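/// <summary>
/// Retrieves the attestation service's trusted signing keys (a JWKS) for the given service JWT.
/// The JWT's "jku" header is honoured only when it equals the expected
/// https://{attestDnsName}/certs endpoint, so a token cannot redirect key discovery to an
/// arbitrary URL of the token author's choosing.
/// </summary>
/// <param name="serviceJwt">Compact-serialized JWT issued by the attestation service.</param>
/// <param name="attestDnsName">DNS name of the attestation service; defines the only accepted "jku" value.</param>
/// <param name="tenantName">Tenant name sent in the "tenantName" request header (truncated to 24 characters).</param>
/// <param name="includeDetails">When true, the validated "jku" value is also logged.</param>
/// <returns>The key set downloaded from the validated discovery endpoint.</returns>
/// <exception cref="ArgumentNullException">A required string argument is null.</exception>
/// <exception cref="ArgumentException">The "jku" header is missing or does not match the expected endpoint.</exception>
/// <exception cref="UriFormatException">The "jku" header value is not a well-formed absolute URI.</exception>
private static JsonWebKeySet RetrieveTrustedSigningKeys(string serviceJwt, string attestDnsName, string tenantName, bool includeDetails)
{
    if (serviceJwt is null)
    {
        throw new ArgumentNullException(nameof(serviceJwt));
    }
    if (attestDnsName is null)
    {
        throw new ArgumentNullException(nameof(attestDnsName));
    }
    if (tenantName is null)
    {
        throw new ArgumentNullException(nameof(tenantName));
    }

    var expectedCertificateDiscoveryEndpoint = $"https://{attestDnsName}/certs";

    // Parse attestation service trusted signing key discovery endpoint from JWT header jku field
    var jwt = new JsonWebToken(serviceJwt);
    var jsonHeaderBytes = Base64Url.DecodeBytes(jwt.EncodedHeader);
    var jsonHeaderString = Encoding.UTF8.GetString(jsonHeaderBytes);
    var jsonHeader = JObject.Parse(jsonHeaderString);
    var jkuToken = jsonHeader.SelectToken("jku");

    // A header without "jku" must be rejected explicitly rather than surfacing as a NullReferenceException.
    if (jkuToken is null)
    {
        throw new ArgumentException($"JWT JKU header not valid. The 'jku' header is missing. Expected value is '{expectedCertificateDiscoveryEndpoint}'");
    }

    // new Uri(string) requires an absolute URI and throws UriFormatException otherwise.
    Uri certificateDiscoveryEndpoint = new Uri(jkuToken.ToString());

    // Validate that "jku" points to the expected certificate discovery endpoint.
    // Ordinal comparison is used because URLs are not linguistic text: a culture-aware
    // comparison can treat strings containing ignorable code points as equal.
    // Because the expected value starts with "https://", this check also pins the scheme.
    if (!string.Equals(expectedCertificateDiscoveryEndpoint, certificateDiscoveryEndpoint.ToString(), StringComparison.OrdinalIgnoreCase))
    {
        throw new ArgumentException($"JWT JKU header not valid. Value is '{certificateDiscoveryEndpoint.ToString()}'. Expected value is '{expectedCertificateDiscoveryEndpoint}'");
    }

    Logger.WriteLine($"JWT JKU location validation : True");
    if (includeDetails)
    {
        Logger.WriteLine($" JWT JKU value : {certificateDiscoveryEndpoint.ToString()}");
    }

    // Retrieve trusted signing keys from the attestation service.
    // WebClient is IDisposable; dispose it so the underlying connection is released.
    using (var webClient = new WebClient())
    {
        // The service accepts at most 24 characters for this header value.
        var headerTenantName = tenantName.Length > 24 ? tenantName.Remove(24) : tenantName;
        webClient.Headers.Add("tenantName", headerTenantName);
        var jwksValue = webClient.DownloadString(certificateDiscoveryEndpoint);
        return new JsonWebKeySet(jwksValue);
    }
}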