/// <inheritdoc/> public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = Task.FromResult(new SecretValidationResult { Success = false }); if (parsedSecret.Type != ParsedSecretTypes.X509Certificate) { _logger.LogDebug("X509 name secret validator cannot process {type}", parsedSecret.Type ?? "null"); return(fail); } var cert = parsedSecret.Credential as X509Certificate2; if (cert == null) { throw new InvalidOperationException("Credential is not a x509 certificate."); } var name = cert.Subject; if (name == null) { _logger.LogWarning("No subject/name found in X509 certificate."); return(fail); } var nameSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateName); if (!nameSecrets.Any()) { _logger.LogDebug("No x509 name secrets configured for client."); return(fail); } foreach (var nameSecret in nameSecrets) { var secretDescription = string.IsNullOrEmpty(nameSecret.Description) ? "no description" : nameSecret.Description; if (name.Equals(nameSecret.Value, StringComparison.Ordinal)) { var values = new Dictionary <string, string> { { "x5t#S256", cert.Thumbprint } }; var cnf = JsonConvert.SerializeObject(values); var result = new SecretValidationResult { Success = true, Confirmation = cnf }; return(Task.FromResult(result)); } } _logger.LogDebug("No matching x509 name secret found."); return(fail); }
/// <inheritdoc/> public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = Task.FromResult(new SecretValidationResult { Success = false }); if (parsedSecret.Type != ParsedSecretTypes.X509Certificate) { _logger.LogDebug("X509 thumbprint secret validator cannot process {type}", parsedSecret.Type ?? "null"); return(fail); } var cert = parsedSecret.Credential as X509Certificate2; if (cert == null) { throw new InvalidOperationException("Credential is not a x509 certificate."); } var thumbprint = cert.Thumbprint; if (thumbprint == null) { _logger.LogWarning("No thumbprint found in X509 certificate."); return(fail); } var thumbprintSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateThumbprint); if (!thumbprintSecrets.Any()) { _logger.LogDebug("No thumbprint secrets configured for client."); return(fail); } foreach (var thumbprintSecret in thumbprintSecrets) { var secretDescription = string.IsNullOrEmpty(thumbprintSecret.Description) ? "no description" : thumbprintSecret.Description; if (thumbprint.Equals(thumbprintSecret.Value, StringComparison.OrdinalIgnoreCase)) { var result = new SecretValidationResult { Success = true, Confirmation = cert.CreateThumbprintCnf() }; return(Task.FromResult(result)); } } _logger.LogDebug("No matching x509 thumbprint secret found."); return(fail); }
/// <inheritdoc/> public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = Task.FromResult(new SecretValidationResult { Success = false }); if (parsedSecret.Type != ParsedSecretTypes.X509Certificate) { _logger.LogDebug("X509 name secret validator cannot process {type}", parsedSecret.Type ?? "null"); return(fail); } if (!(parsedSecret.Credential is X509Certificate2 cert)) { throw new InvalidOperationException("Credential is not a x509 certificate."); } var name = cert.Subject; if (name == null) { _logger.LogWarning("No subject/name found in X509 certificate."); return(fail); } var nameSecrets = secrets.Where(s => s.Type == SecretTypes.X509CertificateName); if (!nameSecrets.Any()) { _logger.LogDebug("No x509 name secrets configured for client."); return(fail); } foreach (var nameSecret in nameSecrets) { if (name.Equals(nameSecret.Value, StringComparison.Ordinal)) { var result = new SecretValidationResult { Success = true, Confirmation = cert.CreateThumbprintCnf() }; return(Task.FromResult(result)); } } _logger.LogDebug("No matching x509 name secret found."); return(fail); }
/// <summary> /// Validates a secret /// </summary> /// <param name="secrets">The stored secrets.</param> /// <param name="parsedSecret">The received secret.</param> /// <returns> /// A validation result /// </returns> /// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception> public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = new SecretValidationResult { Success = false }; var success = new SecretValidationResult { Success = true }; if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer) { return(fail); } if (!