protected async Task <MetadataTOCPayload> DeserializeAndValidateToc(string toc)
{
if (string.IsNullOrWhiteSpace(toc))
{
throw new ArgumentNullException(nameof(toc));
}
var jwtParts = toc.Split('.');
if (jwtParts.Length != 3)
{
throw new ArgumentException("The JWT does not have the 3 expected components");
}
var tocHeaderString = jwtParts.First();
var tocHeader = JObject.Parse(Encoding.UTF8.GetString(Base64Url.Decode(tocHeaderString)));
_tocAlg = tocHeader["alg"]?.Value <string>();
if (_tocAlg == null)
{
throw new ArgumentNullException("No alg value was present in the TOC header.");
}
var x5cArray = tocHeader["x5c"] as JArray;
if (x5cArray == null)
{
throw new Exception("No x5c array was present in the TOC header.");
}
var keyStrings = x5cArray.Values <string>().ToList();
if (keyStrings.Count == 0)
{
throw new ArgumentException("No keys were present in the TOC header.");
}
var rootCert = GetX509Certificate(ROOT_CERT);
var tocCerts = keyStrings.Select(o => GetX509Certificate(o)).ToArray();
var tocPublicKeys = keyStrings.Select(o => GetECDsaPublicKey(o)).ToArray();
var certChain = new X509Chain();
certChain.ChainPolicy.ExtraStore.Add(rootCert);
certChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = tocPublicKeys,
};
var tokenHandler = new JwtSecurityTokenHandler();
tokenHandler.ValidateToken(
toc,
validationParameters,
out var validatedToken);
if (tocCerts.Length > 1)
{
certChain.ChainPolicy.ExtraStore.AddRange(tocCerts.Skip(1).ToArray());
}
var certChainIsValid = certChain.Build(tocCerts.First());
// if the root is trusted in the context we are running in, valid should be true here
if (!certChainIsValid)
{
foreach (var element in certChain.ChainElements)
{
if (element.Certificate.Issuer != element.Certificate.Subject)
{
var cdp = CryptoUtils.CDPFromCertificateExts(element.Certificate.Extensions);
var crlFile = await DownloadDataAsync(cdp);
if (true == CryptoUtils.IsCertInCRL(crlFile, element.Certificate))
{
throw new VerificationException(string.Format("Cert {0} found in CRL {1}", element.Certificate.Subject, cdp));
}
}
}
// otherwise we have to manually validate that the root in the chain we are testing is the root we downloaded
if (rootCert.Thumbprint == certChain.ChainElements[certChain.ChainElements.Count - 1].Certificate.Thumbprint &&
// and that the number of elements in the chain accounts for what was in x5c plus the root we added
certChain.ChainElements.Count == (keyStrings.Count + 1) &&
// and that the root cert has exactly one status listed against it
certChain.ChainElements[certChain.ChainElements.Count - 1].ChainElementStatus.Length == 1 &&
// and that that status is a status of exactly UntrustedRoot
certChain.ChainElements[certChain.ChainElements.Count - 1].ChainElementStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
{
// if we are good so far, that is a good sign
certChainIsValid = true;
for (var i = 0; i < certChain.ChainElements.Count - 1; i++)
{
// check each non-root cert to verify zero status listed against it, otherwise, invalidate chain
if (0 != certChain.ChainElements[i].ChainElementStatus.Length)
{
certChainIsValid = false;
}
}
}
}
if (!certChainIsValid)
{
throw new VerificationException("Failed to validate cert chain while parsing TOC");
}
var tocPayload = ((JwtSecurityToken)validatedToken).Payload.SerializeToJson();
return(Newtonsoft.Json.JsonConvert.DeserializeObject <MetadataTOCPayload>(tocPayload));
}
protected async Task <MetadataTOCPayload> DeserializeAndValidateToc(string toc)
{
var jwtToken = new JwtSecurityToken(toc);
_tocAlg = jwtToken.Header["alg"] as string;
var keys = (jwtToken.Header["x5c"] as JArray)
.Values <string>()
.Select(x => new ECDsaSecurityKey(
(ECDsa)(new X509Certificate2(Convert.FromBase64String(x)).GetECDsaPublicKey())))
.ToArray();
var root = new X509Certificate2(Convert.FromBase64String(ROOT_CERT));
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(root);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = keys,
};
var tokenHandler = new JwtSecurityTokenHandler();
tokenHandler.ValidateToken(
toc,
validationParameters,
out var validatedToken);
var payload = ((JwtSecurityToken)validatedToken).Payload.SerializeToJson();
chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(Convert.FromBase64String((jwtToken.Header["x5c"] as JArray).Values <string>().Last())));
var valid = chain.Build(new X509Certificate2(Convert.FromBase64String((jwtToken.Header["x5c"] as JArray).Values <string>().First())));
// if the root is trusted in the context we are running in, valid should be true here
if (false == valid)
{
foreach (var element in chain.ChainElements)
{
if (element.Certificate.Issuer != element.Certificate.Subject)
{
var cdp = CryptoUtils.CDPFromCertificateExts(element.Certificate.Extensions);
var crlFile = await DownloadDataAsync(cdp);
if (true == CryptoUtils.IsCertInCRL(crlFile, element.Certificate))
{
throw new VerificationException(string.Format("Cert {0} found in CRL {1}", element.Certificate.Subject, cdp));
}
}
}
// otherwise we have to manually validate that the root in the chain we are testing is the root we downloaded
if (root.Thumbprint == chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint &&
// and that the number of elements in the chain accounts for what was in x5c plus the root we added
chain.ChainElements.Count == ((jwtToken.Header["x5c"] as JArray).Count + 1) &&
// and that the root cert has exactly one status listed against it
chain.ChainElements[chain.ChainElements.Count - 1].ChainElementStatus.Length == 1 &&
// and that that status is a status of exactly UntrustedRoot
chain.ChainElements[chain.ChainElements.Count - 1].ChainElementStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
{
// if we are good so far, that is a good sign
valid = true;
for (var i = 0; i < chain.ChainElements.Count - 1; i++)
{
// check each non-root cert to verify zero status listed against it, otherwise, invalidate chain
if (0 != chain.ChainElements[i].ChainElementStatus.Length)
{
valid = false;
}
}
}
}
if (false == valid)
{
throw new VerificationException("Failed to validate cert chain while parsing TOC");
}
return(JsonConvert.DeserializeObject <MetadataTOCPayload>(payload));
}
/// <summary>
/// DeserializeAndValidateBlob method implementation
/// </summary>
protected async Task <MetadataBLOBPayload> DeserializeAndValidateBlob(string rawBLOBJwt)
{
if (string.IsNullOrWhiteSpace(rawBLOBJwt))
{
throw new ArgumentNullException(nameof(rawBLOBJwt));
}
var jwtParts = rawBLOBJwt.Split('.');
if (jwtParts.Length != 3)
{
throw new ArgumentException("The JWT does not have the 3 expected components");
}
var blobHeader = jwtParts.First();
var tokenHeader = JObject.Parse(System.Text.Encoding.UTF8.GetString(Base64Url.Decode(blobHeader)));
var blobAlg = tokenHeader["alg"]?.Value <string>();
if (blobAlg == null)
{
throw new ArgumentNullException("No alg value was present in the BLOB header.");
}
var x5cArray = tokenHeader["x5c"] as JArray;
if (x5cArray == null)
{
throw new ArgumentException("No x5c array was present in the BLOB header.");
}
var rootCert = GetX509Certificate(ROOT_CERT);
var blobCertStrings = x5cArray.Values <string>().ToList();
var blobCertificates = new List <X509Certificate2>();
var blobPublicKeys = new List <SecurityKey>();
foreach (var certString in blobCertStrings)
{
var cert = GetX509Certificate(certString);
blobCertificates.Add(cert);
var ecdsaPublicKey = cert.GetECDsaPublicKey();
if (ecdsaPublicKey != null)
{
blobPublicKeys.Add(new ECDsaSecurityKey(ecdsaPublicKey));
}
var rsa = cert.GetRSAPublicKey();
if (rsa != null)
{
blobPublicKeys.Add(new RsaSecurityKey(rsa));
}
}
var certChain = new X509Chain();
certChain.ChainPolicy.ExtraStore.Add(rootCert);
certChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = blobPublicKeys,
};
var tokenHandler = new JwtSecurityTokenHandler()
{
// 250k isn't enough bytes for conformance test tool
// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1097
MaximumTokenSizeInBytes = rawBLOBJwt.Length
};
tokenHandler.ValidateToken(
rawBLOBJwt,
validationParameters,
out var validatedToken);
if (blobCertificates.Count > 1)
{
certChain.ChainPolicy.ExtraStore.AddRange(blobCertificates.Skip(1).ToArray());
}
var certChainIsValid = certChain.Build(blobCertificates.First());
// if the root is trusted in the context we are running in, valid should be true here
if (!certChainIsValid)
{
foreach (var element in certChain.ChainElements)
{
if (element.Certificate.Issuer != element.Certificate.Subject)
{
var cdp = CryptoUtils.CDPFromCertificateExts(element.Certificate.Extensions);
var crlFile = await DownloadDataAsync(cdp);
if (true == CryptoUtils.IsCertInCRL(crlFile, element.Certificate))
{
throw new VerificationException(string.Format("Cert {0} found in CRL {1}", element.Certificate.Subject, cdp));
}
}
}
// otherwise we have to manually validate that the root in the chain we are testing is the root we downloaded
if (rootCert.Thumbprint == certChain.ChainElements[certChain.ChainElements.Count - 1].Certificate.Thumbprint &&
// and that the number of elements in the chain accounts for what was in x5c plus the root we added
certChain.ChainElements.Count == (blobCertStrings.Count + 1) &&
// and that the root cert has exactly one status listed against it
certChain.ChainElements[certChain.ChainElements.Count - 1].ChainElementStatus.Length == 1 &&
// and that that status is a status of exactly UntrustedRoot
certChain.ChainElements[certChain.ChainElements.Count - 1].ChainElementStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
{
// if we are good so far, that is a good sign
certChainIsValid = true;
for (var i = 0; i < certChain.ChainElements.Count - 1; i++)
{
// check each non-root cert to verify zero status listed against it, otherwise, invalidate chain
if (0 != certChain.ChainElements[i].ChainElementStatus.Length)
{
certChainIsValid = false;
}
}
}
}
if (!certChainIsValid)
{
throw new VerificationException("Failed to validate cert chain while parsing BLOB");
}
var blobPayload = ((JwtSecurityToken)validatedToken).Payload.SerializeToJson();
var blob = Newtonsoft.Json.JsonConvert.DeserializeObject <MetadataBLOBPayload>(blobPayload);
blob.JwtAlg = blobAlg;
return(blob);
}