public static bool VerifyBasicAuthorisationToken(string authorisationToken, GetSharedSecret getSharedSecret, out string sessionToken) { if (String.IsNullOrWhiteSpace(authorisationToken)) { throw new ArgumentNullException("authorisationToken"); } if (getSharedSecret == null) { throw new ArgumentNullException("getSharedSecret"); } string[] tokens = authorisationToken.Split(' '); if (tokens.Length != 2 || !AuthorisationMethod.Basic.ToString().Equals(tokens[0]) || String.IsNullOrWhiteSpace(tokens[1])) { throw new ArgumentException("Authorisation token not recognised.", "authorisationToken"); } string base64EncodedString = tokens[1]; string combinedMessage = Encoding.ASCII.GetString(Convert.FromBase64String(base64EncodedString)); string[] nextTokens = combinedMessage.Split(':'); if (nextTokens.Length != 2 || String.IsNullOrWhiteSpace(nextTokens[0]) || String.IsNullOrWhiteSpace(nextTokens[1])) { throw new ArgumentException("Invalid authorisation token.", "authorisationToken"); } string sharedSecret = nextTokens[1]; sessionToken = nextTokens[0]; return(sharedSecret.Equals(getSharedSecret(sessionToken))); }
/// <summary> /// <see cref="IAuthorisationTokenService.Verify(AuthorisationToken, GetSharedSecret, out string)"/> /// </summary> public bool Verify(AuthorisationToken authorisationToken, GetSharedSecret getSharedSecret, out string sessionToken) { if (authorisationToken == null) { throw new InvalidAuthorisationTokenException("Authorisation token is null."); } if (string.IsNullOrWhiteSpace(authorisationToken.Token)) { throw new InvalidAuthorisationTokenException("The authorisation token value is null or empty."); } if (string.IsNullOrWhiteSpace(authorisationToken.Timestamp)) { throw new InvalidAuthorisationTokenException("The authorisation token timestamp is null or empty."); } if (getSharedSecret == null) { throw new ArgumentNullException("getSharedSecret"); } string[] tokens = authorisationToken.Token.Split(' '); if (tokens.Length != 2 || !AuthenticationMethod.SIF_HMACSHA256.ToString().Equals(tokens[0]) || string.IsNullOrWhiteSpace(tokens[1])) { throw new InvalidAuthorisationTokenException("Authorisation token is not recognised."); } string base64EncodedString = tokens[1]; string combinedMessage = Encoding.ASCII.GetString(Convert.FromBase64String(base64EncodedString)); string[] nextTokens = combinedMessage.Split(':'); if (nextTokens.Length != 2 || string.IsNullOrWhiteSpace(nextTokens[0]) || string.IsNullOrWhiteSpace(nextTokens[1])) { throw new InvalidAuthorisationTokenException("Authorisation token is invalid."); } string hmacsha256EncodedString = nextTokens[1]; sessionToken = nextTokens[0]; string sharedSecret = getSharedSecret(sessionToken); // Recalculate the encoded HMAC SHA256 string. // NOTE: Currently there are no checks for the date to be in UTC ISO 8601 format. byte[] messageBytes = Encoding.ASCII.GetBytes(sessionToken + ":" + authorisationToken.Timestamp); byte[] keyBytes = Encoding.ASCII.GetBytes(sharedSecret); string newHmacsha256EncodedString; using (HMACSHA256 hmacsha256 = new HMACSHA256(keyBytes)) { byte[] hashMessage = hmacsha256.ComputeHash(messageBytes); newHmacsha256EncodedString = Convert.ToBase64String(hashMessage); } return(hmacsha256EncodedString.Equals(newHmacsha256EncodedString)); }
public void HMACSHA256AuthorisationTest() { IAuthorisationTokenService service = new HmacShaAuthorisationTokenService(); AuthorisationToken authorisationToken = service.Generate("new", "guest"); Console.WriteLine("Authorisation token is " + authorisationToken.Token + "."); Console.WriteLine("Generated UTC ISO 8601 date is " + authorisationToken.Timestamp + "."); GetSharedSecret sharedSecret = SharedSecret; string sessionToken; bool authorised = service.Verify(authorisationToken, sharedSecret, out sessionToken); Assert.AreEqual(sessionToken, "new"); Assert.IsTrue(authorised); }
