Verify JWT ES256 by Apple Notification C# [Sandbox]
I would just like to verify the JWT from an Apple Pay server notification. You can see the JWT structure on the screenshot from the jwt.io website.
So, I took the first certificate from the x5c collection in the header, converted it to an X509Certificate2 object, then got the public key in ECDsa format and tried to verify the token.
Did I implement this correctly in terms of security? Should I validate the chain of three certificates after verifying the token?
I will be grateful for any information.
private static Dictionary<string, string> GetClaimsByToken(string jwtToken)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    // Parses the token without verifying it; everything read from the header is untrusted input.
    var token = tokenHandler.ReadJwtToken(jwtToken);
    token.Header.TryGetValue("x5c", out object x5c);
    var certificateItems = JsonConvert.DeserializeObject<IEnumerable<string>>(x5c.ToString());
    // x5c[0] is the leaf (signing) certificate; the remaining entries are the intermediates.
    ValidateJWS(tokenHandler, jwtToken, certificateItems.First());
    return token.Claims.ToDictionary(c => c.Type, v => v.Value);
}

private static void ValidateJWS(JwtSecurityTokenHandler tokenHandler, string jwtToken, string publicKey)
{
    // x5c entries are standard Base64 DER (RFC 7515 section 4.1.6); the URL-safe decoder accepts that alphabet as well.
    var certificateBytes = Base64UrlEncoder.DecodeBytes(publicKey);
    var certificate = new X509Certificate2(certificateBytes);
    var eCDsa = certificate.GetECDsaPublicKey();
    TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuer = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new ECDsaSecurityKey(eCDsa),
    };
    // Throws a SecurityTokenException if the signature does not verify against the leaf's key.
    tokenHandler.ValidateToken(jwtToken, tokenValidationParameters, out var securityToken);
}
I don't know C# but today I stumbled across this problem too. It seems that after you validate the JWT token, you have to validate the chain of certificates. You need to download the certificates from Apple (root and intermediate). You can find these certificates on Apple's site: https://www.apple.com/certificateauthority/ .
You need to download them and validate them against the ones found in the x5c header. You can find more info on the Apple developer forum: https://developer.apple.com/forums/thread/691464
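The combination the question and the answer describe, signature verification with the x5c leaf key plus chain validation against a root downloaded from Apple, as an added C# example (this is not the poster's code nor Apple's): the chain is built first, with the OS trust store ignored and only the pinned Apple root accepted, the intermediates from x5c serve only as untrusted candidates, and the signature is then verified with the algorithm pinned to ES256 so the header's `alg` cannot be swapped. The root file path `AppleRootCA-G3.cer`, the helper names, and the handling of the `x5c` header value for different library versions are assumptions; `X509ChainTrustMode.CustomRootTrust` requires .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;

// Added example (not the poster's code): verify an ES256 JWS whose signing
// certificate chain travels in the "x5c" header, then validate that chain
// against an Apple root certificate pinned on disk.
public static class AppleJwsVerifier
{
    // Assumption: the Apple root CA downloaded from
    // https://www.apple.com/certificateauthority/ is stored at this path.
    private const string PinnedAppleRootPath = "AppleRootCA-G3.cer";

    public static IDictionary<string, string> VerifyAndGetClaims(string jws)
    {
        var handler = new JwtSecurityTokenHandler();
        // Parse only; nothing in this object is trusted until both checks below pass.
        var unverified = handler.ReadJwtToken(jws);

        // 1. Pull the chain out of the header: x5c[0] is the leaf, the rest are intermediates.
        var chainCerts = ReadX5c(unverified.Header);
        if (chainCerts.Count == 0)
            throw new SecurityTokenException("JWS header carries no x5c certificate chain.");
        var leaf = chainCerts[0];

        // 2. Validate the chain BEFORE trusting the leaf's key. Without this step any
        //    self-signed certificate placed in x5c would "verify" its own signature.
        ValidateChainAgainstPinnedRoot(leaf, chainCerts.Skip(1));

        // 3. Verify the signature with the leaf's EC public key, algorithm pinned to ES256.
        using var ecdsa = leaf.GetECDsaPublicKey()
            ?? throw new SecurityTokenException("Leaf certificate has no EC public key.");
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new ECDsaSecurityKey(ecdsa),
            ValidAlgorithms = new[] { SecurityAlgorithms.EcdsaSha256 }, // "ES256" only
            // Same settings as the question; enable these if your payload carries iss/aud/exp.
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = false,
        };
        var principal = handler.ValidateToken(jws, parameters, out _);
        return principal.Claims.ToDictionary(c => c.Type, c => c.Value);
    }

    private static List<X509Certificate2> ReadX5c(JwtHeader header)
    {
        if (!header.TryGetValue("x5c", out var raw) || raw == null)
            return new List<X509Certificate2>();
        // Assumption: depending on the library version the value arrives either as a
        // JSON array object or as a JSON string; both forms are handled here.
        IEnumerable<string> encoded = raw is IEnumerable<object> list
            ? list.Select(o => o.ToString())
            : JsonConvert.DeserializeObject<IEnumerable<string>>(raw.ToString());
        // x5c entries are standard Base64 DER (RFC 7515 section 4.1.6), not base64url.
        return encoded.Select(b64 => new X509Certificate2(Convert.FromBase64String(b64))).ToList();
    }

    private static void ValidateChainAgainstPinnedRoot(X509Certificate2 leaf,
                                                       IEnumerable<X509Certificate2> intermediates)
    {
        using var chain = new X509Chain();
        // Ignore the OS trust store entirely: only the pinned Apple root terminates a valid chain.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(new X509Certificate2(PinnedAppleRootPath));
        // Intermediates from x5c are candidates for path building, never trust anchors.
        foreach (var ca in intermediates)
            chain.ChainPolicy.ExtraStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;

        if (!chain.Build(leaf))
        {
            var reasons = string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            throw new SecurityTokenException(
                $"x5c chain does not lead to the pinned Apple root: {reasons}");
        }
    }
}
```

The intermediate certificate downloaded from Apple's site can be added to `ExtraStore` alongside the x5c entries, so a notification whose header omits it still validates; keeping the root in `CustomTrustStore` and everything else in `ExtraStore` is what prevents an attacker-supplied chain from being self-trusted. `X509RevocationMode.Online` makes `Build` fail with `RevocationStatusUnknown` when the host cannot reach Apple's CRL/OCSP endpoints, so decide deliberately whether that outage should reject notifications or be logged and allowed.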