/// <summary>Parse the <see cref="ReadOnlySpan{T}"/> into its <see cref="SignatureAlgorithm"/> representation.</summary> /// <param name="value"></param> /// <param name="algorithm"></param> public static bool TryParse(ReadOnlySpan <byte> value, [NotNullWhen(true)] out CompressionAlgorithm?algorithm) { if (value.Length == 3) { var zip = IntegerMarshal.ReadUInt24(value); if (zip == DEF) { algorithm = Def; return(true); } } algorithm = null; return(false); }
/// <summary>Parse the <see cref="ReadOnlySpan{T}"/> into its <see cref="SignatureAlgorithm"/> representation.</summary> public static bool TryParse(ReadOnlySpan <byte> value, [NotNullWhen(true)] out CompressionAlgorithm?algorithm) { if (value.Length == 3) { var zip = IntegerMarshal.ReadUInt24(value); if (zip == DEF) { algorithm = Def; return(true); } } #if NET5_0_OR_GREATER Unsafe.SkipInit(out algorithm); #else algorithm = default; #endif return(false); }
/// <summary> /// Gets the claim for a specified key in the current <see cref="JwtPayload"/>. /// </summary> /// <param name="key"></param> /// <returns></returns> public object?this[ReadOnlySpan <byte> key] { get { if (key.Length == 3) { switch (IntegerMarshal.ReadUInt24(key)) { case JwtPayloadParser.Aud: return(_aud); case JwtPayloadParser.Iss: return(_iss); case JwtPayloadParser.Jti: return(_jti); case JwtPayloadParser.Exp: return(_exp); case JwtPayloadParser.Iat: return(_iat); case JwtPayloadParser.Nbf: return(_nbf); case JwtPayloadParser.Sub: return(_sub); } } if (_inner is null) { return(null); } return(_inner.TryGetValue(key, out var value) ? value.Value : null); } }
internal static bool TryParseHeader(ReadOnlyMemory <byte> utf8Payload, byte[]?buffer, TokenValidationPolicy policy, [NotNullWhen(true)] out JwtHeaderDocument?header, [NotNullWhen(false)] out TokenValidationError?error) { ReadOnlySpan <byte> utf8JsonSpan = utf8Payload.Span; var database = new JsonMetadata(utf8Payload.Length); int algIdx = -1; int encIdx = -1; int kidIdx = -1; int critIdx = -1; var reader = new Utf8JsonReader(utf8JsonSpan); if (reader.Read()) { JsonTokenType tokenType = reader.TokenType; if (tokenType == JsonTokenType.StartObject) { while (reader.Read()) { tokenType = reader.TokenType; int tokenStart = (int)reader.TokenStartIndex; if (tokenType == JsonTokenType.EndObject) { break; } else if (tokenType != JsonTokenType.PropertyName) { error = TokenValidationError.MalformedToken(); goto Error; } // Adding 1 to skip the start quote will never overflow Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.PropertyName, tokenStart + 1, reader.ValueSpan.Length); if (reader.ValueSpan.IndexOf((byte)'\\') != -1) { database.SetNeedUnescaping(database.Length - JsonRow.Size); } ReadOnlySpan <byte> memberName = reader.ValueSpan; reader.Read(); tokenType = reader.TokenType; tokenStart = (int)reader.TokenStartIndex; // Since the input payload is contained within a Span, // token start index can never be larger than int.MaxValue (i.e. utf8JsonSpan.Length). Debug.Assert(reader.TokenStartIndex <= int.MaxValue); if (tokenType == JsonTokenType.String) { if (memberName.Length == 3) { switch ((JwtHeaderParameters)IntegerMarshal.ReadUInt24(memberName)) { case JwtHeaderParameters.Alg: algIdx = database.Length; break; case JwtHeaderParameters.Enc: encIdx = database.Length; break; case JwtHeaderParameters.Kid: kidIdx = database.Length; break; } } // Adding 1 to skip the start quote will never overflow Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.String, tokenStart + 1, reader.ValueSpan.Length); } else if (tokenType == JsonTokenType.StartObject) { int count = Utf8JsonReaderHelper.SkipObject(ref reader); int