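/// <summary>
/// Parses a compact JWE/JWS string, verifies that its signature is valid and comes from a trusted
/// signer, and returns the decrypted payload deserialised as <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">Type the decrypted JSON payload is deserialised into.</typeparam>
/// <param name="b64MessageToDecrypt">The base64url compact serialisation to verify and decrypt.</param>
/// <param name="issuerEncryptionCerts">Certificates handed to the payload decryptor.</param>
/// <param name="cryptoPolicy">Policy attached to the message and consulted during validation/decryption.</param>
/// <returns>The decrypted JSON payload as <typeparamref name="T"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="b64MessageToDecrypt"/> is null.</exception>
/// <exception cref="Rsa3dSecureException">The signature is invalid or the signer is not trusted.</exception>
public static T FromEncryptedString<T>(string b64MessageToDecrypt, List<X509Certificate2> issuerEncryptionCerts, IJweCryptoPolicy cryptoPolicy)
{
    if (b64MessageToDecrypt == null)
    {
        throw new ArgumentNullException(nameof(b64MessageToDecrypt));
    }

    var parts = b64MessageToDecrypt.SplitInToSections();
    var jwsHeader = JwsHeader.CreateJweHeaderFromEncryptedHeader(parts[0]);

    // The signing certificate is taken from the message's own header, so JWT.Decode only proves the
    // message was signed by the key it advertises. Whether that signer is trusted is decided by
    // IsSignatureValidAndTrusted() below, and nothing is returned until that check passes.
    // GetRSAPublicKey() returns a new RSA instance on every call; dispose it rather than leak it.
    using (var signingKey = jwsHeader.SigningPublicCert.GetRSAPublicKey())
    {
        var verifiedPayload = JWT.Decode(b64MessageToDecrypt, signingKey);

        var message = new JweMessage
        {
            CryptoPolicy = cryptoPolicy,
            EncryptedMessage = b64MessageToDecrypt,
            Header = jwsHeader,
            Payload = JweEncryptedPayload.CreateFromEncryptedPayload(verifiedPayload, issuerEncryptionCerts),
            Signature = new JweSignature(parts[2])
        };

        if (!message.IsSignatureValidAndTrusted())
        {
            throw new Rsa3dSecureException(RsaErrorCodes.VerifySignatureFailed, "Message Signature is not valid.");
        }

        return message.GetDecryptedJsonObjectAs<T>();
    }
}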
/// <summary>
/// Serialises <paramref name="payload"/> to JSON and signs it as a compact JWS with RS256 using
/// the instance's RSA key.
/// </summary>
/// <typeparam name="TPayload">Type of the object carried as the JWS payload.</typeparam>
/// <param name="payload">Object serialised to JSON and base64url-encoded as the payload segment.</param>
/// <param name="protectedHeader">
/// Header signed together with the payload. It is mutated in place: <c>Algorithm</c> is set to
/// "RS256" and either <c>KeyId</c> or <c>Key</c> is filled from the instance JWK.
/// </param>
/// <returns>A <see cref="JwsMessage"/> whose Protected, Payload and Signature are base64url strings.</returns>
public JwsMessage Encode<TPayload>(TPayload payload, JwsHeader protectedHeader)
{
    protectedHeader.Algorithm = "RS256";

    // Reference the signing key by id when one exists; otherwise embed the JWK itself.
    // NOTE(review): assumes _jwk carries only public parameters — confirm, because whatever it
    // holds is copied verbatim into the header of every message produced here.
    var hasKeyId = _jwk.KeyId != null;
    if (hasKeyId)
    {
        protectedHeader.KeyId = _jwk.KeyId;
    }
    else
    {
        protectedHeader.Key = _jwk;
    }

    var encodedPayload = Base64UrlEncoded(JsonConvert.SerializeObject(payload));
    var encodedHeader = Base64UrlEncoded(JsonConvert.SerializeObject(protectedHeader));

    // RS256: RSASSA-PKCS1-v1_5 with SHA-256 over the ASCII signing input "<protected>.<payload>".
    var signingInput = Encoding.ASCII.GetBytes(encodedHeader + "." + encodedPayload);
    var rawSignature = _rsa.SignData(signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    return new JwsMessage
    {
        Payload = encodedPayload,
        Protected = encodedHeader,
        Signature = Base64UrlEncoded(rawSignature)
    };
}
/// <summary>
/// Checks that a verified request object agrees with the client's registration and with the outer
/// authorization request: signing algorithm, presence of <c>response_type</c> and <c>client_id</c>,
/// and that both claims match the request being handled.
/// </summary>
/// <param name="header">Header of the JWS carrying the request object.</param>
/// <param name="jwsPayload">Claims of the request object; must not be null.</param>
/// <param name="openidClient">Client whose registration the request object is checked against.</param>
/// <param name="context">Current handler context providing the outer request and authenticated client.</param>
/// <exception cref="OAuthException">Thrown on the first check that fails, with the matching error code.</exception>
protected virtual void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
{
    if (jwsPayload == null)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, OAuth.ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    // Pin "alg" to the client's registered value when there is one; with no registration,
    // this method does not restrict the algorithm.
    var registeredAlg = openidClient.RequestObjectSigningAlg;
    if (!string.IsNullOrWhiteSpace(registeredAlg) && header.Alg != registeredAlg)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_SIGNATURE_ALG);
    }

    var responseTypeKey = OAuth.DTOs.AuthorizationRequestParameters.ResponseType;
    var clientIdKey = OAuth.DTOs.AuthorizationRequestParameters.ClientId;

    if (!jwsPayload.ContainsKey(responseTypeKey))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
    }

    if (!jwsPayload.ContainsKey(clientIdKey))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
    }

    // response_type is a space-delimited, unordered set: sort both sides before comparing.
    var claimedResponseTypes = jwsPayload[responseTypeKey].ToString().Split(' ').OrderBy(s => s);
    var requestedResponseTypes = context.Request.RequestData.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s);
    if (!claimedResponseTypes.SequenceEqual(requestedResponseTypes))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
    }

    // The client_id bound into the request object must be the client making this request.
    if (jwsPayload[clientIdKey].ToString() != context.Client.ClientId)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
    }
}
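/// <summary>
/// Parses a compact JWE/JWS string into a <see cref="JweMessage"/>, checking the signature against
/// the certificate named in the message's own header.
/// </summary>
/// <remarks>
/// This method does NOT establish that the signer is trusted: the key used for the signature check
/// comes from the header of the message being parsed. Callers must call
/// <c>IsSignatureValidAndTrusted()</c> on the returned message before relying on its payload.
/// </remarks>
/// <param name="b64MessageToDecrypt">The base64url compact serialisation to parse.</param>
/// <param name="issuerEncryptionCerts">Certificates handed to the payload decryptor.</param>
/// <param name="cryptoPolicy">Policy attached to the resulting message.</param>
/// <returns>The parsed message, with header, encrypted payload and signature populated.</returns>
/// <exception cref="ArgumentNullException"><paramref name="b64MessageToDecrypt"/> is null.</exception>
public static JweMessage FromEncryptedString(string b64MessageToDecrypt, List<X509Certificate2> issuerEncryptionCerts, IJweCryptoPolicy cryptoPolicy)
{
    if (b64MessageToDecrypt == null)
    {
        throw new ArgumentNullException(nameof(b64MessageToDecrypt));
    }

    var parts = b64MessageToDecrypt.SplitInToSections();
    var jwsHeader = JwsHeader.CreateJweHeaderFromEncryptedHeader(parts[0]);

    // GetRSAPublicKey() returns a new RSA instance on every call; dispose it rather than leak it.
    using (var signingKey = jwsHeader.SigningPublicCert.GetRSAPublicKey())
    {
        var verifiedPayload = JWT.Decode(b64MessageToDecrypt, signingKey);

        return new JweMessage
        {
            CryptoPolicy = cryptoPolicy,
            EncryptedMessage = b64MessageToDecrypt,
            Header = jwsHeader,
            Payload = JweEncryptedPayload.CreateFromEncryptedPayload(verifiedPayload, issuerEncryptionCerts),
            Signature = new JweSignature(parts[2])
        };
    }
}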
/// <summary>
/// Validates a request object: accepts a JWS, or a JWE wrapping a JWS, decrypts the outer layer
/// when present, extracts the header and verifies the signature via the JWT parser.
/// </summary>
/// <param name="request">The raw request object string received from the client.</param>
/// <param name="oauthClient">Client whose keys/registration the parser uses to unsign the token.</param>
/// <param name="cancellationToken">Forwarded to the decryption step only.</param>
/// <param name="errorCode">OAuth error code used for every failure raised by this method.</param>
/// <returns>The verified payload together with the extracted JWS header.</returns>
/// <exception cref="OAuthException">Thrown with <paramref name="errorCode"/> when the token is neither JWS nor JWE, cannot be decrypted, has an unreadable header, or fails signature verification.</exception>
public virtual async Task<RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
{
    if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
    {
        throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
    }

    // A JWE wraps the signed token; strip the encryption layer before reading the JWS.
    var jws = request;
    if (_jwtParser.IsJweToken(request))
    {
        jws = await _jwtParser.Decrypt(jws, cancellationToken);
        if (string.IsNullOrWhiteSpace(jws))
        {
            throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
        }
    }

    JwsHeader header;
    try
    {
        header = _jwtParser.ExtractJwsHeader(jws);
    }
    catch (InvalidOperationException)
    {
        throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    try
    {
        var jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode);
        return new RequestObjectValidatorResult(jwsPayload, header);
    }
    catch (JwtException ex)
    {
        // The parser's message becomes the OAuth error description returned to the caller.
        // NOTE(review): confirm JwtException messages describe only the token, not server internals.
        throw new OAuthException(errorCode, ex.Message);
    }
}
/// <summary>
/// Extends the base request-object checks with lifetime and audience validation: the object must
/// carry an <c>exp</c> claim that has not passed, and if it carries <c>aud</c> that list must
/// include this issuer.
/// </summary>
/// <param name="header">Header of the JWS carrying the request object.</param>
/// <param name="jwsPayload">Claims of the request object.</param>
/// <param name="openidClient">Client whose registration the request object is checked against.</param>
/// <param name="context">Current handler context; supplies the issuer name used for the audience check.</param>
/// <exception cref="OAuthException">Thrown when <c>exp</c> is missing, the object is expired, or the audience excludes this issuer.</exception>
protected override void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
{
    base.CheckRequestObject(header, jwsPayload, openidClient, context);

    var expClaim = Jwt.Constants.OAuthClaims.ExpirationTime;
    if (!jwsPayload.ContainsKey(expClaim))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(ErrorMessages.MISSING_PARAMETER, expClaim));
    }

    // Both sides are Unix timestamps; no clock-skew tolerance is applied here.
    var now = DateTime.UtcNow.ConvertToUnixTimestamp();
    var expiresAt = jwsPayload.GetExpirationTime();
    if (now > expiresAt)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_IS_EXPIRED);
    }

    // An absent or empty aud is accepted; when present it must name this issuer.
    var audiences = jwsPayload.GetAudiences();
    var audienceIsRestricted = audiences.Any();
    if (audienceIsRestricted && !audiences.Contains(context.Request.IssuerName))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_BAD_AUDIENCE);
    }
}
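/// <summary>
/// Validates the <c>request</c> parameter of an authorization request (a JWS, optionally wrapped in a
/// JWE) and, when every check passes, replaces the request data with the claims of the request object.
/// </summary>
/// <param name="context">Handler context; <c>context.Client</c> must be an <see cref="OpenIdClient"/>.</param>
/// <param name="request">The raw request object as received from the client.</param>
/// <returns>Always <c>true</c>; every failure is reported by throwing.</returns>
/// <exception cref="OAuthException">
/// Thrown with <c>INVALID_REQUEST</c> when the token is neither JWS nor JWE, cannot be decrypted or
/// parsed, uses an algorithm other than the one the client is registered for, or carries claims
/// that disagree with the outer request.
/// </exception>
protected async Task<bool> CheckRequest(HandlerContext context, string request)
{
    var openidClient = (OpenIdClient)context.Client;
    if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER);
    }

    // A JWE wraps the signed token; strip the encryption layer before reading the JWS.
    var jws = request;
    if (_jwtParser.IsJweToken(request))
    {
        jws = await _jwtParser.Decrypt(jws);
        if (string.IsNullOrWhiteSpace(jws))
        {
            throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
        }
    }

    JwsHeader header;
    try
    {
        header = _jwtParser.ExtractJwsHeader(jws);
    }
    catch (InvalidOperationException)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    // Pin "alg" before the signature is checked: a client with a registered algorithm must use
    // exactly that one, and a client with none registered may only send an unsigned ("none")
    // request object. Any other advertised algorithm is rejected regardless of whether its
    // signature would verify.
    var registeredAlg = openidClient.RequestObjectSigningAlg;
    var expectedAlg = string.IsNullOrWhiteSpace(registeredAlg) ? NoneSignHandler.ALG_NAME : registeredAlg;
    if (header.Alg != expectedAlg)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG);
    }

    var jwsPayload = await _jwtParser.Unsign(jws, context.Client);
    if (jwsPayload == null)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    var responseTypeKey = OAuth.DTOs.AuthorizationRequestParameters.ResponseType;
    var clientIdKey = OAuth.DTOs.AuthorizationRequestParameters.ClientId;

    if (!jwsPayload.ContainsKey(responseTypeKey))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
    }

    if (!jwsPayload.ContainsKey(clientIdKey))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
    }

    // response_type is a space-delimited, unordered set, so BOTH sides are sorted before
    // comparing; sorting only the claim side would make the result depend on the order the
    // outer request happened to use.
    var claimedResponseTypes = jwsPayload[responseTypeKey].ToString().Split(' ').OrderBy(s => s);
    var requestedResponseTypes = context.Request.Data.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s);
    if (!claimedResponseTypes.SequenceEqual(requestedResponseTypes))
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
    }

    // The client_id bound into the signed object must be the authenticated client.
    if (jwsPayload[clientIdKey].ToString() != context.Client.ClientId)
    {
        throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
    }

    // The verified claims supersede the outer request parameters from here on.
    context.Request.SetData(JObject.FromObject(jwsPayload));
    return true;
}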
/// <summary>
/// Bundles the outcome of request-object validation: the verified claims and the JWS header they
/// were read from.
/// </summary>
/// <param name="jwsPayload">Verified claims of the request object.</param>
/// <param name="header">Header of the JWS that carried the claims.</param>
public RequestObjectValidatorResult(JwsPayload jwsPayload, JwsHeader header)
{
    this.JwsHeader = header;
    this.JwsPayload = jwsPayload;
}