public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (!payload.TryGetClaim(JwtClaimNames.Exp.EncodedUtf8Bytes, out var expires)) { error = TokenValidationError.MissingClaim(JwtClaimNames.Exp.ToString()); return(false); } if (!payload.TryGetClaim(JwtClaimNames.Jti.EncodedUtf8Bytes, out var jti)) { error = TokenValidationError.MissingClaim(JwtClaimNames.Jti.ToString()); return(false); } if (!_tokenReplayCache.TryAdd(jti.GetString(), expires.GetInt64())) { error = TokenValidationError.TokenReplayed(); return(false); } #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (!payload.TryGetClaim(_claim, out var claim)) { error = TokenValidationError.MissingClaim(_claim); return(false); } if (!claim.TryGetDouble(out var value) || _value != value) { error = TokenValidationError.InvalidClaim(_claim); return(false); } #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (header is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.header); } if (header.Alg.IsEmpty) { error = TokenValidationError.MissingHeader(JwtHeaderParameterNames.Alg.ToString()); return(false); } if (!header.Alg.ValueEquals(_algorithm)) { error = TokenValidationError.InvalidHeader(JwtHeaderParameterNames.Alg.ToString()); return(false); } #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if (!payload.Iss.IsEmpty && payload.Iss.ValueEquals(_issuer)) { return(_policy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error)); } error = SignatureValidationError.InvalidSignature(); return(false); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if (!payload.Iss.IsEmpty) { if (TryGetPolicy(payload.Iss, out var policy)) { return(policy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error)); } } return(_defaultPolicy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error)); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if ((contentBytes.Length == 0 && signatureSegment.Length == 0) || (signatureSegment.IsEmpty && !header.Alg.IsEmpty && header.Alg.ValueEquals(SignatureAlgorithm.None.Utf8Name))) { error = null; return(true); } error = SignatureValidationError.InvalidSignature(); return(false); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if ((contentBytes.Length == 0 && signatureSegment.Length == 0) || (signatureSegment.IsEmpty && !header.Alg.IsEmpty && header.Alg.ValueEquals(SignatureAlgorithm.None.Utf8Name))) { #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); } error = SignatureValidationError.InvalidSignature(); return(false); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (payload.ContainsClaim(_claim)) { error = null; return(true); } error = TokenValidationError.MissingClaim(_claim); return(false); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (payload.ContainsClaim(OAuth2Claims.AuthTime.EncodedUtf8Bytes)) { error = null; return(true); } error = TokenValidationError.MissingClaim(OAuth2Claims.AuthTime.ToString()); return(false); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (payload.ContainsClaim(_claim)) { #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); } error = TokenValidationError.MissingClaim(_claim); return(false); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (header is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.header); } if (header.Alg.IsEmpty) { error = TokenValidationError.MissingHeader(JwtHeaderParameterNames.Alg.ToString()); return(false); } if (!header.Alg.ValueEquals(_algorithm)) { error = TokenValidationError.InvalidHeader(JwtHeaderParameterNames.Alg.ToString()); return(false); } error = null; return(true); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (!payload.TryGetClaim(_claim, out var claim)) { error = TokenValidationError.MissingClaim(_claim); return(false); } if (!claim.TryGetDouble(out var value) || _value != value) { error = TokenValidationError.InvalidClaim(_claim); return(false); } error = null; return(true); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload is null) { error = TokenValidationError.MalformedToken(); return(false); } if (!payload.TryGetClaim(OAuth2Claims.Acr.EncodedUtf8Bytes, out var property)) { error = TokenValidationError.MissingClaim(OAuth2Claims.Acr.ToString()); return(false); } if (!property.ValueEquals(_requiredAcr)) { error = TokenValidationError.InvalidClaim(OAuth2Claims.Acr.ToString()); return(false); } error = null; return(true); }
