diff --git a/FitConnect/Encryption/FitEncryption.cs b/FitConnect/Encryption/FitEncryption.cs
index 4975ed142f25316c18ce1b3f94aecfe7e4ca9d20..c5005d8701b3437ca075ed912f5ef7a055e2840c 100644
--- a/FitConnect/Encryption/FitEncryption.cs
+++ b/FitConnect/Encryption/FitEncryption.cs
@@ -209,7 +209,7 @@ public class FitEncryption {
return sb.ToString();
}
-
+
public static bool VerifyJwt(string signature, IEnumerable<JsonWebKey> keys,
ILogger? logger = null) {
foreach (var key in keys)
diff --git a/FitConnect/FitConnectClient.cs b/FitConnect/FitConnectClient.cs
index 19089979576abe25e29fb04b368216e49d167689..fa1c531fe69d2bb2f41fd0353f7ef861a8f42fed 100644
--- a/FitConnect/FitConnectClient.cs
+++ b/FitConnect/FitConnectClient.cs
@@ -104,9 +104,17 @@ public abstract class FitConnectClient {
public List<SecurityEventToken> GetStatusForSubmission(string caseId, string destinationId,
bool skipTest = false) {
var events = SubmissionService.GetStatusForSubmissionAsync(caseId, destinationId, skipTest)
- .Result;
- return events?.Where(s => s != null)
- .Select(e => new SecurityEventToken(e!)).ToList() ?? new List<SecurityEventToken>();
+ .Result?.Select(e => new SecurityEventToken(e!)).ToList() ??
+ new List<SecurityEventToken>();
+
+ // Check OCSP Signature of SET Event
+ #warning Sender has no way to verify the OCSP signature
+ if (_publicKeySignatureVerification != null) {
+ var setsSignatureValid = events.Aggregate(true,
+ (run, e) => run &= FitEncryption.VerifyJwt(e.TokenString,
+ new JsonWebKey(_publicKeySignatureVerification), Logger));
+ }
+ return events;
}
/// <summary>
diff --git a/FitConnect/Models/SecurityEventToken.cs b/FitConnect/Models/SecurityEventToken.cs
index de3b3ec1000f0dd55eafb8e7101134256034c753..91ac89b85d26f23db3b9af249c65305e99414585 100644
--- a/FitConnect/Models/SecurityEventToken.cs
+++ b/FitConnect/Models/SecurityEventToken.cs
@@ -18,7 +18,6 @@ public enum EventType {
}
public class SecurityEventToken {
-
public const string CreateSubmissionSchema =
"https://schema.fitko.de/fit-connect/events/create-submission";
@@ -42,12 +41,12 @@ public class SecurityEventToken {
public SecurityEventToken(string jwtEncodedString) {
- Token = new JsonWebToken(jwtEncodedString);
+ TokenString = jwtEncodedString;
EventType = DecodeEventType(Token.Claims);
- if (Token.Claims.All(c => c.Type != "iat"))
+ if (Token.Claims.All(c => c.Type != "iat"))
return;
-
+
var iat = Token.Claims.FirstOrDefault(c => c.Type == "iat")!.Value;
if (long.TryParse(iat, out var timeEpoch))
EventTime = DateTime.UnixEpoch.AddSeconds(timeEpoch);
@@ -59,7 +58,8 @@ public class SecurityEventToken {
public Events? Event { get; set; }
public object? Payload { get; set; }
- public JsonWebToken Token { get; set; }
+ public JsonWebToken Token => new JsonWebToken(TokenString);
+ public string TokenString { get; set; }
private EventType DecodeEventType(IEnumerable<Claim> claims) {
var eventsClaim = claims.FirstOrDefault(c => c.Type == "events");
@@ -87,14 +87,12 @@ public class SecurityEventToken {
ForwardSubmissionSchema))
return EventType.Forward;
if (eventsClaim.Value.Contains(
-
RejectSubmissionSchema)) {
Problems = GetProblems(events?.Values?.FirstOrDefault()?.ToString() ?? "");
return EventType.Reject;
}
-
if (eventsClaim.Value.Contains(AcceptSubmissionSchema))
return EventType.Accept;