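Validating Google idToken - certificate verification fails using RSACryptoServiceProvider

Time: 2015-06-19 06:49:13

Tags: c# cryptography google-signin

I am building a sign-in workflow for users with Google. Once the user is authenticated, I call GetAuthResponse to get the idToken. https://developers.google.com/identity/sign-in/web/backend-auth

Now I need to validate the certificate against the Google certificates. I am using JwtSecurityToken (C#). I am referencing this for the verification - http://blogs.msdn.com/b/alejacma/archive/2008/06/25/how-to-sign-and-verify-the-signature-with-net-and-a-certificate-c.aspx

The problem is - I always get false from VerifyHash. Since VerifyHash just returns false without any reason, I cannot find a way to verify whether the idToken is valid or not. My code is below: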

            String strID = ""; // idToken received from Google AuthResponse
            JwtSecurityToken token = new JwtSecurityToken(strID);                
            byte[] text = GetHash(token.RawData);
            SHA256Cng sha1 = new SHA256Cng();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);
            byte[] signature = Encoding.Unicode.GetBytes(token.RawSignature);
            // Modulus and exponent value from https://www.googleapis.com/oauth2/v2/certs - second set of keys
            String modulus = "uHzGq7cMlx21nydbz9VsW1PItetb9mqvnpLp_8E3Knyk-mjv9DlaPhKGHYlJfHYGzKa2190C5vfsLLb1MIeGfdAv7ftpFsanIWawl8Zo0g-l0m7T2yG_7XerqcVK91lFifeJtgxKI86cPdZkgRy6DaYxMuAwAlhvpi3_UhPvsIwi7M6mxE8nUNpUWodh_YjJNu3wOxKDwbBZuRV2itjY6Z7RjFgJt1CsKF-QjqSVvWjAl0LaCaeMS_8yae0ln5YNeS8rAb6xkmcOuYeyhYsiBzwLRvgpXzEVLjLr631Z99oUHTpP9vWJDpGhfkrClkbmdtZ-ZCwX-eFW6ndd54BJEQ==";
            String exponent = "AQAB";
            modulus = modulus.Replace('-', '+').Replace('_', '/'); // Else it gives Base64 error
            StringBuilder sb = new StringBuilder();
            sb.Append("<RSAKeyValue>");
            sb.Append("<Modulus>");
            sb.Append(modulus);                
            sb.Append("</Modulus>");
            sb.Append("<Exponent>");
            sb.Append(exponent);
            sb.Append("</Exponent>");
            sb.Append("</RSAKeyValue>");
            RSACryptoServiceProvider RSAVerifier = new RSACryptoServiceProvider();                
            RSAVerifier.FromXmlString(sb.ToString());               
            // Verify the signature with the hash                
            return RSAVerifier.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), signature);

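1 answer:

Answer 0: (score: 0)

You might want to try what was done in the Google+ Token Verification project - this fork contains some minor updates that are still under review.

An alternative approach is to verify the token using Google's token verification endpoint: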

curl https://www.googleapis.com/oauth2/v2/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjkyNGE0NjA2NDgxM2I5YTA5ZmFjZGJiNzYwZGI5OTMwMWU0ZjBkZjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTcwOTc3MjI2ODMwNTc3MjMwIiwiYXpwIjoiMzY0MzgxNDQxMzEwLXRuOGw2ZnY2OWdnOGY3a3VjanJhYTFyZWpmaXRxbGpuLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXRfaGFzaCI6IlAzLU1HZTdocWZhUkZ5Si1qcWRidHciLCJhdWQiOiIzNjQzODE0NDEzMTAtdG44bDZmdjY5Z2c4ZjdrdWNqcmFhMXJlamZpdHFsam4uYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJjd3hsdXBUSkc4N2FnbU1pb0tSYUV3IiwiaWF0IjoxNDM0NDcyODc2LCJleHAiOjE0MzQ0NzY0NzZ9.Gz_WljZOV9NphDdClakLstutEKk65PNpEof7mxM2j-AOfVwh-SS0L5uxIaknFOk4-nDGmip42vrPYgNvbQWKZY63XuCs94YQgVVmTNCTJnao1IavtrhYvpDqGuGKdEB3Wemg5sS81pEthdvHwyxfwLPYukIhT8-u4ESfbFacsRtR77QRIOk-iLJAVYWTROJ05Gpa-EkTunEBVmZyYetbMfSoYkbwFKxYOlHLY-ENz_XfHTGhYhb-GyGrrw0r4FyHb81IWJ6Jf-7w6y3RiUJik7kYRkvnFouXUFSm8GBwxsioi9AAkavUWUk27s15Kcv-_hkPXzVrW5SvR1zoTI_IMw
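
For reference, a local RS256 signature check over the raw JWT segments, added here as an example (it is not code from the question, the answer or the linked project). It assumes .NET Framework 4.6+ or .NET Core; `IdTokenSignatureCheck`, `VerifyRs256` and the sample token are hypothetical names and constructed data. Unlike the question's code, it signs over the ASCII `header.payload` text and base64url-decodes the signature, modulus and exponent to bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class IdTokenSignatureCheck
{
    // base64url (RFC 7515): '-' and '_' stand in for '+' and '/', and '=' padding is dropped.
    static byte[] Base64UrlDecode(string s)
    {
        s = s.TrimEnd('=').Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
    static string Base64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // n and e: the base64url "n" and "e" members of the JWK whose "kid" matches the token header.
    public static bool VerifyRs256(string jwt, string n, string e)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            using (var rsa = new RSACryptoServiceProvider())
            {
                rsa.ImportParameters(new RSAParameters { Modulus = Base64UrlDecode(n), Exponent = Base64UrlDecode(e) });
                // The signed bytes are the ASCII text "header.payload" exactly as received.
                byte[] signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
                // The third segment is base64url text; decode it to the raw signature bytes.
                byte[] signature = Base64UrlDecode(parts[2]);
                return rsa.VerifyData(signingInput, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
        }
        catch (FormatException) { return false; }        // malformed base64url segment
        catch (CryptographicException) { return false; } // unusable key material
    }

    static void Main()
    {
        // Constructed sample: a throwaway key pair signs a made-up token so the demo runs offline.
        using (var signer = new RSACryptoServiceProvider(2048))
        {
            RSAParameters pub = signer.ExportParameters(false);
            string n = Base64UrlEncode(pub.Modulus), e = Base64UrlEncode(pub.Exponent);
            string input = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\"}")) + "." + Base64UrlEncode(Encoding.UTF8.GetBytes("{\"sub\":\"constructed\"}"));
            byte[] sig = signer.SignData(Encoding.ASCII.GetBytes(input), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            string jwt = input + "." + Base64UrlEncode(sig);
            Console.WriteLine("untouched token: " + VerifyRs256(jwt, n, e));
            Console.WriteLine("tampered payload: " + VerifyRs256(jwt.Replace(".ey", ".ez"), n, e));
        }
    }
}
```

A passing signature check alone does not make the token acceptable: the backend-auth guide linked in the question also has you check the `aud`, `iss` and `exp` claims.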