public bool TryValidate(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (!payload.TryGetClaim(JwtClaimNames.Exp.EncodedUtf8Bytes, out var expires)) { error = TokenValidationError.MissingClaim(JwtClaimNames.Exp.ToString()); return(false); } if (!payload.TryGetClaim(JwtClaimNames.Jti.EncodedUtf8Bytes, out var jti)) { error = TokenValidationError.MissingClaim(JwtClaimNames.Jti.ToString()); return(false); } if (!_tokenReplayCache.TryAdd(jti.GetString(), expires.GetInt64())) { error = TokenValidationError.TokenReplayed(); return(false); } error = null; return(true); }
public bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { return(SignatureValidationPolicy.TryValidateSignature(header, payload, contentBytes, signatureSegment, out error)); }
/// <summary>Try to validate the token, according to the <paramref name="header"/> and the <paramref name="payload"/>.</summary> public bool TryValidateJwt(JwtHeaderDocument header, JwtPayloadDocument payload, [NotNullWhen(false)] out TokenValidationError?error) { if (payload.Control != 0) { if (RequireAudience) { if (payload.MissingAudience) { error = TokenValidationError.MissingClaim(JwtClaimNames.Aud.ToString()); goto Error; } if (payload.InvalidAudience) { error = TokenValidationError.InvalidClaim(JwtClaimNames.Aud.ToString()); goto Error; } } if (RequireIssuer) { if (payload.MissingIssuer) { error = TokenValidationError.MissingClaim(JwtClaimNames.Iss.ToString()); goto Error; } if (payload.InvalidIssuer) { error = TokenValidationError.InvalidClaim(JwtClaimNames.Iss.ToString()); goto Error; } } if (RequireExpirationTime) { if (payload.MissingExpirationTime) { error = TokenValidationError.MissingClaim(JwtClaimNames.Exp.ToString()); goto Error; } if (payload.Expired) { error = TokenValidationError.Expired(); goto Error; } } if (payload.NotYetValid) { error = TokenValidationError.NotYetValid(); goto Error; } } var validators = _validators; for (int i = 0; i < validators.Length; i++) { if (!validators[i].TryValidate(header, payload, out error)) { goto Error; } } #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); Error: return(false); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if (signatureSegment.IsEmpty) { if (contentBytes.IsEmpty) { // This is not a JWS goto Success; } else { error = SignatureValidationError.MissingSignature(); goto Error; } } byte[]? signatureToReturn = null; try { int signatureBytesLength = Base64Url.GetArraySizeRequiredToDecode(signatureSegment.Length); Span <byte> signatureBytes = signatureBytesLength > Constants.MaxStackallocBytes ? (signatureToReturn = ArrayPool <byte> .Shared.Rent(signatureBytesLength)) : stackalloc byte[Constants.MaxStackallocBytes]; if (Base64Url.Decode(signatureSegment, signatureBytes, out _, out int bytesWritten) != OperationStatus.Done) { error = SignatureValidationError.MalformedSignature(); goto Error; } signatureBytes = signatureBytes.Slice(0, bytesWritten); //Debug.Assert(signatureBytesLength == bytesWritten); bool keysTried = false; var keySet = _keyProvider.GetKeys(header); var algElement = header.Alg; if (keySet != null) { var algorithm = _algorithm; for (int i = 0; i < keySet.Length; i++) { var key = keySet[i]; if (key.CanUseForSignature(algElement)) { var alg = algorithm ?? key.SignatureAlgorithm; if (!(alg is null)) { if (key.TryGetSignatureVerifier(alg, out var signatureVerifier)) { if (signatureVerifier.Verify(contentBytes, signatureBytes.Slice(0, signatureBytesLength))) { goto Success; } } } keysTried = true; } } } error = keysTried ? SignatureValidationError.InvalidSignature() : SignatureValidationError.SignatureKeyNotFound(); } catch (FormatException e) { error = SignatureValidationError.MalformedSignature(e); } finally { if (signatureToReturn != null) { ArrayPool <byte> .Shared.Return(signatureToReturn); } } Error: return(false); Success: #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { error = SignatureValidationError.InvalidSignature(); return(false); }
/// <summary>Try to validate the token signature.</summary> public abstract bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error);
internal static bool TryParsePayload(ReadOnlyMemory <byte> utf8Payload, byte[]?buffer, TokenValidationPolicy policy, [NotNullWhen(true)] out JwtPayloadDocument?payload, [NotNullWhen(false)] out TokenValidationError?error) { ReadOnlySpan <byte> utf8JsonSpan = utf8Payload.Span; var database = new JsonMetadata(utf8Payload.Length); byte control = policy.Control; int issIdx = -1; var reader = new Utf8JsonReader(utf8JsonSpan); if (reader.Read()) { JsonTokenType tokenType = reader.TokenType; if (tokenType == JsonTokenType.StartObject) { while (reader.Read()) { tokenType = reader.TokenType; int tokenStart = (int)reader.TokenStartIndex; if (tokenType == JsonTokenType.EndObject) { break; } else if (tokenType != JsonTokenType.PropertyName) { error = TokenValidationError.MalformedToken(); goto Error; } Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.PropertyName, tokenStart + 1, reader.ValueSpan.Length); ReadOnlySpan <byte> memberName = reader.ValueSpan; if (memberName.IndexOf((byte)'\\') != -1) { database.SetNeedUnescaping(database.Length - JsonRow.Size); } reader.Read(); tokenType = reader.TokenType; tokenStart = (int)reader.TokenStartIndex; Debug.Assert(reader.TokenStartIndex <= int.MaxValue); if (tokenType == JsonTokenType.String) { if (memberName.Length == 3) { switch ((JwtClaims)IntegerMarshal.ReadUInt24(memberName)) { case JwtClaims.Aud: CheckStringAudience(ref reader, ref control, policy); break; case JwtClaims.Iss: issIdx = database.Length; CheckIssuer(ref reader, ref control, policy); break; } } Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.String, tokenStart + 1, reader.ValueSpan.Length); } else if (tokenType == JsonTokenType.Number) { if (memberName.Length == 3) { switch ((JwtClaims)IntegerMarshal.ReadUInt24(memberName)) { case JwtClaims.Exp: if (!TryCheckExpirationTime(ref reader, ref control, policy)) { error = TokenValidationError.MalformedToken("The claim 'exp' must be an integral number."); goto Error; } break; case JwtClaims.Nbf: if (!TryCheckNotBefore(ref reader, ref control, policy)) { error = TokenValidationError.MalformedToken("The claim 'nbf' must be an integral number."); goto Error; } break; } } database.Append(JsonTokenType.Number, tokenStart, reader.ValueSpan.Length); } else if (tokenType == JsonTokenType.StartObject) { int itemCount = Utf8JsonReaderHelper.SkipObject(ref reader); int tokenEnd = (int)reader.TokenStartIndex; int index = database.Length; database.Append(JsonTokenType.StartObject, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, itemCount); } else if (tokenType == JsonTokenType.StartArray) { int itemCount; if (memberName.Length == 3 && (JwtClaims)IntegerMarshal.ReadUInt24(memberName) == JwtClaims.Aud) { itemCount = CheckArrayAudience(ref reader, ref control, policy); } else { itemCount = Utf8JsonReaderHelper.SkipArray(ref reader); } int index = database.Length; int tokenEnd = (int)reader.TokenStartIndex; database.Append(JsonTokenType.StartArray, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, itemCount); } else { Debug.Assert(tokenType >= JsonTokenType.True && tokenType <= JsonTokenType.Null); database.Append(tokenType, tokenStart, reader.ValueSpan.Length); } } } } Debug.Assert(reader.BytesConsumed == utf8JsonSpan.Length); database.CompleteAllocations(); payload = new JwtPayloadDocument(new JwtDocument(utf8Payload, database, buffer), control, issIdx); #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); Error: #if NET5_0_OR_GREATER Unsafe.SkipInit(out payload); #else payload = default; #endif return(false); }
private Jwt(JwtHeaderDocument header, JwtPayloadDocument payload, TokenValidationError error) { _header = header; _payload = payload; _error = error; }
internal Jwt(JwtHeaderDocument header, JwtPayloadDocument payload) { _header = header; _payload = payload; }
public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDocument payload, ReadOnlySpan <byte> contentBytes, ReadOnlySpan <byte> signatureSegment, [NotNullWhen(false)] out SignatureValidationError?error) { if (signatureSegment.IsEmpty) { if (contentBytes.IsEmpty) { // This is not a JWS goto Success; } else { error = SignatureValidationError.MissingSignature(); goto Error; } } try { int signatureBytesLength = Base64Url.GetArraySizeRequiredToDecode(signatureSegment.Length); Span <byte> signatureBytes = stackalloc byte[signatureBytesLength]; if (Base64Url.Decode(signatureSegment, signatureBytes, out int byteConsumed, out int bytesWritten) != OperationStatus.Done) { error = SignatureValidationError.MalformedSignature(); goto Error; } Debug.Assert(bytesWritten == signatureBytes.Length); bool keysTried = false; var keySet = _keyProvider.GetKeys(header); var algElement = header.Alg; if (keySet != null) { var algorithm = _algorithm; for (int i = 0; i < keySet.Length; i++) { var key = keySet[i]; if (key.CanUseForSignature(algElement)) { var alg = algorithm ?? key.SignatureAlgorithm; if (!(alg is null)) { if (key.TryGetSignatureVerifier(alg, out var signatureVerifier)) { if (signatureVerifier.Verify(contentBytes, signatureBytes)) { goto Success; } } } keysTried = true; } } } error = keysTried ? SignatureValidationError.InvalidSignature() : SignatureValidationError.SignatureKeyNotFound(); } catch (FormatException e) { error = SignatureValidationError.MalformedSignature(e); } Error: return(false); Success: error = null; return(true); }