        /// <summary>
        /// Derives the per-authorization resource/client key value. The three inputs are placed in an
        /// <see cref="AuthorizeHashModel"/>, serialized to JSON and MD5-hashed; the JSON and that hash are then wrapped
        /// in an <see cref="AuthorizeKeyModel"/>, which is serialized and MD5-hashed once more to give the result.
        /// </summary>
        /// <param name="crypto">Secret string stored in <c>ClientProtectedCryptoStr</c> of the hash input.</param>
        /// <param name="clientTempIdModel">Temporary client identity mixed into the hash input.</param>
        /// <param name="currentTimes">Authorization counter mixed into the hash input.</param>
        /// <returns>The hash string produced by <c>MD5Hasher.Hash</c> over the serialized <see cref="AuthorizeKeyModel"/>.</returns>
        /// <remarks>
        /// The value depends on the JSON serializer's property order and formatting, so every party deriving it must
        /// use the same model and serializer settings. Compare <c>GetTempClientSecretByAuthorizedTimes</c>, which performs
        /// the same two-step hash but delegates the wrapping step to <c>GetAuthorizeSecretModel</c>.
        /// NOTE(review): MD5 is the hash used by <c>MD5Hasher</c> throughout this code; any change here must be mirrored
        /// on the client side.
        /// </remarks>
        private string GetResrcClientKeyAuthzTimesValue(string crypto, ClientTempIdentityModel clientTempIdModel, int currentTimes)
        {
            var hashInput = new AuthorizeHashModel
            {
                ClientProtectedCryptoStr = crypto,
                ClientTempId             = clientTempIdModel,
                CurrentTimes             = currentTimes
            };
            string hashInputJson = JsonConvert.SerializeObject(hashInput);

            // Second layer: the JSON and its hash travel together and are hashed again.
            var keyModel = new AuthorizeKeyModel
            {
                HashKeyTIDCTimesValue = hashInputJson,
                HashValue             = MD5Hasher.Hash(hashInputJson)
            };
            string keyModelJson = JsonConvert.SerializeObject(keyModel);

            return MD5Hasher.Hash(keyModelJson);
        }
        /// <summary>
        /// Derives a temporary client secret bound to the current authorization counter. The inputs are placed in an
        /// <see cref="AuthorizeHashModel"/>, serialized to JSON and MD5-hashed; <c>GetAuthorizeSecretModel</c> (not shown
        /// in this listing) turns the JSON and that hash into a string which is MD5-hashed again to give the result.
        /// </summary>
        /// <param name="shareScretClientWithProtectedServer">Shared secret (key or IV string) between client and protected server.</param>
        /// <param name="tempIdentityModel">Temporary client identity mixed into the hash input.</param>
        /// <param name="currentTimes">Authorization counter mixed into the hash input.</param>
        /// <returns>The hash string produced by <c>MD5Hasher.Hash</c> over the string returned by <c>GetAuthorizeSecretModel</c>.</returns>
        /// <remarks>
        /// Callers in this class use the result both as an AES key and, after truncation, as an AES IV; the output length
        /// is therefore whatever <c>MD5Hasher.Hash</c> returns.
        /// </remarks>
        private string GetTempClientSecretByAuthorizedTimes(string shareScretClientWithProtectedServer,
                                                            ClientTempIdentityModel tempIdentityModel,
                                                            int currentTimes)
        {
            var hashInput = new AuthorizeHashModel
            {
                ClientProtectedCryptoStr = shareScretClientWithProtectedServer,
                ClientTempId             = tempIdentityModel,
                CurrentTimes             = currentTimes
            };
            string hashInputJson = JsonConvert.SerializeObject(hashInput);
            string firstHash     = MD5Hasher.Hash(hashInputJson);

            // Second layer: wrap JSON + hash, then hash the wrapper.
            string secretModelStr = GetAuthorizeSecretModel(firstHash, hashInputJson);

            return MD5Hasher.Hash(secretModelStr);
        }
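        /// <summary>
        /// Client calls the Protected Server for verification: rebuilds the client/protected-server MAC from the stored
        /// member data and the request's <c>ExpiredTime</c>, and rejects the request if it does not match the MAC the
        /// client sent.
        /// </summary>
        /// <param name="reqModel">Client request carrying <c>ExpiredTime</c> (mixed into the MAC) and <c>ClientProtectedMac</c> (the value to check).</param>
        /// <exception cref="ArgumentNullException"><paramref name="reqModel"/> is null.</exception>
        /// <exception cref="ShareHashMacClientWithProtectedNotEqualException">The recomputed MAC differs from <c>reqModel.ClientProtectedMac</c>.</exception>
        /// <remarks>
        /// The MAC is <c>MD5Hasher.Hash</c> over the JSON serialization of a <see cref="ClientProtectedMacModel"/> that
        /// also embeds the shared key and IV, so it depends on the serializer's property order and formatting.
        /// The comparison is done in fixed time so that the position of the first mismatching character does not
        /// leak through response timing.
        /// </remarks>
        public void Verify(CheckClientReqModel reqModel)
        {
            if (reqModel == null)
            {
                throw new ArgumentNullException(nameof(reqModel));
            }

            // Build the HashMac from ProtectedServerMemberClient.
            ClientTempIdentityModel clientTempId = new ClientTempIdentityModel()
            {
                ClientId  = this.memberClientModel.ClientId,
                HashValue = this.memberClientModel.HashValue,
            };

            SymCryptoModel clientProtectedCryptoModel = new SymCryptoModel()
            {
                Key = this.memberClientModel.ShareKeyClientWithProtectedServer,
                IV  = this.memberClientModel.ShareIVClientWithProtectedServer,
            };

            ClientProtectedMacModel clientProtectedMacModel = new ClientProtectedMacModel();

            // Salt is a fixed protocol constant; it must match the value the client uses.
            clientProtectedMacModel.Salt         = "2";
            clientProtectedMacModel.ClientTempId = clientTempId;
            clientProtectedMacModel.ProtectedId  = this.memberClientModel.ProtectedId;
            clientProtectedMacModel.AuthZTimes   = this.memberClientModel.AuthZTimes;
            clientProtectedMacModel.HashValue    = clientTempId.HashValue;
            clientProtectedMacModel.ExpiredTime  = reqModel.ExpiredTime;
            clientProtectedMacModel.ClientProtectedCryptoModel = clientProtectedCryptoModel;

            string shareMacClientWithResrJson = JsonConvert.SerializeObject(clientProtectedMacModel);
            // Build the HashMac.
            string shareHashMacClientWithResr = MD5Hasher.Hash(shareMacClientWithResrJson);

            // Check that the recomputed MAC matches the one the client sent.
            if (!FixedTimeEquals(shareHashMacClientWithResr, reqModel.ClientProtectedMac))
            {
                throw new ShareHashMacClientWithProtectedNotEqualException("Client request mac in model is invalid. " +
                                                                           "More message: the share mac in client is not equal after protected server decrypted and compare " +
                                                                           "the mac message which client request");
            }
        }

        /// <summary>
        /// Compares two strings for ordinal equality in time that depends only on their length, not on where they
        /// first differ. Equivalent in result to <c>expected == actual</c> (null-safe).
        /// </summary>
        /// <param name="expected">The value computed on the server.</param>
        /// <param name="actual">The value supplied by the caller.</param>
        /// <returns>True when both are null or both have identical characters; false otherwise.</returns>
        /// <remarks>
        /// On runtimes that provide it, <c>System.Security.Cryptography.CryptographicOperations.FixedTimeEquals</c>
        /// over the encoded bytes is the preferred replacement.
        /// </remarks>
        private static bool FixedTimeEquals(string expected, string actual)
        {
            if (expected == null || actual == null)
            {
                return expected == actual;
            }

            // A length mismatch reveals only the length, which is public for a fixed-size hash.
            if (expected.Length != actual.Length)
            {
                return false;
            }

            // OR the differences together instead of returning early so every character is always visited.
            int diff = 0;
            for (int i = 0; i < expected.Length; i++)
            {
                diff |= expected[i] ^ actual[i];
            }

            return diff == 0;
        }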
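        /// <summary>
        /// Verifies a client authorization token at the protected server and, when it is valid, produces the material
        /// the client needs for its next authorization round. Steps, in order: decode the HS256 JWT with the shared
        /// client/protected-server key; check the token's URL list against the authorized list; re-derive this round's
        /// AES key/IV from the shared secrets and the stored counter; decrypt the client's counter cipher text; reject
        /// expired tickets, tickets whose double hash does not match the stored hash, and clients whose authorization
        /// count is exhausted; finally derive the next round's key/IV and encrypt the "prime" model returned to the client.
        /// </summary>
        /// <param name="token">HS256-signed JWT issued to the client; its payload must deserialize to a <see cref="ClientAuthorizedReqModel"/>.</param>
        /// <returns>Authorization result carrying the client and protected ids, the next counter value, the hash value the client presented and the cipher text for the next round.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="token"/> is null.</exception>
        /// <exception cref="ArgumentException">The JWT payload does not deserialize to a <see cref="ClientAuthorizedReqModel"/>.</exception>
        /// <exception cref="ClientAuthorizeTokenExpiredException">The decrypted ticket's <c>ExpiredTime</c> lies before the current UTC Unix time.</exception>
        /// <exception cref="TokenTicketCerticateException">The decrypted ticket is unreadable, or the MD5 of its <c>HashValue</c> does not match the stored hash value.</exception>
        /// <exception cref="AuthorizeTimesHasRunOutException"><c>CurrentTimes + 1</c> from the token has reached the stored <c>AuthZTimes</c>.</exception>
        /// <remarks>
        /// This method mutates the shared <c>aesCrypter</c> (key and IV are set twice); it is not safe to call
        /// concurrently on the same instance unless <c>aesCrypter</c> is itself synchronized — not verifiable from here.
        /// </remarks>
        public AuthResrcProtectedAuthorizeModel Verify(string token)
        {
            if (token == null)
            {
                throw new ArgumentNullException(nameof(token));
            }

            // Decode the token. The key bytes are the UTF-16 (Encoding.Unicode) encoding of the shared key string, and the
            // algorithm is pinned to HS256 in the call rather than taken from the token header.
            string jwtDecodeValue = JWT.Decode(token,
                                               Encoding.Unicode.GetBytes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer),
                                               JwsAlgorithm.HS256);
            ClientAuthorizedReqModel jwtObject = JsonConvert.DeserializeObject<ClientAuthorizedReqModel>(jwtDecodeValue);
            if (jwtObject == null)
            {
                // DeserializeObject yields null for an empty or literal "null" payload; fail here with a clear message
                // instead of a NullReferenceException further down.
                throw new ArgumentException("Token payload does not contain a client authorized request model", nameof(token));
            }

            // Encrypted list of permitted URLs carried in the token.
            List<string> encryptValueList = jwtObject.ValidUrlList;

            VerifyUrlIsInAuthorizedList(encryptValueList);

            // Re-derive this round's AES key and IV from the shared secrets, the stored temporary identity and the stored counter.
            ClientTempIdentityModel tempIdentityModel           = new ClientTempIdentityModel(this.clientInProtectedMember.ClientId, this.clientInProtectedMember.HashValue);
            string shareKeyClientAndResrcDependsAuthorizedTimes = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);
            string shareIVClientAndResrcDependsAuthorizedTimes  = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareIVClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);

            aesCrypter.SetKey(shareKeyClientAndResrcDependsAuthorizedTimes);
            // Only the first 16 characters of the derived value serve as the IV; assumes MD5Hasher.Hash returns at
            // least 16 characters — TODO confirm.
            aesCrypter.SetIV(shareIVClientAndResrcDependsAuthorizedTimes.Substring(0, 16));

            string clientAuthorizeCTCryptoDecrypt = aesCrypter.Decrypt(jwtObject.CurrentTimesCypherText);
            ClientCTCypherTextModelForAuthorize clientAuthorizeCypherTextModel = JsonConvert.DeserializeObject<ClientCTCypherTextModelForAuthorize>(clientAuthorizeCTCryptoDecrypt);
            if (clientAuthorizeCypherTextModel == null)
            {
                throw new TokenTicketCerticateException("After decrypting the token ticket no ticket content was found, please re-authenticate and get new token ticket");
            }

            if (GetUtcNowUnixTime() > clientAuthorizeCypherTextModel.ExpiredTime)
            {
                throw new ClientAuthorizeTokenExpiredException("Client authorized token has expired, please re-authenticate and get new token");
            }

            // The stored value is the hash of the hash the client presents; a replayed ticket will not double-hash to it.
            string protectedServerOriginalHash = this.clientInProtectedMember.HashValue;
            string doubleHashValue             = MD5Hasher.Hash(clientAuthorizeCypherTextModel.HashValue);

            // NOTE(review): ordinal string comparison; a fixed-time comparison would keep the stored hash from leaking
            // through response timing, although here the caller controls only the preimage.
            if (doubleHashValue != protectedServerOriginalHash)
            {
                throw new TokenTicketCerticateException("After checkt the token ticket, the token ticket is not right, the ticket you send has been used, please re-authenticate and get new token ticket");
            }

            // Confirm whether the next authorization can still be obtained.
            if (jwtObject.CurrentTimes + 1 >= clientInProtectedMember.AuthZTimes)
            {
                throw new AuthorizeTimesHasRunOutException("The token authorzie times has run out and expired, please re-authenticate and get new token ticket");
            }

            // "Prime" model for the next round: the client's presented hash becomes the prime identity, the stored one stays as ClientTempId.
            TimesCypherTextPrimeModel clientPrimeModel = new TimesCypherTextPrimeModel()
            {
                ClientTempIdPrime = new ClientTempIdentityModel()
                {
                    ClientId  = clientInProtectedMember.ClientId,
                    HashValue = clientAuthorizeCypherTextModel.HashValue
                },
                CurrentTimes = clientInProtectedMember.CurrentTimes,
                ClientTempId = new ClientTempIdentityModel()
                {
                    ClientId  = clientInProtectedMember.ClientId,
                    HashValue = clientInProtectedMember.HashValue,
                },
            };

            // Derive the key/IV used to encrypt the response; same inputs as above except the identity object is the
            // freshly built ClientTempId.
            string newShareKeyClientAndProtected = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareKeyClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes);
            string newShareIVClientAndProtected  = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareIVClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes).Substring(0, 16);

            aesCrypter.SetIV(newShareIVClientAndProtected);
            aesCrypter.SetKey(newShareKeyClientAndProtected);
            string cypherPrimeStr = JsonConvert.SerializeObject(clientPrimeModel);
            string newCypherTextRespClientForNextAuthZ = aesCrypter.Encrypt(cypherPrimeStr);

            AuthResrcProtectedAuthorizeModel result = new AuthResrcProtectedAuthorizeModel()
            {
                ClientId    = clientInProtectedMember.ClientId,
                PortectedId = clientInProtectedMember.ProtectedId,
                ProcessScoreCurrentTimes = (clientInProtectedMember.CurrentTimes + 1),
                ProcessScoreHashValue    = clientAuthorizeCypherTextModel.HashValue,
                ClientRespCypherText     = newCypherTextRespClientForNextAuthZ
            };

            return result;
        }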