/// <inheritdoc/>
public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
if (parsedSecret.Type != ParsedSecretTypes.X509Certificate)
{
_logger.LogDebug("X509 name secret validator cannot process {type}", parsedSecret.Type ?? "null");
return(fail);
}
var cert = parsedSecret.Credential as X509Certificate2;
if (cert == null)
{
throw new InvalidOperationException("Credential is not a x509 certificate.");
}
var name = cert.Subject;
if (name == null)
{
_logger.LogWarning("No subject/name found in X509 certificate.");
return(fail);
}
var nameSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateName);
if (!nameSecrets.Any())
{
_logger.LogDebug("No x509 name secrets configured for client.");
return(fail);
}
foreach (var nameSecret in nameSecrets)
{
var secretDescription = string.IsNullOrEmpty(nameSecret.Description) ? "no description" : nameSecret.Description;
if (name.Equals(nameSecret.Value, StringComparison.Ordinal))
{
var values = new Dictionary <string, string>
{
{ "x5t#S256", cert.Thumbprint }
};
var cnf = JsonConvert.SerializeObject(values);
var result = new SecretValidationResult
{
Success = true,
Confirmation = cnf
};
return(Task.FromResult(result));
}
}
_logger.LogDebug("No matching x509 name secret found.");
return(fail);
}
/// <inheritdoc/>
public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
if (parsedSecret.Type != ParsedSecretTypes.X509Certificate)
{
_logger.LogDebug("X509 thumbprint secret validator cannot process {type}", parsedSecret.Type ?? "null");
return(fail);
}
var cert = parsedSecret.Credential as X509Certificate2;
if (cert == null)
{
throw new InvalidOperationException("Credential is not a x509 certificate.");
}
var thumbprint = cert.Thumbprint;
if (thumbprint == null)
{
_logger.LogWarning("No thumbprint found in X509 certificate.");
return(fail);
}
var thumbprintSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateThumbprint);
if (!thumbprintSecrets.Any())
{
_logger.LogDebug("No thumbprint secrets configured for client.");
return(fail);
}
foreach (var thumbprintSecret in thumbprintSecrets)
{
var secretDescription = string.IsNullOrEmpty(thumbprintSecret.Description) ? "no description" : thumbprintSecret.Description;
if (thumbprint.Equals(thumbprintSecret.Value, StringComparison.OrdinalIgnoreCase))
{
var result = new SecretValidationResult
{
Success = true,
Confirmation = cert.CreateThumbprintCnf()
};
return(Task.FromResult(result));
}
}
_logger.LogDebug("No matching x509 thumbprint secret found.");
return(fail);
}
/// <inheritdoc/>
public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
if (parsedSecret.Type != ParsedSecretTypes.X509Certificate)
{
_logger.LogDebug("X509 name secret validator cannot process {type}", parsedSecret.Type ?? "null");
return(fail);
}
if (!(parsedSecret.Credential is X509Certificate2 cert))
{
throw new InvalidOperationException("Credential is not a x509 certificate.");
}
var name = cert.Subject;
if (name == null)
{
_logger.LogWarning("No subject/name found in X509 certificate.");
return(fail);
}
var nameSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateName);
if (!nameSecrets.Any())
{
_logger.LogDebug("No x509 name secrets configured for client.");
return(fail);
}
foreach (var nameSecret in nameSecrets)
{
if (name.Equals(nameSecret.Value, StringComparison.Ordinal))
{
var result = new SecretValidationResult
{
Success = true,
Confirmation = cert.CreateThumbprintCnf()
};
return(Task.FromResult(result));
}
}
_logger.LogDebug("No matching x509 name secret found.");
return(fail);
}
/// <summary>
/// Validates a secret
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret.</param>
/// <returns>
/// A validation result
/// </returns>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception>
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = new SecretValidationResult {
Success = false
};
var success = new SecretValidationResult {
Success = true
};
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogError("ParsedSecret.Credential is not a string.");
return(fail);
}
List <SecurityKey> trustedKeys;
try
{
trustedKeys = await secrets.GetKeysAsync();
}
catch (Exception e)
{
_logger.LogError(e, "Could not parse secrets");
return(fail);
}
if (!trustedKeys.Any())
{
_logger.LogError("There are no keys available to validate client assertion.");
return(fail);
}
var jwtToken = new JwtSecurityToken(jwtTokenString);
// OZ
// var x5c = jwtToken.Payload.Claims.FirstOrDefault(c => c.Type == "x5c")?.Value;
// string x5c = jwtToken.Header.GetValueOrDefault("x5c");
Console.WriteLine("Client Token:\n" + jwtTokenString + "\n");
object o;
if (jwtToken.Header.TryGetValue("x5c", out o))
{
// if (o is string)
var s = o.GetType().ToString();
if (o is JArray)
{
// string x5c = o as string;
string[] x5c = (o as JArray).ToObject <string[]>();
// if (x5c != null && x5c != "")
if (x5c != null)
{
// Console.WriteLine("x5c:\n" + x5c);
