예제 #1
0
            public override SecurityKeyIdentifierClause ReadKeyIdentifierClauseCore(XmlDictionaryReader reader)
            {
                SecurityKeyIdentifierClause clause = null;

                reader.ReadStartElement(XD.XmlSignatureDictionary.X509Data, this.NamespaceUri);
                while (reader.IsStartElement())
                {
                    if ((clause == null) && reader.IsStartElement(XD.XmlSignatureDictionary.X509Certificate, this.NamespaceUri))
                    {
                        X509Certificate2 certificate = null;
                        if (!System.ServiceModel.Security.SecurityUtils.TryCreateX509CertificateFromRawData(reader.ReadElementContentAsBase64(), out certificate))
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidX509RawData")));
                        }
                        clause = new X509RawDataKeyIdentifierClause(certificate);
                    }
                    else if ((clause == null) && reader.IsStartElement("X509SKI", this.NamespaceUri.ToString()))
                    {
                        clause = new X509SubjectKeyIdentifierClause(reader.ReadElementContentAsBase64());
                    }
                    else
                    {
                        reader.Skip();
                    }
                }
                reader.ReadEndElement();
                return(clause);
            }
예제 #2
0
        internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
        {
            SecurityKeyIdentifierClause result = null;

            switch (_x509ReferenceStyle)
            {
            default:
            case X509KeyIdentifierClauseType.Any:
                if (referenceStyle == SecurityTokenReferenceStyle.External)
                {
                    X509SecurityToken x509Token = token as X509SecurityToken;
                    if (x509Token != null)
                    {
                        X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
                        if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause))
                        {
                            result = x509KeyIdentifierClause;
                        }
                    }

                    if (result == null)
                    {
                        throw new PlatformNotSupportedException();
                    }
                }
                else
                {
                    result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
                }

                break;

            case X509KeyIdentifierClauseType.Thumbprint:
                result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
                result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.IssuerSerial:
                result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
                result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;
            }

            return(result);
        }
        protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
        {
            SecurityKeyIdentifierClause clause = null;

            switch (this.x509ReferenceStyle)
            {
            case X509KeyIdentifierClauseType.Thumbprint:
                return(base.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));

            case X509KeyIdentifierClauseType.IssuerSerial:
                return(base.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));

            case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
                return(base.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));

            case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
                return(base.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
            }
            if (referenceStyle == SecurityTokenReferenceStyle.External)
            {
                X509SecurityToken token2 = token as X509SecurityToken;
                if (token2 != null)
                {
                    X509SubjectKeyIdentifierClause clause2;
                    if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2))
                    {
                        clause = clause2;
                    }
                }
                else
                {
                    X509SubjectKeyIdentifierClause clause3;
                    X509WindowsSecurityToken       token3 = token as X509WindowsSecurityToken;
                    if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3))
                    {
                        clause = clause3;
                    }
                }
                if (clause == null)
                {
                    clause = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
                }
                if (clause == null)
                {
                    clause = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
                }
                return(clause);
            }
            return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>());
        }
예제 #4
0
    /// <summary>
    /// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
    /// </summary>
    /// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
    /// <param name="token">The resolved SecurityToken.</param>
    /// <returns>True if successfully resolved.</returns>
    /// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        if (keyIdentifierClause == null)
        {
            throw new ArgumentNullException("keyIdentifierClause");
        }

        token = null;

        foreach (X509Certificate2 cert in trustedIssuerCertificates)
        {
            X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
            if ((thumbprintKeyIdentifierClause != null) && (thumbprintKeyIdentifierClause.Matches(cert)))
            {
                token = new X509SecurityToken(cert);
                return(true);
            }

            X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
            if ((issuerSerialKeyIdentifierClause != null) && (issuerSerialKeyIdentifierClause.Matches(cert)))
            {
                token = new X509SecurityToken(cert);
                return(true);
            }

            X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
            if ((subjectKeyIdentifierClause != null) && (subjectKeyIdentifierClause.Matches(cert)))
            {
                token = new X509SecurityToken(cert);
                return(true);
            }

