protected internal override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause clause = null;
switch (this.x509ReferenceStyle)
{
case X509KeyIdentifierClauseType.Thumbprint:
return(base.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.IssuerSerial:
return(base.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
return(base.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
return(base.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle));
}
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken token2 = token as X509SecurityToken;
if (token2 != null)
{
X509SubjectKeyIdentifierClause clause2;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(token2.Certificate, out clause2))
{
clause = clause2;
}
}
else
{
X509SubjectKeyIdentifierClause clause3;
X509WindowsSecurityToken token3 = token as X509WindowsSecurityToken;
if ((token3 != null) && X509SubjectKeyIdentifierClause.TryCreateFrom(token3.Certificate, out clause3))
{
clause = clause3;
}
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
}
if (clause == null)
{
clause = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
}
return(clause);
}
return(token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>());
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
TlsSspiNegotiation tlsNegotiation = (TlsSspiNegotiation)sspiNegotiation;
if (tlsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
if (this.ClientTokenAuthenticator == null)
{
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 clientCertificate = tlsNegotiation.RemoteCertificate;
if (clientCertificate == null)
{
// isAnonymous is false. So, fail the negotiation
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(SR.GetString(SR.ClientCertificateNotProvided)));
}
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (this.ClientTokenAuthenticator != null)
{
X509SecurityToken clientToken;
WindowsIdentity preMappedIdentity;
if (!this.MapCertificateToWindowsAccount || !tlsNegotiation.TryGetContextIdentity(out preMappedIdentity))
{
clientToken = new X509SecurityToken(clientCertificate);
}
else
{
clientToken = new X509WindowsSecurityToken(clientCertificate, preMappedIdentity, preMappedIdentity.AuthenticationType, true);
preMappedIdentity.Dispose();
}
authorizationPolicies = this.ClientTokenAuthenticator.ValidateToken(clientToken);
clientToken.Dispose();
}
else
{
authorizationPolicies = EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance;
}
return(authorizationPolicies);
}
private SecurityMessageProperty CreateSecurityProperty(X509Certificate2 certificate, WindowsIdentity identity)
{
SecurityToken token;
if (identity == null)
{
token = new X509SecurityToken(certificate, false);
}
else
{
string str;
switch (base.AuthenticationScheme)
{
case AuthenticationSchemes.Digest:
str = "Basic";
break;
case AuthenticationSchemes.Negotiate:
str = "Negotiate";
break;
case AuthenticationSchemes.Ntlm:
str = "NTLM";
break;
case AuthenticationSchemes.IntegratedWindowsAuthentication:
str = "Negotiate";
break;
case AuthenticationSchemes.Basic:
str = "Basic";
break;
default:
str = "";
break;
}
token = new X509WindowsSecurityToken(certificate, identity, str, false);
}
ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.certificateAuthenticator.ValidateToken(token);
return(new SecurityMessageProperty {
TransportToken = new SecurityTokenSpecification(token, tokenPolicies), ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies)
});
}
// Note: the returned SecurityMessageProperty has ownership of certificate and identity.
SecurityMessageProperty CreateSecurityProperty(X509Certificate2 certificate, WindowsIdentity identity, string authType)
{
SecurityToken token;
if (identity != null)
{
token = new X509WindowsSecurityToken(certificate, identity, authType, false);
}
else
{
token = new X509SecurityToken(certificate, false);
}
ReadOnlyCollection <IAuthorizationPolicy> policies = this.certificateAuthenticator.ValidateToken(token);
SecurityMessageProperty result = new SecurityMessageProperty();
result.TransportToken = new SecurityTokenSpecification(token, policies);
result.ServiceSecurityContext = new ServiceSecurityContext(policies);
return(result);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
X509SecurityToken token;
WindowsIdentity identity;
TlsSspiNegotiation negotiation = (TlsSspiNegotiation)sspiNegotiation;
if (!negotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
X509Certificate2 remoteCertificate = negotiation.RemoteCertificate;
if (remoteCertificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityTokenValidationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvided")));
}
if (this.ClientTokenAuthenticator == null)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
if (!this.MapCertificateToWindowsAccount || !negotiation.TryGetContextIdentity(out identity))
{
token = new X509SecurityToken(remoteCertificate);
}
else
{
token = new X509WindowsSecurityToken(remoteCertificate, identity, identity.AuthenticationType, true);
identity.Dispose();
}
ReadOnlyCollection <IAuthorizationPolicy> onlys = this.ClientTokenAuthenticator.ValidateToken(token);
token.Dispose();
return(onlys);
}
internal protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
SecurityKeyIdentifierClause result = null;
switch (this.x509ReferenceStyle)
{
default:
case X509KeyIdentifierClauseType.Any:
if (referenceStyle == SecurityTokenReferenceStyle.External)
{
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token != null)
{
X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(x509Token.Certificate, out x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
else
{
X509WindowsSecurityToken windowsX509Token = token as X509WindowsSecurityToken;
if (windowsX509Token != null)
{
X509SubjectKeyIdentifierClause x509KeyIdentifierClause;
if (X509SubjectKeyIdentifierClause.TryCreateFrom(windowsX509Token.Certificate, out x509KeyIdentifierClause))
{
result = x509KeyIdentifierClause;
}
}
}
if (result == null)
{
result = token.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause>();
}
if (result == null)
{
result = token.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause>();
}
}
else
{
result = token.CreateKeyIdentifierClause <LocalIdKeyIdentifierClause>();
}
break;
case X509KeyIdentifierClauseType.Thumbprint:
result = this.CreateKeyIdentifierClause <X509ThumbprintKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.SubjectKeyIdentifier:
result = this.CreateKeyIdentifierClause <X509SubjectKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.IssuerSerial:
result = this.CreateKeyIdentifierClause <X509IssuerSerialKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
case X509KeyIdentifierClauseType.RawDataKeyIdentifier:
result = this.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause, LocalIdKeyIdentifierClause>(token, referenceStyle);
break;
}
return(result);
}
