其他分享
首页 > 其他分享> > DotnetCore 使用Jwks验证JwtToken签名

DotnetCore 使用Jwks验证JwtToken签名

作者:互联网


[Fact]
public async Task VerfiyJwtTokenUseJwks()
{

    var jwt = @"your jwt token";



    var wellKnownAddress = "http://your-openid-host/.well-known/openid-configuration";
    var httpClientFactory = this.ServiceProvier.GetRequiredService<IHttpClientFactory>();
    var httpClient = httpClientFactory.CreateClient();

    var response = await httpClient.GetAsync(wellKnownAddress);
    response.EnsureSuccessStatusCode();

    var json = await response.Content.ReadAsStringAsync();
    var jObj = (JObject)JsonConvert.DeserializeObject(json);
    var jwks_uri = jObj["jwks_uri"].ToString();
    Console.WriteLine($"Jwks_uri: {jwks_uri}");


    var keySet = await httpClient.GetStringAsync(jwks_uri);
    Console.WriteLine($"keySets: {keySet}");

    var ketSets = (JObject)JsonConvert.DeserializeObject(keySet);
    var keys = (JArray)ketSets["keys"];

    var jwtArray = jwt.Split('.');
    var headerObj = (JObject)JsonConvert.DeserializeObject(DecodeJwtToken(jwtArray[0]));
    Console.WriteLine($"Token Header: {headerObj}");

    var jwtSign = jwtArray[2];

    foreach (var key in keys)
    {
        var kid = headerObj["kid"];
        if (key["kid"].ToString() == kid.ToString())
        {
            var e = key["e"].ToString();
            var n = key["n"].ToString();
            using (var rsa = System.Security.Cryptography.RSA.Create())
            {
                var rsaKeyInfo = new RSAParameters
                {
                    Modulus = DecodeBase64ToByteArray(n),
                    Exponent = DecodeBase64ToByteArray(e)
                };

                rsa.ImportParameters(rsaKeyInfo);
                var d = $"{jwtArray[0]}.{jwtArray[1]}";

                var success = rsa.VerifyData(
                    Encoding.UTF8.GetBytes(d),
                    DecodeBase64ToByteArray(jwtSign), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                Console.WriteLine($"verfiy: {success}");

                var publicKeyPem = ExportPublicKey(rsa);

                Console.WriteLine($"PublicKey PEM: \r\n{publicKeyPem}");

            }

        }

    }
}

private string DecodeJwtToken(string base64Token)
{
    var bytes = DecodeBase64ToByteArray(base64Token);
    var json = Encoding.UTF8.GetString(bytes);
    return json;
}

private byte[] DecodeBase64ToByteArray(string b64String)
{
    var m = (b64String.Length % 4);
    if (m > 0)
    {
        if (m == 2)
        {
            b64String += "==";
        }
        else
        {
            b64String += "=";
        }
    }
    return Convert.FromBase64String(b64String.Replace("-", "+").Replace("_", "/"));
}




public static string ExportPublicKey(RSA csp)
{
    StringWriter outputStream = new StringWriter();
    var parameters = csp.ExportParameters(false);
    using (var stream = new MemoryStream())
    {
        var writer = new BinaryWriter(stream);
        writer.Write((byte)0x30); // SEQUENCE
        using (var innerStream = new MemoryStream())
        {
            var innerWriter = new BinaryWriter(innerStream);
            innerWriter.Write((byte)0x30); // SEQUENCE
            EncodeLength(innerWriter, 13);
            innerWriter.Write((byte)0x06); // OBJECT IDENTIFIER
            var rsaEncryptionOid = new byte[] { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01 };
            EncodeLength(innerWriter, rsaEncryptionOid.Length);
            innerWriter.Write(rsaEncryptionOid);
            innerWriter.Write((byte)0x05); // NULL
            EncodeLength(innerWriter, 0);
            innerWriter.Write((byte)0x03); // BIT STRING
            using (var bitStringStream = new MemoryStream())
            {
                var bitStringWriter = new BinaryWriter(bitStringStream);
                bitStringWriter.Write((byte)0x00); // # of unused bits
                bitStringWriter.Write((byte)0x30); // SEQUENCE
                using (var paramsStream = new MemoryStream())
                {
                    var paramsWriter = new BinaryWriter(paramsStream);
                    EncodeIntegerBigEndian(paramsWriter, parameters.Modulus); // Modulus
                    EncodeIntegerBigEndian(paramsWriter, parameters.Exponent); // Exponent
                    var paramsLength = (int)paramsStream.Length;
                    EncodeLength(bitStringWriter, paramsLength);
                    bitStringWriter.Write(paramsStream.GetBuffer(), 0, paramsLength);
                }
                var bitStringLength = (int)bitStringStream.Length;
                EncodeLength(innerWriter, bitStringLength);
                innerWriter.Write(bitStringStream.GetBuffer(), 0, bitStringLength);
            }
            var length = (int)innerStream.Length;
            EncodeLength(writer, length);
            writer.Write(innerStream.GetBuffer(), 0, length);
        }

        var base64 = Convert.ToBase64String(stream.GetBuffer(), 0, (int)stream.Length).ToCharArray();
        // WriteLine terminates with \r\n, we want only \n
        outputStream.Write("-----BEGIN PUBLIC KEY-----\n");
        for (var i = 0; i < base64.Length; i += 64)
        {
            outputStream.Write(base64, i, Math.Min(64, base64.Length - i));
            outputStream.Write("\n");
        }
        outputStream.Write("-----END PUBLIC KEY-----");
    }

    return outputStream.ToString();
}


private static void EncodeLength(BinaryWriter stream, int length)
{
    if (length < 0) throw new ArgumentOutOfRangeException("length", "Length must be non-negative");
    if (length < 0x80)
    {
        // Short form
        stream.Write((byte)length);
    }
    else
    {
        // Long form
        var temp = length;
        var bytesRequired = 0;
        while (temp > 0)
        {
            temp >>= 8;
            bytesRequired++;
        }
        stream.Write((byte)(bytesRequired | 0x80));
        for (var i = bytesRequired - 1; i >= 0; i--)
        {
            stream.Write((byte)(length >> (8 * i) & 0xff));
        }
    }
}

private static void EncodeIntegerBigEndian(BinaryWriter stream, byte[] value, bool forceUnsigned = true)
{
    stream.Write((byte)0x02); // INTEGER
    var prefixZeros = 0;
    for (var i = 0; i < value.Length; i++)
    {
        if (value[i] != 0) break;
        prefixZeros++;
    }
    if (value.Length - prefixZeros == 0)
    {
        EncodeLength(stream, 1);
        stream.Write((byte)0);
    }
    else
    {
        if (forceUnsigned && value[prefixZeros] > 0x7f)
        {
            // Add a prefix zero to force unsigned if the MSB is 1
            EncodeLength(stream, value.Length - prefixZeros + 1);
            stream.Write((byte)0);
        }
        else
        {
            EncodeLength(stream, value.Length - prefixZeros);
        }
        for (var i = prefixZeros; i < value.Length; i++)
        {
            stream.Write(value[i]);
        }
    }
}

标签:stream,Jwks,Write,Length,DotnetCore,JwtToken,var,new,byte
来源: https://www.cnblogs.com/byxxw/p/11243772.html