[Ignore ("not up to date")] // X509Chain
public void DefaultValues ()
{
X509Chain chain = new X509Chain ();
chain.Build (cert);
Assert.IsTrue (chain.ChainElements.Count > 1, "#0");
ClaimSet cs = new X509CertificateClaimSet (cert);
ClaimSet ident = cs.Issuer;
X509CertificateClaimSet x509is = ident as X509CertificateClaimSet;
Assert.IsNotNull (x509is, "#0-2");
Assert.AreEqual (chain.ChainElements [1].Certificate, x509is.X509Certificate, "#0-3");
Assert.AreEqual (6, cs.Count, "#1");
Assert.AreEqual (6, ident.Issuer.Count, "#2");
Assert.IsFalse (cs.ContainsClaim (Claim.System), "#3");
List<string> d = new List<string> ();
foreach (Claim c in cs) {
if (c.ClaimType != ClaimTypes.Thumbprint)
Assert.AreEqual (Rights.PossessProperty, c.Right, "#4");
d.Add (c.ClaimType);
}
Assert.IsTrue (d.Contains (ClaimTypes.X500DistinguishedName), "#5");
Assert.IsTrue (d.Contains (ClaimTypes.Thumbprint), "#6");
Assert.IsTrue (d.Contains (ClaimTypes.Dns), "#7");
Assert.IsTrue (d.Contains (ClaimTypes.Rsa), "#8");
Assert.IsTrue (d.Contains (ClaimTypes.Name), "#9");
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
X509SecurityToken x509Token = (X509SecurityToken)token;
this.validator.Validate(x509Token.Certificate);
X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle);
if (!this.mapToWindows)
return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo);
WindowsClaimSet windowsClaimSet;
if (token is X509WindowsSecurityToken)
{
windowsClaimSet = new WindowsClaimSet( ( (X509WindowsSecurityToken)token ).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle );
}
else
{
// Ensure NT_AUTH chain policy for certificate account mapping
X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);
WindowsIdentity windowsIdentity = null;
// for Vista, LsaLogon supporting mapping cert to NTToken
if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber)
{
windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
}
else
{
// Downlevel, S4U over PrincipalName SubjectAltNames
string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(name))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping,
SecurityUtils.GetCertificateId(x509Token.Certificate))));
}
using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap))
{
// This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it.
windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap);
}
}
windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
}
List<ClaimSet> claimSets = new List<ClaimSet>(2);
claimSets.Add(windowsClaimSet);
claimSets.Add(x509ClaimSet);
List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo));
return policies.AsReadOnly();
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
X509SecurityToken x509Token = (X509SecurityToken)token;
_validator.Validate(x509Token.Certificate);
X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, _cloneHandle);
if (!_mapToWindows)
{
return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo);
}
else
{
throw ExceptionHelper.PlatformNotSupported("Mapping to Windows identity not supported.");
}
}
X509CertificateClaimSet(X509CertificateClaimSet from)
: this(from.X509Certificate, true)
{
}
private X509CertificateClaimSet(X509CertificateClaimSet from)
: this(from.X509Certificate, true)
{
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsClaimSet set2;
X509SecurityToken token2 = (X509SecurityToken) token;
this.validator.Validate(token2.Certificate);
X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle);
if (!this.mapToWindows)
{
return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo);
}
if (token is X509WindowsSecurityToken)
{
set2 = new WindowsClaimSet(((X509WindowsSecurityToken) token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle);
}
else
{
X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate);
WindowsIdentity windowsIdentity = null;
if (Environment.OSVersion.Version.Major >= 6)
{
windowsIdentity = KerberosCertificateLogon(token2.Certificate);
}
else
{
string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(nameInfo))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) })));
}
using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT"))
{
windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT");
}
}
set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false);
}
List<ClaimSet> list = new List<ClaimSet>(2) {
set2,
claimSet
};
return new List<IAuthorizationPolicy>(1) { new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo) }.AsReadOnly();
}