/// <summary>
/// 檢核 資源保護者回傳值
/// </summary>
/// <param name="timesCypherTextPrimeModel"></param>
/// <returns></returns>
private bool CheckProtectedServerRespAuthZValue(TimesCypherTextPrimeModel timesCypherTextPrimeModel)
{
bool result = false;
string hashNMinusIAddOne = timesCypherTextPrimeModel.ClientTempId.HashValue;
string hashNMinusI = timesCypherTextPrimeModel.ClientTempIdPrime.HashValue;
if (MD5Hasher.Hash(hashNMinusI) == hashNMinusIAddOne)
{
result = true;
}
return(result);
}
private TimesCypherTextPrimeModel DecryptProtectedServerResult(string authZKey, string authZIv, ApiResult <string> rescrAuthorizeRespOpt)
{
if (rescrAuthorizeRespOpt.ResultCode != 0)
{
throw new Exception(rescrAuthorizeRespOpt.ResultMessage);
}
string cypherTextPrimeStr = rescrAuthorizeRespOpt.CypherCheckValue;
aesCrypter.SetKey(authZKey);
aesCrypter.SetIV(authZIv.Substring(0, 16));
string decryptStr = aesCrypter.Decrypt(cypherTextPrimeStr);
TimesCypherTextPrimeModel timesCypherTextPrimeModel = JsonConvert.DeserializeObject <TimesCypherTextPrimeModel>(decryptStr);
return(timesCypherTextPrimeModel);
}
public AuthorizeValueModel SendRequestAndAuthorizeByPost <TClass>(string protectedServerUrl, AuthorizeValueModel authorizeModel, TClass sendData)
{
//Hash(r)^(n-i)
int minusValue = authorizeModel.AuthZTimes - authorizeModel.CurrentTimes;
string hashNMinusI = HashMultipleTimes(authorizeModel.RandomValue, minusValue);
//初始化請求授權
string hashNMinusIAddOne = MD5Hasher.Hash(hashNMinusI);
string authZKey = GetResrcClientKeyAuthzTimesValue(authorizeModel.ClientProtectedCryptoModel.Key, authorizeModel.ClientTempId, authorizeModel.CurrentTimes);
string authZIv = GetResrcClientKeyAuthzTimesValue(authorizeModel.ClientProtectedCryptoModel.IV, authorizeModel.ClientTempId, authorizeModel.CurrentTimes);
string currentTimesCypherText = GetCurrentTimesCypherText(authorizeModel, hashNMinusI, authZKey, authZIv);
string token = GetTokenByAuthorizeDataAndCurrentTimesCypherText(authorizeModel, currentTimesCypherText);
Dictionary <string, string> headers = new Dictionary <string, string>
{
{ "ClientId", clientResource.ClientId },
{ "Token", token }
};
// 向資源保護者請求授權
string reqAuthZValueStr = JsonConvert.SerializeObject(sendData);
ApiResult <string> rescrAuthorizeRespOpt = AuthenHttpHandler.SendRequestByPost <string>(protectedServerUrl, reqAuthZValueStr, headers);
TimesCypherTextPrimeModel timesCypherTextPrimeModel = DecryptProtectedServerResult(authZKey, authZIv, rescrAuthorizeRespOpt);
bool checkAuthZValueResult = CheckProtectedServerRespAuthZValue(timesCypherTextPrimeModel);
if (checkAuthZValueResult == false)
{
throw new Exception("CheckProtectedServerRespAuthZValue is fail.");
}
authorizeModel.CurrentTimes = authorizeModel.CurrentTimes + 1;
authorizeModel.ClientTempId.HashValue = hashNMinusI;
return(authorizeModel);
}
public AuthResrcProtectedAuthorizeModel Verify(string token)
{
//解 Token
string jwtDecodeValue = JWT.Decode(token,
Encoding.Unicode.GetBytes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer),
JwsAlgorithm.HS256);
ClientAuthorizedReqModel jwtObject = JsonConvert.DeserializeObject <ClientAuthorizedReqModel>(jwtDecodeValue);
//加密後的合法 Url List
List <string> encryptValueList = jwtObject.ValidUrlList;
VerifyUrlIsInAuthorizedList(encryptValueList);
