public async Task <bool> IsValidAsync(
TokenValidationArgs args,
string schemeOwnerAccessToken,
CancellationToken token = default)
{
if (!_decodedJwtValidator.IsIShareCompliant(args))
{
return(false);
}
try
{
var validationArgs = new CertificateValidationArgs(
CertificateUtilities.FromBase64Der(args.AssertionModel.Certificates.First()),
args.Issuer,
args.AssertionModel.Certificates.Skip(1).Select(CertificateUtilities.FromBase64Der));
return(await _jwtCertificateValidator.IsValidAsync(validationArgs, schemeOwnerAccessToken, token));
}
catch (Exception e)
{
_logger.LogError(e, "Couldn't create proper CertificateValidationArgs. Certificates are corrupted.");
return(false);
}
}
private async Task <bool> DoesCertificateBelongToParty(
CertificateValidationArgs validationArgs,
string accessToken,
CancellationToken cancellationToken)
{
var subjectName = validationArgs.PartyCertificate.SubjectName.Name;
var args = new PartiesRequestArgs(
accessToken,
eori: validationArgs.PartyEori,
certificateSubjectName: subjectName);
var response = await _partiesQueryService.GetAsync(args, cancellationToken);
if (response.Count != 1)
{
_logger.LogWarning(
"Parties response count for eori: {eori} and subject: {subjectName} was not 1. Count: {count}.",
validationArgs.PartyEori,
subjectName,
response.Count);
return(false);
}
var adherence = response.Parties.First().Adherence;
return(adherence.Status == "Active" &&
adherence.StartDate < DateTime.UtcNow &&
(!adherence.EndDate.HasValue || adherence.EndDate > DateTime.UtcNow));
}
public async Task <bool> IsValidAsync(
CertificateValidationArgs validationArgs,
string schemeOwnerAccessToken,
CancellationToken cancellationToken)
{
try
{
if (!IsChainValid(validationArgs.PartyCertificate, validationArgs.AdditionalCertificates))
{
return(false);
}
if (!await DoesCertificateBelongToParty(validationArgs, schemeOwnerAccessToken, cancellationToken))
{
return(false);
}
return(await IsRootCertificateTrusted(
validationArgs.AdditionalCertificates.Last(),
schemeOwnerAccessToken,
cancellationToken));
}
catch (Exception e)
{
_logger.LogError("Error occurred during JWT x5c validation.", e);
return(false);
}
}
public async Task IsValidAsync_ChainInvalid_ReturnsFalse()
{
var args = new CertificateValidationArgs(
CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey),
Constants.AbcParty.ClientId,
new[] { CertificateUtilities.FromPemFormat(RandomCaPublicKey) });
var result = await _sut.IsValidAsync(args, "access_token_which_wont_be_used_here");
result.Should().BeFalse();
}
public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue()
{
var sut = new JwtCertificateValidator(
_partiesQueryServiceMock.Object,
_trustedListQueryServiceMock.Object,
new ProductionCaStrategy(),
_loggerMock.Object);
var args = new CertificateValidationArgs(
CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der),
Constants.SchemeOwner.ClientId,
new[]
{
CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der)
});
var result = await sut.IsValidAsync(args, "access_token", CancellationToken.None);
result.Should().BeTrue();
}
