private static byte[] securedInput(byte[] header, byte[] payload, bool b64)
{
return(b64
? Encoding.UTF8.GetBytes(Compact.Serialize(header, payload))
: Arrays.Concat(Encoding.UTF8.GetBytes(Compact.Serialize(header)),
Encoding.UTF8.GetBytes("."),
payload));
}
private static byte[] DecryptBytes(Compact.Iterator parts, object key, JweAlgorithm?jweAlg, JweEncryption?jweEnc, JwtSettings settings = null)
{
byte[] header = parts.Next();
byte[] encryptedCek = parts.Next();
byte[] iv = parts.Next();
byte[] cipherText = parts.Next();
byte[] authTag = parts.Next();
JwtSettings jwtSettings = GetSettings(settings);
IDictionary <string, object> jwtHeader = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));
JweAlgorithm headerAlg = jwtSettings.JwaAlgorithmFromHeader((string)jwtHeader["alg"]);
JweEncryption headerEnc = jwtSettings.JweAlgorithmFromHeader((string)jwtHeader["enc"]);
IKeyManagement keys = jwtSettings.Jwa(headerAlg);
IJweAlgorithm enc = jwtSettings.Jwe(headerEnc);
if (keys == null)
{
throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", headerAlg));
}
if (enc == null)
{
throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", headerEnc));
}
if (jweAlg != null && (JweAlgorithm)jweAlg != headerAlg)
{
throw new InvalidAlgorithmException("The algorithm type passed to the Decrypt method did not match the algorithm type in the header.");
}
if (jweEnc != null && (JweEncryption)jweEnc != headerEnc)
{
throw new InvalidAlgorithmException("The encryption type passed to the Decrypt method did not match the encryption type in the header.");
}
byte[] cek = keys.Unwrap(encryptedCek, key, enc.KeySize, jwtHeader);
byte[] aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));
byte[] plainText = enc.Decrypt(aad, cek, iv, cipherText, authTag);
if (jwtHeader.ContainsKey("zip"))
{
ICompression compression = jwtSettings.Compression((string)jwtHeader["zip"]);
plainText = compression.Decompress(plainText);
}
return(plainText);
}
/// <summary>
/// Encodes given binary data to JWT token and sign it using given algorithm.
/// </summary>
/// <param name="payload">Binary data to encode (not null)</param>
/// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param>
/// <param name="algorithm">JWT algorithm to be used.</param>
/// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
/// <param name="settings">optional settings to override global DefaultSettings</param>
/// <param name="options">additional encoding options</param>
/// <returns>JWT in compact serialization form, digitally signed.</returns>
public static string EncodeBytes(byte[] payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null)
{
if (payload == null)
{
throw new ArgumentNullException(nameof(payload));
}
JwtSettings jwtSettings = GetSettings(settings);
JwtOptions jwtOptions = options ?? JwtOptions.Default;
var jwtHeader = new Dictionary <string, object> {
{ "alg", jwtSettings.JwsHeaderValue(algorithm) }
};
if (extraHeaders == null) //allow overload, but keep backward compatible defaults
{
extraHeaders = new Dictionary <string, object> {
{ "typ", "JWT" }
};
}
if (!jwtOptions.EncodePayload)
{
jwtHeader["b64"] = false;
jwtHeader["crit"] = Collections.Union(new[] { "b64" }, Dictionaries.Get(extraHeaders, "crit"));
}
Dictionaries.Append(jwtHeader, extraHeaders);
byte[] headerBytes = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader));
IJwsAlgorithm jwsAlgorithm = jwtSettings.Jws(algorithm);
if (jwsAlgorithm == null)
{
throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
}
byte[] signature = jwsAlgorithm.Sign(securedInput(headerBytes, payload, jwtOptions.EncodePayload), key);
byte[] payloadBytes = jwtOptions.DetachPayload ? new byte[0] : payload;
return(jwtOptions.EncodePayload
? Compact.Serialize(headerBytes, payloadBytes, signature)
: Compact.Serialize(headerBytes, Encoding.UTF8.GetString(payloadBytes), signature));
}
/// <summary>
/// Parses signed JWT token, extracts and returns payload part as binary data.
/// This method is NOT supported for encrypted JWT tokens.
/// This method is NOT performing integrity checking.
