// Permanently set all occurrences of x to true. Assumes positive
// polarity at all occurrences.
static void setTrue(Cnf f, string x)
{
f.vars.Remove(x);
// Eliminate clauses containing x.
for (var i = 0; i < f.clauses.Count;)
{
if (f.clauses[i].lits.Exists(lit => lit.ident == x))
{
f.clauses.RemoveAt(i);
}
else
{
++i;
}
}
}
public void parser_should_read_proper_cnf_structure()
{
var jwk = new JsonWebKey
{
Kty = "oct",
Alg = "HS256",
K = "123"
};
var json = new Cnf(jwk).ToJson();
jwk = CnfParser.Parse(json);
jwk.Should().NotBeNull();
jwk.Kty.Should().Be("oct");
jwk.Alg.Should().Be("HS256");
jwk.K.Should().Be("123");
}
static HttpSignatureValidationMiddlewareTests()
{
var jwk = new JsonWebKey
{
Kty = "oct",
Alg = "HS256",
K = Base64Url.Encode(_symmetricKey)
};
var cnf = new Cnf(jwk);
var cnfJson = cnf.ToJson();
var claims = new Claim[]
{
new Claim("cnf", cnfJson)
};
_cnfIdentity = new ClaimsIdentity(claims, "PoP");
}
// Set all occurrences of x to false. Assumes negative polarity at
// all occurrences. Returns true if the formula becomes
// unsatisfiable.
static bool setFalse(Cnf f, string x)
{
f.vars.Remove(x);
// Eliminate x from clauses.
for (var i = 0; i < f.clauses.Count;)
{
f.clauses[i].lits.RemoveAll(lit => lit.ident == x);
// If a clause becomes empty then the formula is unsatisfiable.
if (f.clauses.Count == 0)
{
return(true);
}
else
{
++i;
}
}
return(false);
}
// Determine the polarity of a variable in a CNF formula.
static Polarity polarity(string x, Cnf f)
{
var pol = Polarity.Unknown;
for (var i = 0; i < f.clauses.Count;)
{
var c_pol = clausePolarity(x, f.clauses[i]);
if (c_pol == Polarity.Mixed)
{
f.clauses.RemoveAt(i);
}
else
{
pol |= c_pol; // combine polarities with bitwise OR
++i;
}
}
return(pol);
}
pure_literal_assign(Cnf f, Dictionary <string, Polarity> pols)
{
var assigns = new List <Tuple <string, bool> >();
foreach (var kv in pols)
{
switch (kv.Value)
{
case Polarity.Negative:
assigns.Add(Tuple.Create(kv.Key, false));
if (setFalse(f, kv.Key))
{
return(null); // unsat
}
break;
case Polarity.Positive:
assigns.Add(Tuple.Create(kv.Key, true));
setTrue(f, kv.Key);
break;
}
}
return(null);
}
public static Formula ChooseLiteral(Cnf cnf)
{
return(cnf.Clauses.First().Literals.First());
}
// Check for an empty clause.
static bool is_there_empty_clause(Cnf f)
{
return(f.clauses.Any(c => c.lits.Count == 0));
}
// Find all variables that occur in a CNF formula.
static List <string> fvs(Cnf f)
{
return(f.clauses.Select(x => x.lits.Select(y => y.ident))
.SelectMany(x => x).Distinct().ToList());
}
// Evaluate a CNF formula under a given environment.
static bool eval(Cnf f, Dictionary <string, bool> env)
{
return(f.clauses.Aggregate(true, (x, y) => x & eval_clause(y, env)));
}
/// <summary>
/// Validates the specified identity token.
/// </summary>
/// <param name="identityToken">The identity token.</param>
/// <returns>The validation result</returns>
public async Task <AccessTokenValidationResult> ValidateAsync(string popToken, bool forceIntrospection = false, string introspectionScope = null, string introspectionSecret = null)
{
_logger.LogTrace("Validate PoP Token");
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();
// setup general validation parameters
var parameters = new TokenValidationParameters
{
ValidIssuer = _options.ProviderInformation.IssuerName,
ValidateAudience = false, //Pop tokens don't have this - they use the body data.
