
C# Hash and Verify JWT using Google KMS

We need to hash and verify the JWT token using a custom AsymmetricSecurityKey that uses the Google Cloud KMS API to sign/verify the token.

The hash logic is working fine; here is the implementation:

using System.Security.Cryptography;
using Google.Cloud.Kms.V1;
using Google.Protobuf;

public override byte[] Sign(byte[] input)
{
    string projectId = "<PROJECT-ID>";

    string location = "global";

    // Built but not used by the signing call below.
    var locationName = new LocationName(projectId, location);

    // Instantiate a Cloud KMS client.
    var client = KeyManagementServiceClient.Create();

    // Key ring "test", key "asymmetric-signing-key", version "1".
    var cryptoKeyVersion = new CryptoKeyVersionName(projectId, location, "test", "asymmetric-signing-key", "1");

    // Fetched but not used here; the public key is only needed for verification.
    var publicKey = client.GetPublicKey(cryptoKeyVersion);

    // KMS signs a caller-supplied digest, so hash the input locally first.
    byte[] hashedInput;
    using (var hasher = SHA256.Create())
    {
        hashedInput = hasher.ComputeHash(input);
    }

    var digest = new Digest
    {
        Sha256 = ByteString.CopyFrom(hashedInput)
    };

    var asymmetricSignResponse = client.AsymmetricSign(cryptoKeyVersion, digest);

    var output = asymmetricSignResponse.Signature.ToByteArray();

    return output;
}

I need to know how to verify the signature; I have tried many different ways and libraries, but it always fails.

The Google KMS documentation for creating and validating digital signatures (here) has no .NET C# implementation.

Appreciate your help!

I have found a repo that could be useful for you; it contains KMS examples for .NET Core and ASP.NET.

This sample requires .NET Core 2.0 or later. That means using Visual Studio 2017, or the command line.

https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/kms/api

Maybe this link would be useful for your research:

https://medium.com/google-cloud/keeping-secrets-in-asp-nets-appsettings-json-5694e533dc87

We're working on getting those samples together and published in our docs (see here). Here's an example:

using System;
using System.IO;
using Google.Cloud.Kms.V1;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.IO.Pem;

KeyManagementServiceClient client = KeyManagementServiceClient.Create();
CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(
    projectId, locationId, keyRingId, cryptoKeyId, cryptoKeyVersionId);

// The data that was signed and the signature KMS produced for it.
byte[] content = File.ReadAllBytes(contentFile);
byte[] signature = File.ReadAllBytes(signatureFile);

// Fetch the key version's public key as PEM and parse it with BouncyCastle.
string pubKeyPem = client.GetPublicKey(keyVersionName).Pem;
PemReader reader = new PemReader(new StringReader(pubKeyPem));
byte[] publicKeyInfoBytes = reader.ReadPemObject().Content;
AsymmetricKeyParameter key = PublicKeyFactory.CreateKey(publicKeyInfoBytes);

// The algorithm string to use will vary depending on the algorithm associated
// with the CryptoKeyVersion. `SignerUtilities.cs` in BouncyCastle source
// contains a mapping of algorithm strings.
// "SHA512withRSA/PSS" and "SHA256withRSA" (for PKCS1) are also useful example
// values.
const string algorithm = "SHA256withECDSA";

// Verification runs locally: the signer hashes the content itself, so pass the
// original content, not its digest.
ISigner signer = SignerUtilities.GetSigner(algorithm);
signer.Init(false, key);
signer.BlockUpdate(content, 0, content.Length);
bool verified = signer.VerifySignature(signature);

Console.Write($"Signature verified: {verified}");
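Putting the two posts together, as an added hypothetical example (not code from the question, the answers, or Google's samples): a complete Microsoft.IdentityModel.Tokens SignatureProvider that keeps the question's KMS-backed Sign and adds the matching Verify, done locally with BouncyCastle against the key version's public key as the second answer shows. It assumes an RSA key version whose KMS algorithm uses SHA-256 (BouncyCastle name "SHA256withRSA"); the class and parameter names are invented. Note that for EC key versions KMS returns a DER-encoded signature whereas JWS ES256 expects the raw R||S form, so this class is written for RSA only.

```csharp
using System.IO;
using System.Security.Cryptography;
using Google.Cloud.Kms.V1;
using Google.Protobuf;
using Microsoft.IdentityModel.Tokens;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.IO.Pem;

// Hypothetical provider: signs via Cloud KMS, verifies locally with the
// key version's public key so verification costs no KMS round trip.
public sealed class KmsSignatureProvider : SignatureProvider
{
    private readonly KeyManagementServiceClient _client;
    private readonly CryptoKeyVersionName _keyVersion;
    private readonly AsymmetricKeyParameter _publicKey;
    private readonly string _bcAlgorithm;

    // bcAlgorithm must match the KMS key version's algorithm, e.g.
    // "SHA256withRSA" for an RSA PKCS#1 SHA-256 key version (assumed here).
    public KmsSignatureProvider(SecurityKey key, string jwtAlgorithm,
        CryptoKeyVersionName keyVersion, string bcAlgorithm)
        : base(key, jwtAlgorithm)
    {
        _client = KeyManagementServiceClient.Create();
        _keyVersion = keyVersion;
        _bcAlgorithm = bcAlgorithm;
        // Fetch the PEM once: a key version's public key never changes.
        string pem = _client.GetPublicKey(keyVersion).Pem;
        var pemObject = new PemReader(new StringReader(pem)).ReadPemObject();
        _publicKey = PublicKeyFactory.CreateKey(pemObject.Content);
    }

    public override byte[] Sign(byte[] input)
    {
        // KMS signs a caller-supplied digest; SHA-256 must match the key's algorithm.
        byte[] hash;
        using (var sha256 = SHA256.Create()) hash = sha256.ComputeHash(input);
        var digest = new Digest { Sha256 = ByteString.CopyFrom(hash) };
        return _client.AsymmetricSign(_keyVersion, digest).Signature.ToByteArray();
    }

    public override bool Verify(byte[] input, byte[] signature)
    {
        // BouncyCastle hashes internally, so pass the raw JWT signing input.
        ISigner verifier = SignerUtilities.GetSigner(_bcAlgorithm);
        verifier.Init(false, _publicKey);
        verifier.BlockUpdate(input, 0, input.Length);
        return verifier.VerifySignature(signature);
    }

    protected override void Dispose(bool disposing) { }
}
```

A token validated with this provider is checked entirely offline, so a KMS outage or missing permission only affects issuance, not verification.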
