堆栈内存溢出
  简体   繁体   English

通过 Apple 通知 C# [沙盒] 验证 JWT ES256

[英]Verify JWT ES256 by Apple Notification C# [Sandbox]

 原文  2022-02-21 16:57:22       c#/ jwt

问题描述

I would like just to verify JWT from Apple Pay server notification.我只想从 Apple Pay 服务器通知中验证 JWT。 You can see the JWT structure on the screenshot from the jwt.io website.您可以在jwt.io网站的屏幕截图上看到JWT结构。

So, I took the first certificate from the x5c collection in the header, and convert it to the object X509Certificate2, then I get the public key in the ECDsa format and try to verify the token.因此,我从 header 中的 x5c 集合中获取了第一个证书,并将其转换为 object X509Certificate2,然后我获得了 ECDsa 格式的公钥并尝试验证令牌。

Did I implement this correctly in terms of security?我是否在安全方面正确实施了这一点? Should I validate a chain of three certificates after verifying the token?我应该在验证令牌后验证三个证书链吗?

I will be grateful for any information.我将不胜感激任何信息。

    private static Dictionary<string, string> GetClaimsByToken(string jwtToken)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var token = tokenHandler.ReadJwtToken(jwtToken);
        token.Header.TryGetValue("x5c", out object x5c)
        var certeficatesItems = JsonConvert.DeserializeObject<IEnumerable<string>>(x5c.ToString());

        ValidateJWS(tokenHandler, jwtToken, certeficatesItems.First());

        return token.Claims.ToDictionary(c => c.Type, v => v.Value);
    }

    private static void ValidateJWS(JwtSecurityTokenHandler tokenHandler, string jwtToken, string publicKey)
    {
        var certificateBytes = Base64UrlEncoder.DecodeBytes(publicKey);
        var certificate = new X509Certificate2(certificateBytes);
        var eCDsa = certificate.GetECDsaPublicKey();

        TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false,
            ValidateLifetime = false,
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new ECDsaSecurityKey(eCDsa),
        };

        tokenHandler.ValidateToken(jwtToken, tokenValidationParameters, out var securityToken);
    }

来自 Apple 的智威汤逊

1 个解决方案

解决方案1
 1 已采纳  2022-02-22 20:23:10

I don't know C# but today I stumble across this problem too.我不知道 C# 但今天我也偶然发现了这个问题。 It seems so after you validate jwt token, you have to validate a chain of certificates.似乎在验证 jwt 令牌之后,您必须验证证书链。 You need to download certificates from Apple(root and intermediate).您需要从 Apple 下载证书(根证书和中级证书)。 You can find these certificates on apple site: https://www.apple.com/certificateauthority/ .您可以在苹果网站上找到这些证书: https://www.apple.com/certificateauthority/

You need to download them and validate them against the ones found in the x5c header.您需要下载它们并根据 x5c 标头中的内容验证它们。 You can find more info on apple developer forum: https://developer.apple.com/forums/thread/691464您可以在苹果开发者论坛上找到更多信息: https://developer.apple.com/forums/thread/691464

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将 ES256 算法与 jwt-do.net 一起用于 Apple AppStore - Using ES256 algorithm with jwt-dotnet for Apple AppStore c#JWT将ES256 PEM文件加载到CngKey(jose-jwt) - c# JWT load ES256 PEM file into CngKey (jose-jwt) 在 c# 中使用 ---PUBLIC KEY--- 验证 JWT (ES256) 令牌 - Validate JWT (ES256) Token with ---PUBLIC KEY--- in c# 如何在 C# 中加载私有 ecdsa 密钥 es256? - How to load private ecdsa key es256 in c#? 无法验证使用es256签名的Keycloak生成的JWT - Unable to verify Keycloak generated JWTs signed with es256 如何使用 JWK 为 ES256 alg 验证 JWT? - How to Validate JWT using JWK for ES256 alg? 在 C# 中用 RS256(非对称)验证 JWT - Verify JWT with RS256 (asymmetric) in C# C#上的Apple JWT生成 - Apple JWT generation on C# 验证 JWT 令牌 c# 的签名 - verify signature of JWT Token c# c#如何验证签名JWT? - c# How to verify signature JWT?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM