public async Task <bool> IsValidAsync( TokenValidationArgs args, string schemeOwnerAccessToken, CancellationToken token = default) { if (!_decodedJwtValidator.IsIShareCompliant(args)) { return(false); } try { var validationArgs = new CertificateValidationArgs( CertificateUtilities.FromBase64Der(args.AssertionModel.Certificates.First()), args.Issuer, args.AssertionModel.Certificates.Skip(1).Select(CertificateUtilities.FromBase64Der)); return(await _jwtCertificateValidator.IsValidAsync(validationArgs, schemeOwnerAccessToken, token)); } catch (Exception e) { _logger.LogError(e, "Couldn't create proper CertificateValidationArgs. Certificates are corrupted."); return(false); } }
private async Task <bool> DoesCertificateBelongToParty( CertificateValidationArgs validationArgs, string accessToken, CancellationToken cancellationToken) { var subjectName = validationArgs.PartyCertificate.SubjectName.Name; var args = new PartiesRequestArgs( accessToken, eori: validationArgs.PartyEori, certificateSubjectName: subjectName); var response = await _partiesQueryService.GetAsync(args, cancellationToken); if (response.Count != 1) { _logger.LogWarning( "Parties response count for eori: {eori} and subject: {subjectName} was not 1. Count: {count}.", validationArgs.PartyEori, subjectName, response.Count); return(false); } var adherence = response.Parties.First().Adherence; return(adherence.Status == "Active" && adherence.StartDate < DateTime.UtcNow && (!adherence.EndDate.HasValue || adherence.EndDate > DateTime.UtcNow)); }
public async Task <bool> IsValidAsync( CertificateValidationArgs validationArgs, string schemeOwnerAccessToken, CancellationToken cancellationToken) { try { if (!IsChainValid(validationArgs.PartyCertificate, validationArgs.AdditionalCertificates)) { return(false); } if (!await DoesCertificateBelongToParty(validationArgs, schemeOwnerAccessToken, cancellationToken)) { return(false); } return(await IsRootCertificateTrusted( validationArgs.AdditionalCertificates.Last(), schemeOwnerAccessToken, cancellationToken)); } catch (Exception e) { _logger.LogError("Error occurred during JWT x5c validation.", e); return(false); } }
public async Task IsValidAsync_ChainInvalid_ReturnsFalse() { var args = new CertificateValidationArgs( CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey), Constants.AbcParty.ClientId, new[] { CertificateUtilities.FromPemFormat(RandomCaPublicKey) }); var result = await _sut.IsValidAsync(args, "access_token_which_wont_be_used_here"); result.Should().BeFalse(); }
public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue() { var sut = new JwtCertificateValidator( _partiesQueryServiceMock.Object, _trustedListQueryServiceMock.Object, new ProductionCaStrategy(), _loggerMock.Object); var args = new CertificateValidationArgs( CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der), Constants.SchemeOwner.ClientId, new[] { CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der) }); var result = await sut.IsValidAsync(args, "access_token", CancellationToken.None); result.Should().BeTrue(); }