/// <summary>
/// Encodes given binary data to JWT token and sign it using given algorithm.
/// </summary>
/// <param name="payload">Binary data to encode (not null)</param>
/// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param>
/// <param name="algorithm">JWT algorithm to be used.</param>
/// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
/// <param name="settings">optional settings to override global DefaultSettings</param>
/// <param name="options">additional encoding options</param>
/// <returns>JWT in compact serialization form, digitally signed.</returns>
public static string EncodeBytes(byte[] payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null)
{
if (payload == null)
{
throw new ArgumentNullException(nameof(payload));
}
JwtSettings jwtSettings = GetSettings(settings);
JwtOptions jwtOptions = options ?? JwtOptions.Default;
var jwtHeader = new Dictionary <string, object> {
{ "alg", jwtSettings.JwsHeaderValue(algorithm) }
};
if (extraHeaders == null) //allow overload, but keep backward compatible defaults
{
extraHeaders = new Dictionary <string, object> {
{ "typ", "JWT" }
};
}
if (!jwtOptions.EncodePayload)
{
jwtHeader["b64"] = false;
jwtHeader["crit"] = Collections.Union(new[] { "b64" }, Dictionaries.Get(extraHeaders, "crit"));
}
Dictionaries.Append(jwtHeader, extraHeaders);
byte[] headerBytes = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader));
IJwsAlgorithm jwsAlgorithm = jwtSettings.Jws(algorithm);
if (jwsAlgorithm == null)
{
throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
}
byte[] signature = jwsAlgorithm.Sign(securedInput(headerBytes, payload, jwtOptions.EncodePayload), key);
byte[] payloadBytes = jwtOptions.DetachPayload ? new byte[0] : payload;
return(jwtOptions.EncodePayload
? Compact.Serialize(headerBytes, payloadBytes, signature)
: Compact.Serialize(headerBytes, Encoding.UTF8.GetString(payloadBytes), signature));
}
/// <summary>
/// Gets the JWS algoritm that corresponds to a given algorithm name.
/// </summary>
/// <param name="Name">Algorithm name.</param>
/// <param name="Algorithm">Algorithm object, if found.</param>
/// <returns>If an algorithm with the given name was found.</returns>
public static bool TryGetAlgorithm(string Name, out IJwsAlgorithm Algorithm)
{
lock (algorithms)
{
if (!initialized)
{
foreach (Type T in Types.GetTypesImplementingInterface(typeof(IJwsAlgorithm)))
{
if (T.GetTypeInfo().IsAbstract)
{
continue;
}
try
{
Algorithm = (IJwsAlgorithm)Activator.CreateInstance(T);
if (algorithms.ContainsKey(Algorithm.Name))
{
Log.Warning("JWS algorithm with name " + Algorithm.Name + " already registered.");
}
else
{
algorithms[Algorithm.Name] = Algorithm;
}
}
catch (Exception ex)
{
Log.Critical(ex);
}
}
if (!registered)
{
Types.OnInvalidated += Types_OnInvalidated;
registered = true;
}
initialized = true;
}
return(algorithms.TryGetValue(Name, out Algorithm));
}
}
public AesCbcHmacEncryption(IJwsAlgorithm hashAlgorithm, int keyLength)
{
this.hashAlgorithm = hashAlgorithm;
this.keyLength = keyLength;
}
public AesCbcHmacEncryption(IJwsAlgorithm hashAlgorithm, int keyLength)
{
this.hashAlgorithm = hashAlgorithm;
this.keyLength = keyLength;
}
private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null, bool requireSignature = false)
{
Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");
Compact.Iterator parts = Compact.Iterate(token);
if (parts.Count == 5) //encrypted JWT
{
return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings));
}
else
{
//signed or plain JWT
JwtSettings jwtSettings = GetSettings(settings);
byte[] header = parts.Next();
Dictionary <string, object> headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));
bool b64 = true;
if (headerData.TryGetValue("b64", out object value))
{
b64 = (bool)value;
}
byte[] contentPayload = parts.Next(b64);
byte[] signature = parts.Next();
byte[] effectivePayload = payload ?? contentPayload;
if (requireSignature && signature.Length == 0)
{
throw new JoseException("Payload is missing required signature");
}
string algorithm = (string)headerData["alg"];
JwsAlgorithm jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm);
if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm)
{
throw new InvalidAlgorithmException("The algorithm type passed to the Decode method did not match the algorithm type in the header.");
}
IJwsAlgorithm jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm);
if (jwsAlgorithmImpl == null)
{
throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
}
// If the key has not been specified, attempt to read it from the header.
