public async Task CanRoundTripRSA()
{
using (var rsa = new RSACryptoServiceProvider()) {
var publicKeyParams = rsa.ExportParameters(false);
var rsaAlg = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA384, publicKeyParams);
var client = new Client("c1", "app one", rsaAlg, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var actual = await _sut.Get(client.Id);
actual.Should().BeEquivalentTo(client, options => options.ComparingByMembers <Client>());
actual.SignatureAlgorithm.Should().BeAssignableTo <RSASignatureAlgorithm>();
actual.SignatureAlgorithm.As <RSASignatureAlgorithm>().GetPublicKey().ToXml().Should().Be(rsa.ExportParameters(false).ToXml());
actual.SignatureAlgorithm.As <RSASignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384);
}
}
public void GivenRSADataRecord_ReturnsRSAAlgorithm()
{
using (var rsa = new RSACryptoServiceProvider()) {
var publicParameters = rsa.ExportParameters(includePrivateParameters: false);
_dataRecord.Type = "RSA";
_dataRecord.Parameter = publicParameters.ToXml();
_dataRecord.HashAlgorithm = HashAlgorithmName.MD5.Name;
_dataRecord.IsParameterEncrypted = false;
using (var actual = _sut.ToSignatureAlgorithm(_dataRecord, _encryptionKey, _recordVersion)) {
var expected = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.MD5, publicParameters);
actual.Should().BeAssignableTo <RSASignatureAlgorithm>();
actual.As <RSASignatureAlgorithm>().Should().BeEquivalentTo(expected);
actual.As <RSASignatureAlgorithm>().GetPublicKey().ToXml().Should().Be(publicParameters.ToXml());
}
}
}
public void GivenRSADataRecord_ReturnsRSAAlgorithm()
{
using (var rsa = new RSACryptoServiceProvider()) {
var publicParameters = rsa.ExportParameters(false);
var sut = new SignatureAlgorithmDataRecord {
Type = "RSA",
Parameter = publicParameters.ToXml(),
HashAlgorithm = HashAlgorithmName.MD5.Name
};
using (var actual = sut.ToSignatureAlgorithm()) {
var expected = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.MD5, publicParameters);
actual.Should().BeAssignableTo <RSASignatureAlgorithm>();
actual.As <RSASignatureAlgorithm>().Should().BeEquivalentTo(expected);
actual.As <RSASignatureAlgorithm>().GetPublicKey().ToXml().Should().Be(publicParameters.ToXml());
}
}
}
public static async Task <bool> Run(VerifyOptions options)
{
ISignatureAlgorithm signatureAlgorithm;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, KeyReader.ReadRSA(options.PublicKey));
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = ECDsaSignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, KeyReader.ReadECDsaPublic(options.PublicKey));
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = SignatureAlgorithm.CreateForVerification(options.PublicKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
var serviceProvider = new ServiceCollection()
.AddHttpMessageSignatureVerification(provider => {
var clientStore = new InMemoryClientStore();
clientStore.Register(new Client(
new KeyId("test"),
"ConformanceClient",
signatureAlgorithm,
TimeSpan.FromSeconds(30),
TimeSpan.FromMinutes(1)));
return(clientStore);
})
.BuildServiceProvider();
var verifier = serviceProvider.GetRequiredService <IRequestSignatureVerifier>();
var verificationResult = await verifier.VerifySignature(options.Message, new SignedRequestAuthenticationOptions {
OnSignatureParsed = options.ModifyParsedSignature
});
return(verificationResult is RequestSignatureVerificationResultSuccess);
}
public async Task <int> Run(VerifyOptions options, string httpMessage)
{
ISignatureAlgorithm signatureAlgorithmForVerification;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
RSAParameters rsaPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new PemReader(stream)) {
rsaPublicKey = reader.ReadRsaKey();
}
}
signatureAlgorithmForVerification = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, rsaPublicKey);
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
ECParameters ecPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new StreamReader(stream)) {
var fileContents = reader.ReadToEnd();
var lines = fileContents.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries);
lines = lines.Skip(1).Take(lines.Length - 2).ToArray();
var pem = string.Join("", lines);
var ecdsa = ECDsa.Create();
var derArray = Convert.FromBase64String(pem);
ecdsa.ImportSubjectPublicKeyInfo(derArray, out _);
ecPublicKey = ecdsa.ExportParameters(false);
}
}
signatureAlgorithmForVerification = ECDsaSignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, ecPublicKey);
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithmForVerification = SignatureAlgorithm.CreateForVerification(options.PublicKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
var serviceProvider = new ServiceCollection()
.AddHttpMessageSignatureVerification(provider => {
var clientStore = new InMemoryClientStore();
clientStore.Register(new Client(
new KeyId("test"),
"ConformanceClient",
signatureAlgorithmForVerification,
TimeSpan.FromSeconds(30),
TimeSpan.FromMinutes(1)));
return(clientStore);
})
.BuildServiceProvider();
var verifier = serviceProvider.GetRequiredService <IRequestSignatureVerifier>();
var clientRequest = HttpRequestMessageParser.Parse(httpMessage);
var requestToVerify = await clientRequest.ToServerSideHttpRequest();
var verificationResult = await verifier.VerifySignature(requestToVerify, new SignedRequestAuthenticationOptions {
OnSignatureParsed = (request, signature) => {
if (!string.IsNullOrEmpty(options.Algorithm))
{
signature.Algorithm = options.Algorithm;
}
return(Task.CompletedTask);
}
});
return(verificationResult is RequestSignatureVerificationResultSuccess
? 0
: 1);
}