2 // X509SecurityTokenAuthenticator.cs
5 // Atsushi Enomoto <atsushi@ximian.com>
7 // Copyright (C) 2006 Novell, Inc. http://www.novell.com
9 // Permission is hereby granted, free of charge, to any person obtaining
10 // a copy of this software and associated documentation files (the
11 // "Software"), to deal in the Software without restriction, including
12 // without limitation the rights to use, copy, modify, merge, publish,
13 // distribute, sublicense, and/or sell copies of the Software, and to
14 // permit persons to whom the Software is furnished to do so, subject to
15 // the following conditions:
17 // The above copyright notice and this permission notice shall be
18 // included in all copies or substantial portions of the Software.
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
24 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
25 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
26 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 using System.Collections.Generic;
30 using System.Collections.ObjectModel;
31 using System.IdentityModel.Claims;
32 using System.IdentityModel.Policy;
33 using System.IdentityModel.Tokens;
34 using System.Security.Principal;
35 using System.Security.Cryptography.X509Certificates;
38 namespace System.IdentityModel.Selectors
40 public class X509SecurityTokenAuthenticator
41 : SecurityTokenAuthenticator
43 bool map_to_windows, include_win_groups;
44 X509CertificateValidator validator;
46 public X509SecurityTokenAuthenticator ()
47 : this (X509CertificateValidator.ChainTrust)
51 public X509SecurityTokenAuthenticator (X509CertificateValidator validator)
52 : this (validator, false)
56 public X509SecurityTokenAuthenticator (X509CertificateValidator validator, bool mapToWindows)
57 : this (validator, mapToWindows, false)
61 public X509SecurityTokenAuthenticator (X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
63 if (validator == null)
64 throw new ArgumentNullException ("validator");
65 this.validator = validator;
66 map_to_windows = mapToWindows;
67 include_win_groups = includeWindowsGroups;
69 if (map_to_windows || include_win_groups)
70 throw new NotSupportedException ("Why on earth do you expect that mapToWindows or includeWindowsGroups are supported here?");
73 protected override bool CanValidateTokenCore (SecurityToken token)
75 return token is X509SecurityToken;
78 protected override ReadOnlyCollection<IAuthorizationPolicy>
79 ValidateTokenCore (SecurityToken token)
81 X509SecurityToken xt = token as X509SecurityToken;
83 throw new InvalidOperationException (String.Format ("Security token '{0}' cannot be validated by this security token authenticator.", xt));
84 validator.Validate (xt.Certificate);
85 IAuthorizationPolicy policy =
86 new X509AuthorizationPolicy (xt.Certificate);
87 return new ReadOnlyCollection<IAuthorizationPolicy> (new IAuthorizationPolicy [] {policy});
90 class X509AuthorizationPolicy : SystemIdentityAuthorizationPolicy
92 X509Certificate2 cert;
94 public X509AuthorizationPolicy (X509Certificate2 cert)
95 : base (new UniqueId ().ToString ())
100 public override DateTime ExpirationTime {
101 // FIXME: should it really be converted to UTC?
102 get { return cert.NotAfter.ToUniversalTime (); }
105 public override ClaimSet CreateClaims ()
107 return new DefaultClaimSet (Claim.CreateX500DistinguishedNameClaim (cert.SubjectName));
110 public override IIdentity CreateIdentity ()
112 return new GenericIdentity (String.Concat (cert.SubjectName, "; ", cert.Thumbprint), "X509");