index = database.Length; int tokenEnd = (int)reader.TokenStartIndex; database.Append(JsonTokenType.StartObject, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, count); } else if (tokenType == JsonTokenType.StartArray) { int count; if (memberName.Length == 4 && (JwtHeaderParameters)IntegerMarshal.ReadUInt32(memberName) == JwtHeaderParameters.Crit && !policy.IgnoreCriticalHeader) { critIdx = database.Length; if (!TryCheckCrit(ref reader, out count)) { error = TokenValidationError.MalformedToken("The 'crit' header parameter must be an array of string."); goto Error; } } else { count = Utf8JsonReaderHelper.SkipArray(ref reader); } int index = database.Length; int tokenEnd = (int)reader.TokenStartIndex; database.Append(JsonTokenType.StartArray, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, count); } else { Debug.Assert(tokenType >= JsonTokenType.Number && tokenType <= JsonTokenType.Null); database.Append(tokenType, tokenStart, reader.ValueSpan.Length); } } } } Debug.Assert(reader.BytesConsumed == utf8JsonSpan.Length); database.CompleteAllocations(); header = new JwtHeaderDocument(new JwtDocument(utf8Payload, database, buffer), algIdx, encIdx, kidIdx, critIdx); #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); Error: #if NET5_0_OR_GREATER Unsafe.SkipInit(out header); #else header = default; #endif return(false); }
internal static bool TryParsePayload(ReadOnlyMemory <byte> utf8Payload, byte[]?buffer, TokenValidationPolicy policy, [NotNullWhen(true)] out JwtPayloadDocument?payload, [NotNullWhen(false)] out TokenValidationError?error) { ReadOnlySpan <byte> utf8JsonSpan = utf8Payload.Span; var database = new JsonMetadata(utf8Payload.Length); byte control = policy.Control; int issIdx = -1; var reader = new Utf8JsonReader(utf8JsonSpan); if (reader.Read()) { JsonTokenType tokenType = reader.TokenType; if (tokenType == JsonTokenType.StartObject) { while (reader.Read()) { tokenType = reader.TokenType; int tokenStart = (int)reader.TokenStartIndex; if (tokenType == JsonTokenType.EndObject) { break; } else if (tokenType != JsonTokenType.PropertyName) { error = TokenValidationError.MalformedToken(); goto Error; } Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.PropertyName, tokenStart + 1, reader.ValueSpan.Length); ReadOnlySpan <byte> memberName = reader.ValueSpan; if (memberName.IndexOf((byte)'\\') != -1) { database.SetNeedUnescaping(database.Length - JsonRow.Size); } reader.Read(); tokenType = reader.TokenType; tokenStart = (int)reader.TokenStartIndex; Debug.Assert(reader.TokenStartIndex <= int.MaxValue); if (tokenType == JsonTokenType.String) { if (memberName.Length == 3) { switch ((JwtClaims)IntegerMarshal.ReadUInt24(memberName)) { case JwtClaims.Aud: CheckStringAudience(ref reader, ref control, policy); break; case JwtClaims.Iss: issIdx = database.Length; CheckIssuer(ref reader, ref control, policy); break; } } Debug.Assert(tokenStart < int.MaxValue); database.Append(JsonTokenType.String, tokenStart + 1, reader.ValueSpan.Length); } else if (tokenType == JsonTokenType.Number) { if (memberName.Length == 3) { switch ((JwtClaims)IntegerMarshal.ReadUInt24(memberName)) { case JwtClaims.Exp: if (!TryCheckExpirationTime(ref reader, ref control, policy)) { error = TokenValidationError.MalformedToken("The claim 'exp' must be an integral number."); goto Error; } break; case JwtClaims.Nbf: if (!TryCheckNotBefore(ref reader, ref control, policy)) { error = TokenValidationError.MalformedToken("The claim 'nbf' must be an integral number."); goto Error; } break; } } database.Append(JsonTokenType.Number, tokenStart, reader.ValueSpan.Length); } else if (tokenType == JsonTokenType.StartObject) { int itemCount = Utf8JsonReaderHelper.SkipObject(ref reader); int tokenEnd = (int)reader.TokenStartIndex; int index = database.Length; database.Append(JsonTokenType.StartObject, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, itemCount); } else if (tokenType == JsonTokenType.StartArray) { int itemCount; if (memberName.Length == 3 && (JwtClaims)IntegerMarshal.ReadUInt24(memberName) == JwtClaims.Aud) { itemCount = CheckArrayAudience(ref reader, ref control, policy); } else { itemCount = Utf8JsonReaderHelper.SkipArray(ref reader); } int index = database.Length; int tokenEnd = (int)reader.TokenStartIndex; database.Append(JsonTokenType.StartArray, tokenStart, tokenEnd - tokenStart + 1); database.SetNumberOfRows(index, itemCount); } else { Debug.Assert(tokenType >= JsonTokenType.True && tokenType <= JsonTokenType.Null); database.Append(tokenType, tokenStart, reader.ValueSpan.Length); } } } } Debug.Assert(reader.BytesConsumed == utf8JsonSpan.Length); database.CompleteAllocations(); payload = new JwtPayloadDocument(new JwtDocument(utf8Payload, database, buffer), control, issIdx); #if NET5_0_OR_GREATER Unsafe.SkipInit(out error); #else error = default; #endif return(true); Error: #if NET5_0_OR_GREATER Unsafe.SkipInit(out payload); #else payload = default; #endif return(false); }
/// <summary> /// Parses the UTF-8 <paramref name="buffer"/> as JSON and returns a <see cref="JwtHeader"/>. /// </summary> /// <param name="buffer"></param> /// <param name="policy"></param> public static JwtHeader ParseHeader(ReadOnlySpan <byte> buffer, TokenValidationPolicy policy) { Utf8JsonReader reader = new Utf8JsonReader(buffer, isFinalBlock: true, state: default); if (!reader.Read() || reader.TokenType != JsonTokenType.StartObject) { ThrowHelper.ThrowFormatException_MalformedJson(); } var header = new JwtHeader(); while (reader.Read()) { if (!(reader.TokenType is JsonTokenType.PropertyName)) { break; } var name = reader.ValueSpan /* reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan */; reader.Read(); var type = reader.TokenType; if (name.Length == 3) { if (reader.TokenType == JsonTokenType.String) { var refName = IntegerMarshal.ReadUInt24(name); switch (refName) { case Alg: var alg = reader.ValueSpan /* reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan */; if (SignatureAlgorithm.TryParse(alg, out var signatureAlgorithm)) { header.SignatureAlgorithm = signatureAlgorithm; } else if (KeyManagementAlgorithm.TryParse(alg, out var keyManagementAlgorithm)) { header.KeyManagementAlgorithm = keyManagementAlgorithm; } else if (SignatureAlgorithm.TryParseSlow(ref reader, out signatureAlgorithm)) { header.SignatureAlgorithm = signatureAlgorithm; } else if (KeyManagementAlgorithm.TryParseSlow(ref reader, out keyManagementAlgorithm)) { header.KeyManagementAlgorithm = keyManagementAlgorithm; } else { header.SignatureAlgorithm = SignatureAlgorithm.Create(reader.GetString()); } continue; case Enc: var enc = reader.ValueSpan /* reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan */; if (EncryptionAlgorithm.TryParse(enc, out var encryptionAlgorithm)) { header.EncryptionAlgorithm = encryptionAlgorithm; } else if (EncryptionAlgorithm.TryParseSlow(ref reader, out encryptionAlgorithm)) { header.EncryptionAlgorithm = encryptionAlgorithm; } else { header.EncryptionAlgorithm = EncryptionAlgorithm.Create(reader.GetString()); } continue; case Zip: var zip = reader.ValueSpan /* reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan */; if (CompressionAlgorithm.TryParse(zip, out var compressionAlgorithm)) { header.CompressionAlgorithm = compressionAlgorithm; } else if (CompressionAlgorithm.TryParseSlow(ref reader, out compressionAlgorithm)) { header.CompressionAlgorithm = compressionAlgorithm; } else { header.CompressionAlgorithm = CompressionAlgorithm.Create(reader.GetString()); } continue; case Cty: header.Cty = reader.GetString(); continue; case Typ: header.Typ = reader.GetString(); continue; case Kid: header.Kid = reader.GetString(); continue; } } } else if (name.Length == 4) { if (reader.TokenType == JsonTokenType.StartArray && IntegerMarshal.ReadUInt32(name) == Crit) { var handlers = policy.CriticalHandlers; if (handlers.Count != 0) { var criticalHeaderHandlers = new List <KeyValuePair <string, ICriticalHeaderHandler> >(handlers.Count); var criticals = new List <JwtValue>(); while (reader.Read() && reader.TokenType == JsonTokenType.String) { string criticalHeader = reader.GetString(); criticals.Add(new JwtValue(criticalHeader)); if (handlers.TryGetValue(criticalHeader, out var handler)) { criticalHeaderHandlers.Add(new KeyValuePair <string, ICriticalHeaderHandler>(criticalHeader, handler)); } else { criticalHeaderHandlers.Add(new KeyValuePair <string, ICriticalHeaderHandler>(criticalHeader, null !)); } } header.CriticalHeaderHandlers = criticalHeaderHandlers; if (reader.TokenType != JsonTokenType.EndArray) { ThrowHelper.ThrowFormatException_MalformedJson("The 'crit' header parameter must be an array of string."); } header.Inner.Add(name, new JwtArray(criticals)); } else { var criticals = new List <JwtValue>(); while (reader.Read() && reader.TokenType == JsonTokenType.String) { string criticalHeader = reader.GetString(); criticals.Add(new JwtValue(criticalHeader)); } if (reader.TokenType != JsonTokenType.EndArray) { ThrowHelper.ThrowFormatException_MalformedJson("The 'crit' header parameter must be an array of string."); } header.Inner.Add(name, new JwtArray(criticals)); } continue; } } switch (type) { case JsonTokenType.StartObject: header.Inner.Add(name, JsonParser.ReadJsonObject(ref reader)); break; case JsonTokenType.StartArray: header.Inner.Add(name, JsonParser.ReadJsonArray(ref reader)); break; case JsonTokenType.String: header.Inner.Add(name, reader.GetString()); break; case JsonTokenType.True: header.Inner.Add(name, true); break; case JsonTokenType.False: header.Inner.Add(name, false); break; case JsonTokenType.Null: header.Inner.Add(name); break; case JsonTokenType.Number: if (reader.TryGetInt64(out long longValue)) { header.Inner.Add(name, longValue); } else { header.Inner.Add(name, reader.GetDouble()); } break; default: ThrowHelper.ThrowFormatException_MalformedJson(); break; } } if (!(reader.TokenType is JsonTokenType.EndObject)) { ThrowHelper.ThrowFormatException_MalformedJson(); } return(header); }
/// <summary> /// Parses the UTF-8 <paramref name="buffer"/> as JSON and returns a <see cref="JwtPayload"/>. /// </summary> /// <param name="buffer"></param> /// <param name="policy"></param> public static JwtPayload ParsePayload(ReadOnlySpan <byte> buffer, TokenValidationPolicy policy) { Utf8JsonReader reader = new Utf8JsonReader(buffer, isFinalBlock: true, state: default); if (!reader.Read() || reader.TokenType != JsonTokenType.StartObject) { ThrowHelper.ThrowFormatException_MalformedJson(); } var payload = new JwtPayload(); byte control = policy.ValidationControl; while (reader.Read() && reader.TokenType is JsonTokenType.PropertyName) { var name = reader.ValueSpan /* reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan */; reader.Read(); var type = reader.TokenType; if (name.Length == 3) { uint nameValue = IntegerMarshal.ReadUInt24(name); switch (nameValue) { case Aud: if (type == JsonTokenType.String) { if (policy.RequireAudience) { var