public async Task <bool> IsValidAsync(
            TokenValidationArgs args,
            string schemeOwnerAccessToken,
            CancellationToken token = default)
        {
            if (!_decodedJwtValidator.IsIShareCompliant(args))
            {
                return(false);
            }

            try
            {
                var validationArgs = new CertificateValidationArgs(
                    CertificateUtilities.FromBase64Der(args.AssertionModel.Certificates.First()),
                    args.Issuer,
                    args.AssertionModel.Certificates.Skip(1).Select(CertificateUtilities.FromBase64Der));

                return(await _jwtCertificateValidator.IsValidAsync(validationArgs, schemeOwnerAccessToken, token));
            }
            catch (Exception e)
            {
                _logger.LogError(e, "Couldn't create proper CertificateValidationArgs. Certificates are corrupted.");

                return(false);
            }
        }
示例#2
0
        private async Task <bool> DoesCertificateBelongToParty(
            CertificateValidationArgs validationArgs,
            string accessToken,
            CancellationToken cancellationToken)
        {
            var subjectName = validationArgs.PartyCertificate.SubjectName.Name;
            var args        = new PartiesRequestArgs(
                accessToken,
                eori: validationArgs.PartyEori,
                certificateSubjectName: subjectName);

            var response = await _partiesQueryService.GetAsync(args, cancellationToken);

            if (response.Count != 1)
            {
                _logger.LogWarning(
                    "Parties response count for eori: {eori} and subject: {subjectName} was not 1. Count: {count}.",
                    validationArgs.PartyEori,
                    subjectName,
                    response.Count);

                return(false);
            }

            var adherence = response.Parties.First().Adherence;

            return(adherence.Status == "Active" &&
                   adherence.StartDate < DateTime.UtcNow &&
                   (!adherence.EndDate.HasValue || adherence.EndDate > DateTime.UtcNow));
        }
示例#3
0
        public async Task <bool> IsValidAsync(
            CertificateValidationArgs validationArgs,
            string schemeOwnerAccessToken,
            CancellationToken cancellationToken)
        {
            try
            {
                if (!IsChainValid(validationArgs.PartyCertificate, validationArgs.AdditionalCertificates))
                {
                    return(false);
                }

                if (!await DoesCertificateBelongToParty(validationArgs, schemeOwnerAccessToken, cancellationToken))
                {
                    return(false);
                }

                return(await IsRootCertificateTrusted(
                           validationArgs.AdditionalCertificates.Last(),
                           schemeOwnerAccessToken,
                           cancellationToken));
            }
            catch (Exception e)
            {
                _logger.LogError("Error occurred during JWT x5c validation.", e);

                return(false);
            }
        }
        public async Task IsValidAsync_ChainInvalid_ReturnsFalse()
        {
            var args = new CertificateValidationArgs(
                CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey),
                Constants.AbcParty.ClientId,
                new[] { CertificateUtilities.FromPemFormat(RandomCaPublicKey) });

            var result = await _sut.IsValidAsync(args, "access_token_which_wont_be_used_here");

            result.Should().BeFalse();
        }
        public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue()
        {
            var sut = new JwtCertificateValidator(
                _partiesQueryServiceMock.Object,
                _trustedListQueryServiceMock.Object,
                new ProductionCaStrategy(),
                _loggerMock.Object);
            var args = new CertificateValidationArgs(
                CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der),
                Constants.SchemeOwner.ClientId,
                new[]
            {
                CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der)
            });

            var result = await sut.IsValidAsync(args, "access_token", CancellationToken.None);

            result.Should().BeTrue();
        }