(parsedSecret.Credential is string jwtTokenString)) { _logger.LogError("ParsedSecret.Credential is not a string."); return(fail); } List <SecurityKey> trustedKeys; try { trustedKeys = await secrets.GetKeysAsync(); } catch (Exception e) { _logger.LogError(e, "Could not parse secrets"); return(fail); } if (!trustedKeys.Any()) { _logger.LogError("There are no keys available to validate client assertion."); return(fail); } var jwtToken = new JwtSecurityToken(jwtTokenString); // OZ // var x5c = jwtToken.Payload.Claims.FirstOrDefault(c => c.Type == "x5c")?.Value; // string x5c = jwtToken.Header.GetValueOrDefault("x5c"); Console.WriteLine("Client Token:\n" + jwtTokenString + "\n"); object o; if (jwtToken.Header.TryGetValue("x5c", out o)) { // if (o is string) var s = o.GetType().ToString(); if (o is JArray) { // string x5c = o as string; string[] x5c = (o as JArray).ToObject <string[]>(); // if (x5c != null && x5c != "") if (x5c != null) { // Console.WriteLine("x5c:\n" + x5c); Console.WriteLine("Security 2.1a Server: x5c with certificate chain received"); // parsed = JObject.Parse(Jose.JWT.Payload(token)); // user = parsed.SelectToken("user").Value<string>(); // string user = jwtToken.Payload.Claims.FirstOrDefault(c => c.Type == "user")?.Value; X509Store storeCA = new X509Store("CA", StoreLocation.CurrentUser); storeCA.Open(OpenFlags.ReadWrite); bool valid = false; // string[] x5c64 = JsonConvert.DeserializeObject<string[]>(x5c); string[] x5c64 = x5c; X509Certificate2Collection xcc = new X509Certificate2Collection(); Byte[] certFileBytes = Convert.FromBase64String(x5c64[0]); /* * string fileCert = "./temp/" + user + ".cer"; * File.WriteAllBytes(fileCert, certFileBytes); * Console.WriteLine("Security 2.1b Server: " + fileCert + " received"); */ var x509 = new X509Certificate2(certFileBytes); xcc.Add(x509); Console.WriteLine("Security 2.1c Certificate in Chain: " + x509.Subject); StringBuilder builder = new StringBuilder(); builder.AppendLine("-----BEGIN CERTIFICATE-----"); builder.AppendLine( Convert.ToBase64String(x509.RawData, Base64FormattingOptions.InsertLineBreaks)); builder.AppendLine("-----END CERTIFICATE-----"); Console.WriteLine("Client Certificate: "); Console.WriteLine(builder); for (int i = 1; i < x5c64.Length; i++) { var cert = new X509Certificate2(Convert.FromBase64String(x5c64[i])); Console.WriteLine("Security 2.1c Certificate in Chain: " + cert.Subject); if (cert.Subject != cert.Issuer) { xcc.Add(cert); storeCA.Add(cert); } } X509Chain c = new X509Chain(); c.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; valid = c.Build(x509); // storeCA.RemoveRange(xcc); Console.WriteLine("Security 2.1d Server: Validate chain with root cert"); if (!valid) { Console.WriteLine("ERROR: Certificate " + x509.Subject + " not valid!"); _logger.LogError("Certificate " + x509.Subject + " not valid!"); return(fail); } var xsk = new X509SecurityKey(x509); trustedKeys = new List <SecurityKey> { xsk }; } } } // OZ end var validAudiences = new[] { // issuer URI (tbd) //_contextAccessor.HttpContext.GetIdentityServerIssuerUri(), // token endpoint URL string.Concat(_contextAccessor.HttpContext.GetIdentityServerIssuerUri().EnsureTrailingSlash(), Constants.ProtocolRoutePaths.Token) }; var tokenValidationParameters = new TokenValidationParameters { IssuerSigningKeys = trustedKeys, ValidateIssuerSigningKey = true, ValidIssuer = parsedSecret.Id, ValidateIssuer = true, ValidAudiences = validAudiences, ValidateAudience = true, RequireSignedTokens = true, RequireExpirationTime = true, ClockSkew = TimeSpan.FromMinutes(5) }; try { var handler = new JwtSecurityTokenHandler(); handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token); jwtToken = (JwtSecurityToken)token; if (jwtToken.Subject != jwtToken.Issuer) { _logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id."); return(fail); } var exp = jwtToken.Payload.Exp; if (!exp.HasValue) { _logger.LogError("exp is missing."); return(fail); } var jti = jwtToken.Payload.Jti; if (jti.IsMissing()) { _logger.LogError("jti is missing."); return(fail); } if (await _replayCache.ExistsAsync(Purpose, jti)) { _logger.LogError("jti is found in replay cache. Possible replay attack."); return(fail); } else { await _replayCache.AddAsync(Purpose, jti, DateTimeOffset.FromUnixTimeSeconds(exp.Value).AddMinutes(5)); } return(success); } catch (Exception e) { _logger.LogError(e, "JWT token validation error"); return(fail); } }
/// <summary> /// Validates a secret /// </summary> /// <param name="secrets">The stored secrets.</param> /// <param name="parsedSecret">The received secret.</param> /// <returns> /// A validation result /// </returns> /// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception> public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = new SecretValidationResult { Success = false }; var success = new SecretValidationResult { Success = true }; if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer) { return(fail); } if (!(parsedSecret.Credential is string jwtTokenString)) { _logger.LogError("ParsedSecret.Credential is not a string."); return(fail); } List <SecurityKey> trustedKeys; try { trustedKeys = await secrets.GetKeysAsync(); } catch (Exception e) { _logger.LogError(e, "Could not parse secrets"); return(fail); } if (!trustedKeys.Any()) { _logger.LogError("There are no keys available to validate client assertion."); return(fail); } var tokenValidationParameters = new TokenValidationParameters { IssuerSigningKeys = trustedKeys, ValidateIssuerSigningKey = true, ValidIssuer = parsedSecret.Id, ValidateIssuer = true, ValidAudience = _audienceUri, ValidateAudience = true, RequireSignedTokens = true, RequireExpirationTime = true }; try { var handler = new JwtSecurityTokenHandler(); handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token); var jwtToken = (JwtSecurityToken)token; if (jwtToken.Subject != jwtToken.Issuer) { _logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id."); return(fail); } return(success); } catch (Exception e) { _logger.LogError(e, "JWT token validation error"); return(fail); } }
