public AuthClientCypherTextModel DecryptAuthServerResp(string cypherText)
{
aesCrypter.SetKey(clientResource.ClientKey);
aesCrypter.SetIV(clientResource.ClientIV);
string decryptResult = aesCrypter.Decrypt(cypherText);
AuthClientCypherTextModel authClientCypherTextModel = JsonConvert.DeserializeObject <AuthClientCypherTextModel>(decryptResult);
return(authClientCypherTextModel);
}
/// <summary>
/// OAuth Server呼叫Protected Server進行通知驗證
/// </summary>
/// <param name="oauthToProtectedCypherText"></param>
/// <returns></returns>
public AuthResrcProtectorCypherTextModel Verify(string oauthToProtectedCypherText)
{
//解密OAuth Server帶過來的 CypherText
string decryptCryptoStr = aesCrypter.Decrypt(oauthToProtectedCypherText);
//進行反序列化,取得本次驗證需要的相關資訊
AuthResrcProtectorCypherTextModel authShareProtectedServerCypherTextModel = JsonConvert.DeserializeObject <AuthResrcProtectorCypherTextModel>(decryptCryptoStr);
//將Protected Server 的 Key與IV 進行加密處理,準備進行檢核
SymCryptoModel shareSecretClientWithProtectedSymModel = GetShareSecretClientWithProtectedSymModel(this.protectedServer.ShareKeyOAuthWithProtectedServer,
this.protectedServer.ShareIVOAuthWithProtectedServer, authShareProtectedServerCypherTextModel.ClientId);
//檢核OAuth Server帶來的資料與 Protected Server處理後的資料 是否一致
if (authShareProtectedServerCypherTextModel.PortectedId != this.protectedServer.OAuthApplicatoinId)
{
throw new RequestProtectedServerNotEqualExceptoin("The protected server's application id is not equal with the ProtectedId which is send from OAuth server ");
}
if (GetUtcNowUnixTime() > authShareProtectedServerCypherTextModel.ExpiredTime)
{
throw new OAuthShareCypherWithProtectedServerExpiredException("OAuth Send Secret message like Cypher text is expired, can not use this secret");
}
if (shareSecretClientWithProtectedSymModel.Key != authShareProtectedServerCypherTextModel.ClientProtectedCryptoModel.Key ||
shareSecretClientWithProtectedSymModel.IV != authShareProtectedServerCypherTextModel.ClientProtectedCryptoModel.IV)
{
throw new ShareSecretClientWithProtectedServerNotEqualException("Check the secret from OAuth Server, and found that the secret is not equal after decrypt by protected server");
}
return(authShareProtectedServerCypherTextModel);
}
public AuthResrcProtectedAuthorizeModel Verify(string token)
{
//解 Token
string jwtDecodeValue = JWT.Decode(token,
Encoding.Unicode.GetBytes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer),
JwsAlgorithm.HS256);
ClientAuthorizedReqModel jwtObject = JsonConvert.DeserializeObject <ClientAuthorizedReqModel>(jwtDecodeValue);
//加密後的合法 Url List
List <string> encryptValueList = jwtObject.ValidUrlList;
VerifyUrlIsInAuthorizedList(encryptValueList);
ClientTempIdentityModel tempIdentityModel = new ClientTempIdentityModel(this.clientInProtectedMember.ClientId, this.clientInProtectedMember.HashValue);
string shareKeyClientAndResrcDependsAuthorizedTimes = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);
string shareIVClientAndResrcDependsAuthorizedTimes = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareIVClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);
aesCrypter.SetKey(shareKeyClientAndResrcDependsAuthorizedTimes);
aesCrypter.SetIV(shareIVClientAndResrcDependsAuthorizedTimes.Substring(0, 16));
string clientAuthorizeCTCryptoDecrypt = aesCrypter.Decrypt(jwtObject.CurrentTimesCypherText);
ClientCTCypherTextModelForAuthorize clientAuthorizeCypherTextModel = JsonConvert.DeserializeObject <ClientCTCypherTextModelForAuthorize>(clientAuthorizeCTCryptoDecrypt);
if (GetUtcNowUnixTime() > clientAuthorizeCypherTextModel.ExpiredTime)
{
throw new ClientAuthorizeTokenExpiredException("Client authorized token has expired, please re-authenticate and get new token");
}
string protectedServerOriginalHash = this.clientInProtectedMember.HashValue;
string doubleHashValue = MD5Hasher.Hash(clientAuthorizeCypherTextModel.HashValue);
if (doubleHashValue != protectedServerOriginalHash)
{
throw new TokenTicketCerticateException("After checkt the token ticket, the token ticket is not right, the ticket you send has been used, please re-authenticate and get new token ticket");
}
//確認是否能夠取得下一次授權
if (jwtObject.CurrentTimes + 1 >= clientInProtectedMember.AuthZTimes)
{
throw new AuthorizeTimesHasRunOutException("The token authorzie times has run out and expired, please re-authenticate and get new token ticket");
}
TimesCypherTextPrimeModel clientPrimeModel = new TimesCypherTextPrimeModel()
{
ClientTempIdPrime = new ClientTempIdentityModel()
{
ClientId = clientInProtectedMember.ClientId,
HashValue = clientAuthorizeCypherTextModel.HashValue
},
CurrentTimes = clientInProtectedMember.CurrentTimes,
ClientTempId = new ClientTempIdentityModel()
{
ClientId = clientInProtectedMember.ClientId,
HashValue = clientInProtectedMember.HashValue,
},
};
string newShareKeyClientAndProtected = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareKeyClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes);
string newShareIVClientAndProtected = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareIVClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes).Substring(0, 16);
aesCrypter.SetIV(newShareIVClientAndProtected);
aesCrypter.SetKey(newShareKeyClientAndProtected);
string cypherPrimeStr = JsonConvert.SerializeObject(clientPrimeModel);
string newCypherTextRespClientForNextAuthZ = aesCrypter.Encrypt(cypherPrimeStr);
AuthResrcProtectedAuthorizeModel result = new AuthResrcProtectedAuthorizeModel()
{
ClientId = clientInProtectedMember.ClientId,
PortectedId = clientInProtectedMember.ProtectedId,
ProcessScoreCurrentTimes = (clientInProtectedMember.CurrentTimes + 1),
ProcessScoreHashValue = clientAuthorizeCypherTextModel.HashValue,
ClientRespCypherText = newCypherTextRespClientForNextAuthZ
};
return(result);
}
