private static X509Certificate2 GetCertificate(X509Store store, string thumbprint, ObjectId objectId, string name, bool logExpired, out ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureCode) { subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure; X509Certificate2Collection x509Certificate2Collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); if (x509Certificate2Collection == null || x509Certificate2Collection.Count == 0 || x509Certificate2Collection[0] == null) { ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Certificate with thumprint {0} for {1} is not present in the certificate store.", thumbprint, name); ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNotFound, thumbprint, new object[] { thumbprint, objectId.ToString() }); subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateNotInStore; return(null); } X509Certificate2 x509Certificate = x509Certificate2Collection[0]; if (!x509Certificate.HasPrivateKey) { ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Certificate with thumprint {0} for {1} does not have private key.", thumbprint, name); ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNoPrivateKey, thumbprint, new object[] { thumbprint, objectId.ToString() }); subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateNoPrivateKey; return(null); } DateTime utcNow = DateTime.UtcNow; if (utcNow > x509Certificate.NotAfter || utcNow < x509Certificate.NotBefore) { ExternalAuthentication.ConfigurationTracer.TraceError(0L, "Certificate with thumprint {0} for {1} is expired: NotBefore={2}, NotAfter={3}", new object[] { thumbprint, name, x509Certificate.NotBefore, x509Certificate.NotAfter }); if (logExpired) { ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustCertificateExpired, x509Certificate.Thumbprint, new object[] { x509Certificate.Thumbprint, objectId.ToString() }); } subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificateExpirationTimeError; return(null); } Exception ex = null; try { AsymmetricAlgorithm privateKey = x509Certificate.PrivateKey; } catch (CryptographicException ex2) { ex = ex2; } catch (NotSupportedException ex3) { ex = ex3; } if (ex != null) { ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Cannot access private key of certificate with thumprint {0} for {1}.", thumbprint, name); ExternalAuthentication.EventLogger.LogEvent(CommonEventLogConstants.Tuple_FederationTrustOrganizationCertificateNoPrivateKey, thumbprint, new object[] { thumbprint, objectId.ToString() }); subFailureCode = ExternalAuthentication.ExternalAuthenticationSubFailureType.CertificatePrivateKeyCryptoError; return(null); } ExternalAuthentication.ConfigurationTracer.TraceDebug <string, string, X509Certificate2>(0L, "Loaded certificate with thumprint {0} for {1}. Certificate details: {2}", thumbprint, name, x509Certificate); return(x509Certificate); }
private ExternalAuthentication(ExternalAuthentication.ExternalAuthenticationFailureType failureType, ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureType) { this.failureType = failureType; this.subFailureType = subFailureType; }
private ExternalAuthentication(Dictionary <ADObjectId, SecurityTokenService> securityTokenServices, TokenValidator tokenValidator, List <X509Certificate2> certificates, Uri applicationUri, ExternalAuthentication.ExternalAuthenticationFailureType failureType, ExternalAuthentication.ExternalAuthenticationSubFailureType subFailureType) : this(failureType, subFailureType) { this.securityTokenServices = securityTokenServices; this.tokenValidator = tokenValidator; this.certificates = certificates; this.applicationUri = applicationUri; }
private static ExternalAuthentication CreateExternalAuthentication() { ExternalAuthentication.InitializeNotificationsIfNeeded(); ExternalAuthentication.ConfigurationTracer.TraceDebug(0L, "Searching for federation trust configuration in AD"); WebProxy webProxy = null; Server localServer = LocalServerCache.LocalServer; Uri uri = null; if (localServer != null && localServer.InternetWebProxy != null) { ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using custom InternetWebProxy {0}.", localServer.InternetWebProxy); uri = localServer.InternetWebProxy; webProxy = new WebProxy(localServer.InternetWebProxy); } ExternalAuthentication.currentWebProxy = uri; IEnumerable <FederationTrust> enumerable = null; try { enumerable = FederationTrustCache.GetFederationTrusts(); } catch (LocalizedException arg) { ExternalAuthentication.ConfigurationTracer.TraceError <LocalizedException>(0L, "Unable to get federation trust. Exception: {0}", arg); return(new ExternalAuthentication(ExternalAuthentication.ExternalAuthenticationFailureType.ErrorReadingFederationTrust, ExternalAuthentication.ExternalAuthenticationSubFailureType.DirectoryReadError)); } Uri uri2 = null; List <X509Certificate2> list = new List <X509Certificate2>(4); List <X509Certificate2> list2 = new List <X509Certificate2>(4); Dictionary <ADObjectId, SecurityTokenService> dictionary = new Dictionary <ADObjectId, SecurityTokenService>(2); ExternalAuthentication.ExternalAuthenticationFailureType externalAuthenticationFailureType = ExternalAuthentication.ExternalAuthenticationFailureType.NoFederationTrust; ExternalAuthentication.ExternalAuthenticationSubFailureType externalAuthenticationSubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure; int num = 0; bool flag = false; if (enumerable != null) { foreach (FederationTrust federationTrust in enumerable) { num++; ExternalAuthentication.FederationTrustResults federationTrustResults = ExternalAuthentication.TryCreateSecurityTokenService(federationTrust, webProxy); if (federationTrustResults.FailureType == ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure) { dictionary.Add(federationTrust.Id, federationTrustResults.SecurityTokenService); list.AddRange(federationTrustResults.TokenSignatureCertificates); list2.AddRange(federationTrustResults.TokenDecryptionCertificates); if (uri2 == null) { uri2 = federationTrust.ApplicationUri; ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using {0} as applicationUri", uri2); } else if (!federationTrust.ApplicationUri.Equals(uri2)) { ExternalAuthentication.ConfigurationTracer.TraceError <Uri>(0L, "Cannot have multiple FederationTrust with different ApplicationUri values: {0}. Uri will be ignored", federationTrust.ApplicationUri); flag = true; } } else { externalAuthenticationFailureType = federationTrustResults.FailureType; externalAuthenticationSubFailureType = federationTrustResults.SubFailureType; } } } if (dictionary.Count == 0) { return(new ExternalAuthentication(externalAuthenticationFailureType, externalAuthenticationSubFailureType)); } if (dictionary.Count != num) { ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Number of Security Token Service clients {0} does not match number of federation trusts {1}", dictionary.Count.ToString(), num.ToString()); } TokenValidator tokenValidator = new TokenValidator(uri2, list, list2); List <X509Certificate2> list3 = new List <X509Certificate2>(list.Count + list2.Count); list3.AddRange(list); list3.AddRange(list2); if (flag) { return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2, ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure, ExternalAuthentication.ExternalAuthenticationSubFailureType.WarningApplicationUriSkipped)); } return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2)); }