/// <summary> /// Validates the current request. /// </summary> /// <param name="context">The context.</param> /// <returns></returns> public async Task <ClientSecretValidationResult> ValidateAsync(HttpContext context) { _logger.LogDebug("Start client validation"); var fail = new ClientSecretValidationResult { IsError = true }; var parsedSecret = await _parser.ParseAsync(context); if (parsedSecret == null) { await RaiseFailureEventAsync("unknown", "No client id found"); _logger.LogError("No client identifier found"); return(fail); } // load client var client = await _clients.FindEnabledClientByIdAsync(parsedSecret.Id); if (client == null) { await RaiseFailureEventAsync(parsedSecret.Id, "Unknown client"); _logger.LogError("No client with id '{clientId}' found. aborting", parsedSecret.Id); return(fail); } SecretValidationResult secretValidationResult = null; if (!client.RequireClientSecret || client.IsImplicitOnly()) { _logger.LogDebug("Public Client - skipping secret validation success"); } else { secretValidationResult = await _validator.ValidateAsync(parsedSecret, client.ClientSecrets); if (secretValidationResult.Success == false) { await RaiseFailureEventAsync(client.ClientId, "Invalid client secret"); _logger.LogError("Client secret validation failed for client: {clientId}.", client.ClientId); return(fail); } } _logger.LogDebug("Client validation success"); var success = new ClientSecretValidationResult { IsError = false, Client = client, Secret = parsedSecret, Confirmation = secretValidationResult?.Confirmation }; await RaiseSuccessEventAsync(client.ClientId, parsedSecret.Type); return(success); }
/// <summary> /// Validates a secret /// </summary> /// <param name="secrets">The stored secrets.</param> /// <param name="parsedSecret">The received secret.</param> /// <returns> /// A validation result /// </returns> /// <exception cref="System.ArgumentException">ParsedSecret.Credential is not a JWT token</exception> public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret) { var fail = new SecretValidationResult { Success = false }; var success = new SecretValidationResult { Success = true }; if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer) { return(fail); } if (!(parsedSecret.Credential is string jwtTokenString)) { _logger.LogError("ParsedSecret.Credential is not a string."); return(fail); } List <SecurityKey> trustedKeys; try { trustedKeys = await secrets.GetKeysAsync(); } catch (Exception e) { _logger.LogError(e, "Could not parse secrets"); return(fail); } if (!trustedKeys.Any()) { _logger.LogError("There are no keys available to validate client assertion."); return(fail); } var validAudiences = new[] { // issuer URI (tbd) //_contextAccessor.HttpContext.GetIdentityServerIssuerUri(), // token endpoint URL string.Concat(_contextAccessor.HttpContext.GetIdentityServerIssuerUri().EnsureTrailingSlash(), Constants.ProtocolRoutePaths.Token) }; var tokenValidationParameters = new TokenValidationParameters { IssuerSigningKeys = trustedKeys, ValidateIssuerSigningKey = true, ValidIssuer = parsedSecret.Id, ValidateIssuer = true, ValidAudiences = validAudiences, ValidateAudience = true, RequireSignedTokens = true, RequireExpirationTime = true, ClockSkew = TimeSpan.FromMinutes(5) }; try { var handler = new JwtSecurityTokenHandler(); handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token); var jwtToken = (JwtSecurityToken)token; if (jwtToken.Subject != jwtToken.Issuer) { _logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id."); return(fail); } var exp = jwtToken.Payload.Exp; if (!exp.HasValue) { _logger.LogError("exp is missing."); return(fail); } var jti = jwtToken.Payload.Jti; if (jti.IsMissing()) { _logger.LogError("jti is missing."); return(fail); } if (await _replayCache.ExistsAsync(Purpose, jti)) { _logger.LogError("jti is found in replay cache. Possible replay attack."); return(fail); } else { await _replayCache.AddAsync(Purpose, jti, DateTimeOffset.FromUnixTimeSeconds(exp.Value).AddMinutes(5)); } return(success); } catch (Exception e) { _logger.LogError(e, "JWT token validation error"); return(fail); } }