Skip to content

Commit

Permalink
Merge pull request #14 from TBCBank/bugfix/check-organisation-id
Browse files Browse the repository at this point in the history
Add organization identifier check on request signature validation
  • Loading branch information
svangio authored Jun 23, 2023
2 parents 5dc068d + bfd9394 commit 05e5fa5
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/TBC.OpenBanking.Jws/src/HttpMessageData.cs
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ public enum HeaderNecessity

public const string DigestHeadertName = "digest";
public const string SignatureHeaderName = "x-jws-signature";
public const string OrganizationIdentifier = "x-organization-id";

internal const string PsuPrefix = "psu-";

Expand All @@ -74,6 +75,8 @@ public enum HeaderNecessity

internal readonly static byte[] EmptyBody = Array.Empty<byte>();

internal readonly static string[] OidSubjectNames = { "2.5.4.97", "OID.2.5.4.97", "organizationIdentifier" };

/// <summary>
/// Gets or sets the HTTP body.
/// </summary>
Expand Down
54 changes: 54 additions & 0 deletions src/TBC.OpenBanking.Jws/src/HttpSignatureVerifier.cs
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
namespace TBC.OpenBanking.Jws;

using System;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
Expand Down Expand Up @@ -117,6 +118,10 @@ public bool VerifySignature(T httpData, DateTime checkTime)
// Check certificate: get certificate(s) from protected header and try to build certificate chain
CreateCertificatesChain(ProtectedHeader);

// Check and compare signing certificate organization identifier to clint certificate
if(httpData is HttpRequestData)
CheckOrganizationIdentifier(ProtectedHeader, httpData);

// Compose payload
var payload = httpData.ComposeHeadersForSignature(ProtectedHeader.DataToBeSigned.Parameters);

Expand Down Expand Up @@ -187,4 +192,53 @@ private void CheckMandatoryHeaders(T data)

data.CheckMandatoryHeaders();
}

private void CheckOrganizationIdentifier(ProtectedHeader protHeader, T data)
{
var cert = protHeader.DecodeCertificate(protHeader.EncodedCertificates[0]);

if (_logger.IsEnabled(LogLevel.Debug))
_logger.LogDebug("Incoming certificate: {Cert}", cert);

var subjects = cert.Subject.Split(',');

if (_logger.IsEnabled(LogLevel.Debug))
_logger.LogDebug("Incoming subjects: {Subject}", cert.Subject);

string oidString = null;

foreach (var oidSubjectName in HttpMessageData.OidSubjectNames)
{
oidString = subjects.FirstOrDefault(x => x.Contains(oidSubjectName));

if(oidString != null)
{
if (_logger.IsEnabled(LogLevel.Debug))
_logger.LogDebug("Signing Certificate Organization identifier {OidSubjectName}: {OidString}", oidSubjectName, oidString);

break;
}
}

if (oidString == null)
throw new CertificateValidationException("The organization identifier is missing in signing certificate");

var oid = oidString.Split('=');
if (oid.Length != 2)
throw new CertificateValidationException("Invalid Organization identifier");

if (!data.Headers.ContainsKey(HttpMessageData.OrganizationIdentifier))
throw new HeaderMissingException($"Header '{HttpMessageData.OrganizationIdentifier}' is missing");

var oidFromHeader = data.Headers[HttpMessageData.OrganizationIdentifier];

if (_logger.IsEnabled(LogLevel.Debug))
_logger.LogDebug("Client Certificate Organization identifier: {OidFromHeader}", oidFromHeader);

if (string.IsNullOrEmpty(oidFromHeader))
throw new HeaderMissingException("The organization identifier headers from client's certificate is missing");

if (!string.Equals(oid[1], oidFromHeader, StringComparison.Ordinal))
throw new CertificateValidationException("The organization identifiers in signing certificate and client certificate does not match each other");
}
}

0 comments on commit 05e5fa5

Please sign in to comment.