1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
//-----------------------------------------------------------------------
// <copyright file="X509SigningCredentials.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace System.IdentityModel.Tokens
{
using System.Security.Cryptography.X509Certificates;
/// <summary>
/// Use x509 token as the encrypting credential
/// </summary>
public class X509SigningCredentials : SigningCredentials
{
private X509Certificate2 certificate;
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate.
/// By default, it uses the X509RawDataKeyIdentifierClause to generate the security key identifier.
/// </summary>
/// <param name="certificate">x509 certificate</param>
public X509SigningCredentials(X509Certificate2 certificate)
: this(
certificate,
new SecurityKeyIdentifier((new X509SecurityToken(certificate)).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()))
{
}
#if INCLUDE_CERT_CHAIN
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate.
/// By default, it uses the X509RawDataKeyIdentifierClause to generate the security key identifier.
/// </summary>
/// <param name="certificates">x509 certificate chain</param>
public X509SigningCredentials( IEnumerable<X509Certificate2> certificates )
: this ( GetLeafCertificate( certificates ),
new SecurityKeyIdentifier( new X509ChainRawDataKeyIdentifierClause( certificates ) ) )
{
}
#endif
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate.
/// By default, it uses the X509RawDataKeyIdentifierClause to generate the security key identifier.
/// </summary>
/// <param name="certificate">x509 certificate</param>
/// <param name="signatureAlgorithm">signature algorithm</param>
/// <param name="digestAlgorithm">digest algorithm</param>
public X509SigningCredentials(X509Certificate2 certificate, string signatureAlgorithm, string digestAlgorithm)
: this(
new X509SecurityToken(certificate),
new SecurityKeyIdentifier((new X509SecurityToken(certificate)).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()),
signatureAlgorithm,
digestAlgorithm)
{
}
#if INCLUDE_CERT_CHAIN
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate.
/// By default, it uses the X509RawDataKeyIdentifierClause to generate the security key identifier.
/// </summary>
/// <param name="certificates">x509 certificate chain</param>
/// <param name="signatureAlgorithm">signature algorithm</param>
/// <param name="digestAlgorithm">digest algorithm</param>
public X509SigningCredentials( IEnumerable<X509Certificate2> certificates, string signatureAlgorithm, string digestAlgorithm )
: this ( new X509SecurityToken( GetLeafCertificate( certificates ) ),
new SecurityKeyIdentifier( new X509ChainRawDataKeyIdentifierClause( certificates ) ),
signatureAlgorithm,
digestAlgorithm )
{
}
#endif
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate and the security key identifier to be used.
/// <remarks>
/// Note that the key identifier clause types supported by Windows Communication Foundation for generating a security key identifier that
/// references an X509SecurityToken are X509SubjectKeyIdentifierClause, X509ThumbprintKeyIdentifierClause, X509IssuerSerialKeyIdentifierClause,
/// and X509RawDataKeyIdentifierClause. However, in order to enable custom scenarios, this constructor does not perform any validation on
/// the clause types that were used to generate the security key identifier supplied in the <paramref name="ski"/> parameter.
/// </remarks>
/// </summary>
/// <param name="certificate">The x509 certificate.</param>
/// <param name="ski">The security key identifier to be used.</param>
public X509SigningCredentials(X509Certificate2 certificate, SecurityKeyIdentifier ski)
: this(new X509SecurityToken(certificate), ski, SecurityAlgorithms.DefaultAsymmetricSignatureAlgorithm, SecurityAlgorithms.DefaultDigestAlgorithm)
{
}
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 certificate and the security key identifier to be used.
/// <remarks>
/// Note that the key identifier clause types supported by Windows Communication Foundation for generating a security key identifier that
/// references an X509SecurityToken are X509SubjectKeyIdentifierClause, X509ThumbprintKeyIdentifierClause, X509IssuerSerialKeyIdentifierClause,
/// and X509RawDataKeyIdentifierClause. However, in order to enable custom scenarios, this constructor does not perform any validation on
/// the clause types that were used to generate the security key identifier supplied in the <paramref name="ski"/> parameter.
/// </remarks>
/// </summary>
/// <param name="certificate">The x509 certificate.</param>
/// <param name="ski">The security key identifier to be used.</param>
/// <param name="signatureAlgorithm">signature algorithm</param>
/// <param name="digestAlgorithm">digest algorithm</param>
public X509SigningCredentials(X509Certificate2 certificate, SecurityKeyIdentifier ski, string signatureAlgorithm, string digestAlgorithm)
: this(new X509SecurityToken(certificate), ski, signatureAlgorithm, digestAlgorithm)
{
}
/// <summary>
/// Constructor for X509SigningCredentials based on an x509 token and the security key identifier to be used.
/// It uses the token's public key, its default asymmetric signature algorithm and the specified security key identifier
/// </summary>
/// <param name="token">The x509 security token.</param>
/// <param name="ski">The security key identifier to be used.</param>
/// <param name="signatureAlgorithm">signature algorithm</param>
/// <param name="digestAlgorithm">digest algorithm</param>
internal X509SigningCredentials(X509SecurityToken token, SecurityKeyIdentifier ski, string signatureAlgorithm, string digestAlgorithm)
: base(token.SecurityKeys[0], signatureAlgorithm, digestAlgorithm, ski)
{
this.certificate = token.Certificate;
if (!this.certificate.HasPrivateKey)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID2057));
}
}
/// <summary>
/// Gets the x509 certificate.
/// </summary>
public X509Certificate2 Certificate
{
get
{
return this.certificate;
}
}
#if INCLUDE_CERT_CHAIN
internal static X509Certificate2 GetLeafCertificate( IEnumerable<X509Certificate2> certificates )
{
if ( null == certificates )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "certificates" );
}
X509Certificate2 cert = certificates.FirstOrDefault();
if( null == cert )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument( "certificates", SR.GetString( SR.ID2100 ) );
}
return cert;
}
#endif
}
}
|