if (key == null && headerData.ContainsKey("kid") && jwsAlgorithm != JwsAlgorithm.none)
{
if (jwsAlgorithm == JwsAlgorithm.ES256K)
{
key = (BitcoinPubKeyAddress)BitcoinPubKeyAddress.Create((string)headerData["kid"], jwtSettings.Network);
}
else
{
key = (string)headerData["kid"];
}
}
if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key))
{
throw new IntegrityException("Invalid signature.");
}
return(effectivePayload);
}
}
/// <summary>
/// Contains information about a Java Web Token (JWT). JWT is defined in RFC 7519:
/// https://tools.ietf.org/html/rfc7519
///
/// JWT are based on JSON Web Signature (JWS), defined in RFC 7515:
/// https://tools.ietf.org/html/rfc7515
///
/// Signature algorithms are defined in RFC 7518:
/// https://tools.ietf.org/html/rfc7518
/// </summary>
public JwtToken(string Token)
{
this.token = Token;
try
{
string[] Parts = Token.Split('.');
byte[] HeaderBin = Base64Url.Decode(this.header = Parts[0]);
string HeaderString = Encoding.UTF8.GetString(HeaderBin);
if (JSON.Parse(HeaderString) is Dictionary <string, object> Header)
{
if (Header.TryGetValue("typ", out object Typ))
{
this.type = Typ as string;
}
if (!Header.TryGetValue("alg", out object Alg) || !(Alg is string AlgStr))
{
throw new ArgumentException("Invalid alg header field.", nameof(Token));
}
if (string.IsNullOrEmpty(AlgStr) || AlgStr.ToLower() == "none")
{
this.algorithm = null;
}
else if (!JwsAlgorithm.TryGetAlgorithm(AlgStr, out this.algorithm))
{
throw new ArgumentException("Unrecognized algorithm reference in header field.", nameof(Token));
}
}
else
{
throw new Exception("Invalid JSON header.");
}
if (Parts.Length < 2)
{
throw new Exception("Claims set missing.");
}
byte[] ClaimsBin = Base64Url.Decode(this.payload = Parts[1]);
string ClaimsString = Encoding.UTF8.GetString(ClaimsBin);
if (JSON.Parse(ClaimsString) is Dictionary <string, object> Claims)
{
this.claims = Claims;
foreach (KeyValuePair <string, object> P in Claims)
{
switch (P.Key)
{
case "iss":
this.issuer = P.Value as string;
break;
case "sub":
this.subject = P.Value as string;
break;
case "jti":
this.id = P.Value as string;
break;
case "aud":
if (P.Value is string AudStr)
{
this.audience = AudStr.Split(',');
}
else if (P.Value is Array)
{
List <string> Audience = new List <string>();
foreach (object Item in (Array)P.Value)
{
Audience.Add(Item.ToString());
}
this.audience = Audience.ToArray();
}
break;
case "exp":
if (P.Value is int ExpInt)
{
this.expiration = JSON.UnixEpoch.AddSeconds(ExpInt);
}
break;
case "nbf":
if (P.Value is int NbfInt)
{
this.notBefore = JSON.UnixEpoch.AddSeconds(NbfInt);
}
break;
case "iat":
if (P.Value is int IatInt)
{
this.issuedAt = JSON.UnixEpoch.AddSeconds(IatInt);
}
break;
case "expires":
break;
}
}
}
else
{
throw new Exception("Invalid JSON claims set.");
}
if (Parts.Length < 3)
{
throw new Exception("Signature missing.");
}
this.signature = Parts[2];
}
catch (Exception ex)
{
throw new Exception("Unable to parse JWT token.", ex);
}
}
