public static string Sign(WebSecureToken token, SecurityMode mode, string secretKey)
{
byte[] bSecretKey = Encoding.ASCII.GetBytes(secretKey);
string encoded = string.Empty;
switch (mode)
{
case SecurityMode.Sign:
var tokenHandler = new JwtSecurityTokenHandler();
var jwtoken = tokenHandler.CreateJwtSecurityToken(issuer: token.Issuer, audience: null,
subject: new ClaimsIdentity(new[] {
new Claim(WebSecureToken.GXISSUER, token.Issuer),
new Claim(WebSecureToken.GXPROGRAM, token.ProgramName),
new Claim(WebSecureToken.GXVALUE, token.Value),
new Claim(WebSecureToken.GXEXPIRATION, token.Expiration.Subtract(new DateTime(1970, 1, 1)).TotalSeconds.ToString())
}),
notBefore: DateTime.UtcNow,
expires: token.Expiration,
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(bSecretKey), SecurityAlgorithms.HmacSha256));
return(tokenHandler.WriteToken(jwtoken));
}
return(encoded);
}
public static bool Verify(string pgmName, string issuer, string value, string jwtToken, out WebSecureToken token, IGxContext context)
{
token = new WebSecureToken();
bool jwtVerifyOk = SecureTokenHelper.Verify(jwtToken, token, GetSecretKey(context));
bool contentVerifyOk = jwtVerifyOk && !string.IsNullOrEmpty(pgmName) && token.ProgramName == pgmName && issuer == token.Issuer &&
StripInvalidChars(token.Value) == StripInvalidChars(value) && token.Expiration >= DateTime.Now;
if (!contentVerifyOk && _log.IsErrorEnabled)
{
StringBuilder errMessage = new StringBuilder("WebSecurity Token Verification error");
if (!jwtVerifyOk)
{
errMessage.Append($" - JWT Signature Verification failed");
}
if (token.ProgramName != pgmName)
{
errMessage.Append($" - ProgramName mismatch '{token.ProgramName}' <> '{pgmName}'");
}
if (StripInvalidChars(token.Value) != StripInvalidChars(value))
{
errMessage.Append($" - Value mismatch '{StripInvalidChars(token.Value)}' <> '{StripInvalidChars(value)}'");
}
else if (issuer != token.Issuer)
{
errMessage.Append($" - Issuer mismatch '{token.Issuer}' <> '{issuer}'");
}
if (token.Expiration < DateTime.Now)
{
errMessage.Append(" - Token expired ");
}
GXLogging.Error(_log, errMessage.ToString());
}
return(contentVerifyOk);
}
internal static WebSecureToken getWebSecureToken(string signedToken, string secretKey)
{
byte[] bSecretKey = Encoding.ASCII.GetBytes(secretKey);
if (string.IsNullOrEmpty(signedToken))
{
return(null);
}
using (var hmac = new System.Security.Cryptography.HMACSHA256(bSecretKey))
{
var handler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ClockSkew = TimeSpan.FromMinutes(1),
ValidateAudience = false,
ValidateIssuer = false,
IssuerSigningKey = new SymmetricSecurityKey(hmac.Key),
};
SecurityToken securityToken;
WebSecureToken outToken = new WebSecureToken();
var claims = handler.ValidateToken(signedToken, validationParameters, out securityToken);
outToken.Value = claims.Identities.First().Claims.First(c => c.Type == WebSecureToken.GXVALUE).Value;
return(outToken);
}
}
public static bool Verify(string pgmName, string issuer, string value, string jwtToken, out WebSecureToken token, IGxContext context)
{
token = new WebSecureToken();
bool ok = SecureTokenHelper.Verify(jwtToken, token, GetSecretKey(context));
bool ret = ok && !string.IsNullOrEmpty(pgmName) && token.ProgramName == pgmName && issuer == token.Issuer &&
StripInvalidChars(token.Value) == StripInvalidChars(value) && token.Expiration >= DateTime.Now;
if (!ret)
{
if (!ok)
{
GXLogging.Error(_log, "verify: Invalid token");
}
if (token.ProgramName != pgmName)
{
GXLogging.Error(_log, "verify: pgmName mismatch " + "'" + token.ProgramName + "' <> '" + pgmName + "'");
}
if (issuer != token.Issuer)
{
GXLogging.Error(_log, "verify: issuer mismatch " + "'" + token.Issuer + "' <> '" + issuer + "'");
}
if (StripInvalidChars(token.Value) != StripInvalidChars(value))
{
GXLogging.Error(_log, "verify: value mismatch " + "'" + token.Value + "'" + " <> '" + value + "'");
}
if (token.Expiration < DateTime.Now)
{
GXLogging.Error(_log, "verify: token expired ");
}
}
return(ret);
}
internal static bool VerifySecureSignedSDTToken(string cmpCtx, GxUserType value, string signedToken, IGxContext context)
{
WebSecureToken Token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
if (Token == null)
{
return(false);
}
GxUserType PayloadObject = (GxUserType)value.Clone();
PayloadObject.FromJSonString(Token.Value);
return(GxUserType.IsEqual(value, PayloadObject));
}
public override bool FromJSonString(string s)
{
try {
WebSecureToken wt = JSONHelper.Deserialize <WebSecureToken>(s, Encoding.UTF8);
this.Expiration = wt.Expiration;
this.Value = wt.Value;
this.ProgramName = wt.ProgramName;
this.Issuer = wt.Issuer;
return(true);
}
catch (Exception)
{
return(false);
}
}
internal static bool Verify(string jwtToken, WebSecureToken outToken, string secretKey)
{
bool ok = false;
byte[] bSecretKey = Encoding.ASCII.GetBytes(secretKey);
if (!string.IsNullOrEmpty(jwtToken))
{
try
{
using (var hmac = new System.Security.Cryptography.HMACSHA256(bSecretKey))
{
var handler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ClockSkew = TimeSpan.FromMinutes(1),
ValidateAudience = false,
ValidateIssuer = false,
IssuerSigningKey = new SymmetricSecurityKey(hmac.Key),
};
//Avoid handler.ValidateToken which does not work in medium trust environment
JwtSecurityToken jwtSecurityToken = (JwtSecurityToken)handler.GetType().InvokeMember("ValidateSignature",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.InvokeMethod, null, handler,
new object[] { jwtToken, validationParameters });
Validators.ValidateIssuerSecurityKey(jwtSecurityToken.SigningKey, jwtSecurityToken, validationParameters);
outToken.Expiration = new DateTime(1970, 1, 1).AddSeconds(Double.Parse(jwtSecurityToken.Claims.First(c => c.Type == WebSecureToken.GXEXPIRATION).Value));
outToken.ProgramName = jwtSecurityToken.Claims.First(c => c.Type == WebSecureToken.GXPROGRAM).Value;
outToken.Issuer = jwtSecurityToken.Claims.First(c => c.Type == WebSecureToken.GXISSUER).Value;
outToken.Value = jwtSecurityToken.Claims.First(c => c.Type == WebSecureToken.GXVALUE).Value;
ok = true;
}
}
catch (Exception e)
{
GXLogging.Error(_log, string.Format("Web Token verify failed for Token '{0}'", jwtToken), e);
}
}
return(ok);
}