前提・実現したいこと
SafetynetのJWT検証をするためにこちらのSampleを試しているのですが、JwtSecurityTokenに埋め込まれたX509セキュリティキーを取得する箇所でNullReferenceExceptionエラーが出ます
c#
keys = (token.Header["x5c"] as JArray)
なぜキャストが失敗するのかがわかりません.
Microsoft.IdentityModel.Json.Linq.Jarrray」タイプのオブジェクトを「Newtonsoft.Json.Linq.Jarrray」タイプにキャストしたいです.
検証する対象のJWTはjwt.ioにて確認したところ特に問題はないと思います.
HEADER:ALGORITHM & TOKEN TYPE
{
"alg": "RS256",
"x5c": [ "文字列1",
"文字列2",
"文字列3"
]
}
コード側でtoken.Header["x5c"].ToString()としてみると上記と同じ
[ "文字列1",
"文字列2",
"文字列3"
]
がとれます.
発生している問題・エラーメッセージ
エラーメッセージ { "errorType": "NullReferenceException", "errorMessage": "Object reference not set to an instance of an object.", "stackTrace": [ "at AWSLambdaSafetyNetVerify.OfflineVerify.GetEmbeddedKeys(JwtSecurityToken token) in D:\Myfolder\Documents\SafetyNetCsharpLambda\VisualStudioProject\AWSLambdaSafetyNetVerify\OfflineVerify.cs:line 172", "at AWSLambdaSafetyNetVerify.OfflineVerify.ParseAndVerify(String signedAttestationStatement) in D:\Myfolder\Documents\SafetyNetCsharpLambda\VisualStudioProject\AWSLambdaSafetyNetVerify\OfflineVerify.cs:line 57", "at AWSLambdaSafetyNetVerify.Function.SafetyNetAnalysisSignature(String jwt) in D:\Myfolder\Documents\SafetyNetCsharpLambda\VisualStudioProject\AWSLambdaSafetyNetVerify\Function.cs:line 119", "at AWSLambdaSafetyNetVerify.Function.MyMethod(Object input) in D:\Myfolder\Documents\SafetyNetCsharpLambda\VisualStudioProject\AWSLambdaSafetyNetVerify\Function.cs:line 54", "at lambda_method(Closure , Stream , Stream , LambdaContextInternal )" ]
該当のソースコード
c#
using Microsoft.IdentityModel.Tokens; using Newtonsoft.Json.Linq; using System; using System.Collections.Generic; using System.IdentityModel.Tokens.Jwt; using System.Linq; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; namespace SafetyNetCheck { /// <summary> /// Sample code to verify the device attestation offline. /// </summary> public static class OfflineVerify { /// <summary> /// Parses and verifies a SafetyNet attestation statement. /// </summary> /// <param name="signedAttestationStatement">A string containing the /// JWT attestation statement.</param> /// <returns>A parsed attestation statement. null if the statement is /// invalid.</returns> public static AttestationStatement ParseAndVerify( string signedAttestationStatement) { // First parse the token and get the embedded keys. JwtSecurityToken token; try { token = new JwtSecurityToken(signedAttestationStatement); } catch (ArgumentException) { // The token is not in a valid JWS format. return null; } // We just want to validate the authenticity of the certificate. var validationParameters = new TokenValidationParameters { ValidateIssuer = false, ValidateAudience = false, ValidateLifetime = false, ValidateIssuerSigningKey = true, IssuerSigningKeys = GetEmbeddedKeys(token) }; // Perform the validation var tokenHandler = new JwtSecurityTokenHandler(); SecurityToken validatedToken; try { tokenHandler.ValidateToken( signedAttestationStatement, validationParameters, out validatedToken); } catch (ArgumentException) { // Signature validation failed. return null; } // Verify the hostname if (!(validatedToken.SigningKey is X509SecurityKey)) { // The signing key is invalid. return null; } if (!VerifyHostname( "attest.android.com", validatedToken.SigningKey as X509SecurityKey)) { // The certificate isn't issued for the hostname // attest.android.com. return null; } // Parse and use the data JSON. Dictionary<string, string> claimsDictionary = token.Claims .ToDictionary(x => x.Type, x => x.Value); return new AttestationStatement(claimsDictionary); } /// <summary> /// Verifes an X509Security key, and checks that it is issued for a /// given hostname. /// </summary> /// <param name="hostname">The hostname to check to.</param> /// <param name="securityKey">The security key to verify.</param> /// <returns>true if securityKey is valid and is issued to the given /// hostname.</returns> private static bool VerifyHostname( string hostname, X509SecurityKey securityKey) { string commonName; try { // Verify the certificate with Verify(). Alternatively, you // could use the commented code below instead of Verify(), to // get more details of why a particular verification failed. // // var chain = new X509Chain(); // var chainBuilt = chain.Build(securityKey.Certificate); // if (!chainBuilt) // { // string s; // One could use a StringBuilder instead. // foreach (X509ChainStatus chainStatus in // chain.ChainStatus) // { // s += string.Format( // "Chain error: {0} {1}\n", // chainStatus.Status, // chainStatus.StatusInformation); // } // } if (!securityKey.Certificate.Verify()) { return false; } commonName = securityKey.Certificate.GetNameInfo( X509NameType.DnsName, false); } catch (CryptographicException) { return false; } return (commonName == hostname); } /// <summary> /// Retrieves the X509 security keys embedded in a JwtSecurityToken. /// </summary> /// <param name="token">The token where the keys are to be retrieved /// from.</param> /// <returns>The embedded security keys. null if there are no keys in /// the security token.</returns> /// <exception cref="KeyNotFoundException">Thrown when the JWT data /// does not contain a valid signature /// header "x5c".</exception> /// <exception cref="CryptographicException">Thrwon when the JWT data /// does not contain valid signing /// keys.</exception> private static X509SecurityKey[] GetEmbeddedKeys( JwtSecurityToken token) { // The certificates are embedded in the "x5c" part of the header. // We extract them, parse them, and then create X509 keys out of // them. X509SecurityKey[] keys = null; keys = (token.Header["x5c"] as JArray) //<=========ここでエラー. キャストできない為 nullになる .Values<string>() .Select(x => new X509SecurityKey( new X509Certificate2(Convert.FromBase64String(x)))) .ToArray(); return keys; } } }
補足情報(FW/ツールのバージョンなど)
Windows10 64bit
Microsoft Visual Studio Community 2019 Version 16.10.4
Newtonsoft.Json 13.0.1
System.IdentityModel.Tokens.Jwt 6.12.0
まだ回答がついていません
会員登録して回答してみよう
