/// <summary>
/// OAuth Server呼叫Protected Server進行通知驗證
/// </summary>
/// <param name="oauthToProtectedCypherText"></param>
/// <returns></returns>
public AuthResrcProtectorCypherTextModel Verify(string oauthToProtectedCypherText)
{
//解密OAuth Server帶過來的 CypherText
string decryptCryptoStr = aesCrypter.Decrypt(oauthToProtectedCypherText);
//進行反序列化,取得本次驗證需要的相關資訊
AuthResrcProtectorCypherTextModel authShareProtectedServerCypherTextModel = JsonConvert.DeserializeObject <AuthResrcProtectorCypherTextModel>(decryptCryptoStr);
//將Protected Server 的 Key與IV 進行加密處理,準備進行檢核
SymCryptoModel shareSecretClientWithProtectedSymModel = GetShareSecretClientWithProtectedSymModel(this.protectedServer.ShareKeyOAuthWithProtectedServer,
this.protectedServer.ShareIVOAuthWithProtectedServer, authShareProtectedServerCypherTextModel.ClientId);
//檢核OAuth Server帶來的資料與 Protected Server處理後的資料 是否一致
if (authShareProtectedServerCypherTextModel.PortectedId != this.protectedServer.OAuthApplicatoinId)
{
throw new RequestProtectedServerNotEqualExceptoin("The protected server's application id is not equal with the ProtectedId which is send from OAuth server ");
}
if (GetUtcNowUnixTime() > authShareProtectedServerCypherTextModel.ExpiredTime)
{
throw new OAuthShareCypherWithProtectedServerExpiredException("OAuth Send Secret message like Cypher text is expired, can not use this secret");
}
if (shareSecretClientWithProtectedSymModel.Key != authShareProtectedServerCypherTextModel.ClientProtectedCryptoModel.Key ||
shareSecretClientWithProtectedSymModel.IV != authShareProtectedServerCypherTextModel.ClientProtectedCryptoModel.IV)
{
throw new ShareSecretClientWithProtectedServerNotEqualException("Check the secret from OAuth Server, and found that the secret is not equal after decrypt by protected server");
}
return(authShareProtectedServerCypherTextModel);
}
private SymCryptoModel GetShareSecretClientWithProtectedSymModel(string key, string iv, string clientId)
{
string theShareSecretKeyClientWithProtected = GetClientProtectedCryptoStr(key, clientId);
string theShareSecretIVClientWithProtected = GetClientProtectedCryptoStr(iv, clientId).Substring(0, 16);
SymCryptoModel shareSecretClientWithProtectedModel = new SymCryptoModel()
{
Key = theShareSecretKeyClientWithProtected,
IV = theShareSecretIVClientWithProtected,
};
return(shareSecretClientWithProtectedModel);
}
/// <summary>
/// Client 呼叫 Protected Server進行驗證
/// </summary>
/// <param name="reqModel"></param>
public void Verify(CheckClientReqModel reqModel)
{
//用 ProtectedServerMemberClient 組出 HashMac
ClientTempIdentityModel clientTempId = new ClientTempIdentityModel()
{
ClientId = this.memberClientModel.ClientId,
HashValue = this.memberClientModel.HashValue,
};
SymCryptoModel clientProtectedCryptoModel = new SymCryptoModel()
{
Key = this.memberClientModel.ShareKeyClientWithProtectedServer,
IV = this.memberClientModel.ShareIVClientWithProtectedServer,
};
ClientProtectedMacModel clientProtectedMacModel = new ClientProtectedMacModel();
clientProtectedMacModel.Salt = "2";
clientProtectedMacModel.ClientTempId = clientTempId;
clientProtectedMacModel.ProtectedId = this.memberClientModel.ProtectedId;
clientProtectedMacModel.AuthZTimes = this.memberClientModel.AuthZTimes;
clientProtectedMacModel.HashValue = clientTempId.HashValue;
clientProtectedMacModel.ExpiredTime = reqModel.ExpiredTime;
clientProtectedMacModel.ClientProtectedCryptoModel = clientProtectedCryptoModel;
string shareMacClientWithResrJson = JsonConvert.SerializeObject(clientProtectedMacModel);
//組出HashMac
string shareHashMacClientWithResr = MD5Hasher.Hash(shareMacClientWithResrJson);
//檢核是否一致
if (shareHashMacClientWithResr != reqModel.ClientProtectedMac)
{
throw new ShareHashMacClientWithProtectedNotEqualException("Client request mac in model is invalid. " +
"More message: the share mac in client is not equal after protected server decrypted and compare " +
"the mac message which client request");
}
}
