/// <summary> /// Encodes given binary data to JWT token and sign it using given algorithm. /// </summary> /// <param name="payload">Binary data to encode (not null)</param> /// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param> /// <param name="algorithm">JWT algorithm to be used.</param> /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param> /// <param name="settings">optional settings to override global DefaultSettings</param> /// <param name="options">additional encoding options</param> /// <returns>JWT in compact serialization form, digitally signed.</returns> public static string EncodeBytes(byte[] payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null) { if (payload == null) { throw new ArgumentNullException(nameof(payload)); } JwtSettings jwtSettings = GetSettings(settings); JwtOptions jwtOptions = options ?? JwtOptions.Default; var jwtHeader = new Dictionary <string, object> { { "alg", jwtSettings.JwsHeaderValue(algorithm) } }; if (extraHeaders == null) //allow overload, but keep backward compatible defaults { extraHeaders = new Dictionary <string, object> { { "typ", "JWT" } }; } if (!jwtOptions.EncodePayload) { jwtHeader["b64"] = false; jwtHeader["crit"] = Collections.Union(new[] { "b64" }, Dictionaries.Get(extraHeaders, "crit")); } Dictionaries.Append(jwtHeader, extraHeaders); byte[] headerBytes = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader)); IJwsAlgorithm jwsAlgorithm = jwtSettings.Jws(algorithm); if (jwsAlgorithm == null) { throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm)); } byte[] signature = jwsAlgorithm.Sign(securedInput(headerBytes, payload, jwtOptions.EncodePayload), key); byte[] payloadBytes = jwtOptions.DetachPayload ? new byte[0] : payload; return(jwtOptions.EncodePayload ? Compact.Serialize(headerBytes, payloadBytes, signature) : Compact.Serialize(headerBytes, Encoding.UTF8.GetString(payloadBytes), signature)); }
/// <summary> /// Gets the JWS algoritm that corresponds to a given algorithm name. /// </summary> /// <param name="Name">Algorithm name.</param> /// <param name="Algorithm">Algorithm object, if found.</param> /// <returns>If an algorithm with the given name was found.</returns> public static bool TryGetAlgorithm(string Name, out IJwsAlgorithm Algorithm) { lock (algorithms) { if (!initialized) { foreach (Type T in Types.GetTypesImplementingInterface(typeof(IJwsAlgorithm))) { if (T.GetTypeInfo().IsAbstract) { continue; } try { Algorithm = (IJwsAlgorithm)Activator.CreateInstance(T); if (algorithms.ContainsKey(Algorithm.Name)) { Log.Warning("JWS algorithm with name " + Algorithm.Name + " already registered."); } else { algorithms[Algorithm.Name] = Algorithm; } } catch (Exception ex) { Log.Critical(ex); } } if (!registered) { Types.OnInvalidated += Types_OnInvalidated; registered = true; } initialized = true; } return(algorithms.TryGetValue(Name, out Algorithm)); } }
public AesCbcHmacEncryption(IJwsAlgorithm hashAlgorithm, int keyLength) { this.hashAlgorithm = hashAlgorithm; this.keyLength = keyLength; }
private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null, bool requireSignature = false) { Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null."); Compact.Iterator parts = Compact.Iterate(token); if (parts.Count == 5) //encrypted JWT { return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings)); } else { //signed or plain JWT JwtSettings jwtSettings = GetSettings(settings); byte[] header = parts.Next(); Dictionary <string, object> headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header)); bool b64 = true; if (headerData.TryGetValue("b64", out object value)) { b64 = (bool)value; } byte[] contentPayload = parts.Next(b64); byte[] signature = parts.Next(); byte[] effectivePayload = payload ?? contentPayload; if (requireSignature && signature.Length == 0) { throw new JoseException("Payload is missing required signature"); } string algorithm = (string)headerData["alg"]; JwsAlgorithm jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm); if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm) { throw new InvalidAlgorithmException("The algorithm type passed to the Decode method did not match the algorithm type in the header."); } IJwsAlgorithm jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm); if (jwsAlgorithmImpl == null) { throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm)); } // If the key has not been specified, attempt to read it from the header. if (key == null && headerData.ContainsKey("kid") && jwsAlgorithm != JwsAlgorithm.none) { if (jwsAlgorithm == JwsAlgorithm.ES256K) { key = (BitcoinPubKeyAddress)BitcoinPubKeyAddress.Create((string)headerData["kid"], jwtSettings.Network); } else { key = (string)headerData["kid"]; } } if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key)) { throw new IntegrityException("Invalid signature."); } return(effectivePayload); } }
/// <summary> /// Contains information about a Java Web Token (JWT). JWT is defined in RFC 7519: /// https://tools.ietf.org/html/rfc7519 /// /// JWT are based on JSON Web Signature (JWS), defined in RFC 7515: /// https://tools.ietf.org/html/rfc7515 /// /// Signature algorithms are defined in RFC 7518: /// https://tools.ietf.org/html/rfc7518 /// </summary> public JwtToken(string Token) { this.token = Token; try { string[] Parts = Token.Split('.'); byte[] HeaderBin = Base64Url.Decode(this.header = Parts[0]); string HeaderString = Encoding.UTF8.GetString(HeaderBin); if (JSON.Parse(HeaderString) is Dictionary <string, object> Header) { if (Header.TryGetValue("typ", out object Typ)) { this.type = Typ as string; } if (!Header.TryGetValue("alg", out object Alg) || !(Alg is string AlgStr)) { throw new ArgumentException("Invalid alg header field.", nameof(Token)); } if (string.IsNullOrEmpty(AlgStr) || AlgStr.ToLower() == "none") { this.algorithm = null; } else if (!JwsAlgorithm.TryGetAlgorithm(AlgStr, out this.algorithm)) { throw new ArgumentException("Unrecognized algorithm reference in header field.", nameof(Token)); } } else { throw new Exception("Invalid JSON header."); } if (Parts.Length < 2) { throw new Exception("Claims set missing."); } byte[] ClaimsBin = Base64Url.Decode(this.payload = Parts[1]); string ClaimsString = Encoding.UTF8.GetString(ClaimsBin); if (JSON.Parse(ClaimsString) is Dictionary <string, object> Claims) { this.claims = Claims; foreach (KeyValuePair <string, object> P in Claims) { switch (P.Key) { case "iss": this.issuer = P.Value as string; break; case "sub": this.subject = P.Value as string; break; case "jti": this.id = P.Value as string; break; case "aud": if (P.Value is string AudStr) { this.audience = AudStr.Split(','); } else if (P.Value is Array) { List <string> Audience = new List <string>(); foreach (object Item in (Array)P.Value) { Audience.Add(Item.ToString()); } this.audience = Audience.ToArray(); } break; case "exp": if (P.Value is int ExpInt) { this.expiration = JSON.UnixEpoch.AddSeconds(ExpInt); } break; case "nbf": if (P.Value is int NbfInt) { this.notBefore = JSON.UnixEpoch.AddSeconds(NbfInt); } break; case "iat": if (P.Value is int IatInt) { this.issuedAt = JSON.UnixEpoch.AddSeconds(IatInt); } break; case "expires": break; } } } else { throw new Exception("Invalid JSON claims set."); } if (Parts.Length < 3) { throw new Exception("Signature missing."); } this.signature = Parts[2]; } catch (Exception ex) { throw new Exception("Unable to parse JWT token.", ex); } }