Esempio n. 1
        // Negative path: Validate() must throw SignatureVerificationException when the signature
        // recomputed over "header.payload" differs from the one carried by the token.
        public void Validate_Should_Throw_Exception_When_Crypto_Does_Not_Match_Signature()
        {
            var encoder = new JwtBase64UrlEncoder();
            var parts   = new JwtParts(TestData.Token);

            var payloadJson = GetString(encoder.Decode(parts.Payload));

            // Signature segment as it arrived with the token, re-encoded as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // Recompute HMAC-SHA256 over the signing input with the fixture key "ABC".
            var signingInput = GetBytes(string.Concat(parts.Header, ".", parts.Payload));
            var recomputed   = new HMACSHA256Algorithm().Sign(GetBytes("ABC"), signingInput);

            // Change the first byte so the two signatures can no longer be equal.
            recomputed[0]++;
            var tamperedSignature = Convert.ToBase64String(recomputed);

            // NOTE(review): Validate receives both signatures as base64 strings; whether it compares
            // them in constant time is not visible from this test - confirm in JwtValidator.
            var validator = new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider());

            Action act = () => validator.Validate(payloadJson, cryptoFromToken, tamperedSignature);

            act.Should().Throw<SignatureVerificationException>("because the signature does not match the crypto");
        }
Esempio n. 2
        // NOTE(review): the method name says "Crypto_Matches_Signature", but the body alters the
        // recomputed signature before validating, so what is exercised is the mismatch case:
        // TryValidate must return false and hand back a non-null exception.
        public void TryValidate_Should_Return_False_And_Exception_Not_Null_When_Crypto_Matches_Signature()
        {
            var encoder = new JwtBase64UrlEncoder();
            var parts   = new JwtParts(TestData.Token);

            var payloadJson = JwtValidator.GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // Signature recomputed with the fixture key "ABC", then damaged in its first byte.
            var signingInput = JwtValidator.GetBytes(String.Concat(parts.Header, ".", parts.Payload));
            var recomputed   = new HMACSHA256Algorithm().Sign(JwtValidator.GetBytes("ABC"), signingInput);
            ++recomputed[0];
            var tamperedSignature = Convert.ToBase64String(recomputed);

            var validator = new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider());
            var accepted  = validator.TryValidate(payloadJson, cryptoFromToken, tamperedSignature, out var ex);

            // Only "some exception" is asserted here; the exception type is not pinned by this test.
            Assert.False(accepted);
            Assert.NotNull(ex);
        }
Esempio n. 3
        // Positive path: when the signature recomputed with the fixture key equals the one in the
        // token, TryValidate must return true and leave the out exception null.
        public void TryValidate_Should_Return_True_And_Exception_Null_When_Crypto_Matches_Signature()
        {
            var encoder = new JwtBase64UrlEncoder();
            var parts   = new JwtParts(TestData.Token);

            var payloadJson = GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // Untouched HMAC-SHA256 over "header.payload" with the fixture key "ABC".
            var signingInput        = GetBytes(string.Concat(parts.Header, ".", parts.Payload));
            var recomputedSignature = Convert.ToBase64String(
                new HMACSHA256Algorithm().Sign(GetBytes("ABC"), signingInput));

            var validator = new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider());
            var accepted  = validator.TryValidate(payloadJson, cryptoFromToken, recomputedSignature, out var ex);

            accepted.Should().BeTrue("because the token should have been validated");
            ex.Should().BeNull("because a valid token verified should not raise any exception");
        }
Esempio n. 4
        // The clock is fixed one second before TestData.TokenTimestamp and the validator is given
        // timeMargin: 1; the token must then be accepted.
        // Presumably TestData.TokenWithNbf has nbf == TestData.TokenTimestamp - confirm in TestData.
        public void TryValidate_Should_Return_True_And_Exception_Null_When_Token_Is_Not_Yet_Usable_But_Validator_Has_Time_Margin()
        {
            var encoder = new JwtBase64UrlEncoder();

            // Deterministic clock: one second earlier than the fixture timestamp.
            var oneSecondEarly = DateTimeOffset.FromUnixTimeSeconds(TestData.TokenTimestamp - 1);
            var frozenClock    = new StaticDateTimeProvider(oneSecondEarly);

            var parts       = new JwtParts(TestData.TokenWithNbf);
            var payloadJson = GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // Signature recomputed with the fixture secret, left intact.
            var signingInput        = GetBytes(String.Concat(parts.Header, ".", parts.Payload));
            var recomputedSignature = Convert.ToBase64String(
                new HMACSHA256Algorithm().Sign(GetBytes(TestData.Secret), signingInput));

            // NOTE(review): a time margin loosens the time checks to absorb clock skew; whether it
            // also extends acceptance past "exp" is not visible here - confirm before raising it.
            var validator = new JwtValidator(new JsonNetSerializer(), frozenClock, timeMargin: 1);
            var accepted  = validator.TryValidate(payloadJson, cryptoFromToken, recomputedSignature, out var ex);

            accepted.Should().BeTrue("because token should be valid");
            ex.Should().BeNull("because valid token should not throw exception");
        }
Esempio n. 5
        // With the clock fixed at TestData.TokenTimestamp, a correctly signed token must still be
        // rejected with TokenExpiredException.
        // Presumably TestData.TokenWithExp has exp == TestData.TokenTimestamp, i.e. the boundary
        // second counts as expired - confirm in TestData.
        public void TryValidate_Should_Return_False_And_Exception_Not_Null_When_Token_Is_Expired()
        {
            var encoder     = new JwtBase64UrlEncoder();
            var frozenClock = new StaticDateTimeProvider(DateTimeOffset.FromUnixTimeSeconds(TestData.TokenTimestamp));

            var parts       = new JwtParts(TestData.TokenWithExp);
            var payloadJson = GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // The signature is recomputed without tampering, so the rejection asserted below
            // cannot be explained by a signature mismatch.
            var signingInput        = GetBytes(String.Concat(parts.Header, ".", parts.Payload));
            var recomputedSignature = Convert.ToBase64String(
                new HMACSHA256Algorithm().Sign(GetBytes(TestData.Secret), signingInput));

            var validator = new JwtValidator(new JsonNetSerializer(), frozenClock);
            var accepted  = validator.TryValidate(payloadJson, cryptoFromToken, recomputedSignature, out var ex);

            accepted.Should().BeFalse("because token should be invalid");
            ex.Should().NotBeNull("because invalid token should thrown exception");
            ex.Should().BeOfType(typeof(TokenExpiredException), "because expired token should thrown TokenExpiredException");
        }
Esempio n. 6
        // A signature recomputed with the fixture secret and then altered in one byte must make
        // TryValidate return false and report an exception through the out parameter.
        public void TryValidate_Should_Return_False_And_Exception_Not_Null_When_Signature_Is_Not_Valid()
        {
            var encoder = new JwtBase64UrlEncoder();
            var parts   = new JwtParts(TestData.Token);

            var payloadJson = GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            var signingInput = GetBytes(String.Concat(parts.Header, ".", parts.Payload));
            var recomputed   = new HMACSHA256Algorithm().Sign(GetBytes(TestData.Secret), signingInput);

            // Damage the first byte: the recomputed value can no longer equal the token's signature.
            recomputed[0]++;
            var tamperedSignature = Convert.ToBase64String(recomputed);

            var validator = new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider());
            var accepted  = validator.TryValidate(payloadJson, cryptoFromToken, tamperedSignature, out var ex);

            // The exception type is not pinned here; only its presence is asserted.
            accepted.Should().BeFalse("because token should be invalid");
            ex.Should().NotBeNull("because invalid token should thrown exception");
        }
        /// <summary>
        /// Decodes a base64url segment with <c>JwtBase64UrlEncoder</c> and returns the bytes as UTF-8 text.
        /// </summary>
        /// <param name="input">The base64url-encoded segment.</param>
        /// <returns>The decoded text.</returns>
        /// <remarks>
        /// This only decodes. No signature is checked here, so text obtained from a token segment
        /// this way is unauthenticated input until the token has been verified elsewhere.
        /// </remarks>
        internal string Base64UrlDecode(String input)
        {
            var decodedBytes = new JwtBase64UrlEncoder().Decode(input);

            return System.Text.Encoding.UTF8.GetString(decodedBytes);
        }
Esempio n. 8
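        /// <summary>
        /// Verifies <paramref name="token"/> against <c>SecretKey</c> and returns its payload as a JSON string.
        /// </summary>
        /// <param name="token">The compact token (<c>header.payload.signature</c>) to verify and decode.</param>
        /// <returns>The JSON string returned by the decoder.</returns>
        /// <remarks>
        /// Failures (malformed token, bad signature, time checks) surface as whatever exception the
        /// decoder throws; the exact types are not visible from this method.
        /// </remarks>
        public string GetJson(string token)
        {
            IJsonSerializer   serializer = new JsonNetSerializer();
            IDateTimeProvider provider   = new UtcDateTimeProvider();
            IJwtValidator     validator  = new JwtValidator(serializer, provider);
            IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
            IJwtDecoder       decoder    = new JwtDecoder(serializer, validator, urlEncoder);

            // Nothing is read from the token by hand before verification: splitting and indexing the
            // segments here produced values that were never used, and it threw an index or format
            // error on a malformed token before the decoder had the chance to reject it.

            // The last argument asks the decoder to verify the token with SecretKey. The returned
            // JSON is only trustworthy because of that flag; it must stay true.
            return decoder.Decode(token, SecretKey, true);
        }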
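        /// <summary>
        /// Parses a three-segment token, checks its <c>alg</c> header, recovers the signer address
        /// from the signature and compares it with the address derived from the <c>iss</c> claim.
        /// </summary>
        /// <param name="token">The compact token (<c>header.payload.signature</c>).</param>
        /// <returns>The deserialized payload claims.</returns>
        /// <exception cref="Exception">
        /// The token is empty, does not have three segments, lacks <c>alg</c> or <c>iss</c>, names an
        /// unexpected algorithm, or was signed by a key other than the one in <c>iss</c>.
        /// </exception>
        /// <remarks>
        /// The key the signature is checked against is read from the token's own <c>iss</c> claim.
        /// A successful return therefore shows only that the token is self-consistent (signed by the
        /// key it names), not that the issuer is one the application trusts. Callers must compare
        /// <c>payload["iss"]</c> with an expected issuer or allow-list before acting on any claim.
        /// No expiry, not-before or audience check is made in this method.
        /// </remarks>
        public static Dictionary <string, object> Verify(string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                throw new Exception("token invalid");
            }

            IJsonSerializer   serializer = new JsonNetSerializer();
            IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();

            var segments = token.Split('.');

            if (segments.Length != 3)
            {
                throw new Exception("token invalid");
            }

            var header = serializer.Deserialize <Dictionary <string, string> >(
                System.Text.Encoding.UTF8.GetString(urlEncoder.Decode(segments[0])));

            // The header is untrusted input: a missing "alg" must be a clean rejection rather than
            // a KeyNotFoundException or NullReferenceException.
            string alg;
            if (header == null || !header.TryGetValue("alg", out alg))
            {
                throw new Exception("token invalid");
            }

            // NOTE(review): the literal is kept exactly as the project wrote it. The registered JOSE
            // name for ECDSA over secp256k1 is "ES256K" - confirm which value issuers really emit.
            if (alg != "EK256K")
            {
                throw new Exception("alg should be EK256K but got " + alg);
            }

            var payload = serializer.Deserialize <Dictionary <string, object> >(
                System.Text.Encoding.UTF8.GetString(urlEncoder.Decode(segments[1])));
            var signature = urlEncoder.Decode(segments[2]);

            // Same reasoning for the payload: "iss" is required because the key is derived from it.
            object issuerClaim;
            if (payload == null || !payload.TryGetValue("iss", out issuerClaim) || issuerClaim == null)
            {
                throw new Exception("token invalid");
            }

            var secretOrPublicKey = issuerClaim.ToString();

            var empty            = new Account();
            var recoveredAddress = empty.Recover(segments[0] + "." + segments[1], signature, false);
            var expectedAddress  = Account.PublicKeyToAddress(secretOrPublicKey.HexToByteArray());

            // NOTE(review): if both addresses are strings this is an ordinal, case-sensitive
            // comparison - confirm Recover and PublicKeyToAddress produce the same casing.
            if (recoveredAddress != expectedAddress)
            {
                throw new Exception(recoveredAddress + " signed the signature but we are expecting " + expectedAddress);
            }

            // The earlier "issuer does not match" check compared payload["iss"] with a value that had
            // just been read from payload["iss"], so it could never fail and was dropped. Issuer
            // pinning against a trusted value is still missing and has to be done by the caller.
            return payload;
        }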
Esempio n. 10
        // Positive path for Validate(): with an untouched recomputed signature the call must
        // complete. There is no explicit assertion; the test passes when nothing is thrown.
        public void Validate_Should_Not_Throw_Exception_When_Crypto_Matches_Signature()
        {
            var encoder = new JwtBase64UrlEncoder();
            var parts   = new JwtParts(TestData.Token);

            var payloadJson = JwtValidator.GetString(encoder.Decode(parts.Payload));

            // Signature segment carried by the token, as standard base64.
            var cryptoFromToken = Convert.ToBase64String(encoder.Decode(parts.Signature));

            // HMAC-SHA256 over "header.payload" recomputed with the fixture key "ABC".
            var signingInput        = JwtValidator.GetBytes(String.Concat(parts.Header, ".", parts.Payload));
            var recomputedSignature = Convert.ToBase64String(
                new HMACSHA256Algorithm().Sign(JwtValidator.GetBytes("ABC"), signingInput));

            var validator = new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider());

            validator.Validate(payloadJson, cryptoFromToken, recomputedSignature);
        }