/// <summary>
        /// Validates an assertion returned by the Scheme Owner: iSHARE compliance of the
        /// decoded JWT first, then the certificate chain carried in the assertion.
        /// </summary>
        /// <param name="assertionModel">Decoded assertion whose <c>Certificates</c> entries are base64 DER strings.</param>
        /// <returns>
        /// <c>true</c> only when every check passes. Any failed check and any exception
        /// yields <c>false</c>, so the method fails closed.
        /// </returns>
        public bool IsValid(AssertionModel assertionModel)
        {
            try
            {
                var tokenArgs = CreateTokenValidationArgs(assertionModel);
                if (!_decodedJwtValidator.IsIShareCompliant(tokenArgs))
                {
                    return false;
                }

                var encodedChain = assertionModel.Certificates;

                // The last entry of the presented chain is checked as the root.
                // NOTE(review): this certificate is supplied by the token itself, so the whole
                // trust decision rests on IsRootCertificateTrusted comparing it against a locally
                // configured trust anchor; confirm against that helper.
                var presentedRoot = CertificateUtilities.FromBase64Der(encodedChain.Last());
                if (!IsRootCertificateTrusted(presentedRoot))
                {
                    _logger.LogWarning("SO root certificate is untrusted.");

                    return false;
                }

                // NOTE(review): for a single-entry chain First() and Last() are the same element,
                // so one certificate is checked both as root and as Scheme Owner certificate.
                var signingCertificate = CertificateUtilities.FromBase64Der(encodedChain.First());
                var remainingChain = encodedChain
                                     .Skip(1)
                                     .Select(der => CertificateUtilities.FromBase64Der(der))
                                     .ToArray();

                // NOTE(review): the certificate objects created above are not disposed here;
                // if FromBase64Der returns a disposable certificate type, consider releasing them.
                if (!IsChainValid(signingCertificate, remainingChain))
                {
                    return false;
                }

                return DoesBelongToSchemeOwner(signingCertificate);
            }
            catch (Exception e)
            {
                // An empty chain, malformed base64/DER or a null model all end up here
                // and are reported as a failed validation rather than thrown.
                _logger.LogError(e, "Error occurred while validating token response retrieved from Scheme Owner.");

                return false;
            }
        }
        /// <summary>
        /// Validates a token: iSHARE compliance of the decoded JWT first, then certificate
        /// validation delegated to <c>_jwtCertificateValidator</c>.
        /// </summary>
        /// <param name="args">Token validation arguments; the assertion's <c>Certificates</c> and <c>Issuer</c> are read here.</param>
        /// <param name="schemeOwnerAccessToken">Access token handed unchanged to the certificate validator; it is not logged by this method.</param>
        /// <param name="token">Cancellation token forwarded to the certificate validator.</param>
        /// <returns>
        /// <c>false</c> when the compliance check fails or when anything inside the
        /// try block throws; otherwise the certificate validator's result.
        /// </returns>
        public async Task<bool> IsValidAsync(
            TokenValidationArgs args,
            string schemeOwnerAccessToken,
            CancellationToken token = default)
        {
            // NOTE(review): this call is outside the try block, so an exception thrown by the
            // compliance check propagates to the caller instead of being mapped to false.
            var isCompliant = _decodedJwtValidator.IsIShareCompliant(args);
            if (!isCompliant)
            {
                return false;
            }

            try
            {
                var encodedChain = args.AssertionModel.Certificates;
                var signingCertificate = CertificateUtilities.FromBase64Der(encodedChain.First());
                var issuer = args.Issuer;

                // Deliberately left as a deferred sequence: the remaining certificates are
                // decoded only when the consumer enumerates them.
                var remainingChain = encodedChain
                                     .Skip(1)
                                     .Select(der => CertificateUtilities.FromBase64Der(der));

                var validationArgs = new CertificateValidationArgs(signingCertificate, issuer, remainingChain);

                var isCertificateValid = await _jwtCertificateValidator.IsValidAsync(
                    validationArgs,
                    schemeOwnerAccessToken,
                    token);

                return isCertificateValid;
            }
            catch (Exception e)
            {
                // NOTE(review): this handler also covers the awaited validator call, so a failure
                // there (possibly including cancellation surfacing as an exception) is reported
                // with the "corrupted certificates" message below and returned as false.
                _logger.LogError(e, "Couldn't create proper CertificateValidationArgs. Certificates are corrupted.");

                return false;
            }
        }
        // Negative-path test: an assertion built with an empty string array and two null
        // arguments must be rejected by the compliance check.
        // NOTE(review): the empty array is presumably the certificate list; confirm against
        // the AssertionModel constructor.
        public void IsIShareCompliant_KeysNotFound_ReturnsFalse()
        {
            // Arrange
            var emptyAssertion = new AssertionModel(new string[] { }, null, null);
            var validationArgs = new TokenValidationArgs(emptyAssertion, "issuer", "audience");

            // Act
            var isCompliant = _sut.IsIShareCompliant(validationArgs);

            // Assert
            isCompliant.Should().BeFalse();
        }