public ClientCertificateValidationResult Validate(X509Certificate2 certificate)
{
bool isValid = false;
List <string> exceptions = new List <string>();
if (CheckValidCertificateCache(certificate))
{
isValid = true;
}
else
{
try
{
using (X509Chain chain = new X509Chain())
{
X509ChainPolicy chainPolicy = new X509ChainPolicy()
{
RevocationMode = X509RevocationMode.NoCheck, RevocationFlag = X509RevocationFlag.EntireChain
};
chain.ChainPolicy = chainPolicy;
if (!chain.Build(certificate))
{
foreach (X509ChainElement chainElement in chain.ChainElements)
{
foreach (X509ChainStatus chainStatus in chainElement.ChainElementStatus)
{
exceptions.Add(chainStatus.StatusInformation);
}
}
}
else
{
if (chain.ChainElements.Cast <X509ChainElement>().Any(e => e.Certificate.Thumbprint.Equals(HeadNodeCertThumbprint.Value, StringComparison.OrdinalIgnoreCase)))
{
isValid = true;
SetValidCertificateCache(certificate);
}
else
{
exceptions.Add("Client cert is not signed by Headnode cert.");
}
}
}
}
catch (Exception ex)
{
exceptions.Add(ex.Message);
}
}
ClientCertificateValidationResult res = new ClientCertificateValidationResult(isValid);
res.AddValidationExceptions(exceptions);
return(res);
}
private ClientCertificateValidationResult ValidateCertificate(IDictionary <string, object> owinEnvironment)
{
if (owinEnvironment.ContainsKey(this.owinClientCertKey))
{
X509Certificate2 clientCert = this.Context.Get <X509Certificate2>(this.owinClientCertKey);
return(this.clientCertificateValidator.Validate(clientCert));
}
ClientCertificateValidationResult invalid = new ClientCertificateValidationResult(false);
invalid.AddValidationException("There's no client certificate attached to the request.");
return(invalid);
}
protected override Task <AuthenticationTicket> AuthenticateCoreAsync()
{
ClientCertificateValidationResult validationResult = this.ValidateCertificate(this.Request.Environment);
if (validationResult.CertificateValid)
{
AuthenticationProperties authProperties =
new AuthenticationProperties
{
IssuedUtc = DateTime.UtcNow,
ExpiresUtc = DateTime.UtcNow.AddDays(1),
AllowRefresh = true,
IsPersistent = true
};
ClaimsIdentity claimsIdentity = new ClaimsIdentity(new List <Claim> {
}, "X.509");
AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, authProperties);
return(Task.FromResult(ticket));
}
return(Task.FromResult <AuthenticationTicket>(null));
}