/// </summary>
/// <param name="token">signed JWT token</param>
/// <returns>unmarshalled payload</returns>
/// <exception cref="JoseException">if encrypted JWT token is provided</exception>
public static byte[] PayloadBytes(string token, bool b64 = true)
{
Compact.Iterator parts = Compact.Iterate(token);
if (parts.Count < 3)
{
throw new JoseException(
"The given token doesn't follow JWT format and must contains at least three parts.");
}
if (parts.Count > 3)
{
throw new JoseException(
"Getting payload for encrypted tokens is not supported. Please use JWT.Decode() method instead.");
}
parts.Next(false); //skip header
return(parts.Next(b64));
}
/// <summary>
/// Encodes given binary data to JWT token and applies requested encryption/compression algorithms.
/// </summary>
/// <param name="payload">Binary data to encode (not null)</param>
/// <param name="key">key for encryption, suitable for provided JWS algorithm, can be null.</param>
/// <param name="alg">JWT algorithm to be used.</param>
/// <param name="enc">encryption algorithm to be used.</param>
/// <param name="compression">optional compression type to use.</param>
/// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
/// <param name="settings">optional settings to override global DefaultSettings</param>
/// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
public static string EncodeBytes(byte[] payload, object key, JweAlgorithm alg, JweEncryption enc, JweCompression?compression = null, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null)
{
if (payload == null)
{
throw new ArgumentNullException(nameof(payload));
}
JwtSettings jwtSettings = GetSettings(settings);
IKeyManagement keys = jwtSettings.Jwa(alg);
IJweAlgorithm _enc = jwtSettings.Jwe(enc);
if (keys == null)
{
throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", alg));
}
if (_enc == null)
{
throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", enc));
}
IDictionary <string, object> jwtHeader = new Dictionary <string, object> {
{ "alg", jwtSettings.JwaHeaderValue(alg) }, { "enc", jwtSettings.JweHeaderValue(enc) }
};
Dictionaries.Append(jwtHeader, extraHeaders);
byte[][] contentKeys = keys.WrapNewKey(_enc.KeySize, key, jwtHeader);
byte[] cek = contentKeys[0];
byte[] encryptedCek = contentKeys[1];
if (compression.HasValue)
{
jwtHeader["zip"] = jwtSettings.CompressionHeader(compression.Value);
payload = jwtSettings.Compression(compression.Value).Compress(payload);
}
byte[] header = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader));
byte[] aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));
byte[][] encParts = _enc.Encrypt(aad, payload, cek);
return(Compact.Serialize(header, encryptedCek, encParts[0], encParts[1], encParts[2]));
}
private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null, bool requireSignature = false)
{
Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");
Compact.Iterator parts = Compact.Iterate(token);
if (parts.Count == 5) //encrypted JWT
{
return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings));
}
else
{
//signed or plain JWT
JwtSettings jwtSettings = GetSettings(settings);
byte[] header = parts.Next();
Dictionary <string, object> headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));
bool b64 = true;
if (headerData.TryGetValue("b64", out object value))
{
b64 = (bool)value;
}
byte[] contentPayload = parts.Next(b64);
byte[] signature = parts.Next();
byte[] effectivePayload = payload ?? contentPayload;
if (requireSignature && signature.Length == 0)
{
throw new JoseException("Payload is missing required signature");
}
string algorithm = (string)headerData["alg"];
JwsAlgorithm jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm);
if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm)
{
throw new InvalidAlgorithmException("The algorithm type passed to the Decode method did not match the algorithm type in the header.");
}
IJwsAlgorithm jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm);
if (jwsAlgorithmImpl == null)
{
throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
}
// If the key has not been specified, attempt to read it from the header.
if (key == null && headerData.ContainsKey("kid") && jwsAlgorithm != JwsAlgorithm.none)
{
if (jwsAlgorithm == JwsAlgorithm.ES256K)
{
key = (BitcoinPubKeyAddress)BitcoinPubKeyAddress.Create((string)headerData["kid"], jwtSettings.Network);
}
else
{
key = (string)headerData["kid"];
}
}
if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key))
{
throw new IntegrityException("Invalid signature.");
}
return(effectivePayload);
}
}
/// <summary>
/// Parses JWT token, extracts and attempts to unmarshal headers to requested type
/// This method is NOT performing integrity checking.
/// </summary>
/// <param name="token">signed JWT token</param>
/// <param name="settings">optional settings to override global DefaultSettings</param>
/// <typeparam name="T">desired type after unmarshalling</typeparam>
/// <returns>unmarshalled headers</returns>
public static T Headers <T>(string token, JwtSettings settings = null)
{
Compact.Iterator parts = Compact.Iterate(token);
return(GetSettings(settings).JsonMapper.Parse <T>(Encoding.UTF8.GetString(parts.Next())));
}
