        /// <summary>
        /// Parses a compact-serialized encrypted message, verifies its outer signature,
        /// checks that the signature is trusted and decrypts the payload into <typeparamref name="T"/>.
        /// </summary>
        /// <typeparam name="T">Type the decrypted JSON payload is deserialized into.</typeparam>
        /// <param name="b64MessageToDecrypt">The compact, dot-separated message as received.</param>
        /// <param name="issuerEncryptionCerts">Certificates handed to <c>JweEncryptedPayload.CreateFromEncryptedPayload</c> for unwrapping the payload.</param>
        /// <param name="cryptoPolicy">Policy attached to the intermediate <see cref="JweMessage"/>.</param>
        /// <returns>The decrypted payload as <typeparamref name="T"/>.</returns>
        /// <exception cref="Rsa3dSecureException">
        /// Thrown with <c>RsaErrorCodes.VerifySignatureFailed</c> when
        /// <c>JweMessage.IsSignatureValidAndTrusted()</c> returns false.
        /// </exception>
        public static T FromEncryptedString <T>(string b64MessageToDecrypt, List <X509Certificate2> issuerEncryptionCerts, IJweCryptoPolicy cryptoPolicy)
        {
            var sections = b64MessageToDecrypt.SplitInToSections();
            var header   = JwsHeader.CreateJweHeaderFromEncryptedHeader(sections[0]);

            // NOTE(review): the verification key is the certificate carried in the message's
            // own header, so JWT.Decode only proves the token matches that certificate.
            // Tying the certificate to a trust anchor is the job of IsSignatureValidAndTrusted below.
            var signingKey      = header.SigningPublicCert.GetRSAPublicKey();
            var verifiedPayload = JWT.Decode(b64MessageToDecrypt, signingKey);

            var message = new JweMessage
            {
                CryptoPolicy     = cryptoPolicy,
                EncryptedMessage = b64MessageToDecrypt,
                Header           = header,
                Payload          = JweEncryptedPayload.CreateFromEncryptedPayload(verifiedPayload, issuerEncryptionCerts),
                Signature        = new JweSignature(sections[2])
            };

            if (message.IsSignatureValidAndTrusted())
            {
                return(message.GetDecryptedJsonObjectAs <T>());
            }

            throw new Rsa3dSecureException(RsaErrorCodes.VerifySignatureFailed, "Message Signature is not valid.");
        }
        /// <summary>
        /// Builds a compact JWS signed with RS256 over the JSON serialization of <paramref name="payload"/>.
        /// </summary>
        /// <remarks>
        /// <paramref name="protectedHeader"/> is modified in place: its algorithm is forced to
        /// <c>RS256</c>, and either the key id (when the JWK has one) or the whole JWK is written into it.
        /// </remarks>
        /// <typeparam name="TPayload">Any type <c>JsonConvert.SerializeObject</c> can handle.</typeparam>
        /// <param name="payload">Object serialized as the JWS payload.</param>
        /// <param name="protectedHeader">Header that is serialized and covered by the signature; mutated by this call.</param>
        /// <returns>A <see cref="JwsMessage"/> whose <c>Protected</c>, <c>Payload</c> and <c>Signature</c> are base64url encoded.</returns>
        public JwsMessage Encode <TPayload>(TPayload payload, JwsHeader protectedHeader)
        {
            protectedHeader.Algorithm = "RS256";

            // Advertise the signing key by id when one exists, otherwise embed the JWK itself.
            var hasKeyId = _jwk.KeyId != null;
            if (hasKeyId)
            {
                protectedHeader.KeyId = _jwk.KeyId;
            }
            else
            {
                protectedHeader.Key = _jwk;
            }

            var encodedPayload = Base64UrlEncoded(JsonConvert.SerializeObject(payload));
            var encodedHeader  = Base64UrlEncoded(JsonConvert.SerializeObject(protectedHeader));

            // JWS signing input: ASCII(BASE64URL(header) || '.' || BASE64URL(payload)).
            var signingInput = Encoding.ASCII.GetBytes(encodedHeader + "." + encodedPayload);
            var rawSignature = _rsa.SignData(signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            return(new JwsMessage
            {
                Payload   = encodedPayload,
                Protected = encodedHeader,
                Signature = Base64UrlEncoded(rawSignature)
            });
        }
        /// <summary>
        /// Validates a parsed request object against the client and the enclosing authorization request.
        /// </summary>
        /// <param name="header">JWS header of the request object; only <c>Alg</c> is inspected here.</param>
        /// <param name="jwsPayload">Claims of the request object.</param>
        /// <param name="openidClient">Client the request object was presented for.</param>
        /// <param name="context">Handler context giving access to the outer request data and the authenticated client.</param>
        /// <exception cref="OAuthException">
        /// <c>ErrorCodes.INVALID_REQUEST</c> when the payload is missing;
        /// <c>ErrorCodes.INVALID_REQUEST_OBJECT</c> when the signing algorithm, the <c>response_type</c>
        /// claim or the <c>client_id</c> claim is absent or does not match the outer request.
        /// </exception>
        protected virtual void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
        {
            if (jwsPayload == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, OAuth.ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            // NOTE(review): the alg check is only enforced when the client registered a
            // request_object_signing_alg; with none registered, any header alg passes this
            // method, and rejecting unacceptable algorithms is left to whatever unsigned the payload.
            var requiredAlg = openidClient.RequestObjectSigningAlg;
            if (!string.IsNullOrWhiteSpace(requiredAlg) && header.Alg != requiredAlg)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_SIGNATURE_ALG);
            }

            var responseTypeKey = OAuth.DTOs.AuthorizationRequestParameters.ResponseType;
            var clientIdKey     = OAuth.DTOs.AuthorizationRequestParameters.ClientId;

            if (!jwsPayload.ContainsKey(responseTypeKey))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
            }

            if (!jwsPayload.ContainsKey(clientIdKey))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
            }

            // response_type is a space-separated set; both sides are sorted so the comparison is order-insensitive.
            var claimedResponseTypes = jwsPayload[responseTypeKey].ToString().Split(' ').OrderBy(s => s);
            var outerResponseTypes   = context.Request.RequestData.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s);

            if (!claimedResponseTypes.SequenceEqual(outerResponseTypes))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
            }

            // The client_id bound inside the signed object must be the client that presented it.
            if (jwsPayload[clientIdKey].ToString() != context.Client.ClientId)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
            }
        }
        /// <summary>
        /// Parses a compact-serialized encrypted message into a <see cref="JweMessage"/>,
        /// leaving the payload wrapped as a <c>JweEncryptedPayload</c>.
        /// </summary>
        /// <remarks>
        /// The outer signature is checked by <c>JWT.Decode</c> against the certificate carried in
        /// the message header, but no trust decision about that certificate is made here:
        /// callers that need one must call <c>IsSignatureValidAndTrusted()</c> on the returned message.
        /// </remarks>
        /// <param name="b64MessageToDecrypt">The compact, dot-separated message as received.</param>
        /// <param name="issuerEncryptionCerts">Certificates handed to <c>JweEncryptedPayload.CreateFromEncryptedPayload</c>.</param>
        /// <param name="cryptoPolicy">Policy attached to the returned message.</param>
        /// <returns>A <see cref="JweMessage"/> holding the header, encrypted payload and signature sections.</returns>
        public static JweMessage FromEncryptedString(string b64MessageToDecrypt, List <X509Certificate2> issuerEncryptionCerts, IJweCryptoPolicy cryptoPolicy)
        {
            var sections = b64MessageToDecrypt.SplitInToSections();
            var header   = JwsHeader.CreateJweHeaderFromEncryptedHeader(sections[0]);

            // The verification key comes from the message itself (header certificate).
            var signingKey      = header.SigningPublicCert.GetRSAPublicKey();
            var verifiedPayload = JWT.Decode(b64MessageToDecrypt, signingKey);

            var message = new JweMessage
            {
                CryptoPolicy     = cryptoPolicy,
                EncryptedMessage = b64MessageToDecrypt,
                Header           = header,
                Payload          = JweEncryptedPayload.CreateFromEncryptedPayload(verifiedPayload, issuerEncryptionCerts),
                Signature        = new JweSignature(sections[2])
            };

            return(message);
        }
        /// <summary>
        /// Validates the <c>request</c> parameter of an authorization request: accepts a compact JWS
        /// or a JWE wrapping one, decrypts when needed, and returns the unsigned payload with its header.
        /// </summary>
        /// <param name="request">Raw request object as received.</param>
        /// <param name="oauthClient">Client whose settings <c>_jwtParser.Unsign</c> verifies against.</param>
        /// <param name="cancellationToken">Propagated to the decrypt step.</param>
        /// <param name="errorCode">Error code used for every <see cref="OAuthException"/> raised here; also handed to <c>Unsign</c>.</param>
        /// <returns>The payload returned by <c>Unsign</c> together with the JWS header it was read from.</returns>
        /// <exception cref="OAuthException">
        /// Raised when the value is neither JWS nor JWE, decryption yields an empty string,
        /// the JWS header cannot be extracted, or <c>Unsign</c> throws a <c>JwtException</c>.
        /// </exception>
        public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
        {
            var looksLikeJws = _jwtParser.IsJwsToken(request);
            if (!looksLikeJws && !_jwtParser.IsJweToken(request))
            {
                throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
            }

            var jws = request;

            // A JWE has to be unwrapped to the inner JWS before the header can be read.
            if (_jwtParser.IsJweToken(request))
            {
                jws = await _jwtParser.Decrypt(jws, cancellationToken);

                if (string.IsNullOrWhiteSpace(jws))
                {
                    throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
                }
            }

            JwsHeader header;
            try
            {
                header = _jwtParser.ExtractJwsHeader(jws);
            }
            catch (InvalidOperationException)
            {
                throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            // NOTE(review): the JwtException message is forwarded verbatim into the OAuthException;
            // confirm it carries nothing a client should not see before it reaches the error response.
            JwsPayload jwsPayload;
            try
            {
                jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode);
            }
            catch (JwtException ex)
            {
                throw new OAuthException(errorCode, ex.Message);
            }

            return(new RequestObjectValidatorResult(jwsPayload, header));
        }
        /// <summary>
        /// Runs the base request-object checks, then enforces the <c>exp</c> and <c>aud</c> claims.
        /// </summary>
        /// <param name="header">JWS header of the request object (passed through to the base check).</param>
        /// <param name="jwsPayload">Claims of the request object.</param>
        /// <param name="openidClient">Client the request object was presented for.</param>
        /// <param name="context">Handler context; <c>Request.IssuerName</c> is the audience this server accepts.</param>
        /// <exception cref="OAuthException">
        /// <c>ErrorCodes.INVALID_REQUEST</c> when <c>exp</c> is absent;
        /// <c>ErrorCodes.INVALID_REQUEST_OBJECT</c> when the object has expired or carries an
        /// audience list that does not include this issuer.
        /// </exception>
        protected override void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
        {
            base.CheckRequestObject(header, jwsPayload, openidClient, context);

            var expClaim = Jwt.Constants.OAuthClaims.ExpirationTime;
            if (!jwsPayload.ContainsKey(expClaim))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(ErrorMessages.MISSING_PARAMETER, expClaim));
            }

            // exp is compared as a Unix timestamp against UTC now; no clock-skew tolerance is applied.
            var now       = DateTime.UtcNow.ConvertToUnixTimestamp();
            var expiresAt = jwsPayload.GetExpirationTime();

            if (now > expiresAt)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_IS_EXPIRED);
            }

            // An object with no aud claim is accepted as-is; one that names audiences must include this issuer.
            var audiences          = jwsPayload.GetAudiences();
            var audienceRestricted = audiences.Any();

            if (audienceRestricted && !audiences.Contains(context.Request.IssuerName))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_BAD_AUDIENCE);
            }
        }
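        /// <summary>
        /// Validates the <c>request</c> parameter of an authorization request (a compact JWS, or a JWE
        /// wrapping one), checks its claims against the client and the outer request, and replaces the
        /// request data with the claims from the signed object.
        /// </summary>
        /// <param name="context">Handler context; <c>Client</c> must be an <see cref="OpenIdClient"/>.</param>
        /// <param name="request">Raw request object as received.</param>
        /// <returns><c>true</c> once the request data has been replaced by the request-object claims.</returns>
        /// <exception cref="OAuthException">
        /// Raised with <c>ErrorCodes.INVALID_REQUEST</c> when the value is neither JWS nor JWE,
        /// decryption yields an empty string, the header cannot be read, the signing algorithm is not
        /// the one expected for the client, unsigning yields no payload, or the <c>response_type</c> /
        /// <c>client_id</c> claims are missing or disagree with the outer request.
        /// </exception>
        protected async Task <bool> CheckRequest(HandlerContext context, string request)
        {
            var openidClient = (OpenIdClient)context.Client;

            if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER);
            }

            var jws = request;

            // A JWE has to be unwrapped to the inner JWS before the header can be read.
            if (_jwtParser.IsJweToken(request))
            {
                jws = await _jwtParser.Decrypt(jws);

                if (string.IsNullOrWhiteSpace(jws))
                {
                    throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
                }
            }

            JwsHeader header;
            try
            {
                header = _jwtParser.ExtractJwsHeader(jws);
            }
            catch (InvalidOperationException)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            // The header alg must be exactly the client's registered request_object_signing_alg;
            // a client with none registered is only allowed unsigned (alg "none") request objects.
            // NOTE(review): this is stricter than the virtual CheckRequestObject in this file, which
            // skips the alg check when nothing is registered — confirm which behaviour is intended.
            var registeredAlg = openidClient.RequestObjectSigningAlg;
            var expectedAlg   = string.IsNullOrWhiteSpace(registeredAlg) ? NoneSignHandler.ALG_NAME : registeredAlg;

            if (header.Alg != expectedAlg)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG);
            }

            var jwsPayload = await _jwtParser.Unsign(jws, context.Client);

            if (jwsPayload == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            var responseTypeKey = OAuth.DTOs.AuthorizationRequestParameters.ResponseType;
            var clientIdKey     = OAuth.DTOs.AuthorizationRequestParameters.ClientId;

            if (!jwsPayload.ContainsKey(responseTypeKey))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
            }

            if (!jwsPayload.ContainsKey(clientIdKey))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
            }

            // response_type is a space-separated set, so both sides are sorted before comparing.
            // Previously only the claim side was sorted, which rejected a request object whose
            // response_type listed the same values in a different order than the outer request.
            var claimedResponseTypes = jwsPayload[responseTypeKey].ToString().Split(' ').OrderBy(s => s);
            var outerResponseTypes   = context.Request.Data.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s);

            if (!claimedResponseTypes.SequenceEqual(outerResponseTypes))
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
            }

            // The client_id bound inside the signed object must be the client that presented it.
            if (jwsPayload[clientIdKey].ToString() != context.Client.ClientId)
            {
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
            }

            // From here on the signed claims are the authoritative request parameters.
            context.Request.SetData(JObject.FromObject(jwsPayload));
            return(true);
        }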
 /// <summary>
 /// Carries the outcome of request-object validation: the claims returned by the validator
 /// and the JWS header they were read from.
 /// </summary>
 /// <param name="jwsPayload">Claims of the request object.</param>
 /// <param name="header">Header of the JWS the claims were extracted from.</param>
 public RequestObjectValidatorResult(JwsPayload jwsPayload, JwsHeader header)
 {
     this.JwsHeader  = header;
     this.JwsPayload = jwsPayload;
 }