예제 #1
0
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            // You only get client certificates over HTTPS
            if (!Context.Request.IsHttps)
            {
                Logger.NotHttps();
                return(AuthenticateResult.NoResult());
            }

            try
            {
                var clientCertificate = await Context.Connection.GetClientCertificateAsync();

                // This should never be the case, as cert authentication happens long before ASP.NET kicks in.
                if (clientCertificate == null)
                {
                    Logger.NoCertificate();
                    return(AuthenticateResult.NoResult());
                }

                if (_cache != null)
                {
                    var cacheHit = _cache.Get(Context, clientCertificate);
                    if (cacheHit != null)
                    {
                        return(cacheHit);
                    }
                }

                var result = await ValidateCertificateAsync(clientCertificate);

                if (_cache != null)
                {
                    _cache.Put(Context, clientCertificate, result);
                }
                return(result);
            }
            catch (Exception ex)
            {
                var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
                {
                    Exception = ex
                };

                await Events.AuthenticationFailed(authenticationFailedContext);

                if (authenticationFailedContext.Result != null)
                {
                    return(authenticationFailedContext.Result);
                }

                throw;
            }
        }
        private async Task <CertificateAuthenticationFailedContext> HandleFailureAsync(Exception error)
        {
            var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
            {
                Exception = error
            };

            await Events.AuthenticationFailed(authenticationFailedContext);

            return(authenticationFailedContext);
        }
예제 #3
0
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            // You only get client certificates over HTTPS
            if (!Context.Request.IsHttps)
            {
                return(AuthenticateResult.NoResult());
            }

            try
            {
                var clientCertificate = await Context.Connection.GetClientCertificateAsync();

                // This should never be the case, as cert authentication happens long before ASP.NET kicks in.
                if (clientCertificate == null)
                {
                    Logger.NoCertificate();
                    return(AuthenticateResult.NoResult());
                }

                // If we have a self signed cert, and they're not allowed, exit early and not bother with
                // any other validations.
                if (clientCertificate.IsSelfSigned() &&
                    !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned))
                {
                    Logger.CertificateRejected("Self signed", clientCertificate.Subject);
                    return(AuthenticateResult.Fail("Options do not allow self signed certificates."));
                }

                // If we have a chained cert, and they're not allowed, exit early and not bother with
                // any other validations.
                if (!clientCertificate.IsSelfSigned() &&
                    !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained))
                {
                    Logger.CertificateRejected("Chained", clientCertificate.Subject);
                    return(AuthenticateResult.Fail("Options do not allow chained certificates."));
                }

                var chainPolicy = BuildChainPolicy(clientCertificate);
                var chain       = new X509Chain
                {
                    ChainPolicy = chainPolicy
                };

                var certificateIsValid = chain.Build(clientCertificate);
                if (!certificateIsValid)
                {
                    var chainErrors = new List <string>();
                    foreach (var validationFailure in chain.ChainStatus)
                    {
                        chainErrors.Add($"{validationFailure.Status} {validationFailure.StatusInformation}");
                    }
                    Logger.CertificateFailedValidation(clientCertificate.Subject, chainErrors);
                    return(AuthenticateResult.Fail("Client certificate failed validation."));
                }

                var certificateValidatedContext = new CertificateValidatedContext(Context, Scheme, Options)
                {
                    ClientCertificate = clientCertificate,
                    Principal         = CreatePrincipal(clientCertificate)
                };

                await Events.CertificateValidated(certificateValidatedContext);

                if (certificateValidatedContext.Result != null)
                {
                    return(certificateValidatedContext.Result);
                }

                certificateValidatedContext.Success();
                return(certificateValidatedContext.Result);
            }
            catch (Exception ex)
            {
                var authenticationFailedContext = new CertificateAuthenticationFailedContext(Context, Scheme, Options)
                {
                    Exception = ex
                };

                await Events.AuthenticationFailed(authenticationFailedContext);

                if (authenticationFailedContext.Result != null)
                {
                    return(authenticationFailedContext.Result);
                }

                throw;
            }
        }
예제 #4
0
 /// <summary>
 /// Invoked when a certificate fails authentication.
 /// </summary>
 /// <param name="context"></param>
 /// <returns></returns>
 public virtual Task AuthenticationFailed(CertificateAuthenticationFailedContext context) => OnAuthenticationFailed(context);