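/// <summary>
/// Validates a Scheme Owner assertion: the JWT must pass the
/// <c>IsIShareCompliant</c> check, the last certificate in
/// <c>assertionModel.Certificates</c> must be a trusted root, and the first
/// certificate must chain to the supplied certificates and belong to the Scheme Owner.
/// </summary>
/// <param name="assertionModel">Assertion whose JWT and Base64-DER certificate list are checked.</param>
/// <returns>
/// <c>true</c> only when every check passes; <c>false</c> on any failed check, on a
/// missing/empty certificate list, or on any exception (fail closed).
/// </returns>
public bool IsValid(AssertionModel assertionModel)
        {
            try
            {
                // 1. The token itself must pass the compliance check before any certificate
                //    material carried in the assertion is inspected.
                if (!_decodedJwtValidator.IsIShareCompliant(CreateTokenValidationArgs(assertionModel)))
                {
                    return(false);
                }

                // Fail closed explicitly when no certificates were supplied: the chain checks
                // below have nothing to anchor to. Previously this only surfaced as an
                // InvalidOperationException from Last()/First(), swallowed by the catch below.
                if (assertionModel.Certificates is null || !assertionModel.Certificates.Any())
                {
                    _logger.LogWarning("SO assertion contains no certificates.");

                    return(false);
                }

                // Decode each certificate exactly once. Expected order as supplied by the
                // Scheme Owner: [0] = leaf/signing certificate, then intermediates, last = root.
                var chain = assertionModel.Certificates
                                          .Select(CertificateUtilities.FromBase64Der)
                                          .ToArray();

                // 2. The root presented by the caller must be one we already trust.
                //    NOTE(review): with a single-element list the leaf itself is tested here
                //    as the "root" — confirm that is intended.
                if (!IsRootCertificateTrusted(chain[chain.Length - 1]))
                {
                    _logger.LogWarning("SO root certificate is untrusted.");

                    return(false);
                }

                var x509Certificate        = chain[0];
                var additionalCertificates = chain.Skip(1).ToArray();

                // 3. The leaf must build a valid chain through the supplied certificates and be
                //    bound to the Scheme Owner identity. NOTE(review): IsChainValid should anchor
                //    to the root checked above rather than the machine store — confirm in its body.
                return(IsChainValid(x509Certificate, additionalCertificates) && DoesBelongToSchemeOwner(x509Certificate));
            }
            catch (Exception e)
            {
                // Any failure (malformed Base64/DER, unexpected null, ...) is treated as
                // "not valid": fail closed rather than propagate a partially validated result.
                _logger.LogError(e, "Error occurred while validating token response retrieved from Scheme Owner.");

                return(false);
            }
        }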
        /// <summary>
        /// The Scheme Owner public key decoded from PEM and from Base64-encoded DER must be
        /// the same certificate; equality is established by comparing their SHA-256 values.
        /// </summary>
        public void FromPemFormat_FromBase64Der_BothCertsConvertedCorrectly()
        {
            // Arrange: same certificate, two input encodings.
            var fromPem = CertificateUtilities.FromPemFormat(Constants.SchemeOwner.PublicKey);
            var fromDer = CertificateUtilities.FromBase64Der(Constants.SchemeOwner.PublicKeyBase64Der);

            // Act: thumbprint-style comparison via SHA-256 (not SHA-1, despite any older naming).
            var pemDigest = fromPem.GetSha256();
            var derDigest = fromDer.GetSha256();

            // Assert
            pemDigest.Should().Be(derDigest);
        }
        /// <summary>
        /// A trusted leaf certificate presented together with its trusted root CA, under the
        /// production CA strategy, is accepted by <see cref="JwtCertificateValidator"/>.
        /// </summary>
        public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue()
        {
            // Arrange
            var leafCertificate = CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der);
            var trustedRoots    = new[]
            {
                CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der)
            };
            var validationArgs = new CertificateValidationArgs(leafCertificate, Constants.SchemeOwner.ClientId, trustedRoots);

            var validator = new JwtCertificateValidator(
                _partiesQueryServiceMock.Object,
                _trustedListQueryServiceMock.Object,
                new ProductionCaStrategy(),
                _loggerMock.Object);

            // Act
            var isValid = await validator.IsValidAsync(validationArgs, "access_token", CancellationToken.None);

            // Assert
            isValid.Should().BeTrue();
        }