Console.WriteLine("Security 2.1a Server: x5c with certificate chain received");
// parsed = JObject.Parse(Jose.JWT.Payload(token));
// user = parsed.SelectToken("user").Value<string>();
// string user = jwtToken.Payload.Claims.FirstOrDefault(c => c.Type == "user")?.Value;
X509Store storeCA = new X509Store("CA", StoreLocation.CurrentUser);
storeCA.Open(OpenFlags.ReadWrite);
bool valid = false;
// string[] x5c64 = JsonConvert.DeserializeObject<string[]>(x5c);
string[] x5c64 = x5c;
X509Certificate2Collection xcc = new X509Certificate2Collection();
Byte[] certFileBytes = Convert.FromBase64String(x5c64[0]);
/*
* string fileCert = "./temp/" + user + ".cer";
* File.WriteAllBytes(fileCert, certFileBytes);
* Console.WriteLine("Security 2.1b Server: " + fileCert + " received");
*/
var x509 = new X509Certificate2(certFileBytes);
xcc.Add(x509);
Console.WriteLine("Security 2.1c Certificate in Chain: " + x509.Subject);
StringBuilder builder = new StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
builder.AppendLine(
Convert.ToBase64String(x509.RawData, Base64FormattingOptions.InsertLineBreaks));
builder.AppendLine("-----END CERTIFICATE-----");
Console.WriteLine("Client Certificate: ");
Console.WriteLine(builder);
for (int i = 1; i < x5c64.Length; i++)
{
var cert = new X509Certificate2(Convert.FromBase64String(x5c64[i]));
Console.WriteLine("Security 2.1c Certificate in Chain: " + cert.Subject);
if (cert.Subject != cert.Issuer)
{
xcc.Add(cert);
storeCA.Add(cert);
}
}
X509Chain c = new X509Chain();
c.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
valid = c.Build(x509);
// storeCA.RemoveRange(xcc);
Console.WriteLine("Security 2.1d Server: Validate chain with root cert");
if (!valid)
{
Console.WriteLine("ERROR: Certificate " + x509.Subject + " not valid!");
_logger.LogError("Certificate " + x509.Subject + " not valid!");
return(fail);
}
var xsk = new X509SecurityKey(x509);
trustedKeys = new List <SecurityKey> {
xsk
};
}
}
}
// OZ end
var validAudiences = new[]
{
// issuer URI (tbd)
//_contextAccessor.HttpContext.GetIdentityServerIssuerUri(),
// token endpoint URL
string.Concat(_contextAccessor.HttpContext.GetIdentityServerIssuerUri().EnsureTrailingSlash(),
Constants.ProtocolRoutePaths.Token)
};
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = trustedKeys,
ValidateIssuerSigningKey = true,
ValidIssuer = parsedSecret.Id,
ValidateIssuer = true,
ValidAudiences = validAudiences,
ValidateAudience = true,
RequireSignedTokens = true,
RequireExpirationTime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
try
{
var handler = new JwtSecurityTokenHandler();
handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token);
jwtToken = (JwtSecurityToken)token;
if (jwtToken.Subject != jwtToken.Issuer)
{
_logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
return(fail);
}
var exp = jwtToken.Payload.Exp;
if (!exp.HasValue)
{
_logger.LogError("exp is missing.");
return(fail);
}
var jti = jwtToken.Payload.Jti;
if (jti.IsMissing())
{
_logger.LogError("jti is missing.");
return(fail);
}
if (await _replayCache.ExistsAsync(Purpose, jti))
{
_logger.LogError("jti is found in replay cache. Possible replay attack.");
return(fail);
}
else
{
await _replayCache.AddAsync(Purpose, jti, DateTimeOffset.FromUnixTimeSeconds(exp.Value).AddMinutes(5));
}
return(success);
}
catch (Exception e)
{
_logger.LogError(e, "JWT token validation error");
return(fail);
}
}
/// <summary>
/// Validates a secret
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret.</param>
/// <returns>
/// A validation result
/// </returns>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception>
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = new SecretValidationResult {
Success = false
};
var success = new SecretValidationResult {
Success = true
};
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogError("ParsedSecret.Credential is not a string.");
return(fail);
}
List <SecurityKey> trustedKeys;
try
{
trustedKeys = await secrets.GetKeysAsync();
}
catch (Exception e)
{
_logger.LogError(e, "Could not parse secrets");
return(fail);
}
if (!trustedKeys.Any())
{
_logger.LogError("There are no keys available to validate client assertion.");
return(fail);
}
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = trustedKeys,
ValidateIssuerSigningKey = true,
ValidIssuer = parsedSecret.Id,
ValidateIssuer = true,
ValidAudience = _audienceUri,
ValidateAudience = true,
RequireSignedTokens = true,
RequireExpirationTime = true
};
try
{
var handler = new JwtSecurityTokenHandler();
handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token);
var jwtToken = (JwtSecurityToken)token;
if (jwtToken.Subject != jwtToken.Issuer)
{
_logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
return(fail);
}
return(success);
}
catch (Exception e)
{
_logger.LogError(e, "JWT token validation error");
return(fail);
}
}
/// <summary>
/// Validates the current request.