public static bool VerifyHMACSHA256AuthorisationToken(string authorisationToken, string dateString, GetSharedSecret getSharedSecret, out string sessionToken) { if (String.IsNullOrWhiteSpace(authorisationToken)) { throw new ArgumentNullException("authorisationToken"); } if (String.IsNullOrWhiteSpace(dateString)) { throw new ArgumentNullException("dateString"); } string[] tokens = authorisationToken.Split(' '); if (tokens.Length != 2 || !AuthorisationMethod.HMACSHA256.ToString().Equals(tokens[0]) || String.IsNullOrWhiteSpace(tokens[1])) { throw new ArgumentException("Authorisation token not recognised.", "authorisationToken"); } string base64EncodedString = tokens[1]; string combinedMessage = Encoding.ASCII.GetString(Convert.FromBase64String(base64EncodedString)); string[] nextTokens = combinedMessage.Split(':'); if (nextTokens.Length != 2 || String.IsNullOrWhiteSpace(nextTokens[0]) || String.IsNullOrWhiteSpace(nextTokens[1])) { throw new ArgumentException("Invalid authorisation token.", "authorisationToken"); } string hmacsha256EncodedString = nextTokens[1]; sessionToken = nextTokens[0]; string sharedSecret = getSharedSecret(sessionToken); // Recalculate the encoded HMAC SHA256 string. // NOTE: Currently there are no checks for the date to be in UTC ISO 8601 format. I don't see how date // can be relevant for verification purposes. byte[] messageBytes = Encoding.ASCII.GetBytes(sessionToken + ":" + dateString); byte[] keyBytes = Encoding.ASCII.GetBytes(sharedSecret); string newHmacsha256EncodedString; using (HMACSHA256 hmacsha256 = new HMACSHA256(keyBytes)) { byte[] hashMessage = hmacsha256.ComputeHash(messageBytes); newHmacsha256EncodedString = Convert.ToBase64String(hashMessage); } return hmacsha256EncodedString.Equals(newHmacsha256EncodedString); }
public static bool VerifyBasicAuthorisationToken(string authorisationToken, GetSharedSecret getSharedSecret, out string sessionToken) { if (String.IsNullOrWhiteSpace(authorisationToken)) { throw new ArgumentNullException("authorisationToken"); } if (getSharedSecret == null) { throw new ArgumentNullException("getSharedSecret"); } string[] tokens = authorisationToken.Split(' '); if (tokens.Length != 2 || !AuthorisationMethod.Basic.ToString().Equals(tokens[0]) || String.IsNullOrWhiteSpace(tokens[1])) { throw new ArgumentException("Authorisation token not recognised.", "authorisationToken"); } string base64EncodedString = tokens[1]; string combinedMessage = Encoding.ASCII.GetString(Convert.FromBase64String(base64EncodedString)); string[] nextTokens = combinedMessage.Split(':'); if (nextTokens.Length != 2 || String.IsNullOrWhiteSpace(nextTokens[0]) || String.IsNullOrWhiteSpace(nextTokens[1])) { throw new ArgumentException("Invalid authorisation token.", "authorisationToken"); } string sharedSecret = nextTokens[1]; sessionToken = nextTokens[0]; return sharedSecret.Equals(getSharedSecret(sessionToken)); }
public static bool VerifyHMACSHA256AuthorisationToken(string authorisationToken, string dateString, GetSharedSecret getSharedSecret, out string sessionToken) { if (String.IsNullOrWhiteSpace(authorisationToken)) { throw new ArgumentNullException("authorisationToken"); } if (String.IsNullOrWhiteSpace(dateString)) { throw new ArgumentNullException("dateString"); } string[] tokens = authorisationToken.Split(' '); if (tokens.Length != 2 || !AuthorisationMethod.HMACSHA256.ToString().Equals(tokens[0]) || String.IsNullOrWhiteSpace(tokens[1])) { throw new ArgumentException("Authorisation token not recognised.", "authorisationToken"); } string base64EncodedString = tokens[1]; string combinedMessage = Encoding.ASCII.GetString(Convert.FromBase64String(base64EncodedString)); string[] nextTokens = combinedMessage.Split(':'); if (nextTokens.Length != 2 || String.IsNullOrWhiteSpace(nextTokens[0]) || String.IsNullOrWhiteSpace(nextTokens[1])) { throw new ArgumentException("Invalid authorisation token.", "authorisationToken"); } string hmacsha256EncodedString = nextTokens[1]; sessionToken = nextTokens[0]; string sharedSecret = getSharedSecret(sessionToken); // Recalculate the encoded HMAC SHA256 string. // NOTE: Currently there are no checks for the date to be in UTC ISO 8601 format. I don't see how date // can be relevant for verification purposes. byte[] messageBytes = Encoding.ASCII.GetBytes(sessionToken + ":" + dateString); byte[] keyBytes = Encoding.ASCII.GetBytes(sharedSecret); string newHmacsha256EncodedString; using (HMACSHA256 hmacsha256 = new HMACSHA256(keyBytes)) { byte[] hashMessage = hmacsha256.ComputeHash(messageBytes); newHmacsha256EncodedString = Convert.ToBase64String(hashMessage); } return(hmacsha256EncodedString.Equals(newHmacsha256EncodedString)); }