// </Snippet11> // <Snippet12> /// <summary> /// Validates the signature on the incoming token. /// </summary> /// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param> protected virtual void ValidateSignature(SimpleWebToken simpleWebToken) { if (simpleWebToken == null) { throw new ArgumentNullException("simpleWebToken"); } if (String.IsNullOrEmpty(simpleWebToken.SerializedToken) || String.IsNullOrEmpty(simpleWebToken.Signature)) { throw new SecurityTokenValidationException("The token does not have a signature to verify"); } string serializedToken = simpleWebToken.SerializedToken; string unsignedToken = null; // Find the last parameter. The signature must be last per SWT specification. int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator); // Check whether the last parameter is an hmac. if (lastSeparator > 0) { string lastParamStart = ParameterSeparator + SimpleWebTokenConstants.Signature + "="; string lastParam = serializedToken.Substring(lastSeparator); // Strip the trailing hmac to obtain the original unsigned string for later hmac verification. if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal)) { unsignedToken = serializedToken.Substring(0, lastSeparator); } } SimpleWebTokenKeyIdentifierClause clause = new SimpleWebTokenKeyIdentifierClause(simpleWebToken.Audience); InMemorySymmetricSecurityKey securityKey = null; try { securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause); } catch (InvalidOperationException) { throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause."); } string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey()); if (string.CompareOrdinal(generatedSignature, simpleWebToken.Signature) != 0) { throw new SecurityTokenValidationException("The signature on the incoming token is invalid."); } }
protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) { key = null; SimpleWebTokenKeyIdentifierClause keyClause = keyIdentifierClause as SimpleWebTokenKeyIdentifierClause; if (keyClause != null) { string base64Key = null; _keys.TryGetValue(keyClause.Audience, out base64Key); if (!string.IsNullOrEmpty(base64Key)) { key = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(base64Key)); return(true); } } return(false); }
// </Snippet9> // <Snippet10> /// <summary> /// Serializes the given SecurityToken to the XmlWriter. /// </summary> /// <param name="writer">XmlWriter into which the token is serialized.</param> /// <param name="token">SecurityToken to be serialized.</param> public override void WriteToken(XmlWriter writer, SecurityToken token) { SimpleWebToken simpleWebToken = token as SimpleWebToken; if (simpleWebToken == null) { throw new SecurityTokenException("The given token is not of the expected type 'SimpleWebToken'."); } string signedToken = null; if (String.IsNullOrEmpty(simpleWebToken.SerializedToken)) { StringBuilder strBuilder = new StringBuilder(); bool skipDelimiter = true; NameValueCollection tokenProperties = simpleWebToken.GetAllProperties(); // remove the signature if present if (String.IsNullOrEmpty(tokenProperties[SimpleWebTokenConstants.Signature])) { tokenProperties.Remove(SimpleWebTokenConstants.Signature); } foreach (string key in tokenProperties.Keys) { if (tokenProperties[key] != null) { if (!skipDelimiter) { strBuilder.Append(ParameterSeparator); } strBuilder.Append(String.Format( CultureInfo.InvariantCulture, "{0}={1}", HttpUtility.UrlEncode(key), HttpUtility.UrlEncode(tokenProperties[key]))); skipDelimiter = false; } } string serializedToken = strBuilder.ToString(); SimpleWebTokenKeyIdentifierClause clause = new SimpleWebTokenKeyIdentifierClause(simpleWebToken.Audience); InMemorySymmetricSecurityKey securityKey = null; try { securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause); } catch (InvalidOperationException) { throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause."); } // append the signature string signature = GenerateSignature(serializedToken, securityKey.GetSymmetricKey()); strBuilder.Append(String.Format( CultureInfo.InvariantCulture, "{0}{1}={2}", ParameterSeparator, HttpUtility.UrlEncode(SimpleWebTokenConstants.Signature), HttpUtility.UrlEncode(signature))); signedToken = strBuilder.ToString(); } else { // reuse the stored serialized token if present signedToken = simpleWebToken.SerializedToken; } string encodedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedToken)); writer.WriteStartElement(BinarySecurityToken); writer.WriteAttributeString("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", token.Id); writer.WriteAttributeString(ValueType, SimpleWebTokenConstants.ValueTypeUri); writer.WriteAttributeString(EncodingType, Base64EncodingType); writer.WriteString(encodedToken); writer.WriteEndElement(); }