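/// <summary>
/// Protected Server side: verifies a client's check request.
/// The expected MAC is rebuilt entirely from the server's stored member-client record
/// (client id, hash value, shared key/IV, authorize count, protected id) plus the
/// request's <c>ExpiredTime</c>, then compared with the MAC the client supplied.
/// </summary>
/// <param name="reqModel">The client's check request; only <c>ClientProtectedMac</c> and <c>ExpiredTime</c> are read here.</param>
/// <exception cref="System.ArgumentNullException"><paramref name="reqModel"/> is null.</exception>
/// <exception cref="ShareHashMacClientWithProtectedNotEqualException">The recomputed MAC does not match <c>reqModel.ClientProtectedMac</c>.</exception>
public void Verify(CheckClientReqModel reqModel)
{
    if (reqModel == null)
    {
        throw new System.ArgumentNullException(nameof(reqModel));
    }

    // The temporary client identity is taken from the stored record, not from
    // reqModel.ClientTempId, so identity fields in the request cannot influence
    // the expected MAC.
    ClientTempIdentityModel clientTempId = new ClientTempIdentityModel()
    {
        ClientId = this.memberClientModel.ClientId,
        HashValue = this.memberClientModel.HashValue,
    };

    SymCryptoModel clientProtectedCryptoModel = new SymCryptoModel()
    {
        Key = this.memberClientModel.ShareKeyClientWithProtectedServer,
        IV = this.memberClientModel.ShareIVClientWithProtectedServer,
    };

    // The MAC is a digest over the JSON serialization of this object, so the
    // property set and the fixed salt "2" must match the client side exactly.
    ClientProtectedMacModel clientProtectedMacModel = new ClientProtectedMacModel()
    {
        Salt = "2",
        ClientTempId = clientTempId,
        ProtectedId = this.memberClientModel.ProtectedId,
        AuthZTimes = this.memberClientModel.AuthZTimes,
        HashValue = clientTempId.HashValue,
        ExpiredTime = reqModel.ExpiredTime,
        ClientProtectedCryptoModel = clientProtectedCryptoModel,
    };

    // NOTE(review): this "MAC" is an MD5 digest of JSON that embeds the shared key/IV,
    // not a keyed MAC; a standard construction such as HMACSHA256 would be the
    // conventional choice, but both ends of the protocol must change together.
    string shareMacClientWithResrJson = JsonConvert.SerializeObject(clientProtectedMacModel);
    string shareHashMacClientWithResr = MD5Hasher.Hash(shareMacClientWithResrJson);

    // NOTE(review): reqModel.ExpiredTime is bound into the MAC but is not checked
    // against the current time in this method; confirm the caller enforces expiry.

    // Fixed-time comparison: the time taken must not depend on how many leading
    // characters of the supplied MAC happen to be correct.
    if (!MacStringsEqualFixedTime(shareHashMacClientWithResr, reqModel.ClientProtectedMac))
    {
        throw new ShareHashMacClientWithProtectedNotEqualException("Client request mac in model is invalid. " +
            "More message: the share mac in client is not equal after protected server decrypted and compare " +
            "the mac message which client request");
    }
}

/// <summary>
/// Ordinal string equality whose running time depends only on the input lengths,
/// not on the position of the first differing character. Null handling mirrors
/// <c>==</c>: two nulls are equal, a single null is not.
/// </summary>
/// <param name="expected">The MAC recomputed by the server.</param>
/// <param name="actual">The MAC supplied by the client.</param>
/// <returns><c>true</c> when both strings are identical.</returns>
private static bool MacStringsEqualFixedTime(string expected, string actual)
{
    if (expected == null || actual == null)
    {
        return ReferenceEquals(expected, actual);
    }

    // Length is not secret here (MD5 hex digests have a fixed length), so an
    // early return on a length mismatch leaks nothing useful.
    if (expected.Length != actual.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < expected.Length; i++)
    {
        diff |= expected[i] ^ actual[i];
    }

    return diff == 0;
}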
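/// <summary>
/// Validates the Auth Server's cypher-text response locally (client id, protected
/// resource id, expiry) and then asks the Protected Server to verify the derived MAC.
/// </summary>
/// <param name="authClientCypherTextModel">The decrypted Auth Server response for this client.</param>
/// <param name="protectedId">The protected resource the caller intends to access; must match the response.</param>
/// <returns>An <see cref="AuthorizeValueModel"/> carrying the verified values, with <c>CurrentTimes</c> started at 1.</returns>
/// <exception cref="System.ArgumentNullException"><paramref name="authClientCypherTextModel"/> is null.</exception>
/// <exception cref="ClientNotEqualException">The response's client id differs from this client's id.</exception>
/// <exception cref="ProtectedServerNotEqualException">The response's protected id differs from <paramref name="protectedId"/>.</exception>
/// <exception cref="ClientAuthorizeTokenExpiredException">The response's <c>ExpiredTime</c> lies in the past.</exception>
/// <exception cref="ProtectedServerAuthorizeException">The Protected Server rejected the MAC, or returned no usable result.</exception>
public AuthorizeValueModel SendCypherTextToProtectedResourceForVerify(AuthClientCypherTextModel authClientCypherTextModel, string protectedId)
{
    if (authClientCypherTextModel == null)
    {
        throw new System.ArgumentNullException(nameof(authClientCypherTextModel));
    }

    // Local consistency checks before any network round-trip.
    if (authClientCypherTextModel.ClientId != clientResource.ClientId)
    {
        throw new ClientNotEqualException("ClientId is not equal.");
    }

    if (authClientCypherTextModel.ProtectedId != protectedId)
    {
        throw new ProtectedServerNotEqualException("ProtectedId is not equal. ");
    }

    if (UnixTimeGenerator.GetUtcNowUnixTime() > authClientCypherTextModel.ExpiredTime)
    {
        throw new ClientAuthorizeTokenExpiredException("Client authorized token has expired, please re-authenticate and get new token");
    }

    // Ask the Protected Server to verify.
    long expiredTime = GetExpiredUtc0UnixTime();

    // NOTE(review): this iterated hash of RandomValue must equal the HashValue the
    // Protected Server stores for this client; confirm both sides derive it the same way.
    string hashValue = HashMultipleTimes(authClientCypherTextModel.RandomValue, authClientCypherTextModel.AuthZTimes);

    // The MAC is a digest over the JSON serialization of this object, so the
    // property set and the fixed salt "2" must match the Protected Server exactly.
    ClientProtectedMacModel macModel = new ClientProtectedMacModel()
    {
        Salt = "2",
        ClientTempId = authClientCypherTextModel.ClientTempId,
        ProtectedId = authClientCypherTextModel.ProtectedId,
        AuthZTimes = authClientCypherTextModel.AuthZTimes,
        HashValue = hashValue,
        ExpiredTime = expiredTime,
        ClientProtectedCryptoModel = authClientCypherTextModel.ClientProtectedCryptoModel,
    };
    string clientResrcMacStr = JsonConvert.SerializeObject(macModel);
    string macValue = MD5Hasher.Hash(clientResrcMacStr);

    CheckClientReqModel reqModel = new CheckClientReqModel()
    {
        ClientProtectedMac = macValue,
        ExpiredTime = expiredTime,
        ClientTempId = authClientCypherTextModel.ClientTempId,
    };
    string reqStr = JsonConvert.SerializeObject(reqModel);
    ApiResult<bool> resrcResp = AuthenHttpHandler.SendRequestByPost<bool>(protectedAuthenApiUrl, reqStr);

    // Protected Server result. A missing response is treated as a rejection
    // instead of surfacing a NullReferenceException to the caller.
    if (resrcResp == null || !resrcResp.Value)
    {
        throw new ProtectedServerAuthorizeException("The cypherText is not valid. Protected Server authorize fail.");
    }

    return new AuthorizeValueModel()
    {
        AuthZTimes = authClientCypherTextModel.AuthZTimes,
        ClientProtectedCryptoModel = authClientCypherTextModel.ClientProtectedCryptoModel,
        ClientTempId = authClientCypherTextModel.ClientTempId,
        CurrentTimes = 1,
        RandomValue = authClientCypherTextModel.RandomValue,
        ProtectedId = authClientCypherTextModel.ProtectedId,
        ValidUrlList = authClientCypherTextModel.ValidUrlList,
    };
}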