            X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
            if ((rawDataKeyIdentifierClause != null) && (rawDataKeyIdentifierClause.Matches(cert)))
            {
                token = new X509SecurityToken(cert);
                return(true);
            }
        }

        return(false);
    }
        protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
        {
            token = null;
            X509Certificate2 matched = null;
            X509ThumbprintKeyIdentifierClause clause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;

            if ((clause != null) && this.TryMatchCertificates(clause.Matches, out matched))
            {
                token = new X509SecurityToken(matched);
                return(true);
            }
            X509IssuerSerialKeyIdentifierClause clause2 = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;

            if ((clause2 != null) && TryMatchCertificates(clause2.Matches, out matched))
            {
                token = new X509SecurityToken(matched);
                return(true);
            }
            X509SubjectKeyIdentifierClause clause3 = keyIdentifierClause as X509SubjectKeyIdentifierClause;

            if ((clause3 != null) && TryMatchCertificates(clause3.Matches, out matched))
            {
                token = new X509SecurityToken(matched);
                return(true);
            }
            X509RawDataKeyIdentifierClause clause4 = keyIdentifierClause as X509RawDataKeyIdentifierClause;

            if ((clause4 != null) && TryMatchCertificates(clause4.Matches, out matched))
            {
                token = new X509SecurityToken(matched);
                return(true);
            }

            if (this.innerResolver != null)
            {
                return(this.innerResolver.TryResolveToken(keyIdentifierClause, out token));
            }

            return(false);
        }
        protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
        {
            SecurityKeyIdentifierClause result = null;

            switch (_x509ReferenceStyle)
            {
            default:
            case X509KeyIdentifierClauseType.Any:
                if (referenceStyle == SecurityTokenReferenceStyle.External)
                {
                    if (token is X509SecurityToken x509Token)
                    {
                        if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause))
                        {
                            result = x509KeyIdentifierClause;
                        }
                    }
                    else
                    {
                        if (token is X509WindowsSecurityToken windowsX509Token)
                        {
                            if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause))
                            {
                                result = x509KeyIdentifierClause;
                            }
                        }
                    }

                    if (result == null)
                    {
                        result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
                    }

                    if (result == null)
                    {
                        result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
                    }
                }
                else
                {
                    result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
                }

                break;

            case X509KeyIdentifierClauseType.Thumbprint:
                result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
                result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.IssuerSerial:
                result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;

            case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
                result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
                break;
            }

            return(result);
        }
        private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
        {
            token = null;
            key   = null;
            CertMatcher certMatcher = null;

            // for SAML tokens the highest probability are certs, with RawData first
            X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;

            if (rawCertKeyIdentifierClause != null)
            {
                certMatcher = rawCertKeyIdentifierClause.Matches;
            }
            else
            {
                X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
                if (subjectKeyIdentifierClause != null)
                {
                    certMatcher = subjectKeyIdentifierClause.Matches;
                }
                else
                {
                    X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
                    if (thumbprintKeyIdentifierClause != null)
                    {
                        certMatcher = thumbprintKeyIdentifierClause.Matches;
                    }
                    else
                    {
                        X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
                        if (issuerKeyIdentifierClause != null)
                        {
                            certMatcher = issuerKeyIdentifierClause.Matches;
                        }
                    }
                }
            }

            if (_validationParameters.IssuerSigningKeyResolver != null)
            {
                key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
                if (key != null)
                {
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningKey != null)
            {
                if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token))
                {
                    key = _validationParameters.IssuerSigningKey;
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningKeys != null)
            {
                foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
                {
                    if (Matches(keyIdentifierClause, securityKey, certMatcher, out token))
                    {
                        key = securityKey;
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            if (_validationParameters.IssuerSigningToken != null)
            {
                if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                {
                    token             = _validationParameters.IssuerSigningToken;
                    key               = token.SecurityKeys[0];
                    this.IsKeyMatched = true;
                }
            }

            if (_validationParameters.IssuerSigningTokens != null)
            {
                foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
                {
                    if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
                    {
                        token             = issuerToken;
                        key               = token.SecurityKeys[0];
                        this.IsKeyMatched = true;
                        break;
                    }
                }
            }

            return(this.IsKeyMatched);
        }