audiencesBinary = policy.RequiredAudiencesBinary; var audiences = policy.RequiredAudiences; for (int i = 0; i < audiencesBinary.Length; i++) { if (reader.ValueTextEquals(audiencesBinary[i])) { payload.Aud = new[] { audiences[i] }; control &= unchecked ((byte)~TokenValidationPolicy.AudienceFlag); break; } } control &= unchecked ((byte)~JwtPayload.MissingAudienceFlag); } else { payload.Aud = new[] { reader.GetString() }; } } else if (type == JsonTokenType.StartArray) { if (policy.RequireAudience) { var audiences = new List <string>(); while (reader.Read() && reader.TokenType == JsonTokenType.String) { var requiredAudiences = policy.RequiredAudiencesBinary; for (int i = 0; i < requiredAudiences.Length; i++) { if (reader.ValueTextEquals(requiredAudiences[i])) { control &= unchecked ((byte)~TokenValidationPolicy.AudienceFlag); break; } } audiences.Add(reader.GetString()); control &= unchecked ((byte)~JwtPayload.MissingAudienceFlag); } if (reader.TokenType != JsonTokenType.EndArray) { ThrowHelper.ThrowFormatException_MalformedJson("The 'aud' claim must be an array of string or a string."); } payload.Aud = audiences.ToArray(); } else { payload.Aud = JsonParser.ReadStringArray(ref reader); } } else { ThrowHelper.ThrowFormatException_MalformedJson("The 'aud' claim must be an array of string or a string."); } continue; case Iss: if (policy.RequireIssuer) { if (reader.ValueTextEquals(policy.RequiredIssuerBinary)) { payload.Iss = policy.RequiredIssuer; control &= unchecked ((byte)~TokenValidationPolicy.IssuerFlag); } else { control &= unchecked ((byte)~JwtPayload.MissingIssuerFlag); } } else { payload.Iss = reader.GetString(); } continue; case Exp: if (!reader.TryGetInt64(out long longValue)) { ThrowHelper.ThrowFormatException_MalformedJson("The claim 'exp' must be an integral number."); } if (policy.RequireExpirationTime) { control &= unchecked ((byte)~JwtPayload.MissingExpirationFlag); } if (longValue >= EpochTime.UtcNow - policy.ClockSkew) { control &= unchecked ((byte)~JwtPayload.ExpiredFlag); } payload.Exp = longValue; continue; case Iat: if (!reader.TryGetInt64(out longValue)) { ThrowHelper.ThrowFormatException_MalformedJson("The claim 'iat' must be an integral number."); } payload.Iat = longValue; continue; case Nbf: if (!reader.TryGetInt64(out longValue)) { ThrowHelper.ThrowFormatException_MalformedJson("The claim 'nbf' must be an integral number."); } // the 'nbf' claim is not common. The 2nd call to EpochTime.UtcNow should be rare. if (longValue <= EpochTime.UtcNow + policy.ClockSkew) { control &= unchecked ((byte)~JwtPayload.NotYetFlag); } payload.Nbf = longValue; continue; case Jti: payload.Jti = reader.GetString(); continue; case Sub: payload.Sub = reader.GetString(); continue; } } switch (type) { case JsonTokenType.StartObject: payload.Inner.Add(name, JsonParser.ReadJsonObject(ref reader)); break; case JsonTokenType.StartArray: payload.Inner.Add(name, JsonParser.ReadJsonArray(ref reader)); break; case JsonTokenType.String: payload.Inner.Add(name, reader.GetString()); break; case JsonTokenType.True: payload.Inner.Add(name, true); break; case JsonTokenType.False: payload.Inner.Add(name, false); break; case JsonTokenType.Null: payload.Inner.Add(name); break; case JsonTokenType.Number: long longValue; if (reader.TryGetInt64(out longValue)) { payload.Inner.Add(name, longValue); } else { payload.Inner.Add(name, reader.GetDouble()); } break; default: ThrowHelper.ThrowFormatException_MalformedJson(); break; } } if (!(reader.TokenType is JsonTokenType.EndObject)) { ThrowHelper.ThrowFormatException_MalformedJson(); } payload.ValidationControl = control; return(payload); }