Beispiel #1
0
        private static byte[] DecryptBytes(Compact.Iterator parts, object key, JweAlgorithm?jweAlg, JweEncryption?jweEnc, JwtSettings settings = null)
        {
            byte[] header       = parts.Next();
            byte[] encryptedCek = parts.Next();
            byte[] iv           = parts.Next();
            byte[] cipherText   = parts.Next();
            byte[] authTag      = parts.Next();

            JwtSettings jwtSettings = GetSettings(settings);
            IDictionary <string, object> jwtHeader = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));

            JweAlgorithm  headerAlg = jwtSettings.JwaAlgorithmFromHeader((string)jwtHeader["alg"]);
            JweEncryption headerEnc = jwtSettings.JweAlgorithmFromHeader((string)jwtHeader["enc"]);

            IKeyManagement keys = jwtSettings.Jwa(headerAlg);
            IJweAlgorithm  enc  = jwtSettings.Jwe(headerEnc);

            if (keys == null)
            {
                throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", headerAlg));
            }

            if (enc == null)
            {
                throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", headerEnc));
            }

            if (jweAlg != null && (JweAlgorithm)jweAlg != headerAlg)
            {
                throw new InvalidAlgorithmException("The algorithm type passed to the Decrypt method did not match the algorithm type in the header.");
            }

            if (jweEnc != null && (JweEncryption)jweEnc != headerEnc)
            {
                throw new InvalidAlgorithmException("The encryption type passed to the Decrypt method did not match the encryption type in the header.");
            }

            byte[] cek = keys.Unwrap(encryptedCek, key, enc.KeySize, jwtHeader);
            byte[] aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));

            byte[] plainText = enc.Decrypt(aad, cek, iv, cipherText, authTag);

            if (jwtHeader.ContainsKey("zip"))
            {
                ICompression compression = jwtSettings.Compression((string)jwtHeader["zip"]);

                plainText = compression.Decompress(plainText);
            }

            return(plainText);
        }
Beispiel #2
0
        /// <summary>
        /// Parses signed JWT token, extracts and returns payload part as binary data.
        /// This method is NOT supported for encrypted JWT tokens.
        /// This method is NOT performing integrity checking.
        /// </summary>
        /// <param name="token">signed JWT token</param>
        /// <returns>unmarshalled payload</returns>
        /// <exception cref="JoseException">if encrypted JWT token is provided</exception>
        public static byte[] PayloadBytes(string token, bool b64 = true)
        {
            Compact.Iterator parts = Compact.Iterate(token);

            if (parts.Count < 3)
            {
                throw new JoseException(
                          "The given token doesn't follow JWT format and must contains at least three parts.");
            }

            if (parts.Count > 3)
            {
                throw new JoseException(
                          "Getting payload for encrypted tokens is not supported. Please use JWT.Decode() method instead.");
            }

            parts.Next(false); //skip header
            return(parts.Next(b64));
        }
Beispiel #3
0
        private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null, bool requireSignature = false)
        {
            Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");

            Compact.Iterator parts = Compact.Iterate(token);

            if (parts.Count == 5) //encrypted JWT
            {
                return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings));
            }
            else
            {
                //signed or plain JWT
                JwtSettings jwtSettings = GetSettings(settings);

                byte[] header = parts.Next();

                Dictionary <string, object> headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));

                bool b64 = true;

                if (headerData.TryGetValue("b64", out object value))
                {
                    b64 = (bool)value;
                }

                byte[] contentPayload   = parts.Next(b64);
                byte[] signature        = parts.Next();
                byte[] effectivePayload = payload ?? contentPayload;

                if (requireSignature && signature.Length == 0)
                {
                    throw new JoseException("Payload is missing required signature");
                }

                string       algorithm    = (string)headerData["alg"];
                JwsAlgorithm jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm);

                if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm)
                {
                    throw new InvalidAlgorithmException("The algorithm type passed to the Decode method did not match the algorithm type in the header.");
                }

                IJwsAlgorithm jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm);

                if (jwsAlgorithmImpl == null)
                {
                    throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
                }

                // If the key has not been specified, attempt to read it from the header.
                if (key == null && headerData.ContainsKey("kid") && jwsAlgorithm != JwsAlgorithm.none)
                {
                    if (jwsAlgorithm == JwsAlgorithm.ES256K)
                    {
                        key = (BitcoinPubKeyAddress)BitcoinPubKeyAddress.Create((string)headerData["kid"], jwtSettings.Network);
                    }
                    else
                    {
                        key = (string)headerData["kid"];
                    }
                }

                if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key))
                {
                    throw new IntegrityException("Invalid signature.");
                }

                return(effectivePayload);
            }
        }
Beispiel #4
0
        /// <summary>
        /// Parses JWT token, extracts and attempts to unmarshal headers to requested type
        /// This method is NOT performing integrity checking.
        /// </summary>
        /// <param name="token">signed JWT token</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <typeparam name="T">desired type after unmarshalling</typeparam>
        /// <returns>unmarshalled headers</returns>
        public static T Headers <T>(string token, JwtSettings settings = null)
        {
            Compact.Iterator parts = Compact.Iterate(token);

            return(GetSettings(settings).JsonMapper.Parse <T>(Encoding.UTF8.GetString(parts.Next())));
        }