//------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Text;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
namespace System.IdentityModel.Tokens
{
/// <summary>
/// Resolves issuer tokens received from service partners.
/// </summary>
public class IssuerTokenResolver : SecurityTokenResolver
{
/// <summary>
/// Default store for resolving X509 certificates.
/// </summary>
public static readonly StoreName DefaultStoreName = StoreName.TrustedPeople;
/// <summary>
/// Default store location for resolving X509 certificates.
/// </summary>
public static readonly StoreLocation DefaultStoreLocation = StoreLocation.LocalMachine;
//
// By default, the wrapped resolver is an X509CertificateStoreResolver using LM.TrustedPeople.
// This can be overridden by the caller.
//
SecurityTokenResolver _wrappedTokenResolver = null;
internal static IssuerTokenResolver DefaultInstance = new IssuerTokenResolver();
/// <summary>
/// Creates an instance of IssuerTokenResolver.
/// </summary>
public IssuerTokenResolver()
: this( new X509CertificateStoreTokenResolver( DefaultStoreName, DefaultStoreLocation ) )
{
}
/// <summary>
/// Creates an instance of IssuerTokenResolver using a given <see cref="SecurityTokenResolver"/>.
/// </summary>
/// <param name="wrappedTokenResolver">The <see cref="SecurityTokenResolver"/> to use.</param>
public IssuerTokenResolver( SecurityTokenResolver wrappedTokenResolver )
{
if ( wrappedTokenResolver == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wrappedTokenResolver" );
}
_wrappedTokenResolver = wrappedTokenResolver;
}
/// <summary>
/// Gets the <see cref="SecurityTokenResolver"/> wrapped by this class.
/// </summary>
public SecurityTokenResolver WrappedTokenResolver
{
get
{
return _wrappedTokenResolver;
}
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveSecurityKeyCore( SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
key = null;
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ( rawDataClause != null )
{
key = rawDataClause.CreateKey();
return true;
}
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if ( rsaClause != null )
{
key = rsaClause.CreateKey();
return true;
}
if ( _wrappedTokenResolver.TryResolveSecurityKey( keyIdentifierClause, out key ) )
{
return true;
}
return false;
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore( SecurityKeyIdentifier keyIdentifier, out SecurityToken token )
{
if ( keyIdentifier == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifier" );
}
token = null;
foreach ( SecurityKeyIdentifierClause clause in keyIdentifier )
{
if ( TryResolveTokenCore( clause, out token ) )
{
return true;
}
}
return false;
}
/// <summary>
/// Inherited from <see cref="SecurityTokenResolver"/>.
/// </summary>
protected override bool TryResolveTokenCore( SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
token = null;
//
// Try raw X509
//
X509RawDataKeyIdentifierClause rawDataClause = keyIdentifierClause as X509RawDataKeyIdentifierClause;
if ( rawDataClause != null )
{
token = new X509SecurityToken( new X509Certificate2( rawDataClause.GetX509RawData() ) );
return true;
}
//
// Try RSA
//
RsaKeyIdentifierClause rsaClause = keyIdentifierClause as RsaKeyIdentifierClause;
if ( rsaClause != null )
{
token = new RsaSecurityToken( rsaClause.Rsa );
return true;
}
if ( _wrappedTokenResolver.TryResolveToken( keyIdentifierClause, out token ) )
{
return true;
}
return false;
}
}
}