예제 #1
0
		[Ignore ("not up to date")] // X509Chain
		public void DefaultValues ()
		{
			X509Chain chain = new X509Chain ();
			chain.Build (cert);
			Assert.IsTrue (chain.ChainElements.Count > 1, "#0");
			ClaimSet cs = new X509CertificateClaimSet (cert);
			ClaimSet ident = cs.Issuer;
			X509CertificateClaimSet x509is = ident as X509CertificateClaimSet;
			Assert.IsNotNull (x509is, "#0-2");
			Assert.AreEqual (chain.ChainElements [1].Certificate, x509is.X509Certificate, "#0-3");
			Assert.AreEqual (6, cs.Count, "#1");
			Assert.AreEqual (6, ident.Issuer.Count, "#2");
			Assert.IsFalse (cs.ContainsClaim (Claim.System), "#3");
			List<string> d = new List<string> ();
			foreach (Claim c in cs) {
				if (c.ClaimType != ClaimTypes.Thumbprint)
					Assert.AreEqual (Rights.PossessProperty, c.Right, "#4");
				d.Add (c.ClaimType);
			}
			Assert.IsTrue (d.Contains (ClaimTypes.X500DistinguishedName), "#5");
			Assert.IsTrue (d.Contains (ClaimTypes.Thumbprint), "#6");
			Assert.IsTrue (d.Contains (ClaimTypes.Dns), "#7");
			Assert.IsTrue (d.Contains (ClaimTypes.Rsa), "#8");
			Assert.IsTrue (d.Contains (ClaimTypes.Name), "#9");
		}
        protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
        {
            X509SecurityToken x509Token = (X509SecurityToken)token;
            this.validator.Validate(x509Token.Certificate);

            X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle);
            if (!this.mapToWindows)
                return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo);

            WindowsClaimSet windowsClaimSet;
            if (token is X509WindowsSecurityToken)
            {
                windowsClaimSet = new WindowsClaimSet( ( (X509WindowsSecurityToken)token ).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle );
            }
            else
            {
                // Ensure NT_AUTH chain policy for certificate account mapping
                X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);

                WindowsIdentity windowsIdentity = null;
                // for Vista, LsaLogon supporting mapping cert to NTToken
                if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber)
                {
                    windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
                }
                else
                {
                    // Downlevel, S4U over PrincipalName SubjectAltNames
                    string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false);
                    if (string.IsNullOrEmpty(name))
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping,
                            SecurityUtils.GetCertificateId(x509Token.Certificate))));
                    }

                    using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap))
                    {
                        // This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it.
                        windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap);
                    }
                }

                windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
            }
            List<ClaimSet> claimSets = new List<ClaimSet>(2);
            claimSets.Add(windowsClaimSet);
            claimSets.Add(x509ClaimSet);

            List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
            policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo));
            return policies.AsReadOnly();
        }
        protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
        {
            X509SecurityToken x509Token = (X509SecurityToken)token;
            _validator.Validate(x509Token.Certificate);

            X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, _cloneHandle);
            if (!_mapToWindows)
            {
                return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo);
            }
            else
            {
                throw ExceptionHelper.PlatformNotSupported("Mapping to Windows identity not supported.");
            }
        }
예제 #4
0
 X509CertificateClaimSet(X509CertificateClaimSet from)
     : this(from.X509Certificate, true)
 {
 }
 private X509CertificateClaimSet(X509CertificateClaimSet from)
     : this(from.X509Certificate, true)
 {
 }
 protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
 {
     WindowsClaimSet set2;
     X509SecurityToken token2 = (X509SecurityToken) token;
     this.validator.Validate(token2.Certificate);
     X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle);
     if (!this.mapToWindows)
     {
         return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo);
     }
     if (token is X509WindowsSecurityToken)
     {
         set2 = new WindowsClaimSet(((X509WindowsSecurityToken) token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle);
     }
     else
     {
         X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate);
         WindowsIdentity windowsIdentity = null;
         if (Environment.OSVersion.Version.Major >= 6)
         {
             windowsIdentity = KerberosCertificateLogon(token2.Certificate);
         }
         else
         {
             string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false);
             if (string.IsNullOrEmpty(nameInfo))
             {
                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) })));
             }
             using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT"))
             {
                 windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT");
             }
         }
         set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false);
     }
     List<ClaimSet> list = new List<ClaimSet>(2) {
         set2,
         claimSet
     };
     return new List<IAuthorizationPolicy>(1) { new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo) }.AsReadOnly();
 }