AuthTokenValidator.cs
/*
* Copyright © 2020-2024 Estonian Information System Authority
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace WebEid.Security.Validator
{
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Exceptions;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;
using Ocsp;
using Ocsp.Service;
using AuthToken;
using Util;
using WebEid.Security.Validator.CertValidators;
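/// <summary>
/// Parses and validates Web eID authentication tokens: checks the token format, validates the
/// subject certificate (purpose, policy, trust chain and, when enabled, OCSP revocation status)
/// and verifies the token signature against the site origin and the current challenge nonce.
/// </summary>
public sealed class AuthTokenValidator : IAuthTokenValidator
{
    private readonly ILogger logger;
    private readonly AuthTokenValidationConfiguration configuration;
    private readonly AuthTokenSignatureValidator authTokenSignatureValidator;
    private readonly SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
    private readonly OcspClient ocspClient;
    private readonly OcspServiceProvider ocspServiceProvider;

    // Length bounds are enforced before deserialization so that oversized or trivially short
    // input is rejected without being handed to the JSON parser.
    private const int TokenMinLength = 100;
    private const int TokenMaxLength = 10000;

    /// <summary>
    /// Initializes a new instance of the <see cref="AuthTokenValidator"/> class.
    /// </summary>
    /// <param name="configuration">The configuration for token validation.</param>
    /// <param name="logger">The logger for capturing log messages (optional).</param>
    /// <exception cref="ArgumentNullException"><paramref name="configuration"/> is null.</exception>
    public AuthTokenValidator(AuthTokenValidationConfiguration configuration, ILogger logger = null)
    {
        if (configuration == null)
        {
            throw new ArgumentNullException(nameof(configuration));
        }

        this.logger = logger;
        // Keep a private copy for use during validation runs.
        // NOTE(review): the validators below are built from the caller's instance, not from the
        // copy; presumably both hold the same values at this point - confirm against Copy().
        this.configuration = configuration.Copy();
        this.authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.SiteOrigin);
        this.simpleSubjectCertificateValidators = SubjectCertificateValidatorBatch.CreateFrom(
            new SubjectCertificatePurposeValidator(this.logger),
            new SubjectCertificatePolicyValidator(configuration.DisallowedSubjectCertificatePolicies
                .Select(policy => new Oid(policy))
                .ToArray(), this.logger)
        );

        if (configuration.IsUserCertificateRevocationCheckWithOcspEnabled)
        {
            // The 5 second value is hard-coded here (presumably the OCSP request timeout).
            this.ocspClient = new OcspClient(TimeSpan.FromSeconds(5), this.logger);
            this.ocspServiceProvider =
                new OcspServiceProvider(configuration.DesignatedOcspServiceConfiguration,
                    new AiaOcspServiceConfiguration(configuration.NonceDisabledOcspUrls,
                        configuration.TrustedCaCertificates));
        }

        // Turn off caching of signature providers.
        // This is a static property, so the setting is not scoped to this instance: it applies to
        // every consumer of CryptoProviderFactory defaults in the process.
        CryptoProviderFactory.DefaultCacheSignatureProviders = false;
    }

    /// <summary>
    /// Parses the JSON-serialized authentication token and returns a <see cref="WebEidAuthToken"/> instance.
    /// Parsing performs no cryptographic checks; the result is untrusted until it has passed
    /// <see cref="Validate"/>.
    /// </summary>
    /// <param name="authToken">The authentication token to parse.</param>
    /// <returns>A parsed <see cref="WebEidAuthToken"/> instance.</returns>
    /// <exception cref="AuthTokenParseException">
    /// The token is null, outside the accepted length bounds, or cannot be deserialized.
    /// </exception>
    public WebEidAuthToken Parse(string authToken)
    {
        this.logger?.LogInformation("Starting token parsing");
        try
        {
            ValidateTokenLength(authToken);
            return ParseToken(authToken);
        }
        catch (Exception ex)
        {
            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
            this.logger?.LogWarning(ex, "Token parsing was interrupted:");
            throw;
        }
    }

    /// <summary>
    /// Validates the authentication token and returns the user certificate.
    /// </summary>
    /// <param name="authToken">The authentication token to validate.</param>
    /// <param name="currentChallengeNonce">
    /// The challenge nonce the signature is verified against. This class neither issues nor
    /// expires nonces; the caller supplies the value.
    /// </param>
    /// <returns>A task representing the validation result with the user certificate.</returns>
    /// <exception cref="AuthTokenParseException">
    /// The token is null, has an unsupported format, or lacks the certificate field.
    /// </exception>
    /// <exception cref="AuthTokenSignatureValidationException">
    /// Signature verification failed with an error that is not itself an <see cref="AuthTokenException"/>.
    /// </exception>
    public async Task<X509Certificate2> Validate(WebEidAuthToken authToken, string currentChallengeNonce)
    {
        this.logger?.LogInformation("Starting token validation");
        try
        {
            // The task must be awaited inside the try block: ValidateToken is async, so its
            // failures surface when the task is awaited. Returning the task un-awaited would
            // bypass the catch below and no validation failure would ever be logged.
            return await this.ValidateToken(authToken, currentChallengeNonce);
        }
        catch (Exception ex)
        {
            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
            this.logger?.LogWarning(ex, "Token validation was interrupted:");
            throw;
        }
    }

    /// <summary>
    /// Rejects a null token and tokens whose length is outside [TokenMinLength, TokenMaxLength].
    /// </summary>
    /// <exception cref="AuthTokenParseException">The token is null, too short or too long.</exception>
    private static void ValidateTokenLength(string authToken)
    {
        if (authToken == null || authToken.Length < TokenMinLength)
        {
            throw new AuthTokenParseException("Auth token is null or too short");
        }
        if (authToken.Length > TokenMaxLength)
        {
            throw new AuthTokenParseException("Auth token is too long");
        }
    }

    /// <summary>
    /// Deserializes the token JSON into a <see cref="WebEidAuthToken"/>.
    /// </summary>
    /// <exception cref="AuthTokenParseException">
    /// Deserialization yields null or fails with a <see cref="JsonException"/>.
    /// </exception>
    private static WebEidAuthToken ParseToken(string authToken)
    {
        try
        {
            var token = JsonConvert.DeserializeObject<WebEidAuthToken>(authToken);
            if (token == null)
            {
                throw new AuthTokenParseException("Web eID authentication token deserialization failed");
            }
            return token;
        }
        catch (JsonException ex)
        {
            throw new AuthTokenParseException("Error parsing Web eID authentication token", ex);
        }
    }

    /// <summary>
    /// Runs the validation steps in order: format check, certificate presence and parsing,
    /// certificate validators, trust (and optional revocation) validators, signature verification.
    /// </summary>
    private async Task<X509Certificate2> ValidateToken(WebEidAuthToken token, string currentChallengeNonce)
    {
        // Fail with a token exception instead of a NullReferenceException on the first field access.
        if (token == null)
        {
            throw new AuthTokenParseException("Auth token is null");
        }

        // Ordinal comparison: the format identifier is a protocol constant, and a culture-sensitive
        // match can treat some characters as ignorable. This is a prefix match, so any format
        // string that begins with the constant is accepted.
        if (token.Format == null ||
            !token.Format.StartsWith(IAuthTokenValidator.CURRENT_TOKEN_FORMAT_VERSION, StringComparison.Ordinal))
        {
            throw new AuthTokenParseException($"Only token format version '{IAuthTokenValidator.CURRENT_TOKEN_FORMAT_VERSION}' is currently supported");
        }

        if (string.IsNullOrEmpty(token.UnverifiedCertificate))
        {
            throw new AuthTokenParseException("'unverifiedCertificate' field is missing, null or empty");
        }

        // The certificate comes from the token itself and is untrusted until both validator
        // batches below have accepted it.
        var subjectCertificate = X509CertificateExtensions.ParseCertificate(token.UnverifiedCertificate, "unverifiedCertificate");
        await this.simpleSubjectCertificateValidators.ExecuteFor(subjectCertificate);
        await this.GetCertTrustValidators().ExecuteFor(subjectCertificate);

        try
        {
            var publicKey = subjectCertificate
                .GetAsymmetricPublicKey()
                .CreateSecurityKeyWithoutCachingSignatureProviders();

            // It is guaranteed that if the signature verification succeeds, then the origin and challenge
            // have been implicitly and correctly verified without the need to implement any additional checks.
            // NOTE(review): that guarantee covers the nonce value passed in; nonce freshness and
            // single use are not checked in this method and are presumably the caller's duty.
            this.authTokenSignatureValidator.Validate(token.Algorithm,
                publicKey,
                token.Signature,
                currentChallengeNonce);

            return subjectCertificate;
        }
        catch (Exception ex) when (!(ex is AuthTokenException))
        {
            // Anything that is not already a token exception is reported as a signature failure.
            throw new AuthTokenSignatureValidationException(ex);
        }
    }

    /// <summary>
    /// Creates the certificate trust validator batch.
    /// As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
    /// they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence they are
    /// re-created for each validation run for thread safety.
    /// </summary>
    /// <returns>certificate trust validator batch</returns>
    private SubjectCertificateValidatorBatch GetCertTrustValidators()
    {
        var certTrustedValidator =
            new SubjectCertificateTrustedValidator(this.configuration.TrustedCaCertificates, this.logger);

        // The revocation validator is constructed on every call, even when OCSP checking is
        // disabled; in that case ocspClient and ocspServiceProvider are null and AddOptional is
        // expected to leave the validator out of the batch (TODO confirm against AddOptional).
        return SubjectCertificateValidatorBatch.CreateFrom(certTrustedValidator)
            .AddOptional(this.configuration.IsUserCertificateRevocationCheckWithOcspEnabled,
                new SubjectCertificateNotRevokedValidator(certTrustedValidator,
                    this.ocspClient,
                    this.ocspServiceProvider,
                    this.configuration.AllowedOcspResponseTimeSkew,
                    this.configuration.MaxOcspResponseThisUpdateAge,
                    this.logger));
    }
}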
}