public override SecurityKeyIdentifierClause ReadKeyIdentifierClauseCore(XmlDictionaryReader reader) { SecurityKeyIdentifierClause clause = null; reader.ReadStartElement(XD.XmlSignatureDictionary.X509Data, this.NamespaceUri); while (reader.IsStartElement()) { if ((clause == null) && reader.IsStartElement(XD.XmlSignatureDictionary.X509Certificate, this.NamespaceUri)) { X509Certificate2 certificate = null; if (!System.ServiceModel.Security.SecurityUtils.TryCreateX509CertificateFromRawData(reader.ReadElementContentAsBase64(), out certificate)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("InvalidX509RawData"))); } clause = new X509RawDataKeyIdentifierClause(certificate); } else if ((clause == null) && reader.IsStartElement("X509SKI", this.NamespaceUri.ToString())) { clause = new X509SubjectKeyIdentifierClause(reader.ReadElementContentAsBase64()); } else { reader.Skip(); } } reader.ReadEndElement(); return(clause); }
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause result = null; switch (_x509ReferenceStyle) { default: case X509KeyIdentifierClauseType.Any: if (referenceStyle == SecurityTokenReferenceStyle.External) { X509SecurityToken x509Token = token as X509SecurityToken; if (x509Token != null) { X509SubjectKeyIdentifierClause x509KeyIdentifierClause; if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } if (result == null) { throw new PlatformNotSupportedException(); } } else { result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>(); } break; case X509KeyIdentifierClauseType.Thumbprint: result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.SubjectKeyIdentifier: result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.IssuerSerial: result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.RawDataKeyIdentifier: result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; } return(result); }
protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause clause = null; switch (this.x509ReferenceStyle) { case X509KeyIdentifierClauseType.Thumbprint: return(base.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.IssuerSerial: return(base.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.SubjectKeyIdentifier: return(base.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); case X509KeyIdentifierClauseType.RawDataKeyIdentifier: return(base.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle)); } if (referenceStyle == SecurityTokenReferenceStyle.External) { X509SecurityToken token2 = token as X509SecurityToken; if (token2 != null) { X509SubjectKeyIdentifierClause clause2; if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2)) { clause = clause2; } } else { X509SubjectKeyIdentifierClause clause3; X509WindowsSecurityToken token3 = token as X509WindowsSecurityToken; if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3)) { clause = clause3; } } if (clause == null) { clause = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } if (clause == null) { clause = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } return(clause); } return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>()); }
/// <summary> /// Resolves the given SecurityKeyIdentifierClause to a SecurityToken. /// </summary> /// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to resolve.</param> /// <param name="token">The resolved SecurityToken.</param> /// <returns>True if successfully resolved.</returns> /// <exception cref="ArgumentNullException">The input argument 'keyIdentifierClause' is null.</exception> protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { if (keyIdentifierClause == null) { throw new ArgumentNullException("keyIdentifierClause"); } token = null; foreach (X509Certificate2 cert in trustedIssuerCertificates) { X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause; if ((thumbprintKeyIdentifierClause != null) && (thumbprintKeyIdentifierClause.Matches(cert))) { token = new X509SecurityToken(cert); return(true); } X509IssuerSerialKeyIdentifierClause issuerSerialKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause; if ((issuerSerialKeyIdentifierClause != null) && (issuerSerialKeyIdentifierClause.Matches(cert))) { token = new X509SecurityToken(cert); return(true); } X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause; if ((subjectKeyIdentifierClause != null) && (subjectKeyIdentifierClause.Matches(cert))) { token = new X509SecurityToken(cert); return(true); } X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause; if ((rawDataKeyIdentifierClause != null) && (rawDataKeyIdentifierClause.Matches(cert))) { token = new X509SecurityToken(cert); return(true); } } return(false); }
protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token) { token = null; X509Certificate2 matched = null; X509ThumbprintKeyIdentifierClause clause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause; if ((clause != null) && this.TryMatchCertificates(clause.Matches, out matched)) { token = new X509SecurityToken(matched); return(true); } X509IssuerSerialKeyIdentifierClause clause2 = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause; if ((clause2 != null) && TryMatchCertificates(clause2.Matches, out matched)) { token = new X509SecurityToken(matched); return(true); } X509SubjectKeyIdentifierClause clause3 = keyIdentifierClause as X509SubjectKeyIdentifierClause; if ((clause3 != null) && TryMatchCertificates(clause3.Matches, out matched)) { token = new X509SecurityToken(matched); return(true); } X509RawDataKeyIdentifierClause clause4 = keyIdentifierClause as X509RawDataKeyIdentifierClause; if ((clause4 != null) && TryMatchCertificates(clause4.Matches, out matched)) { token = new X509SecurityToken(matched); return(true); } if (this.innerResolver != null) { return(this.innerResolver.TryResolveToken(keyIdentifierClause, out token)); } return(false); }
protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { SecurityKeyIdentifierClause result = null; switch (_x509ReferenceStyle) { default: case X509KeyIdentifierClauseType.Any: if (referenceStyle == SecurityTokenReferenceStyle.External) { if (token is X509SecurityToken x509Token) { if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } else { if (token is X509WindowsSecurityToken windowsX509Token) { if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out X509SubjectKeyIdentifierClause x509KeyIdentifierClause)) { result = x509KeyIdentifierClause; } } } if (result == null) { result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>(); } if (result == null) { result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>(); } } else { result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>(); } break; case X509KeyIdentifierClauseType.Thumbprint: result = CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.SubjectKeyIdentifier: result = CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.IssuerSerial: result = CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; case X509KeyIdentifierClauseType.RawDataKeyIdentifier: result = CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle); break; } return(result); }
private bool ResolvesToSigningToken(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key, out SecurityToken token) { token = null; key = null; CertMatcher certMatcher = null; // for SAML tokens the highest probability are certs, with RawData first X509RawDataKeyIdentifierClause rawCertKeyIdentifierClause = keyIdentifierClause as X509RawDataKeyIdentifierClause; if (rawCertKeyIdentifierClause != null) { certMatcher = rawCertKeyIdentifierClause.Matches; } else { X509SubjectKeyIdentifierClause subjectKeyIdentifierClause = keyIdentifierClause as X509SubjectKeyIdentifierClause; if (subjectKeyIdentifierClause != null) { certMatcher = subjectKeyIdentifierClause.Matches; } else { X509ThumbprintKeyIdentifierClause thumbprintKeyIdentifierClause = keyIdentifierClause as X509ThumbprintKeyIdentifierClause; if (thumbprintKeyIdentifierClause != null) { certMatcher = thumbprintKeyIdentifierClause.Matches; } else { X509IssuerSerialKeyIdentifierClause issuerKeyIdentifierClause = keyIdentifierClause as X509IssuerSerialKeyIdentifierClause; if (issuerKeyIdentifierClause != null) { certMatcher = issuerKeyIdentifierClause.Matches; } } } } if (_validationParameters.IssuerSigningKeyResolver != null) { key = _validationParameters.IssuerSigningKeyResolver(token: _securityToken, securityToken: null, keyIdentifier: new SecurityKeyIdentifier(keyIdentifierClause), validationParameters: _validationParameters); if (key != null) { this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningKey != null) { if (Matches(keyIdentifierClause, _validationParameters.IssuerSigningKey, certMatcher, out token)) { key = _validationParameters.IssuerSigningKey; this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningKeys != null) { foreach (SecurityKey securityKey in _validationParameters.IssuerSigningKeys) { if (Matches(keyIdentifierClause, securityKey, certMatcher, out token)) { key = securityKey; this.IsKeyMatched = true; break; } } } if (_validationParameters.IssuerSigningToken != null) { if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause)) { token = _validationParameters.IssuerSigningToken; key = token.SecurityKeys[0]; this.IsKeyMatched = true; } } if (_validationParameters.IssuerSigningTokens != null) { foreach (SecurityToken issuerToken in _validationParameters.IssuerSigningTokens) { if (_validationParameters.IssuerSigningToken.MatchesKeyIdentifierClause(keyIdentifierClause)) { token = issuerToken; key = token.SecurityKeys[0]; this.IsKeyMatched = true; break; } } } return(this.IsKeyMatched); }