RequireExpirationTime = false,
ValidateIssuer = false
};
// read the token signing algorithm
JwtSecurityToken jwt;
try
{
jwt = handler.ReadJwtToken(popToken);
}
catch (Exception ex)
{
return(new AccessTokenValidationResult
{
Error = $"Error validating access token: {ex.ToString()}"
});
}
var algorithm = jwt.Header.Alg;
// if token is unsigned, and this is allowed, skip signature validation
if (string.Equals(algorithm, "none"))
{
if (_options.Policy.RequireAccessTokenSignature)
{
return(new AccessTokenValidationResult
{
Error = $"Pop access token is not singed. Signatures are required by policy"
});
}
else
{
_logger.LogInformation("Pop token is not signed. This is allowed by configuration.");
parameters.RequireSignedTokens = false;
}
}
else
{
// check if signature algorithm is allowed by policy
if (!_options.Policy.ValidSignatureAlgorithms.Contains(algorithm))
{
return(new AccessTokenValidationResult
{
Error = $"Pop token uses invalid algorithm: {algorithm}"
});
}
;
}
var extractedAccessToken = jwt.Payload.ContainsKey("at") ? jwt.Payload["at"] as string : null;
if (string.IsNullOrEmpty(extractedAccessToken))
{
_logger.LogInformation("Pop token was recieved without 'at'");
return(new AccessTokenValidationResult
{
Error = "Token is invalid."
});
}
//Attempt to validate the JWT, if possible.
AccessTokenValidationResult tokenValidation = null;
try
{
tokenValidation = await new AccessTokenValidator(_options, _refreshKeysAsync).ValidateAsync(extractedAccessToken, forceIntrospection, introspectionScope, introspectionSecret).ConfigureAwait(false);
}
catch (Exception ex)
{
return(new AccessTokenValidationResult
{
Error = $"Error validating pop access token: {ex.ToString()}"
});
}
if (tokenValidation.IsError) //If we failed - pass it through.
{
return(tokenValidation);
}
//Get the signature keys and preform online validation.
var cnfJson = tokenValidation.AccessTokenPrincipal.Claims.FirstOrDefault(x => x.Type == "cnf")?.Value;
if (cnfJson == null)
{
_logger.LogError("CNF is not present on the AccessTokenPrincipal");
return(new AccessTokenValidationResult()
{
Error = "Token validation failed."
});
}
Cnf cnf = Newtonsoft.Json.JsonConvert.DeserializeObject <Cnf>(cnfJson);
ClaimsPrincipal claims;
try
{
claims = ValidateSignature(popToken, cnf.jwk, handler, parameters);
}
catch (SecurityTokenSignatureKeyNotFoundException sigEx)
{
return(new AccessTokenValidationResult
{
Error = $"Error validating pop access token: {sigEx.ToString()}"
});
}
catch (Exception ex)
{
return(new AccessTokenValidationResult
{
Error = $"Error validating pop access token: {ex.ToString()}"
});
}
tokenValidation.PopTokenPrincipal = claims;
tokenValidation.PopTokenSignatureAlgorithm = algorithm;
tokenValidation.PreformedPopTokenValidation = true;
return(tokenValidation);
}
/// <summary>
/// Gets the hash code
/// </summary>
/// <returns>Hash code</returns>
public override int GetHashCode()
{
unchecked // Overflow is fine, just wrap
{
var hashCode = 41;
// Suitable nullity checks etc, of course :)
if (Iss != null)
{
