0

I am trying to verify a JWT token signed with RSA256 in C#. The token was created on the server side in Javascript with the jwt library called Jose-jwt. I am veryfing the token in a WinForms app using C#'s System.Security.Cryptography namespace classes. I tried using jose-jwt for C# but apparently it doesn't support loading keys from PEM-encoded files.

Here is my verification code:

public static string IsCertValid()
    {
        string token = System.IO.File.ReadAllText(TokenLocation);
        var stream = System.IO.File.OpenRead(PublicKeyLocation);
        var reader = new PemReader(stream);
        var rsaParameters = reader.ReadRsaKey();

        var rsa = System.Security.Cryptography.RSA.Create();
        rsa.ImportParameters(rsaParameters);

        string[] tokenparts = token.Split('.');

        byte[] signature = Encoding.UTF8.GetBytes(tokenparts[2]);
        string dataToVerify = tokenparts[0] + '.' + tokenparts[1];
        byte[] bytesToVerify = Encoding.UTF8.GetBytes(dataToVerify);
        //string decoded = JWT.Decode(token,rsaParameters);
        bool result = rsa.VerifyData(bytesToVerify, signature, System.Security.Cryptography.HashAlgorithmName.SHA256, System.Security.Cryptography.RSASignaturePadding.Pkcs1);
        return result.ToString();
    }

This validates as false, even though I know that the token is valid for this key. Does verification need to happen with the private key? That doesn't seem very secure. What am I doing wrong? Any help will be greatly appreciated.

tutiplain
  • 1,427
  • 4
  • 19
  • 37
  • Consider using the `JsonWebTokenHandler` class from the `System.IdentityModel.Tokens.Jwt` NuGet package. https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler?view=azure-dotnet https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/ – Martin Costello Jan 26 '22 at 12:47
  • *Does verification need to happen with the private key?* - no, it's signed with the private key and verified with the public key. – jps Jan 26 '22 at 12:48
  • @MartinCostello I will look into this nuget. – tutiplain Jan 26 '22 at 13:10
  • @MartinCostello Do you have any links on how to use this library or examples? I found that it has a ValidateToken() method, but the second argument requires something called TokenValidationParameters which I can't instantiate. I've found no examples so far. – tutiplain Jan 26 '22 at 13:34
  • There's an example of using it here in a repo I maintain. https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/627626387fb5aa41ade3f21506aed2b8a35b71c9/src/AspNet.Security.OAuth.Apple/Internal/DefaultAppleIdTokenValidator.cs#L52 – Martin Costello Jan 26 '22 at 13:54
  • In your case, you are getting the TokenValidationParameters from an AppleIdValidationContext object. But in my case, I don't have a class from which to obtain the TokenValidationParameters context, nor can I instantiate it via its constructor. It says "TokenValidationParameters is a type which is invalid in this context". Any ideas on why that might be? – tutiplain Jan 26 '22 at 14:57

0 Answers0