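public void CanValidateES256()
        {
            // Token and public key are the ES256 example from RFC 7515 Appendix A.3;
            // each coordinate decodes to 32 bytes, i.e. a P-256 point.
            const string token = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q";
            var          x     = Base64Url.DeserializeBytes("f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "ECDSA key X value");
            var          y     = Base64Url.DeserializeBytes("x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "ECDSA key Y value");

            // ES256 is ECDSA over P-256 with SHA-256 (RFC 7518 §3.4). The curve has to
            // agree with both the algorithm and the 32-byte coordinates above; P-384
            // (48-byte coordinates) does not describe the key that produced this signature.
            var key = new ECDsaSecurityKey(ECDsa.Create(new ECParameters
            {
                Q = new ECPoint
                {
                    X = x,
                    Y = y
                },
                Curve = ECCurve.NamedCurves.nistP256
            }));

            // Process-wide switch that lets the library put key/claim details into
            // failure messages. Useful for diagnosing a failing test; not for production.
            IdentityModelEventSource.ShowPII = true;

            // The sample token's exp claim (1300819380) is long in the past, so the skew
            // is widened until the lifetime check cannot fail and only the signature,
            // issuer and algorithm checks decide the result.
            var result = new JsonWebTokenHandler().ValidateToken(token, new TokenValidationParameters
            {
                IssuerSigningKey = key,
                ClockSkew        = TimeSpan.FromDays(4000),
                ValidIssuer      = "joe",
                ValidateAudience = false
            });

            result.IsValid.ShouldBeTrue();
        }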
        private HMAC CreateHasher(Jwk key)
        {
            // The shared secret is the JWK "k" member, base64url-decoded as-is.
            // No minimum length is enforced at this point (RFC 7518 §3.2 expects at
            // least the digest size, e.g. 32 bytes for HS256); that check does not
            // happen here.
            var secret = Base64Url.DeserializeBytes(key.K, "HMAC signature key");

            // Select the MAC whose digest matches the configured JWS algorithm;
            // anything that is not an HS* algorithm is a configuration error.
            return Algorithm switch
            {
                JwsAlgorithm.HS256 => new HMACSHA256(secret),
                JwsAlgorithm.HS384 => new HMACSHA384(secret),
                JwsAlgorithm.HS512 => new HMACSHA512(secret),
                _                  => throw Logger.Exception($"Invalid algorithm \"{Algorithm}\" for {nameof(Hmac)}"),
            };
        }
        public async Task ValidateSignature(Jws jws)
        {
            // NOTE(review): a JWS whose header declares alg=none leaves this method
            // without any signature check at all. Callers must make sure this path is
            // only reachable where unsigned tokens are explicitly expected.
            if (jws.Algorithm != JwsAlgorithm.none)
            {
                // The signed input is the raw "header.payload" text, not its decoded form.
                var signedInput       = GetBytes(jws.RawSignedPart);
                var presentedSignature = Base64Url.DeserializeBytes(jws.RawSignature, "Token signature");

                // The validator is chosen from the header plus the parsed algorithm;
                // the set of acceptable keys comes from the published JWKS.
                var validator = ValidatorFactory.Create(jws.Header, jws.Algorithm);
                var keySet    = await Metadata.JsonWebKeys();

                validator.Validate(signedInput, presentedSignature, keySet.Keys);
            }
        }
        private (ECDsa, HashAlgorithmName) CreateHasher(Jwk key)
        {
            // Digest and curve come from this instance's HasherParameters, not from the
            // JWK, so a "crv" member that disagrees with the configured algorithm has no
            // influence on which curve the point is interpreted on.
            var (digestName, namedCurve) = HasherParameters;

            // Public point only: the JWK's "x"/"y" members are read, no private scalar.
            var publicPoint = new ECPoint
            {
                X = Base64Url.DeserializeBytes(key.X, "ECDSA key X value"),
                Y = Base64Url.DeserializeBytes(key.Y, "ECDSA key Y value")
            };

            var ecdsa = ECDsa.Create(new ECParameters
            {
                Q     = publicPoint,
                Curve = namedCurve
            });

            return (ecdsa, digestName);
        }
        public override bool IsValid(byte[] signedBytes, byte[] signature, Jwk key)
        {
            // CreateHasher() pairs the digest implementation with the name the RSA
            // deformatter expects; both are dictated by the configured algorithm.
            var (digest, digestName) = CreateHasher();

            using (digest)
            {
                var computedHash = digest.ComputeHash(signedBytes);

                // NOTE(review): RSACryptoServiceProvider and RSAPKCS1SignatureDeformatter
                // are the legacy CAPI-era API; RSA.Create() with
                // VerifyHash(..., RSASignaturePadding.Pkcs1) is the portable equivalent.
                // No minimum modulus size is checked here (RFC 7518 §3.3 requires
                // 2048 bits or more) — the JWK's "n" is imported as supplied.
                using var rsa = new RSACryptoServiceProvider();
                rsa.ImportParameters(new RSAParameters
                {
                    Modulus  = Base64Url.DeserializeBytes(key.N, "RSA key modulus"),
                    Exponent = Base64Url.DeserializeBytes(key.E, "RSA key exponent")
                });

                // PKCS#1 v1.5 signature check against the digest computed above.
                var verifier = new RSAPKCS1SignatureDeformatter(rsa);
                verifier.SetHashAlgorithm(digestName);

                return verifier.VerifySignature(computedHash, signature);
            }
        }
        public void CanValidateRS256()
        {
            // Token and public key are the RS256 example from RFC 7515 Appendix A.2.
            const string token = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw";

            // Public RSA key only: modulus "n" and exponent "e" ("AQAB" is 65537).
            var modulus  = Base64Url.DeserializeBytes("ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ", "n");
            var exponent = Base64Url.DeserializeBytes("AQAB", "e");

            var key = new RsaSecurityKey(new RSAParameters
            {
                Modulus  = modulus,
                Exponent = exponent
            });

            // Process-wide diagnostic switch (key/claim details in failure messages);
            // acceptable for a test, not something to leave enabled in production.
            IdentityModelEventSource.ShowPII = true;

            // The sample token's exp claim (1300819380) is long in the past; the wide
            // skew keeps the lifetime check from failing so the signature is what is tested.
            var validationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = key,
                ClockSkew        = TimeSpan.FromDays(4000),
                ValidIssuer      = "joe",
                ValidateAudience = false
            };

            var handler = new JsonWebTokenHandler();
            var result  = handler.ValidateToken(token, validationParameters);

            result.IsValid.ShouldBeTrue();
        }