253 lines
10 KiB
C#
253 lines
10 KiB
C#
|
//------------------------------------------------------------------------------
|
||
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||
|
|
//------------------------------------------------------------------------------
|
||
|
|
|
||
|
|
namespace System.IdentityModel.Tokens
|
||
|
|
{
|
||
|
|
using System.Collections.Generic;
|
||
|
|
using System.Collections.ObjectModel;
|
||
|
|
using System.Runtime;
|
||
|
|
using System.Security.Claims;
|
||
|
|
using System.Security.Cryptography;
|
||
|
|
using System.Xml;
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// SecurityTokenHandler for RsaSecurityTokens.
|
||
|
|
/// </summary>
|
||
|
|
public class RsaSecurityTokenHandler : SecurityTokenHandler
|
||
|
|
{
|
||
|
|
static string[] _tokenTypeIdentifiers = new string[] { SecurityTokenTypes.Rsa };
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Creates an instance of <see cref="RsaSecurityTokenHandler"/>
|
||
|
|
/// </summary>
|
||
|
|
public RsaSecurityTokenHandler()
|
||
|
|
{
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Checks the reader if this is a representation of an RsaSecurityToken.
|
||
|
|
/// </summary>
|
||
|
|
/// <param name="reader">XmlReader over the incoming SecurityToken.</param>
|
||
|
|
/// <returns>'True' if the reader points to an RsaSecurityToken, false otherwise.</returns>
|
||
|
|
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
|
||
|
|
public override bool CanReadToken(XmlReader reader)
|
||
|
|
{
|
||
|
|
if (reader == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
|
||
|
|
}
|
||
|
|
|
||
|
|
return reader.IsStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace);
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Gets the settings that indicate if the token handler can validate tokens.
|
||
|
|
/// Returns true by default.
|
||
|
|
/// </summary>
|
||
|
|
public override bool CanValidateToken
|
||
|
|
{
|
||
|
|
get
|
||
|
|
{
|
||
|
|
return true;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Gets a boolean indicating if the handler can write tokens.
|
||
|
|
/// Returns true by default.
|
||
|
|
/// </summary>
|
||
|
|
public override bool CanWriteToken
|
||
|
|
{
|
||
|
|
get
|
||
|
|
{
|
||
|
|
return true;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Gets the RSA Security Token type as defined in WS-Security Token profile.
|
||
|
|
/// </summary>
|
||
|
|
public override string[] GetTokenTypeIdentifiers()
|
||
|
|
{
|
||
|
|
return _tokenTypeIdentifiers;
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Deserializes an RSA security token from XML.
|
||
|
|
/// </summary>
|
||
|
|
/// <param name="reader">An XML reader positioned at the start of the token</param>
|
||
|
|
/// <returns>An instance of <see cref="RsaSecurityToken"/>.</returns>
|
||
|
|
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
|
||
|
|
/// <exception cref="XmlException">The 'reader' is not positioned at a RSA token.
|
||
|
|
/// or the SecurityContextToken cannot be read.</exception>
|
||
|
|
public override SecurityToken ReadToken(XmlReader reader)
|
||
|
|
{
|
||
|
|
if (null == reader)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
|
||
|
|
}
|
||
|
|
|
||
|
|
XmlDictionaryReader dicReader = XmlDictionaryReader.CreateDictionaryReader(reader);
|
||
|
|
|
||
|
|
if (!dicReader.IsStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace))
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
|
||
|
|
new XmlException(
|
||
|
|
SR.GetString(
|
||
|
|
SR.ID4065,
|
||
|
|
XmlSignatureConstants.Elements.KeyInfo,
|
||
|
|
XmlSignatureConstants.Namespace,
|
||
|
|
dicReader.LocalName,
|
||
|
|
dicReader.NamespaceURI)));
|
||
|
|
}
|
||
|
|
|
||
|
|
dicReader.ReadStartElement();
|
||
|
|
|
||
|
|
if (!dicReader.IsStartElement(XmlSignatureConstants.Elements.KeyValue, XmlSignatureConstants.Namespace))
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
|
||
|
|
new XmlException(
|
||
|
|
SR.GetString(
|
||
|
|
SR.ID4065,
|
||
|
|
XmlSignatureConstants.Elements.KeyValue,
|
||
|
|
XmlSignatureConstants.Namespace,
|
||
|
|
dicReader.LocalName,
|
||
|
|
dicReader.NamespaceURI)));
|
||
|
|
}
|
||
|
|
|
||
|
|
dicReader.ReadStartElement();
|
||
|
|
|
||
|
|
RSA rsa = new RSACryptoServiceProvider();
|
||
|
|
rsa.FromXmlString(dicReader.ReadOuterXml());
|
||
|
|
|
||
|
|
dicReader.ReadEndElement(); //</KeyValue>
|
||
|
|
dicReader.ReadEndElement(); //</KeyInfo>
|
||
|
|
|
||
|
|
return new RsaSecurityToken(rsa);
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Gets the System.Type of the SecurityToken that this token handler handles.
|
||
|
|
/// Return type of <see cref="RsaSecurityToken"/> by default.
