private async Task <CertificateAuthenticationFailedContext> HandleFailureAsync(Exception error) { var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options) { Exception = error }; await Events.AuthenticationFailed(authenticationFailedContext); return(authenticationFailedContext); }
/// <inheritdoc /> public Task Fail(CertificateAuthenticationFailedContext context) { if (_logger.IsEnabled(LogLevel.Trace)) { _logger.LogTrace("certificate failed to validate: \r\n" + $"AuthenticationScheme: {context.Scheme}\r\n" + $"Result: {context.Result}\r\n" + $"Exception: {context.Exception}"); } if (_logger.IsEnabled(LogLevel.Debug)) { _logger.LogDebug($"certificate failed to validate: {context.Exception}"); } return(Task.CompletedTask); }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { // You only get client certificates over HTTPS if (!Context.Request.IsHttps) { return(AuthenticateResult.NoResult()); } try { var clientCertificate = await Context.Connection.GetClientCertificateAsync(); // This should never be the case, as cert authentication happens long before ASP.NET kicks in. if (clientCertificate == null) { Logger.NoCertificate(); return(AuthenticateResult.NoResult()); } // If we have a self signed cert, and they're not allowed, exit early and not bother with // any other validations. if (clientCertificate.IsSelfSigned() && !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned)) { Logger.LogWarning("Self signed certificate rejected, subject was {0}", clientCertificate.Subject); return(AuthenticateResult.Fail("Options do not allow self signed certificates.")); } // If we have a chained cert, and they're not allowed, exit early and not bother with // any other validations. if (!clientCertificate.IsSelfSigned() && !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained)) { Logger.CertificateRejected("Chained", clientCertificate.Subject); return(AuthenticateResult.Fail("Options do not allow chained certificates.")); } var chainPolicy = BuildChainPolicy(clientCertificate); var chain = new X509Chain { ChainPolicy = chainPolicy }; //// <variation> var certificateIsValid = IsChainValid(chain, clientCertificate); //// </variation> if (!certificateIsValid) { var chainErrors = new List <string>(); foreach (var validationFailure in chain.ChainStatus) { chainErrors.Add($"{validationFailure.Status} {validationFailure.StatusInformation}"); } Logger.CertificateFailedValidation(clientCertificate.Subject, chainErrors); return(AuthenticateResult.Fail("Client certificate failed validation.")); } var certificateValidatedContext = new CertificateValidatedContext(Context, Scheme, Options) { ClientCertificate = clientCertificate, Principal = CreatePrincipal(clientCertificate) }; await Events.CertificateValidated(certificateValidatedContext); if (certificateValidatedContext.Result != null) { return(certificateValidatedContext.Result); } certificateValidatedContext.Success(); return(certificateValidatedContext.Result); } catch (Exception ex) { var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options) { Exception = ex }; await Events.AuthenticationFailed(authenticationFailedContext); if (authenticationFailedContext.Result != null) { return(authenticationFailedContext.Result); } throw; } }
public Task CertificateAuthenticationFailed(CertificateAuthenticationFailedContext context) { context.Fail("Certificate Authentication Failed"); return(Task.CompletedTask); }
/// <summary> /// Invoked when a certificate fails authentication. /// </summary> /// <param name="context"></param> /// <returns></returns> public virtual Task AuthenticationFailed(CertificateAuthenticationFailedContext context) => OnAuthenticationFailed(context);