ClientTempIdentityModel tempIdentityModel = new ClientTempIdentityModel(this.clientInProtectedMember.ClientId, this.clientInProtectedMember.HashValue);
string shareKeyClientAndResrcDependsAuthorizedTimes = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareKeyClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);
string shareIVClientAndResrcDependsAuthorizedTimes = GetTempClientSecretByAuthorizedTimes(this.clientInProtectedMember.ShareIVClientWithProtectedServer, tempIdentityModel, this.clientInProtectedMember.CurrentTimes);
aesCrypter.SetKey(shareKeyClientAndResrcDependsAuthorizedTimes);
aesCrypter.SetIV(shareIVClientAndResrcDependsAuthorizedTimes.Substring(0, 16));
string clientAuthorizeCTCryptoDecrypt = aesCrypter.Decrypt(jwtObject.CurrentTimesCypherText);
ClientCTCypherTextModelForAuthorize clientAuthorizeCypherTextModel = JsonConvert.DeserializeObject <ClientCTCypherTextModelForAuthorize>(clientAuthorizeCTCryptoDecrypt);
if (GetUtcNowUnixTime() > clientAuthorizeCypherTextModel.ExpiredTime)
{
throw new ClientAuthorizeTokenExpiredException("Client authorized token has expired, please re-authenticate and get new token");
}
string protectedServerOriginalHash = this.clientInProtectedMember.HashValue;
string doubleHashValue = MD5Hasher.Hash(clientAuthorizeCypherTextModel.HashValue);
if (doubleHashValue != protectedServerOriginalHash)
{
throw new TokenTicketCerticateException("After checkt the token ticket, the token ticket is not right, the ticket you send has been used, please re-authenticate and get new token ticket");
}
//確認是否能夠取得下一次授權
if (jwtObject.CurrentTimes + 1 >= clientInProtectedMember.AuthZTimes)
{
throw new AuthorizeTimesHasRunOutException("The token authorzie times has run out and expired, please re-authenticate and get new token ticket");
}
TimesCypherTextPrimeModel clientPrimeModel = new TimesCypherTextPrimeModel()
{
ClientTempIdPrime = new ClientTempIdentityModel()
{
ClientId = clientInProtectedMember.ClientId,
HashValue = clientAuthorizeCypherTextModel.HashValue
},
CurrentTimes = clientInProtectedMember.CurrentTimes,
ClientTempId = new ClientTempIdentityModel()
{
ClientId = clientInProtectedMember.ClientId,
HashValue = clientInProtectedMember.HashValue,
},
};
string newShareKeyClientAndProtected = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareKeyClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes);
string newShareIVClientAndProtected = GetTempClientSecretByAuthorizedTimes(clientInProtectedMember.ShareIVClientWithProtectedServer, clientPrimeModel.ClientTempId, clientInProtectedMember.CurrentTimes).Substring(0, 16);
aesCrypter.SetIV(newShareIVClientAndProtected);
aesCrypter.SetKey(newShareKeyClientAndProtected);
string cypherPrimeStr = JsonConvert.SerializeObject(clientPrimeModel);
string newCypherTextRespClientForNextAuthZ = aesCrypter.Encrypt(cypherPrimeStr);
AuthResrcProtectedAuthorizeModel result = new AuthResrcProtectedAuthorizeModel()
{
ClientId = clientInProtectedMember.ClientId,
PortectedId = clientInProtectedMember.ProtectedId,
ProcessScoreCurrentTimes = (clientInProtectedMember.CurrentTimes + 1),
ProcessScoreHashValue = clientAuthorizeCypherTextModel.HashValue,
ClientRespCypherText = newCypherTextRespClientForNextAuthZ
};
return(result);
}