|
||
|
|
/// </summary>
|
||
|
|
public override Type TokenType
|
||
|
|
{
|
||
|
|
get { return typeof(RsaSecurityToken); }
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Validates a <see cref="RsaSecurityToken"/>.
|
||
|
|
/// </summary>
|
||
|
|
/// <param name="token">The <see cref="RsaSecurityToken"/> to validate.</param>
|
||
|
|
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
|
||
|
|
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
|
||
|
|
/// <exception cref="ArgumentException">The token is not assignable from <see cref="RsaSecurityToken"/>.</exception>
|
||
|
|
/// <exception cref="InvalidOperationException">Configuration <see cref="SecurityTokenHandlerConfiguration"/>is null.</exception>
|
||
|
|
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
|
||
|
|
{
|
||
|
|
if (token == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
|
||
|
|
}
|
||
|
|
|
||
|
|
RsaSecurityToken rsaToken = (RsaSecurityToken)token;
|
||
|
|
if (rsaToken == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
|
||
|
|
}
|
||
|
|
|
||
|
|
if (this.Configuration == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
|
||
|
|
}
|
||
|
|
|
||
|
|
try
|
||
|
|
{
|
||
|
|
|
||
|
|
// Export the Public Key of the RSA as a Claim.
|
||
|
|
ClaimsIdentity identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Rsa, rsaToken.Rsa.ToXmlString(false), ClaimValueTypes.RsaKeyValue, ClaimsIdentity.DefaultIssuer) }, AuthenticationTypes.Signature);
|
||
|
|
|
||
|
|
identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
|
||
|
|
identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Signature));
|
||
|
|
|
||
|
|
if (this.Configuration.SaveBootstrapContext)
|
||
|
|
{
|
||
|
|
identity.BootstrapContext = new BootstrapContext(token, this);
|
||
|
|
}
|
||
|
|
|
||
|
|
this.TraceTokenValidationSuccess(token);
|
||
|
|
|
||
|
|
List<ClaimsIdentity> identities = new List<ClaimsIdentity>(1);
|
||
|
|
identities.Add(identity);
|
||
|
|
return identities.AsReadOnly();
|
||
|
|
}
|
||
|
|
catch (Exception e)
|
||
|
|
{
|
||
|
|
if (Fx.IsFatal(e))
|
||
|
|
{
|
||
|
|
throw;
|
||
|
|
}
|
||
|
|
|
||
|
|
this.TraceTokenValidationFailure(token, e.Message);
|
||
|
|
throw e;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
/// <summary>
|
||
|
|
/// Serializes an RSA security token to XML.
|
||
|
|
/// </summary>
|
||
|
|
/// <param name="writer">The XML writer.</param>
|
||
|
|
/// <param name="token">An RSA security token.</param>
|
||
|
|
/// <exception cref="ArgumentNullException">The input argument 'writer' is null.</exception>
|
||
|
|
/// <exception cref="InvalidOperationException">The input argument 'token' is either null or not of type
|
||
|
|
/// <see cref="RsaSecurityToken"/>.</exception>
|
||
|
|
public override void WriteToken(XmlWriter writer, SecurityToken token)
|
||
|
|
{
|
||
|
|
if (writer == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
|
||
|
|
}
|
||
|
|
|
||
|
|
if (token == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
|
||
|
|
}
|
||
|
|
|
||
|
|
RsaSecurityToken rsaToken = token as RsaSecurityToken;
|
||
|
|
|
||
|
|
if (rsaToken == null)
|
||
|
|
{
|
||
|
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
|
||
|
|
}
|
||
|
|
|
||
|
|
RSAParameters rsaParams = rsaToken.Rsa.ExportParameters(false);
|
||
|
|
|
||
|
|
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace);
|
||
|
|
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyValue, XmlSignatureConstants.Namespace);
|
||
|
|
|
||
|
|
//
|
||
|
|
// RSA.ToXmlString shouldn't be used here because it doesn't write namespaces. The modulus and exponent are written manually.
|
||
|
|
//
|
||
|
|
writer.WriteStartElement(XmlSignatureConstants.Elements.RsaKeyValue, XmlSignatureConstants.Namespace);
|
||
|
|
|
||
|
|
writer.WriteStartElement(XmlSignatureConstants.Elements.Modulus, XmlSignatureConstants.Namespace);
|
||
|
|
|
||
|
|
byte[] modulus = rsaParams.Modulus;
|
||
|
|
writer.WriteBase64(modulus, 0, modulus.Length);
|
||
|
|
writer.WriteEndElement(); // </modulus>
|
||
|
|
|
||
|
|
writer.WriteStartElement(XmlSignatureConstants.Elements.Exponent, XmlSignatureConstants.Namespace);
|
||
|
|
|
||
|
|
byte[] exponent = rsaParams.Exponent;
|
||
|
|
writer.WriteBase64(exponent, 0, exponent.Length);
|
||
|
|
writer.WriteEndElement(); // </exponent>
|
||
|
|
|
||
|
|
writer.WriteEndElement(); // </RsaKeyValue>
|
||
|
|
writer.WriteEndElement(); // </KeyValue>
|
||
|
|
writer.WriteEndElement(); // </KeyInfo>
|
||
|
|
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|