        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), then the subject distinguished name, one DNS claim
        /// per dNSName found in the SAN extension, the simple name, the UPN and the URL name.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// A certificate that carries an e-mail name is rejected with the exception returned by
        /// <c>ExceptionHelper.PlatformNotSupported</c> instead of being silently dropped.
        /// No RSA public-key claim is emitted by this implementation.
        /// </remarks>
        IList <Claim> InitializeClaimsCore()
        {
            List<Claim> result = new List<Claim>();

            // The raw certificate hash backs both thumbprint rights.
            byte[] certHash = _certificate.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.PossessProperty));

            // Name-derived claims follow in a fixed order: SubjectName, Dns, SimpleName, Email, Upn, Url.
            if (!string.IsNullOrEmpty(_certificate.SubjectName.Name))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(_certificate.SubjectName));
            }

            // A SAN extension may list several dNSNames; every one of them becomes a claim.
            foreach (string dnsName in GetDnsFromExtensions(_certificate))
            {
                result.Add(Claim.CreateDnsClaim(dnsName));
            }

            string simpleName = _certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (!string.IsNullOrEmpty(simpleName))
            {
                result.Add(Claim.CreateNameClaim(simpleName));
            }

            // E-mail names are not supported here; surface that to the caller.
            string emailName = _certificate.GetNameInfo(X509NameType.EmailName, false);
            if (!string.IsNullOrEmpty(emailName))
            {
                throw ExceptionHelper.PlatformNotSupported("InitializeClaimsCore - EmailName");
            }

            string upnName = _certificate.GetNameInfo(X509NameType.UpnName, false);
            if (!string.IsNullOrEmpty(upnName))
            {
                result.Add(Claim.CreateUpnClaim(upnName));
            }

            string urlName = _certificate.GetNameInfo(X509NameType.UrlName, false);
            if (!string.IsNullOrEmpty(urlName))
            {
                // new Uri(string) throws UriFormatException on a malformed URL name; it propagates to the caller.
                result.Add(Claim.CreateUriClaim(new Uri(urlName)));
            }

            return result;
        }
        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), the subject distinguished name, then the DNS, simple,
        /// e-mail, UPN and URL names that the certificate reports, and finally an RSA claim when
        /// the public key is RSA.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// <see cref="MailAddress"/> and <see cref="Uri"/> are constructed from certificate-supplied
        /// strings; a malformed e-mail or URL name makes those constructors throw
        /// (<see cref="FormatException"/> / <see cref="UriFormatException"/>), which propagates.
        /// </remarks>
        IList <Claim> InitializeClaimsCore()
        {
            var cert = this.certificate;
            List<Claim> result = new List<Claim>();

            // Both thumbprint rights are issued against the same raw hash.
            byte[] hash = cert.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.PossessProperty));

            // Subject distinguished name, when the certificate has one.
            if (!string.IsNullOrEmpty(cert.SubjectName.Name))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(cert.SubjectName));
            }

            // Adds one claim for the given name type when the certificate carries such a name.
            Action<X509NameType, Func<string, Claim>> addName = (nameType, toClaim) =>
            {
                string name = cert.GetNameInfo(nameType, false);
                if (!string.IsNullOrEmpty(name))
                {
                    result.Add(toClaim(name));
                }
            };

            // Fixed order: Dns, SimpleName, Email, Upn, Url.
            addName(X509NameType.DnsName, n => Claim.CreateDnsClaim(n));
            addName(X509NameType.SimpleName, n => Claim.CreateNameClaim(n));
            addName(X509NameType.EmailName, n => Claim.CreateMailAddressClaim(new MailAddress(n)));
            addName(X509NameType.UpnName, n => Claim.CreateUpnClaim(n));
            addName(X509NameType.UrlName, n => Claim.CreateUriClaim(new Uri(n)));

            // Public-key claim, RSA keys only; other key types get no claim.
            RSA rsaKey = cert.PublicKey.Key as RSA;
            if (rsaKey != null)
            {
                result.Add(Claim.CreateRsaClaim(rsaKey));
            }

            return result;
        }
        // Note: null string represents any.
        /// <summary>
        /// Enumerates the claims of this set matching <paramref name="claimType"/> and
        /// <paramref name="right"/>; a null argument matches any value. While the full claim
        /// list has not been built yet, thumbprint and DNS queries are answered directly from
        /// the certificate so they do not force the list to be built.
        /// </summary>
        /// <param name="claimType">Claim type to match, or null for any.</param>
        /// <param name="right">Right to match, or null for any.</param>
        /// <returns>A lazily evaluated sequence; nothing runs until enumeration starts.</returns>
        public override IEnumerable <Claim> FindClaims(string claimType, string right)
        {
            ThrowIfDisposed();

            // An unsupported type or right can never match, so the claim list is left untouched.
            if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right))
            {
                yield break;
            }

            bool wantAnyRight = (right == null);
            bool listNotBuilt = (_claims == null);

            if (listNotBuilt && ClaimTypes.Thumbprint.Equals(claimType))
            {
                // Thumbprint claims are synthesised on demand, one per matching right.
                if (wantAnyRight || Rights.Identity.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.Identity);
                }
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.PossessProperty);
                }
                yield break;
            }

            if (listNotBuilt && ClaimTypes.Dns.Equals(claimType))
            {
                // Only the PossessProperty right is answered for DNS; one claim per SAN dNSName.
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    foreach (string dnsName in GetDnsFromExtensions(_certificate))
                    {
                        yield return Claim.CreateDnsClaim(dnsName);
                    }
                }
                yield break;
            }

            // Everything else goes through the materialised list.
            EnsureClaims();
            bool wantAnyType = (claimType == null);

            for (int index = 0; index < _claims.Count; ++index)
            {
                Claim candidate = _claims[index];
                if (candidate == null)
                {
                    continue;
                }
                if ((wantAnyType || claimType.Equals(candidate.ClaimType)) &&
                    (wantAnyRight || right.Equals(candidate.Right)))
                {
                    yield return candidate;
                }
            }
        }
        // Note: null string represents any.
        /// <summary>
        /// Enumerates the claims of this set matching <paramref name="claimType"/> and
        /// <paramref name="right"/>; a null argument matches any value. Thumbprint and DNS
        /// queries issued before the claim list exists are answered from the certificate alone.
        /// </summary>
        /// <param name="claimType">Claim type to match, or null for any.</param>
        /// <param name="right">Right to match, or null for any.</param>
        /// <returns>A lazily evaluated sequence of matching claims.</returns>
        public override IEnumerable <Claim> FindClaims(string claimType, string right)
        {
            ThrowIfDisposed();
            if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right))
            {
                yield break;
            }

            bool claimListBuilt = (_claims != null);
            bool matchAnyRight = (right == null);

            if (!claimListBuilt && ClaimTypes.Thumbprint.Equals(claimType))
            {
                // Built from the raw hash, one claim per requested right.
                if (matchAnyRight || Rights.Identity.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.Identity);
                }
                if (matchAnyRight || Rights.PossessProperty.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.PossessProperty);
                }
            }
            else if (!claimListBuilt && ClaimTypes.Dns.Equals(claimType))
            {
                // #321 - Desktop implementation > 4.6 replaces this with a SAN check. Here only the
                // single DnsName that GetNameInfo reports is used, and only for PossessProperty.
                if (matchAnyRight || Rights.PossessProperty.Equals(right))
                {
                    string dnsName = _certificate.GetNameInfo(X509NameType.DnsName, false);
                    if (!string.IsNullOrEmpty(dnsName))
                    {
                        yield return Claim.CreateDnsClaim(dnsName);
                    }
                }
            }
            else
            {
                EnsureClaims();
                bool matchAnyType = (claimType == null);

                // Count is re-read on every iteration on purpose, as in the original loop.
                for (int position = 0; position < _claims.Count; ++position)
                {
                    Claim entry = _claims[position];
                    bool typeOk = entry != null && (matchAnyType || claimType.Equals(entry.ClaimType));
                    if (typeOk && (matchAnyRight || right.Equals(entry.Right)))
                    {
                        yield return entry;
                    }
                }
            }
        }
        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), the subject distinguished name, the single DnsName
        /// reported by <c>GetNameInfo</c>, the simple name, the UPN and the URL name.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// UPN claims are only produced when FEATURE_CORECLR is defined; otherwise a certificate
        /// with a UPN is rejected via <c>ExceptionHelper.PlatformNotSupported</c>.
        /// No e-mail or RSA public-key claim is emitted by this implementation.
        /// </remarks>
        IList <Claim> InitializeClaimsCore()
        {
            List<Claim> result = new List<Claim>();

            byte[] certHash = _certificate.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.PossessProperty));

            // Name-derived claims in a fixed order: SubjectName, Dns, SimpleName, Upn, Url.
            if (!string.IsNullOrEmpty(_certificate.SubjectName.Name))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(_certificate.SubjectName));
            }

            // #321 - Desktop implementation > 4.6 replaces this with a SAN check.
            string dnsName = _certificate.GetNameInfo(X509NameType.DnsName, false);
            if (!string.IsNullOrEmpty(dnsName))
            {
                result.Add(Claim.CreateDnsClaim(dnsName));
            }

            string simpleName = _certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (!string.IsNullOrEmpty(simpleName))
            {
                result.Add(Claim.CreateNameClaim(simpleName));
            }

            string upnName = _certificate.GetNameInfo(X509NameType.UpnName, false);
            if (!string.IsNullOrEmpty(upnName))
            {
#if FEATURE_CORECLR
                result.Add(Claim.CreateUpnClaim(upnName));
#else
                throw ExceptionHelper.PlatformNotSupported();
#endif
            }

            string urlName = _certificate.GetNameInfo(X509NameType.UrlName, false);
            if (!string.IsNullOrEmpty(urlName))
            {
                // new Uri(string) throws UriFormatException on a malformed URL name; it propagates to the caller.
                result.Add(Claim.CreateUriClaim(new Uri(urlName)));
            }

            return result;
        }
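        /// <summary>
        /// Collects the DNS claims for <paramref name="cert"/>: first the DnsName reported by
        /// <c>GetNameInfo</c>, then — unless the app-context switch disables it or the SAN
        /// constants failed to initialise — every dNSName entry found in the certificate's
        /// Subject Alternative Name extension(s).
        /// </summary>
        /// <param name="cert">Certificate to read; must not be null.</param>
        /// <returns>The DNS claims in the order found; empty when no usable DNS name exists.</returns>
        /// <remarks>
        /// The SAN text comes from <c>X509Extension.Format(false)</c>, so the identifier, delimiter
        /// and separators compared against here must match that formatter's output; that appears to
        /// be what <c>X509SubjectAlternativeNameConstants.SuccessfullyInitialized</c> guards.
        /// </remarks>
        private static List <Claim> GetDnsClaims(X509Certificate2 cert)
        {
            List<Claim> dnsClaimEntries = new List<Claim>();

            // Old behavior (default for <= 4.6): the single DnsName the platform picks.
            string value = cert.GetNameInfo(X509NameType.DnsName, false);
            if (!string.IsNullOrEmpty(value))
            {
                dnsClaimEntries.Add(Claim.CreateDnsClaim(value));
            }

            // Multiple-DNS-entry support can be switched off, and if the SAN constants could not be
            // parsed the alt-name claims are skipped entirely: the DnsName claim above still gives the
            // out-bound message a chance to succeed.
            if (LocalAppContextSwitches.DisableMultipleDNSEntriesInSANCertificate || !X509SubjectAlternativeNameConstants.SuccessfullyInitialized)
            {
                return dnsClaimEntries;
            }

            foreach (X509Extension ext in cert.Extensions)
            {
                // Only the SAN and SAN2 extensions are of interest.
                bool isSan = ext.Oid.Value == X509SubjectAlternativeNameConstants.SanOid
                          || ext.Oid.Value == X509SubjectAlternativeNameConstants.San2Oid;
                if (!isSan)
                {
                    continue;
                }

                string asnString = ext.Format(false);
                if (string.IsNullOrWhiteSpace(asnString))
                {
                    // Kept from the original: an empty SAN ends the scan instead of moving to the next extension.
                    break;
                }

                // The formatted SAN lists every general name, not just dNSNames, as
                // <identifier><delimiter><value><separator(s)>; keep only the dNSName entries.
                string[] rawEntries = asnString.Split(X509SubjectAlternativeNameConstants.SeparatorArray, StringSplitOptions.RemoveEmptyEntries);
                foreach (string rawEntry in rawEntries)
                {
                    string[] keyval = rawEntry.Split(X509SubjectAlternativeNameConstants.Delimiter);

                    // An entry made of the identifier alone (no delimiter, no value) used to throw
                    // IndexOutOfRangeException on keyval[1]; such an entry carries no name, so skip it.
                    if (keyval.Length < 2)
                    {
                        continue;
                    }

                    // Ordinal comparison: the identifier is formatter output, not user-facing text.
                    if (string.Equals(keyval[0], X509SubjectAlternativeNameConstants.Identifier, StringComparison.Ordinal))
                    {
                        dnsClaimEntries.Add(Claim.CreateDnsClaim(keyval[1]));
                    }
                }
            }

            return dnsClaimEntries;
        }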
 /// <summary>
 /// Enumerates the claims of this set matching <paramref name="claimType"/> and
 /// <paramref name="right"/>; a null argument matches any value. Before the claim list has
 /// been built, thumbprint and DNS queries are answered directly from the certificate.
 /// </summary>
 /// <param name="claimType">Claim type to match, or null for any.</param>
 /// <param name="right">Right to match, or null for any.</param>
 /// <returns>A lazily evaluated sequence of matching claims.</returns>
 public override IEnumerable <Claim> FindClaims(string claimType, string right)
 {
     this.ThrowIfDisposed();

     // Nothing can match an unsupported type or right.
     if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right))
     {
         yield break;
     }

     bool anyRight = (right == null);
     bool listMissing = (this.claims == null);

     if (listMissing && ClaimTypes.Thumbprint.Equals(claimType))
     {
         // Thumbprint claims are built from the raw hash, one per matching right.
         if (anyRight || Rights.Identity.Equals(right))
         {
             yield return new Claim(ClaimTypes.Thumbprint, this.certificate.GetCertHash(), Rights.Identity);
         }
         if (anyRight || Rights.PossessProperty.Equals(right))
         {
             yield return new Claim(ClaimTypes.Thumbprint, this.certificate.GetCertHash(), Rights.PossessProperty);
         }
         yield break;
     }

     if (listMissing && ClaimTypes.Dns.Equals(claimType))
     {
         // Only the single DnsName from GetNameInfo, and only for the PossessProperty right.
         if (anyRight || Rights.PossessProperty.Equals(right))
         {
             string dnsName = this.certificate.GetNameInfo(X509NameType.DnsName, false);
             if (!string.IsNullOrEmpty(dnsName))
             {
                 yield return Claim.CreateDnsClaim(dnsName);
             }
         }
         yield break;
     }

     // All other queries scan the materialised list.
     this.EnsureClaims();
     bool anyType = (claimType == null);

     for (int index = 0; index < this.claims.Count; index++)
     {
         Claim candidate = this.claims[index];
         if (candidate == null)
         {
             continue;
         }
         if ((anyType || claimType.Equals(candidate.ClaimType)) &&
             (anyRight || right.Equals(candidate.Right)))
         {
             yield return candidate;
         }
     }
 }
        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), the subject distinguished name, the DNS, simple,
        /// e-mail, UPN and URL names the certificate reports, and an RSA claim when the public
        /// key is RSA.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// <see cref="MailAddress"/> and <see cref="Uri"/> are built from certificate-supplied text;
        /// malformed input makes their constructors throw and the exception propagates.
        /// </remarks>
        private IList <Claim> InitializeClaimsCore()
        {
            List<Claim> result = new List<Claim>();

            // Both thumbprint rights share the raw certificate hash.
            byte[] hash = this.certificate.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.PossessProperty));

            string subject = this.certificate.SubjectName.Name;
            if (!string.IsNullOrEmpty(subject))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(this.certificate.SubjectName));
            }

            // Fixed order: Dns, SimpleName, Email, Upn, Url.
            string dns = this.certificate.GetNameInfo(X509NameType.DnsName, false);
            if (!string.IsNullOrEmpty(dns))
            {
                result.Add(Claim.CreateDnsClaim(dns));
            }

            string simple = this.certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (!string.IsNullOrEmpty(simple))
            {
                result.Add(Claim.CreateNameClaim(simple));
            }

            string email = this.certificate.GetNameInfo(X509NameType.EmailName, false);
            if (!string.IsNullOrEmpty(email))
            {
                result.Add(Claim.CreateMailAddressClaim(new MailAddress(email)));
            }

            string upn = this.certificate.GetNameInfo(X509NameType.UpnName, false);
            if (!string.IsNullOrEmpty(upn))
            {
                result.Add(Claim.CreateUpnClaim(upn));
            }

            string url = this.certificate.GetNameInfo(X509NameType.UrlName, false);
            if (!string.IsNullOrEmpty(url))
            {
                result.Add(Claim.CreateUriClaim(new Uri(url)));
            }

            // Public-key claim for RSA keys only.
            RSA rsaKey = this.certificate.PublicKey.Key as RSA;
            if (rsaKey != null)
            {
                result.Add(Claim.CreateRsaClaim(rsaKey));
            }

            return result;
        }
        /// <summary>
        /// Wraps <paramref name="certificate"/> and seeds the claim list with: an Identity
        /// thumbprint claim built from the thumbprint string, an RSA claim when the public key is
        /// RSA, a thumbprint claim over the raw certificate hash, and a DNS claim whose value is
        /// still null (see the FIXME below).
        /// </summary>
        /// <param name="certificate">Certificate this claim set represents.</param>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
        public X509CertificateClaimSet(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate");
            }
            this.cert = certificate;

            // Identity is asserted through the thumbprint string.
            claims.Add(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint, Rights.Identity));

            // Not emitted here: an issuer claim set, the X500 DN claim and a name claim for the subject.

            // Public-key claim for RSA keys only.
            RSA publicKey = cert.PublicKey.Key as RSA;
            if (publicKey != null)
            {
                claims.Add(Claim.CreateRsaClaim(publicKey));
            }

            claims.Add(Claim.CreateThumbprintClaim(cert.GetCertHash()));

            // FIXME: where is DNS info for X509 cert? Until that is resolved the DNS claim carries a null value.
            claims.Add(Claim.CreateDnsClaim(null));
        }
        // Note: null string represents any.
        /// <summary>
        /// Enumerates the claims of this set matching <paramref name="claimType"/> and
        /// <paramref name="right"/>; a null argument matches any value. Before the claim list has
        /// been built, thumbprint and DNS queries are answered directly from the certificate; the
        /// DNS source depends on the DisableMultipleDNSEntriesInSANCertificate app-context switch.
        /// </summary>
        /// <param name="claimType">Claim type to match, or null for any.</param>
        /// <param name="right">Right to match, or null for any.</param>
        /// <returns>A lazily evaluated sequence of matching claims.</returns>
        public override IEnumerable <Claim> FindClaims(string claimType, string right)
        {
            ThrowIfDisposed();
            if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right))
            {
                yield break;
            }

            bool wantAnyRight = (right == null);
            bool listNotBuilt = (this.claims == null);

            if (listNotBuilt && ClaimTypes.Thumbprint.Equals(claimType))
            {
                // One thumbprint claim per matching right, built from the raw hash.
                if (wantAnyRight || Rights.Identity.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, this.certificate.GetCertHash(), Rights.Identity);
                }
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, this.certificate.GetCertHash(), Rights.PossessProperty);
                }
                yield break;
            }

            if (listNotBuilt && ClaimTypes.Dns.Equals(claimType))
            {
                // DNS is answered for the PossessProperty right only.
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    if (LocalAppContextSwitches.DisableMultipleDNSEntriesInSANCertificate)
                    {
                        // Old behavior, default for <= 4.6: the single DnsName GetNameInfo reports.
                        string dnsName = this.certificate.GetNameInfo(X509NameType.DnsName, false);
                        if (!string.IsNullOrEmpty(dnsName))
                        {
                            yield return Claim.CreateDnsClaim(dnsName);
                        }
                    }
                    else
                    {
                        // New (long-term default) behavior: every dNSName in the SAN extension.
                        foreach (string dnsName in GetDnsFromExtensions(certificate))
                        {
                            yield return Claim.CreateDnsClaim(dnsName);
                        }
                    }
                }
                yield break;
            }

            // Everything else is served from the materialised list.
            EnsureClaims();
            bool wantAnyType = (claimType == null);

            for (int index = 0; index < this.claims.Count; ++index)
            {
                Claim candidate = this.claims[index];
                if (candidate == null)
                {
                    continue;
                }
                if ((wantAnyType || claimType.Equals(candidate.ClaimType)) &&
                    (wantAnyRight || right.Equals(candidate.Right)))
                {
                    yield return candidate;
                }
            }
        }
        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), the subject distinguished name, the DNS claims, then
        /// the simple, e-mail, UPN and URL names, and finally an RSA claim when the public key is
        /// RSA. The DNS source depends on the DisableMultipleDNSEntriesInSANCertificate switch:
        /// the single <c>GetNameInfo</c> DnsName when set, every SAN dNSName otherwise.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// <see cref="MailAddress"/> and <see cref="Uri"/> are built from certificate-supplied text;
        /// malformed input makes their constructors throw and the exception propagates.
        /// </remarks>
        IList <Claim> InitializeClaimsCore()
        {
            var cert = this.certificate;
            List<Claim> result = new List<Claim>();

            byte[] hash = cert.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, hash, Rights.PossessProperty));

            // Name-derived claims in a fixed order: SubjectName, Dns, SimpleName, Email, Upn, Url.
            if (!string.IsNullOrEmpty(cert.SubjectName.Name))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(cert.SubjectName));
            }

            // Adds one claim for the given name type when the certificate carries such a name.
            Action<X509NameType, Func<string, Claim>> addName = (nameType, toClaim) =>
            {
                string name = cert.GetNameInfo(nameType, false);
                if (!string.IsNullOrEmpty(name))
                {
                    result.Add(toClaim(name));
                }
            };

            if (LocalAppContextSwitches.DisableMultipleDNSEntriesInSANCertificate)
            {
                // Old behavior, default for <= 4.6: a single DnsName.
                addName(X509NameType.DnsName, n => Claim.CreateDnsClaim(n));
            }
            else
            {
                // New (long-term default) behavior: a SAN can list several dNSNames.
                foreach (string dnsName in GetDnsFromExtensions(cert))
                {
                    result.Add(Claim.CreateDnsClaim(dnsName));
                }
            }

            addName(X509NameType.SimpleName, n => Claim.CreateNameClaim(n));
            addName(X509NameType.EmailName, n => Claim.CreateMailAddressClaim(new MailAddress(n)));
            addName(X509NameType.UpnName, n => Claim.CreateUpnClaim(n));
            addName(X509NameType.UrlName, n => Claim.CreateUriClaim(new Uri(n)));

            // Public-key claim for RSA keys only.
            RSA rsaKey = cert.PublicKey.Key as RSA;
            if (rsaKey != null)
            {
                result.Add(Claim.CreateRsaClaim(rsaKey));
            }

            return result;
        }
        // Note: null string represents any.
        /// <summary>
        /// Enumerates the claims of this set matching <paramref name="claimType"/> and
        /// <paramref name="right"/>; a null argument matches any value. Before the claim list has
        /// been built, thumbprint and DNS queries are answered directly from the certificate; DNS
        /// prefers the SAN dNSNames and falls back to the CN-derived DnsName only when the SAN
        /// yields none.
        /// </summary>
        /// <param name="claimType">Claim type to match, or null for any.</param>
        /// <param name="right">Right to match, or null for any.</param>
        /// <returns>A lazily evaluated sequence of matching claims.</returns>
        public override IEnumerable <Claim> FindClaims(string claimType, string right)
        {
            ThrowIfDisposed();
            if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right))
            {
                yield break;
            }

            bool wantAnyRight = (right == null);
            bool listNotBuilt = (_claims == null);

            if (listNotBuilt && ClaimTypes.Thumbprint.Equals(claimType))
            {
                // One thumbprint claim per matching right, built from the raw hash.
                if (wantAnyRight || Rights.Identity.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.Identity);
                }
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    yield return new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.PossessProperty);
                }
                yield break;
            }

            if (listNotBuilt && ClaimTypes.Dns.Equals(claimType))
            {
                // DNS is answered for the PossessProperty right only.
                if (wantAnyRight || Rights.PossessProperty.Equals(right))
                {
                    string[] sanNames = GetDnsFromExtensions(_certificate);
                    if (sanNames.Length == 0)
                    {
                        // No dNSName in the SAN: fall back to the CN-derived DnsName.
                        string cnName = _certificate.GetNameInfo(X509NameType.DnsName, false);
                        if (!string.IsNullOrEmpty(cnName))
                        {
                            yield return Claim.CreateDnsClaim(cnName);
                        }
                    }
                    else
                    {
                        // A SAN field can carry several dNSNames; each becomes a claim.
                        foreach (string sanName in sanNames)
                        {
                            yield return Claim.CreateDnsClaim(sanName);
                        }
                    }
                }
                yield break;
            }

            // Everything else is served from the materialised list.
            EnsureClaims();
            bool wantAnyType = (claimType == null);

            for (int index = 0; index < _claims.Count; ++index)
            {
                Claim candidate = _claims[index];
                if (candidate == null)
                {
                    continue;
                }
                if ((wantAnyType || claimType.Equals(candidate.ClaimType)) &&
                    (wantAnyRight || right.Equals(candidate.Right)))
                {
                    yield return candidate;
                }
            }
        }
        /// <summary>
        /// Builds the complete claim list for the wrapped certificate: two thumbprint claims
        /// (Identity and PossessProperty), the subject distinguished name, the DNS claims (SAN
        /// dNSNames first, the CN-derived DnsName only when the SAN yields none), the simple
        /// name, the UPN and the URL name.
        /// </summary>
        /// <returns>The claims, in the order listed above.</returns>
        /// <remarks>
        /// UPN claims are only produced when SUPPORTS_WINDOWSIDENTITY is defined; otherwise a
        /// certificate with a UPN is rejected via <c>ExceptionHelper.PlatformNotSupported</c>.
        /// No e-mail or RSA public-key claim is emitted by this implementation.
        /// </remarks>
        private IList <Claim> InitializeClaimsCore()
        {
            List<Claim> result = new List<Claim>();

            byte[] certHash = _certificate.GetCertHash();
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.Identity));
            result.Add(new Claim(ClaimTypes.Thumbprint, certHash, Rights.PossessProperty));

            // Name-derived claims in a fixed order: SubjectName, Dns, SimpleName, Upn, Url.
            if (!string.IsNullOrEmpty(_certificate.SubjectName.Name))
            {
                result.Add(Claim.CreateX500DistinguishedNameClaim(_certificate.SubjectName));
            }

            string[] sanNames = GetDnsFromExtensions(_certificate);
            if (sanNames.Length == 0)
            {
                // No dNSName in the SAN: fall back to the CN-derived DnsName.
                string cnName = _certificate.GetNameInfo(X509NameType.DnsName, false);
                if (!string.IsNullOrEmpty(cnName))
                {
                    result.Add(Claim.CreateDnsClaim(cnName));
                }
            }
            else
            {
                // A SAN field can carry several dNSNames; each becomes a claim.
                foreach (string sanName in sanNames)
                {
                    result.Add(Claim.CreateDnsClaim(sanName));
                }
            }

            string simpleName = _certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (!string.IsNullOrEmpty(simpleName))
            {
                result.Add(Claim.CreateNameClaim(simpleName));
            }

            string upnName = _certificate.GetNameInfo(X509NameType.UpnName, false);
            if (!string.IsNullOrEmpty(upnName))
            {
#if SUPPORTS_WINDOWSIDENTITY
                result.Add(Claim.CreateUpnClaim(upnName));
#else
                throw ExceptionHelper.PlatformNotSupported();
#endif // SUPPORTS_WINDOWSIDENTITY
            }

            string urlName = _certificate.GetNameInfo(X509NameType.UrlName, false);
            if (!string.IsNullOrEmpty(urlName))
            {
                // new Uri(string) throws UriFormatException on a malformed URL name; it propagates to the caller.
                result.Add(Claim.CreateUriClaim(new Uri(urlName)));
            }

            return result;
        }