验证 Google idToken - 使用 RSACryptoServiceProvider 验证证书失败

Question

我正在使用 Google 为用户构建登录工作流程。用户通过身份验证后，我调用 GetAuthResponse 来获取 idToken。 https://developers.google.com/identity/sign-in/web/backend-auth

现在，我需要根据 Google 证书验证证书。我同样使用 JwtSecurityToken(C#)。 我正在参考验证 - http://blogs.msdn.com/b/alejacma/archive/2008/06/25/how-to-sign-and-verify-the-signature-with-net-and-a-certificate-c.aspx

问题是 - 我总是从 VerifyHash 得到错误。因为，VerifyHash 无缘无故地返回 false，我无法找到验证 idToken 是否为 有效与否。我的代码如下所示

            String strID = ""; // idToken received from Google AuthResponse
            JwtSecurityToken token = new JwtSecurityToken(strID);                
            byte[] text = GetHash(token.RawData);
            SHA256Cng sha1 = new SHA256Cng();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);
            byte[] signature = Encoding.Unicode.GetBytes(token.RawSignature);
            // Modulus and exponent value from https://www.googleapis.com/oauth2/v2/certs - second set of keys
            String modulus = "uHzGq7cMlx21nydbz9VsW1PItetb9mqvnpLp_8E3Knyk-mjv9DlaPhKGHYlJfHYGzKa2190C5vfsLLb1MIeGfdAv7ftpFsanIWawl8Zo0g-l0m7T2yG_7XerqcVK91lFifeJtgxKI86cPdZkgRy6DaYxMuAwAlhvpi3_UhPvsIwi7M6mxE8nUNpUWodh_YjJNu3wOxKDwbBZuRV2itjY6Z7RjFgJt1CsKF-QjqSVvWjAl0LaCaeMS_8yae0ln5YNeS8rAb6xkmcOuYeyhYsiBzwLRvgpXzEVLjLr631Z99oUHTpP9vWJDpGhfkrClkbmdtZ-ZCwX-eFW6ndd54BJEQ==";
            String exponent = "AQAB";
            modulus = modulus.Replace('-', '+').Replace('_', '/'); // Else it gives Base64 error
            StringBuilder sb = new StringBuilder();
            sb.Append("<RSAKeyValue>");
            sb.Append("<Modulus>");
            sb.Append(modulus);                
            sb.Append("</Modulus>");
            sb.Append("<Exponent>");
            sb.Append(exponent);
            sb.Append("</Exponent>");
            sb.Append("</RSAKeyValue>");
            RSACryptoServiceProvider RSAVerifier = new RSACryptoServiceProvider();                
            RSAVerifier.FromXmlString(sb.ToString());               
            // Verify the signature with the hash                
            return RSAVerifier.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), signature);

Answer 1

您可能想按照Google+ Token Verification project 中的做法进行尝试 - this fork 包含一些仍在审核中的小更新。

另一种方法是仅使用 Google 的令牌验证端点来验证令牌：

curl https://www.googleapis.com/oauth2/v2/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjkyNGE0NjA2NDgxM2I5YTA5ZmFjZGJiNzYwZGI5OTMwMWU0ZjBkZjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTcwOTc3MjI2ODMwNTc3MjMwIiwiYXpwIjoiMzY0MzgxNDQxMzEwLXRuOGw2ZnY2OWdnOGY3a3VjanJhYTFyZWpmaXRxbGpuLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXRfaGFzaCI6IlAzLU1HZTdocWZhUkZ5Si1qcWRidHciLCJhdWQiOiIzNjQzODE0NDEzMTAtdG44bDZmdjY5Z2c4ZjdrdWNqcmFhMXJlamZpdHFsam4uYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJjd3hsdXBUSkc4N2FnbU1pb0tSYUV3IiwiaWF0IjoxNDM0NDcyODc2LCJleHAiOjE0MzQ0NzY0NzZ9.Gz_WljZOV9NphDdClakLstutEKk65PNpEof7mxM2j-AOfVwh-SS0L5uxIaknFOk4-nDGmip42vrPYgNvbQWKZY63XuCs94YQgVVmTNCTJnao1IavtrhYvpDqGuGKdEB3Wemg5sS81pEthdvHwyxfwLPYukIhT8-u4ESfbFacsRtR77QRIOk-iLJAVYWTROJ05Gpa-EkTunEBVmZyYetbMfSoYkbwFKxYOlHLY-ENz_XfHTGhYhb-GyGrrw0r4FyHb81IWJ6Jf-7w6y3RiUJik7kYRkvnFouXUFSm8GBwxsioi9AAkavUWUk27s15Kcv-_hkPXzVrW5SvR1zoTI_IMw