示例#1
0
        static void verifyNonceUnused(IDictionary <string, string> query, ServiceEndpoint endpoint, IRelyingPartyApplicationStore store)
        {
            if (endpoint.Protocol.Version.Major < 2)
            {
                return;                                                  // nothing to validate
            }
            if (store == null)
            {
                return;                            // we'll pass verifying the nonce responsibility to the OP
            }
            Logger.Debug("Verifying nonce is unused...");
            var nonce = new Nonce(Util.GetRequiredArg(query, endpoint.Protocol.openid.response_nonce), true);

            nonce.Consume(store);
        }
示例#2
0
        /// <summary>
        /// Deserializes a token returned to us from the provider and verifies its integrity.
        /// </summary>
        /// <remarks>
        /// As part of deserialization, the signature is verified to check
        /// for tampering, and the nonce (if included by the RP) is also checked.
        /// If no signature is present (due to stateless mode), the endpoint is verified
        /// by discovery (slow but secure).
        /// </remarks>
        public static Token Deserialize(string token, INonceStore store)
        {
            byte[] tok;
            try {
                tok = Convert.FromBase64String(token);
            } catch (FormatException ex) {
                throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
                                                        Strings.ExpectedBase64OpenIdQueryParameter, token), null, ex);
            }
            if (tok.Length < 1)
            {
                throw new OpenIdException(Strings.InvalidSignature);
            }
            bool         signaturePresent  = tok[0] == 1;
            bool         signatureVerified = false;
            MemoryStream dataStream;

            if (signaturePresent)
            {
                if (persistSignature(store))
                {
                    // Verify the signature to guarantee that our state hasn't been
                    // tampered with in transit or on the provider.
                    HashAlgorithm hmac            = createHashAlgorithm(store);
                    int           signatureLength = hmac.HashSize / 8;
                    dataStream = new MemoryStream(tok, 1 + signatureLength, tok.Length - 1 - signatureLength);
                    byte[] newSig = hmac.ComputeHash(dataStream);
                    dataStream.Position = 0;
                    if (tok.Length - 1 < newSig.Length)
                    {
                        throw new OpenIdException(Strings.InvalidSignature);
                    }
                    for (int i = 0; i < newSig.Length; i++)
                    {
                        if (tok[i + 1] != newSig[i])
                        {
                            throw new OpenIdException(Strings.InvalidSignature);
                        }
                    }
                    signatureVerified = true;
                }
                else
                {
                    // Oops, we have no application state, so we have no way of validating the signature.
                    throw new OpenIdException(Strings.InconsistentAppState);
                }
            }
            else
            {
                dataStream = new MemoryStream(tok, 1, tok.Length - 1);
            }

            StreamReader    reader   = new StreamReader(dataStream);
            ServiceEndpoint endpoint = ServiceEndpoint.Deserialize(reader);
            Nonce           nonce    = null;

            if (signatureVerified && persistNonce(endpoint, store))
            {
                nonce = new Nonce(reader.ReadLine(), false);
                nonce.Consume(store);
            }
            if (!signatureVerified)
            {
                verifyEndpointByDiscovery(endpoint);
            }

            return(new Token(nonce, endpoint));
        }
示例#3
0
文件: Token.cs 项目: Belxjander/Asuna
		/// <summary>
		/// Deserializes a token returned to us from the provider and verifies its integrity.
		/// </summary>
		/// <remarks>
		/// As part of deserialization, the signature is verified to check
		/// for tampering, and the nonce (if included by the RP) is also checked.
		/// If no signature is present (due to stateless mode), the endpoint is verified
		/// by discovery (slow but secure).
		/// </remarks>
		public static Token Deserialize(string token, INonceStore store) {
			byte[] tok = Convert.FromBase64String(token);
			if (tok.Length < 1) throw new OpenIdException(Strings.InvalidSignature);
			bool signaturePresent = tok[0] == 1;
			bool signatureVerified = false;
			MemoryStream dataStream;

			if (signaturePresent) {
				if (persistSignature(store)) {
					// Verify the signature to guarantee that our state hasn't been
					// tampered with in transit or on the provider.
					HashAlgorithm hmac = createHashAlgorithm(store);
					int signatureLength = hmac.HashSize / 8;
					dataStream = new MemoryStream(tok, 1 + signatureLength, tok.Length - 1 - signatureLength);
					byte[] newSig = hmac.ComputeHash(dataStream);
					dataStream.Position = 0;
					if (tok.Length - 1 < newSig.Length)
						throw new OpenIdException(Strings.InvalidSignature);
					for (int i = 0; i < newSig.Length; i++)
						if (tok[i + 1] != newSig[i])
							throw new OpenIdException(Strings.InvalidSignature);
					signatureVerified = true;
				} else {
					// Oops, we have no application state, so we have no way of validating the signature.
					throw new OpenIdException(Strings.InconsistentAppState);
				}
			} else {
				dataStream = new MemoryStream(tok, 1, tok.Length - 1);
			}

			StreamReader reader = new StreamReader(dataStream);
			ServiceEndpoint endpoint = ServiceEndpoint.Deserialize(reader);
			Nonce nonce = null;
			if (signatureVerified && persistNonce(endpoint, store)) {
				nonce = new Nonce(reader.ReadLine(), false);
				nonce.Consume(store);
			}
			if (!signatureVerified) {
				verifyEndpointByDiscovery(endpoint);
			}

			return new Token(nonce, endpoint);
		}