WIP: TokenVerification for SET events not working for sender due to missing public key

b0d3fdb1 · Klaus Fischer · 50e75ef0 · b0d3fdb1 · b0d3fdb1 · b0d3fdb1
Commit b0d3fdb1 authored 2 years ago by Klaus Fischer
--- a/FitConnect/Encryption/FitEncryption.cs
+++ b/FitConnect/Encryption/FitEncryption.cs
@@ -209,7 +209,7 @@ public class FitEncryption {
        return sb.ToString();
    }
    public static bool VerifyJwt(string signature, IEnumerable<JsonWebKey> keys,
        ILogger? logger = null) {
        foreach (var key in keys)

--- a/FitConnect/FitConnectClient.cs
+++ b/FitConnect/FitConnectClient.cs
@@ -104,9 +104,17 @@ public abstract class FitConnectClient {
    public List<SecurityEventToken> GetStatusForSubmission(string caseId, string destinationId,
        bool skipTest = false) {
        var events = SubmissionService.GetStatusForSubmissionAsync(caseId, destinationId, skipTest)
-            .Result;
+                         .Result?.Select(e => new SecurityEventToken(e!)).ToList() ??
-        return events?.Where(s => s != null)
+                     new List<SecurityEventToken>();
-            .Select(e => new SecurityEventToken(e!)).ToList() ?? new List<SecurityEventToken>();
+        // Check OCSP Signature of SET Event
+        #warning Sender has no way to verify the OCSP signature
+        if (_publicKeySignatureVerification != null) {
+            var setsSignatureValid = events.Aggregate(true,
+                (run, e) => run &= FitEncryption.VerifyJwt(e.TokenString,
+                    new JsonWebKey(_publicKeySignatureVerification), Logger));
+        }
+        return events;
    }
    /// <summary>

--- a/FitConnect/Models/SecurityEventToken.cs
+++ b/FitConnect/Models/SecurityEventToken.cs
@@ -18,7 +18,6 @@ public enum EventType {
 }
 public class SecurityEventToken {
    public const string CreateSubmissionSchema =
        "https://schema.fitko.de/fit-connect/events/create-submission";
@@ -42,12 +41,12 @@ public class SecurityEventToken {
    public SecurityEventToken(string jwtEncodedString) {
-        Token = new JsonWebToken(jwtEncodedString);
+        TokenString = jwtEncodedString;
        EventType = DecodeEventType(Token.Claims);
-        if (Token.Claims.All(c => c.Type != "iat")) 
+        if (Token.Claims.All(c => c.Type != "iat"))
            return;
        var iat = Token.Claims.FirstOrDefault(c => c.Type == "iat")!.Value;
        if (long.TryParse(iat, out var timeEpoch))
            EventTime = DateTime.UnixEpoch.AddSeconds(timeEpoch);
@@ -59,7 +58,8 @@ public class SecurityEventToken {
    public Events? Event { get; set; }
    public object? Payload { get; set; }
-    public JsonWebToken Token { get; set; }
+    public JsonWebToken Token => new JsonWebToken(TokenString);
+    public string TokenString { get; set; }
    private EventType DecodeEventType(IEnumerable<Claim> claims) {
        var eventsClaim = claims.FirstOrDefault(c => c.Type == "events");
@@ -87,14 +87,12 @@ public class SecurityEventToken {
                ForwardSubmissionSchema))
            return EventType.Forward;
        if (eventsClaim.Value.Contains(
                RejectSubmissionSchema)) {
            Problems = GetProblems(events?.Values?.FirstOrDefault()?.ToString() ?? "");
            return EventType.Reject;
        }
        if (eventsClaim.Value.Contains(AcceptSubmissionSchema))
            return EventType.Accept;