hashCode = hashCode * 59 + Iss.GetHashCode();
}
if (Sub != null)
{
hashCode = hashCode * 59 + Sub.GetHashCode();
}
if (Aud != null)
{
hashCode = hashCode * 59 + Aud.GetHashCode();
}
if (Exp != null)
{
hashCode = hashCode * 59 + Exp.GetHashCode();
}
if (Nbf != null)
{
hashCode = hashCode * 59 + Nbf.GetHashCode();
}
if (Iat != null)
{
hashCode = hashCode * 59 + Iat.GetHashCode();
}
if (Jti != null)
{
hashCode = hashCode * 59 + Jti.GetHashCode();
}
if (Uuid != null)
{
hashCode = hashCode * 59 + Uuid.GetHashCode();
}
if (Name != null)
{
hashCode = hashCode * 59 + Name.GetHashCode();
}
if (GivenName != null)
{
hashCode = hashCode * 59 + GivenName.GetHashCode();
}
if (Nickname != null)
{
hashCode = hashCode * 59 + Nickname.GetHashCode();
}
if (Email != null)
{
hashCode = hashCode * 59 + Email.GetHashCode();
}
if (EmailVerified != null)
{
hashCode = hashCode * 59 + EmailVerified.GetHashCode();
}
if (Zoneinfo != null)
{
hashCode = hashCode * 59 + Zoneinfo.GetHashCode();
}
if (Locale != null)
{
hashCode = hashCode * 59 + Locale.GetHashCode();
}
if (Cnf != null)
{
hashCode = hashCode * 59 + Cnf.GetHashCode();
}
if (Orig != null)
{
hashCode = hashCode * 59 + Orig.GetHashCode();
}
if (Dest != null)
{
hashCode = hashCode * 59 + Dest.GetHashCode();
}
if (Mky != null)
{
hashCode = hashCode * 59 + Mky.GetHashCode();
}
return(hashCode);
}
}
/// <summary>
/// Returns true if JWToken instances are equal
/// </summary>
/// <param name="other">Instance of JWToken to be compared</param>
/// <returns>Boolean</returns>
public bool Equals(JWToken other)
{
if (ReferenceEquals(null, other))
{
return(false);
}
if (ReferenceEquals(this, other))
{
return(true);
}
return
((
Iss == other.Iss ||
Iss != null &&
Iss.Equals(other.Iss)
) &&
(
Sub == other.Sub ||
Sub != null &&
Sub.Equals(other.Sub)
) &&
(
Aud == other.Aud ||
Aud != null &&
Aud.Equals(other.Aud)
) &&
(
Exp == other.Exp ||
Exp != null &&
Exp.Equals(other.Exp)
) &&
(
Nbf == other.Nbf ||
Nbf != null &&
Nbf.Equals(other.Nbf)
) &&
(
Iat == other.Iat ||
Iat != null &&
Iat.Equals(other.Iat)
) &&
(
Jti == other.Jti ||
Jti != null &&
Jti.Equals(other.Jti)
) &&
(
Uuid == other.Uuid ||
Uuid != null &&
Uuid.Equals(other.Uuid)
) &&
(
Name == other.Name ||
Name != null &&
Name.Equals(other.Name)
) &&
(
GivenName == other.GivenName ||
GivenName != null &&
GivenName.Equals(other.GivenName)
) &&
(
Nickname == other.Nickname ||
Nickname != null &&
Nickname.Equals(other.Nickname)
) &&
(
Email == other.Email ||
Email != null &&
Email.Equals(other.Email)
) &&
(
EmailVerified == other.EmailVerified ||
EmailVerified != null &&
EmailVerified.Equals(other.EmailVerified)
) &&
(
Zoneinfo == other.Zoneinfo ||
Zoneinfo != null &&
Zoneinfo.Equals(other.Zoneinfo)
) &&
(
Locale == other.Locale ||
Locale != null &&
Locale.Equals(other.Locale)
) &&
(
Cnf == other.Cnf ||
Cnf != null &&
Cnf.Equals(other.Cnf)
) &&
(
Orig == other.Orig ||
Orig != null &&
Orig.Equals(other.Orig)
) &&
(
Dest == other.Dest ||
Dest != null &&
Dest.Equals(other.Dest)
) &&
(
Mky == other.Mky ||
Mky != null &&
Mky.Equals(other.Mky)
));
}