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public async Task <ClientSecretValidationResult> ValidateAsync(HttpContext context)
{
_logger.LogDebug("Start client validation");
var fail = new ClientSecretValidationResult
{
IsError = true
};
var parsedSecret = await _parser.ParseAsync(context);
if (parsedSecret == null)
{
await RaiseFailureEventAsync("unknown", "No client id found");
_logger.LogError("No client identifier found");
return(fail);
}
// load client
var client = await _clients.FindEnabledClientByIdAsync(parsedSecret.Id);
if (client == null)
{
await RaiseFailureEventAsync(parsedSecret.Id, "Unknown client");
_logger.LogError("No client with id '{clientId}' found. aborting", parsedSecret.Id);
return(fail);
}
SecretValidationResult secretValidationResult = null;
if (!client.RequireClientSecret || client.IsImplicitOnly())
{
_logger.LogDebug("Public Client - skipping secret validation success");
}
else
{
secretValidationResult = await _validator.ValidateAsync(parsedSecret, client.ClientSecrets);
if (secretValidationResult.Success == false)
{
await RaiseFailureEventAsync(client.ClientId, "Invalid client secret");
_logger.LogError("Client secret validation failed for client: {clientId}.", client.ClientId);
return(fail);
}
}
_logger.LogDebug("Client validation success");
var success = new ClientSecretValidationResult
{
IsError = false,
Client = client,
Secret = parsedSecret,
Confirmation = secretValidationResult?.Confirmation
};
await RaiseSuccessEventAsync(client.ClientId, parsedSecret.Type);
return(success);
}
/// <summary>
/// Validates a secret
/// </summary>
/// <param name="secrets">The stored secrets.</param>
/// <param name="parsedSecret">The received secret.</param>
/// <returns>
/// A validation result
/// </returns>
/// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception>
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = new SecretValidationResult {
Success = false
};
var success = new SecretValidationResult {
Success = true
};
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogError("ParsedSecret.Credential is not a string.");
return(fail);
}
List <SecurityKey> trustedKeys;
try
{
trustedKeys = await secrets.GetKeysAsync();
}
catch (Exception e)
{
_logger.LogError(e, "Could not parse secrets");
return(fail);
}
if (!trustedKeys.Any())
{
_logger.LogError("There are no keys available to validate client assertion.");
return(fail);
}
var validAudiences = new[]
{
// issuer URI (tbd)
//_contextAccessor.HttpContext.GetIdentityServerIssuerUri(),
// token endpoint URL
string.Concat(_contextAccessor.HttpContext.GetIdentityServerIssuerUri().EnsureTrailingSlash(),
Constants.ProtocolRoutePaths.Token)
};
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = trustedKeys,
ValidateIssuerSigningKey = true,
ValidIssuer = parsedSecret.Id,
ValidateIssuer = true,
ValidAudiences = validAudiences,
ValidateAudience = true,
RequireSignedTokens = true,
RequireExpirationTime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
try
{
var handler = new JwtSecurityTokenHandler();
handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token);
var jwtToken = (JwtSecurityToken)token;
if (jwtToken.Subject != jwtToken.Issuer)
{
_logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id.");
return(fail);
}
var exp = jwtToken.Payload.Exp;
if (!exp.HasValue)
{
_logger.LogError("exp is missing.");
return(fail);
}
var jti = jwtToken.Payload.Jti;
if (jti.IsMissing())
{
_logger.LogError("jti is missing.");
return(fail);
}
if (await _replayCache.ExistsAsync(Purpose, jti))
{
_logger.LogError("jti is found in replay cache. Possible replay attack.");
return(fail);
}
else
{
await _replayCache.AddAsync(Purpose, jti, DateTimeOffset.FromUnixTimeSeconds(exp.Value).AddMinutes(5));
}
return(success);
}
catch (Exception e)
{
_logger.LogError(e, "JWT token validation error");
return(fail);
}
}
