
Verify JWT ES256 by Apple Notification C# [Sandbox]

I would just like to verify a JWT from an Apple Pay server notification. You can see the JWT structure in the screenshot from the jwt.io website.

So I take the first certificate from the x5c collection in the header, convert it to an X509Certificate2 object, then get the public key as ECDsa and try to verify the token.

Did I implement this correctly in terms of security? Should I validate a chain of three certificates after verifying the token?

I will be grateful for any information.

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Tokens;
    using Newtonsoft.Json;

    internal static class AppleNotificationJwt
    {
        private static Dictionary<string, string> GetClaimsByToken(string jwtToken)
        {
            var tokenHandler = new JwtSecurityTokenHandler();
            var token = tokenHandler.ReadJwtToken(jwtToken);

            // The x5c header carries the signing certificate chain, leaf first, as base64 DER strings.
            if (!token.Header.TryGetValue("x5c", out object x5c))
                throw new SecurityTokenException("JWT header has no x5c certificate chain.");

            var certificateItems = JsonConvert.DeserializeObject<IEnumerable<string>>(x5c.ToString());

            // Check the signature with the leaf certificate's public key (throws if it does not verify).
            ValidateJWS(tokenHandler, jwtToken, certificateItems.First());

            return token.Claims.ToDictionary(c => c.Type, c => c.Value);
        }

        private static void ValidateJWS(JwtSecurityTokenHandler tokenHandler, string jwtToken, string leafCertificate)
        {
            // x5c entries are standard base64 (not base64url) per RFC 7515 section 4.1.6.
            var certificateBytes = Convert.FromBase64String(leafCertificate);
            var certificate = new X509Certificate2(certificateBytes);
            var ecdsa = certificate.GetECDsaPublicKey();

            var tokenValidationParameters = new TokenValidationParameters
            {
                // Only the signature is checked here; audience, lifetime and issuer checks are switched off.
                ValidateAudience = false,
                ValidateLifetime = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new ECDsaSecurityKey(ecdsa),
            };

            // Throws a SecurityTokenException (e.g. SecurityTokenInvalidSignatureException) on failure.
            tokenHandler.ValidateToken(jwtToken, tokenValidationParameters, out var securityToken);
        }
    }


I don't know C#, but today I stumbled across this problem too. It seems that after you validate the JWT token, you have to validate the chain of certificates. You need to download the certificates from Apple (root and intermediate). You can find these certificates on Apple's site: https://www.apple.com/certificateauthority/ .

You need to download them and validate them against the ones found in the x5c header. You can find more info on the Apple developer forum: https://developer.apple.com/forums/thread/691464
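As an added example (not the code of the question or of the answer), here is the verification in C# with the chain check the answer recommends: the x5c chain is validated against a locally downloaded copy of the Apple root certificate before the leaf key is used for the ES256 signature check. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), the System.IdentityModel.Tokens.Jwt and Newtonsoft.Json packages already used in the question, and a placeholder file path (RootCertPath) pointing at the root certificate downloaded from the Apple page linked above.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;

// Added example: trust only a root we obtained from Apple ourselves, then verify the JWS.
internal static class AppleNotificationVerifier
{
    // Placeholder path (assumption): the root CA file downloaded from https://www.apple.com/certificateauthority/
    private const string RootCertPath = "/path/to/downloaded-apple-root.cer";

    public static IDictionary<string, string> VerifyAndGetClaims(string jwtToken)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var token = tokenHandler.ReadJwtToken(jwtToken);

        if (!token.Header.TryGetValue("x5c", out object x5c))
            throw new SecurityTokenException("JWT header has no x5c certificate chain.");

        // x5c is ordered leaf first; each entry is standard base64 DER (RFC 7515 section 4.1.6).
        var chainCerts = JsonConvert.DeserializeObject<List<string>>(x5c.ToString())
            .Select(b64 => new X509Certificate2(Convert.FromBase64String(b64)))
            .ToList();
        if (chainCerts.Count == 0)
            throw new SecurityTokenException("x5c header is empty.");

        var leaf = chainCerts[0];
        var appleRoot = new X509Certificate2(RootCertPath);

        // 1. The presented chain must end at the root we downloaded; otherwise any self-signed
        //    chain placed in the header would be accepted. Compare by thumbprint.
        var presentedRoot = chainCerts[chainCerts.Count - 1];
        if (!string.Equals(presentedRoot.Thumbprint, appleRoot.Thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenException("x5c chain does not end at the expected Apple root.");

        // 2. Build the chain with ONLY our downloaded root as trust anchor. The intermediates
        //    from x5c are supplied as untrusted extra material for path building.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(appleRoot);
        chain.ChainPolicy.ExtraStore.AddRange(chainCerts.Skip(1).ToArray());
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline example; enable revocation checks where OCSP/CRL is reachable
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(leaf))
        {
            var reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new SecurityTokenException("Certificate chain validation failed: " + reasons);
        }

        // 3. Only now is the leaf's ECDSA public key trusted for the signature check.
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new ECDsaSecurityKey(leaf.GetECDsaPublicKey()),
            ValidAlgorithms = new[] { SecurityAlgorithms.EcdsaSha256 }, // pin alg to ES256, reject substitution
            // Audience/issuer/lifetime are left off as in the question; the notification payload
            // carries its own timestamps that the application should check after decoding.
            ValidateAudience = false,
            ValidateIssuer = false,
            ValidateLifetime = false,
        };

        // Throws a SecurityTokenException if the signature or algorithm check fails.
        tokenHandler.ValidateToken(jwtToken, parameters, out _);

        return token.Claims.ToDictionary(c => c.Type, c => c.Value);
    }
}
```

The order matters: the thumbprint comparison and the CustomRootTrust chain build happen before the leaf key is handed to the token handler, so a token whose header carries an attacker-chosen chain fails at step 1 or 2 rather than verifying "successfully" against its own embedded key. Pinning ValidAlgorithms to ES256 additionally stops the handler from accepting the token under a different algorithm than the one the notification is documented to use.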
