|
//------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------------------------
namespace System.IdentityModel.Tokens
{
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Runtime;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Xml;
/// <summary>
/// SecurityTokenHandler for RsaSecurityTokens.
/// </summary>
public class RsaSecurityTokenHandler : SecurityTokenHandler
{
static string[] _tokenTypeIdentifiers = new string[] { SecurityTokenTypes.Rsa };
/// <summary>
/// Creates an instance of <see cref="RsaSecurityTokenHandler"/>
/// </summary>
public RsaSecurityTokenHandler()
{
}
/// <summary>
/// Checks the reader if this is a representation of an RsaSecurityToken.
/// </summary>
/// <param name="reader">XmlReader over the incoming SecurityToken.</param>
/// <returns>'True' if the reader points to an RsaSecurityToken, false otherwise.</returns>
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
public override bool CanReadToken(XmlReader reader)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
return reader.IsStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace);
}
/// <summary>
/// Gets the settings that indicate if the token handler can validate tokens.
/// Returns true by default.
/// </summary>
public override bool CanValidateToken
{
get
{
return true;
}
}
/// <summary>
/// Gets a boolean indicating if the handler can write tokens.
/// Returns true by default.
/// </summary>
public override bool CanWriteToken
{
get
{
return true;
}
}
/// <summary>
/// Gets the RSA Security Token type as defined in WS-Security Token profile.
/// </summary>
public override string[] GetTokenTypeIdentifiers()
{
return _tokenTypeIdentifiers;
}
/// <summary>
/// Deserializes an RSA security token from XML.
/// </summary>
/// <param name="reader">An XML reader positioned at the start of the token</param>
/// <returns>An instance of <see cref="RsaSecurityToken"/>.</returns>
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
/// <exception cref="XmlException">The 'reader' is not positioned at a RSA token.
/// or the SecurityContextToken cannot be read.</exception>
public override SecurityToken ReadToken(XmlReader reader)
{
if (null == reader)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
XmlDictionaryReader dicReader = XmlDictionaryReader.CreateDictionaryReader(reader);
if (!dicReader.IsStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new XmlException(
SR.GetString(
SR.ID4065,
XmlSignatureConstants.Elements.KeyInfo,
XmlSignatureConstants.Namespace,
dicReader.LocalName,
dicReader.NamespaceURI)));
}
dicReader.ReadStartElement();
if (!dicReader.IsStartElement(XmlSignatureConstants.Elements.KeyValue, XmlSignatureConstants.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new XmlException(
SR.GetString(
SR.ID4065,
XmlSignatureConstants.Elements.KeyValue,
XmlSignatureConstants.Namespace,
dicReader.LocalName,
dicReader.NamespaceURI)));
}
dicReader.ReadStartElement();
RSA rsa = new RSACryptoServiceProvider();
rsa.FromXmlString(dicReader.ReadOuterXml());
dicReader.ReadEndElement(); //</KeyValue>
dicReader.ReadEndElement(); //</KeyInfo>
return new RsaSecurityToken(rsa);
}
/// <summary>
/// Gets the System.Type of the SecurityToken that this token handler handles.
/// Return type of <see cref="RsaSecurityToken"/> by default.
/// </summary>
public override Type TokenType
{
get { return typeof(RsaSecurityToken); }
}
/// <summary>
/// Validates a <see cref="RsaSecurityToken"/>.
/// </summary>
/// <param name="token">The <see cref="RsaSecurityToken"/> to validate.</param>
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
/// <exception cref="ArgumentException">The token is not assignable from <see cref="RsaSecurityToken"/>.</exception>
/// <exception cref="InvalidOperationException">Configuration <see cref="SecurityTokenHandlerConfiguration"/>is null.</exception>
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
RsaSecurityToken rsaToken = (RsaSecurityToken)token;
if (rsaToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
}
if (this.Configuration == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
try
{
// Export the Public Key of the RSA as a Claim.
ClaimsIdentity identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Rsa, rsaToken.Rsa.ToXmlString(false), ClaimValueTypes.RsaKeyValue, ClaimsIdentity.DefaultIssuer) }, AuthenticationTypes.Signature);
identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Signature));
if (this.Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(token, this);
}
this.TraceTokenValidationSuccess(token);
List<ClaimsIdentity> identities = new List<ClaimsIdentity>(1);
identities.Add(identity);
return identities.AsReadOnly();
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
this.TraceTokenValidationFailure(token, e.Message);
throw e;
}
}
/// <summary>
/// Serializes an RSA security token to XML.
/// </summary>
/// <param name="writer">The XML writer.</param>
/// <param name="token">An RSA security token.</param>
/// <exception cref="ArgumentNullException">The input argument 'writer' is null.</exception>
/// <exception cref="InvalidOperationException">The input argument 'token' is either null or not of type
/// <see cref="RsaSecurityToken"/>.</exception>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
RsaSecurityToken rsaToken = token as RsaSecurityToken;
if (rsaToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(RsaSecurityToken)));
}
RSAParameters rsaParams = rsaToken.Rsa.ExportParameters(false);
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace);
writer.WriteStartElement(XmlSignatureConstants.Elements.KeyValue, XmlSignatureConstants.Namespace);
//
// RSA.ToXmlString shouldn't be used here because it doesn't write namespaces. The modulus and exponent are written manually.
//
writer.WriteStartElement(XmlSignatureConstants.Elements.RsaKeyValue, XmlSignatureConstants.Namespace);
writer.WriteStartElement(XmlSignatureConstants.Elements.Modulus, XmlSignatureConstants.Namespace);
byte[] modulus = rsaParams.Modulus;
writer.WriteBase64(modulus, 0, modulus.Length);
writer.WriteEndElement(); // </modulus>
writer.WriteStartElement(XmlSignatureConstants.Elements.Exponent, XmlSignatureConstants.Namespace);
byte[] exponent = rsaParams.Exponent;
writer.WriteBase64(exponent, 0, exponent.Length);
writer.WriteEndElement(); // </exponent>
writer.WriteEndElement(); // </RsaKeyValue>
writer.WriteEndElement(); // </KeyValue>
writer.WriteEndElement(); // </KeyInfo>
}
}
}
|