsaKeyIdentifierClause rsaClause;
if (ski.TryFind <RsaKeyIdentifierClause>(out rsaClause))
{
token = new RsaSecurityToken(rsaClause.Rsa);
}
}
if (token == null)
{
// Check if this is a X509RawDataKeyIdentifier Clause.
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause;
if (ski.TryFind <X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause))
{
token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData()));
}
}
return(token);
}
internal static RsaSecurityToken CreateSafeRsaSecurityToken(int keySize)
{
RsaSecurityToken token;
RSACryptoServiceProvider rsa = null;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
try
{
}
finally
{
rsa = new RSACryptoServiceProvider(keySize);
}
token = new RsaSecurityToken(rsa, true);
rsa = null;
}
finally
{
if (rsa != null)
{
rsa.Dispose();
}
}
return(token);
}
/// <summary>
/// Validates a <see cref="RsaSecurityToken"/>.
/// </summary>
/// <param name="token">The <see cref="RsaSecurityToken"/> to validate.</param>
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
/// <exception cref="ArgumentException">The token is not assignable from <see cref="RsaSecurityToken"/>.</exception>
/// <exception cref="InvalidOperationException">Configuration <see cref="SecurityTokenHandlerConfiguration"/>is null.</exception>
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
RsaSecurityToken rsaToken = (RsaSecurityToken)token;
if (rsaToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
}
if (this.Configuration == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
try
{
// Export the Public Key of the RSA as a Claim.
ClaimsIdentity identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Rsa, rsaToken.Rsa.ToXmlString(false), ClaimValueTypes.RsaKeyValue, ClaimsIdentity.DefaultIssuer) }, AuthenticationTypes.Signature);
identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Signature));
if (this.Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(token, this);
}
this.TraceTokenValidationSuccess(token);
List <ClaimsIdentity> identities = new List <ClaimsIdentity>(1);
identities.Add(identity);
return(identities.AsReadOnly());
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
this.TraceTokenValidationFailure(token, e.Message);
throw e;
}
}
/// <summary>
/// Serializes an RSA security token to XML.
/// </summary>
/// <param name="writer">The XML writer.</param>
/// <param name="token">An RSA security token.</param>
/// <exception cref="ArgumentNullException">The input argument 'writer' is null.</exception>
/// <exception cref="InvalidOperationException">The input argument 'token' is either null or not of type
/// <see cref="RsaSecurityToken"/>.</exception>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
RsaSecurityToken rsaToken = token as RsaSecurityToken;
if (rsaToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
}
RSAParameters rsaParams = rsaToken.Rsa.ExportParameters(false);
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace);
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyValue, XmlSignatureConstants.Namespace);
//
// RSA.ToXmlString shouldn't be used here because it doesn't write namespaces. The modulus and exponent are written manually.
//
writer.WriteStartElement(XmlSignatureConstants.Elements.RsaKeyValue, XmlSignatureConstants.Namespace);
writer.WriteStartElement(XmlSignatureConstants.Elements.Modulus, XmlSignatureConstants.Namespace);
byte[] modulus = rsaParams.Modulus;
writer.WriteBase64(modulus, 0, modulus.Length);
writer.WriteEndElement(); // </modulus>
writer.WriteStartElement(XmlSignatureConstants.Elements.Exponent, XmlSignatureConstants.Namespace);
byte[] exponent = rsaParams.Exponent;
writer.WriteBase64(exponent, 0, exponent.Length);
writer.WriteEndElement(); // </exponent>
writer.WriteEndElement(); // </RsaKeyValue>
writer.WriteEndElement(); // </KeyValue>
writer.WriteEndElement(); // </KeyInfo>
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
RsaKeyIdentifierClause clause;
X509RawDataKeyIdentifierClause clause2;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if ((token == null) && ski.TryFind <RsaKeyIdentifierClause>(out clause))
{
token = new RsaSecurityToken(clause.Rsa);
}
if ((token == null) && ski.TryFind <X509RawDataKeyIdentifierClause>(out clause2))
{
token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData()));
}
return(token);
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawDataClause != null)
{
token = new X509SecurityToken(new X509Certificate2(rawDataClause.GetX509RawData()));
return(true);
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if (rsaClause != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
return(true);
}
if (_wrappedTokenResolver.TryResolveToken(keyIdentifierClause, out token))
{
return(true);
}
return(false);
}
public FederatedTokenProviderState(System.IdentityModel.Tokens.RsaSecurityToken rsaToken) : base(null)
{
this.rsaToken = rsaToken;
}