public override SecurityKeyIdentifierClause ReadKeyIdentifierClauseCore(XmlDictionaryReader reader)
{
SecurityKeyIdentifierClause clause = null;
reader.ReadStartElement(XD.XmlSignatureDictionary.X509Data, this.NamespaceUri);
while (reader.IsStartElement())
{
if ((clause == null) && reader.IsStartElement(XD.XmlSignatureDictionary.X509Certificate, this.NamespaceUri))
{
X509Certificate2 certificate = null;
if (!System.ServiceModel.Security.SecurityUtils.TryCreateX509CertificateFromRawData(reader.ReadElementContentAsBase64(), out certificate))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidX509RawData")));
}
clause = new X509RawDataKeyIdentifierClause(certificate);
}
else if ((clause == null) && reader.IsStartElement("X509SKI", this.NamespaceUri.ToString()))
{
clause = new X509SubjectKeyIdentifierClause(reader.ReadElementContentAsBase64());
}
else
{
reader.Skip();
}
}
reader.ReadEndElement();
return(clause);
}
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause result = null;
switch (_x509ReferenceStyle)
{
default:
case X509KeyIdentifierClauseType.Any:
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token != null)
{
X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
if (result == null)
{
throw new PlatformNotSupportedException();
}
}
else
{
result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
}
break;
case X509KeyIdentifierClauseType.Thumbprint:
result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.IssuerSerial:
result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
}
return(result);
}
protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause clause = null;
switch (this.x509ReferenceStyle)
{
case X509KeyIdentifierClauseType.Thumbprint:
return(base.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.IssuerSerial:
return(base.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
return(base.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
return(base.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
}
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken token2 = token as X509SecurityToken;
if (token2 != null)
{
X509SubjectKeyIdentifierClause clause2;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2))
{
clause = clause2;
}
}
else
{
X509SubjectKeyIdentifierClause clause3;
X509WindowsSecurityToken token3 = token as X509WindowsSecurityToken;
if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3))
{
clause = clause3;
}
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
}
return(clause);
}
return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>());
}
/// <summary>
/// Resolves the given SecurityKeyIdentifierClause to a SecurityToken.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param>
/// <param name="token">The resolved SecurityToken.</param>
/// <returns>True if successfully resolved.</returns>
/// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception>
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
if (keyIdentifierClause == null)
{
throw new ArgumentNullException("keyIdentifierClause");
}
token = null;
foreach (X509Certificate2 cert in trustedIssuerCertificates)
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((thumbprintKeyIdentifierClause != null) && (thumbprintKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((issuerSerialKeyIdentifierClause != null) && (issuerSerialKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((subjectKeyIdentifierClause != null) && (subjectKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((rawDataKeyIdentifierClause != null) && (rawDataKeyIdentifierClause.Matches(cert)))
{
token = new X509SecurityToken(cert);
return(true);
}
}
return(false);
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
{
token = null;
X509Certificate2 matched = null;
X509ThumbprintKeyIdentifierClause clause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if ((clause != null) && this.TryMatchCertificates(clause.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509IssuerSerialKeyIdentifierClause clause2 = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if ((clause2 != null) && TryMatchCertificates(clause2.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509SubjectKeyIdentifierClause clause3 = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if ((clause3 != null) && TryMatchCertificates(clause3.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
X509RawDataKeyIdentifierClause clause4 = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ((clause4 != null) && TryMatchCertificates(clause4.Matches, out matched))
{
token = new X509SecurityToken(matched);
return(true);
}
if (this.innerResolver != null)
{
return(this.innerResolver.TryResolveToken(keyIdentifierClause, out token));
}
return(false);
}
protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause result = null;
switch (_x509ReferenceStyle)
{
default:
case X509KeyIdentifierClauseType.Any:
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
if (token is X509SecurityToken x509Token)
{
if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
else
{
if (token is X509WindowsSecurityToken windowsX509Token)
{
if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
}
if (result == null)
{
result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
}
if (result == null)
{
result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
}
}
else
{
result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
}
break;
case X509KeyIdentifierClauseType.Thumbprint:
result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.IssuerSerial:
result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
}
return(result);
}
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token)
{
token = null;
key = null;
CertMatcher certMatcher = null;
// for SAML tokens the highest probability are certs, with RawData first
X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if (rawCertKeyIdentifierClause != null)
{
certMatcher = rawCertKeyIdentifierClause.Matches;
}
else
{
X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause;
if (subjectKeyIdentifierClause != null)
{
certMatcher = subjectKeyIdentifierClause.Matches;
}
else
{
X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause;
if (thumbprintKeyIdentifierClause != null)
{
certMatcher = thumbprintKeyIdentifierClause.Matches;
}
else
{
X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause;
if (issuerKeyIdentifierClause != null)
{
certMatcher = issuerKeyIdentifierClause.Matches;
}
}
}
}
if (_validationParameters.IssuerSigningKeyResolver != null)
{
key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters);
if (key != null)
{
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKey != null)
{
if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token))
{
key = _validationParameters.IssuerSigningKey;
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningKeys != null)
{
foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys)
{
if (Matches(keyIdentifierClause, securityKey, certMatcher, out token))
{
key = securityKey;
this.IsKeyMatched = true;
break;
}
}
}
if (_validationParameters.IssuerSigningToken != null)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = _validationParameters.IssuerSigningToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
}
}
if (_validationParameters.IssuerSigningTokens != null)
{
foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens)
{
if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause))
{
token = issuerToken;
key = token.SecurityKeys[0];
this.IsKeyMatched = true;
break;
}
}
}
return(this.IsKeyMatched);
}
